Move most of ssh.c out into separate source files.
I've tried to separate out as many individually coherent changes from
this work as I could into their own commits, but here's where I run
out and have to commit the rest of this major refactoring as a
big-bang change.
Most of ssh.c is now no longer in ssh.c: all five of the main
coroutines that handle layers of the SSH-1 and SSH-2 protocols now
each have their own source file to live in, and a lot of the
supporting functions have moved into the appropriate one of those too.
The new abstraction is a vtable called 'PacketProtocolLayer', which
has an input and output packet queue. Each layer's main coroutine is
invoked from the method ssh_ppl_process_queue(), which is usually
(though not exclusively) triggered automatically when things are
pushed on the input queue. In SSH-2, the base layer is the transport
protocol, and it contains a pair of subsidiary queues by which it
passes some of its packets to the higher SSH-2 layers - first userauth
and then connection, which are peers at the same level, with the
former abdicating in favour of the latter at the appropriate moment.
SSH-1 is simpler: the whole login phase of the protocol (crypto setup
and authentication) is all in one module, and since SSH-1 has no
repeat key exchange, that setup layer abdicates in favour of the
connection phase when it's done.
ssh.c itself is now about a tenth of its old size (which all by itself
is cause for celebration!). Its main job is to set up all the layers,
hook them up to each other and to the BPP, and to funnel data back and
forth between that collection of modules and external things such as
the network and the terminal. Once it's set up a collection of packet
protocol layers, it communicates with them partly by calling methods
of the base layer (and if that's ssh2transport then it will delegate
some functionality to the corresponding methods of its higher layer),
and partly by talking directly to the connection layer no matter where
it is in the stack by means of the separate ConnectionLayer vtable
which I introduced in commit 8001dd4cb, and to which I've now added
quite a few extra methods replacing services that used to be internal
function calls within ssh.c.
(One effect of this is that the SSH-1 and SSH-2 channel storage is now
no longer shared - there are distinct struct types ssh1_channel and
ssh2_channel. That means a bit more code duplication, but on the plus
side, a lot fewer confusing conditionals in the middle of half-shared
functions, and less risk of a piece of SSH-1 escaping into SSH-2 or
vice versa, which I remember has happened at least once in the past.)
The bulk of this commit introduces the five new source files, their
common header sshppl.h and some shared supporting routines in
sshcommon.c, and rewrites nearly all of ssh.c itself. But it also
includes a couple of other changes that I couldn't separate easily
enough:
Firstly, there's a new handling for socket EOF, in which ssh.c sets an
'input_eof' flag in the BPP, and that responds by checking a flag that
tells it whether to report the EOF as an error or not. (This is the
main reason for those new BPP_READ / BPP_WAITFOR macros - they can
check the EOF flag every time the coroutine is resumed.)
Secondly, the error reporting itself is changed around again. I'd
expected to put some data fields in the public PacketProtocolLayer
structure that it could set to report errors in the same way as the
BPPs have been doing, but in the end, I decided propagating all those
data fields around was a pain and that even the BPPs shouldn't have
been doing it that way. So I've reverted to a system where everything
calls back to functions in ssh.c itself to report any connection-
ending condition. But there's a new family of those functions,
categorising the possible such conditions by semantics, and each one
has a different set of detailed effects (e.g. how rudely to close the
network connection, what exit status should be passed back to the
whole application, whether to send a disconnect message and/or display
a GUI error box).
I don't expect this to be immediately perfect: of course, the code has
been through a big upheaval, new bugs are expected, and I haven't been
able to do a full job of testing (e.g. I haven't tested every auth or
kex method). But I've checked that it _basically_ works - both SSH
protocols, all the different kinds of forwarding channel, more than
one auth method, Windows and Linux, connection sharing - and I think
it's now at the point where the easiest way to find further bugs is to
let it out into the wild and see what users can spot.
2018-09-24 17:28:16 +00:00
|
|
|
/*
|
|
|
|
|
* Packet protocol layer for the SSH-2 transport protocol (RFC 4253).
|
|
|
|
|
*/
|
|
|
|
|
|
|
|
|
|
#include <assert.h>
|
|
|
|
|
|
|
|
|
|
#include "putty.h"
|
|
|
|
|
#include "ssh.h"
|
|
|
|
|
#include "sshbpp.h"
|
|
|
|
|
#include "sshppl.h"
|
|
|
|
|
#include "sshcr.h"
|
|
|
|
|
#include "storage.h"
|
|
|
|
|
|
|
|
|
|
#ifndef NO_GSSAPI
|
|
|
|
|
#include "sshgssc.h"
|
|
|
|
|
#include "sshgss.h"
|
|
|
|
|
#define MIN_CTXT_LIFETIME 5 /* Avoid rekey with short lifetime (seconds) */
|
|
|
|
|
#define GSS_KEX_CAPABLE (1<<0) /* Can do GSS KEX */
|
|
|
|
|
#define GSS_CRED_UPDATED (1<<1) /* Cred updated since previous delegation */
|
|
|
|
|
#define GSS_CTXT_EXPIRES (1<<2) /* Context expires before next timer */
|
|
|
|
|
#define GSS_CTXT_MAYFAIL (1<<3) /* Context may expire during handshake */
|
|
|
|
|
#endif
|
|
|
|
|
|
|
|
|
|
#define DH_MIN_SIZE 1024
|
|
|
|
|
#define DH_MAX_SIZE 8192
|
|
|
|
|
|
|
|
|
|
enum kexlist {
|
|
|
|
|
KEXLIST_KEX, KEXLIST_HOSTKEY, KEXLIST_CSCIPHER, KEXLIST_SCCIPHER,
|
|
|
|
|
KEXLIST_CSMAC, KEXLIST_SCMAC, KEXLIST_CSCOMP, KEXLIST_SCCOMP,
|
|
|
|
|
NKEXLIST
|
|
|
|
|
};
|
|
|
|
|
#define MAXKEXLIST 16
|
|
|
|
|
struct kexinit_algorithm {
|
|
|
|
|
const char *name;
|
|
|
|
|
union {
|
|
|
|
|
struct {
|
|
|
|
|
const struct ssh_kex *kex;
|
|
|
|
|
int warn;
|
|
|
|
|
} kex;
|
|
|
|
|
struct {
|
|
|
|
|
const ssh_keyalg *hostkey;
|
|
|
|
|
int warn;
|
|
|
|
|
} hk;
|
|
|
|
|
struct {
|
|
|
|
|
const struct ssh2_cipheralg *cipher;
|
|
|
|
|
int warn;
|
|
|
|
|
} cipher;
|
|
|
|
|
struct {
|
|
|
|
|
const struct ssh2_macalg *mac;
|
|
|
|
|
int etm;
|
|
|
|
|
} mac;
|
Support OpenSSH delayed compression without a rekey.
The problem with OpenSSH delayed compression is that the spec has a
race condition. Compression is enabled when the server sends
USERAUTH_SUCCESS. In the server->client direction, that's fine: the
USERAUTH_SUCCESS packet is not itself compressed, and the next packet
in the same direction is. But in the client->server direction, this
specification relies on there being a moment of half-duplex in the
connection: the client can't send any outgoing packet _after_ whatever
userauth packet the USERAUTH_SUCCESS was a response to, and _before_
finding out whether the response is USERAUTH_SUCCESS or something
else. If it emitted, say, an SSH_MSG_IGNORE or initiated a rekey
(perhaps due to a timeout), then that might cross in the network with
USERAUTH_SUCCESS and the server wouldn't be able to know whether to
treat it as compressed.
My previous solution was to note the presence of delayed compression
options in the server KEXINIT, but not to negotiate them in the
initial key exchange. Instead, we conduct the userauth exchange with
compression="none", and then once userauth has concluded, we trigger
an immediate rekey in which we do accept delayed compression methods -
because of course by that time they're no different from the non-
delayed versions. And that means compression is enabled by the
bidirectional NEWKEYS exchange, which lacks that race condition.
I think OpenSSH itself gets away with this because its layer structure
is structure so as to never send any such asynchronous transport-layer
message in the middle of userauth. Ours is not. But my cunning plan is
that now that my BPP abstraction includes a queue of packets to be
sent and a callback that processes that queue on to the output raw
data bufchain, it's possible to make that callback terminate early, to
leave any dangerous transport-layer messages unsent while we wait for
a userauth response.
Specifically: if we've negotiated a delayed compression method and not
yet seen USERAUTH_SUCCESS, then ssh2_bpp_handle_output will emit all
packets from its queue up to and including the last one in the
userauth type-code range, and keep back any further ones. The idea is
that _if_ that last userauth message was one that might provoke
USERAUTH_SUCCESS, we don't want to send any difficult things after it;
if it's not (e.g. it's in the middle of some ongoing userauth process
like k-i or GSS) then the userauth layer will know that, and will emit
some further userauth packet on its own initiative which will clue us
in that it's OK to release everything up to and including that one.
(So in particular it wasn't even necessary to forbid _all_ transport-
layer packets during userauth. I could have done that by reordering
the output queue - packets in that queue haven't been assigned their
sequence numbers yet, so that would have been safe - but it's more
elegant not to have to.)
One particular case we do have to be careful about is not trying to
initiate a _rekey_ during userauth, if delayed compression is in the
offing. That's because when we start rekeying, ssh2transport stops
sending any higher-layer packets at all, to discourage servers from
trying to ignore the KEXINIT and press on regardless - you don't get
your higher-layer replies until you actually respond to the
lower-layer interrupt. But in this case, if ssh2transport sent a
KEXINIT, which ssh2bpp kept back in the queue to avoid a delayed
compression race and would only send if another userauth packet
followed it, which ssh2transport would never pass on to ssh2bpp's
output queue, there'd be a complete protocol deadlock. So instead I
defer any attempt to start a rekey until after userauth finishes
(using the existing system for starting a deferred rekey at that
moment, which was previously used for the _old_ delayed-compression
strategy, and still has to be here anyway for GSSAPI purposes).
2018-10-07 08:10:14 +00:00
|
|
|
struct {
|
|
|
|
|
const struct ssh_compression_alg *comp;
|
|
|
|
|
int delayed;
|
|
|
|
|
} comp;
|
Move most of ssh.c out into separate source files.
I've tried to separate out as many individually coherent changes from
this work as I could into their own commits, but here's where I run
out and have to commit the rest of this major refactoring as a
big-bang change.
Most of ssh.c is now no longer in ssh.c: all five of the main
coroutines that handle layers of the SSH-1 and SSH-2 protocols now
each have their own source file to live in, and a lot of the
supporting functions have moved into the appropriate one of those too.
The new abstraction is a vtable called 'PacketProtocolLayer', which
has an input and output packet queue. Each layer's main coroutine is
invoked from the method ssh_ppl_process_queue(), which is usually
(though not exclusively) triggered automatically when things are
pushed on the input queue. In SSH-2, the base layer is the transport
protocol, and it contains a pair of subsidiary queues by which it
passes some of its packets to the higher SSH-2 layers - first userauth
and then connection, which are peers at the same level, with the
former abdicating in favour of the latter at the appropriate moment.
SSH-1 is simpler: the whole login phase of the protocol (crypto setup
and authentication) is all in one module, and since SSH-1 has no
repeat key exchange, that setup layer abdicates in favour of the
connection phase when it's done.
ssh.c itself is now about a tenth of its old size (which all by itself
is cause for celebration!). Its main job is to set up all the layers,
hook them up to each other and to the BPP, and to funnel data back and
forth between that collection of modules and external things such as
the network and the terminal. Once it's set up a collection of packet
protocol layers, it communicates with them partly by calling methods
of the base layer (and if that's ssh2transport then it will delegate
some functionality to the corresponding methods of its higher layer),
and partly by talking directly to the connection layer no matter where
it is in the stack by means of the separate ConnectionLayer vtable
which I introduced in commit 8001dd4cb, and to which I've now added
quite a few extra methods replacing services that used to be internal
function calls within ssh.c.
(One effect of this is that the SSH-1 and SSH-2 channel storage is now
no longer shared - there are distinct struct types ssh1_channel and
ssh2_channel. That means a bit more code duplication, but on the plus
side, a lot fewer confusing conditionals in the middle of half-shared
functions, and less risk of a piece of SSH-1 escaping into SSH-2 or
vice versa, which I remember has happened at least once in the past.)
The bulk of this commit introduces the five new source files, their
common header sshppl.h and some shared supporting routines in
sshcommon.c, and rewrites nearly all of ssh.c itself. But it also
includes a couple of other changes that I couldn't separate easily
enough:
Firstly, there's a new handling for socket EOF, in which ssh.c sets an
'input_eof' flag in the BPP, and that responds by checking a flag that
tells it whether to report the EOF as an error or not. (This is the
main reason for those new BPP_READ / BPP_WAITFOR macros - they can
check the EOF flag every time the coroutine is resumed.)
Secondly, the error reporting itself is changed around again. I'd
expected to put some data fields in the public PacketProtocolLayer
structure that it could set to report errors in the same way as the
BPPs have been doing, but in the end, I decided propagating all those
data fields around was a pain and that even the BPPs shouldn't have
been doing it that way. So I've reverted to a system where everything
calls back to functions in ssh.c itself to report any connection-
ending condition. But there's a new family of those functions,
categorising the possible such conditions by semantics, and each one
has a different set of detailed effects (e.g. how rudely to close the
network connection, what exit status should be passed back to the
whole application, whether to send a disconnect message and/or display
a GUI error box).
I don't expect this to be immediately perfect: of course, the code has
been through a big upheaval, new bugs are expected, and I haven't been
able to do a full job of testing (e.g. I haven't tested every auth or
kex method). But I've checked that it _basically_ works - both SSH
protocols, all the different kinds of forwarding channel, more than
one auth method, Windows and Linux, connection sharing - and I think
it's now at the point where the easiest way to find further bugs is to
let it out into the wild and see what users can spot.
2018-09-24 17:28:16 +00:00
|
|
|
} u;
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
struct ssh_signkey_with_user_pref_id {
|
|
|
|
|
const ssh_keyalg *alg;
|
|
|
|
|
int id;
|
|
|
|
|
};
|
|
|
|
|
const static struct ssh_signkey_with_user_pref_id hostkey_algs[] = {
|
|
|
|
|
{ &ssh_ecdsa_ed25519, HK_ED25519 },
|
|
|
|
|
{ &ssh_ecdsa_nistp256, HK_ECDSA },
|
|
|
|
|
{ &ssh_ecdsa_nistp384, HK_ECDSA },
|
|
|
|
|
{ &ssh_ecdsa_nistp521, HK_ECDSA },
|
|
|
|
|
{ &ssh_dss, HK_DSA },
|
|
|
|
|
{ &ssh_rsa, HK_RSA },
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
const static struct ssh2_macalg *const macs[] = {
|
|
|
|
|
&ssh_hmac_sha256, &ssh_hmac_sha1, &ssh_hmac_sha1_96, &ssh_hmac_md5
|
|
|
|
|
};
|
|
|
|
|
const static struct ssh2_macalg *const buggymacs[] = {
|
|
|
|
|
&ssh_hmac_sha1_buggy, &ssh_hmac_sha1_96_buggy, &ssh_hmac_md5
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
static ssh_compressor *ssh_comp_none_init(void)
|
|
|
|
|
{
|
|
|
|
|
return NULL;
|
|
|
|
|
}
|
|
|
|
|
static void ssh_comp_none_cleanup(ssh_compressor *handle)
|
|
|
|
|
{
|
|
|
|
|
}
|
|
|
|
|
static ssh_decompressor *ssh_decomp_none_init(void)
|
|
|
|
|
{
|
|
|
|
|
return NULL;
|
|
|
|
|
}
|
|
|
|
|
static void ssh_decomp_none_cleanup(ssh_decompressor *handle)
|
|
|
|
|
{
|
|
|
|
|
}
|
|
|
|
|
static void ssh_comp_none_block(ssh_compressor *handle,
|
|
|
|
|
unsigned char *block, int len,
|
|
|
|
|
unsigned char **outblock, int *outlen,
|
|
|
|
|
int minlen)
|
|
|
|
|
{
|
|
|
|
|
}
|
|
|
|
|
static int ssh_decomp_none_block(ssh_decompressor *handle,
|
|
|
|
|
unsigned char *block, int len,
|
|
|
|
|
unsigned char **outblock, int *outlen)
|
|
|
|
|
{
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
const static struct ssh_compression_alg ssh_comp_none = {
|
|
|
|
|
"none", NULL,
|
|
|
|
|
ssh_comp_none_init, ssh_comp_none_cleanup, ssh_comp_none_block,
|
|
|
|
|
ssh_decomp_none_init, ssh_decomp_none_cleanup, ssh_decomp_none_block,
|
|
|
|
|
NULL
|
|
|
|
|
};
|
|
|
|
|
const static struct ssh_compression_alg *const compressions[] = {
|
|
|
|
|
&ssh_zlib, &ssh_comp_none
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Enumeration of high-level classes of reason why we might need to do
|
|
|
|
|
* a repeat key exchange. A full detailed reason in human-readable
|
|
|
|
|
* string form for the Event Log is also provided, but this enum type
|
|
|
|
|
* is used to discriminate between classes of reason that the code
|
|
|
|
|
* needs to treat differently.
|
|
|
|
|
*
|
|
|
|
|
* RK_NONE == 0 is the value indicating that no rekey is currently
|
|
|
|
|
* needed at all. RK_INITIAL indicates that we haven't even done the
|
|
|
|
|
* _first_ key exchange yet. RK_SERVER indicates that we're rekeying
|
|
|
|
|
* because the server asked for it, not because we decided it
|
|
|
|
|
* ourselves. RK_NORMAL is the usual case. RK_GSS_UPDATE indicates
|
|
|
|
|
* that we're rekeying because we've just got new GSSAPI credentials
|
|
|
|
|
* (hence there's no point in doing a preliminary check for new GSS
|
|
|
|
|
* creds, because we already know the answer); RK_POST_USERAUTH
|
|
|
|
|
* indicates that _if_ we're going to need a post-userauth immediate
|
|
|
|
|
* rekey for any reason, this is the moment to do it.
|
|
|
|
|
*
|
|
|
|
|
* So RK_POST_USERAUTH only tells the transport layer to _consider_
|
|
|
|
|
* rekeying, not to definitely do it. Also, that one enum value is
|
|
|
|
|
* special in that the user-readable reason text is passed in to the
|
|
|
|
|
* transport layer as NULL, whereas fills in the reason text after it
|
|
|
|
|
* decides whether it needs a rekey at all. In the other cases,
|
|
|
|
|
* rekey_reason is passed in to the at the same time as rekey_class.
|
|
|
|
|
*/
|
|
|
|
|
typedef enum RekeyClass {
|
|
|
|
|
RK_NONE = 0,
|
|
|
|
|
RK_INITIAL,
|
|
|
|
|
RK_SERVER,
|
|
|
|
|
RK_NORMAL,
|
|
|
|
|
RK_POST_USERAUTH,
|
|
|
|
|
RK_GSS_UPDATE
|
|
|
|
|
} RekeyClass;
|
|
|
|
|
|
|
|
|
|
struct ssh2_transport_state {
|
|
|
|
|
int crState;
|
|
|
|
|
|
|
|
|
|
PacketProtocolLayer *higher_layer;
|
|
|
|
|
PktInQueue pq_in_higher;
|
|
|
|
|
PktOutQueue pq_out_higher;
|
|
|
|
|
IdempotentCallback ic_pq_out_higher;
|
|
|
|
|
|
|
|
|
|
Conf *conf;
|
|
|
|
|
char *savedhost;
|
|
|
|
|
int savedport;
|
|
|
|
|
const char *rekey_reason;
|
|
|
|
|
enum RekeyClass rekey_class;
|
|
|
|
|
|
|
|
|
|
unsigned long max_data_size;
|
|
|
|
|
|
|
|
|
|
const struct ssh_kex *kex_alg;
|
|
|
|
|
const ssh_keyalg *hostkey_alg;
|
|
|
|
|
char *hostkey_str; /* string representation, for easy checking in rekeys */
|
|
|
|
|
unsigned char session_id[SSH2_KEX_MAX_HASH_LEN];
|
|
|
|
|
int session_id_len;
|
|
|
|
|
struct dh_ctx *dh_ctx;
|
|
|
|
|
ssh_hash *exhash;
|
|
|
|
|
|
|
|
|
|
struct DataTransferStats *stats;
|
|
|
|
|
|
|
|
|
|
char *client_greeting, *server_greeting;
|
|
|
|
|
|
|
|
|
|
int kex_in_progress;
|
|
|
|
|
unsigned long next_rekey, last_rekey;
|
|
|
|
|
const char *deferred_rekey_reason;
|
|
|
|
|
int higher_layer_ok;
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Fully qualified host name, which we need if doing GSSAPI.
|
|
|
|
|
*/
|
|
|
|
|
char *fullhostname;
|
|
|
|
|
|
|
|
|
|
/* shgss is outside the ifdef on purpose to keep APIs simple. If
|
|
|
|
|
* NO_GSSAPI is not defined, then it's just an opaque structure
|
|
|
|
|
* tag and the pointer will be NULL. */
|
|
|
|
|
struct ssh_connection_shared_gss_state *shgss;
|
|
|
|
|
#ifndef NO_GSSAPI
|
|
|
|
|
int gss_status;
|
|
|
|
|
time_t gss_cred_expiry; /* Re-delegate if newer */
|
|
|
|
|
unsigned long gss_ctxt_lifetime; /* Re-delegate when short */
|
|
|
|
|
tree234 *transient_hostkey_cache;
|
|
|
|
|
#endif
|
|
|
|
|
|
|
|
|
|
int gss_kex_used;
|
|
|
|
|
|
|
|
|
|
int nbits, pbits, warn_kex, warn_hk, warn_cscipher, warn_sccipher;
|
|
|
|
|
Bignum p, g, e, f, K;
|
|
|
|
|
void *our_kexinit;
|
|
|
|
|
int our_kexinitlen;
|
|
|
|
|
int kex_init_value, kex_reply_value;
|
|
|
|
|
const struct ssh2_macalg *const *maclist;
|
|
|
|
|
int nmacs;
|
|
|
|
|
struct {
|
|
|
|
|
const struct ssh2_cipheralg *cipher;
|
|
|
|
|
const struct ssh2_macalg *mac;
|
|
|
|
|
int etm_mode;
|
|
|
|
|
const struct ssh_compression_alg *comp;
|
Support OpenSSH delayed compression without a rekey.
The problem with OpenSSH delayed compression is that the spec has a
race condition. Compression is enabled when the server sends
USERAUTH_SUCCESS. In the server->client direction, that's fine: the
USERAUTH_SUCCESS packet is not itself compressed, and the next packet
in the same direction is. But in the client->server direction, this
specification relies on there being a moment of half-duplex in the
connection: the client can't send any outgoing packet _after_ whatever
userauth packet the USERAUTH_SUCCESS was a response to, and _before_
finding out whether the response is USERAUTH_SUCCESS or something
else. If it emitted, say, an SSH_MSG_IGNORE or initiated a rekey
(perhaps due to a timeout), then that might cross in the network with
USERAUTH_SUCCESS and the server wouldn't be able to know whether to
treat it as compressed.
My previous solution was to note the presence of delayed compression
options in the server KEXINIT, but not to negotiate them in the
initial key exchange. Instead, we conduct the userauth exchange with
compression="none", and then once userauth has concluded, we trigger
an immediate rekey in which we do accept delayed compression methods -
because of course by that time they're no different from the non-
delayed versions. And that means compression is enabled by the
bidirectional NEWKEYS exchange, which lacks that race condition.
I think OpenSSH itself gets away with this because its layer structure
is structure so as to never send any such asynchronous transport-layer
message in the middle of userauth. Ours is not. But my cunning plan is
that now that my BPP abstraction includes a queue of packets to be
sent and a callback that processes that queue on to the output raw
data bufchain, it's possible to make that callback terminate early, to
leave any dangerous transport-layer messages unsent while we wait for
a userauth response.
Specifically: if we've negotiated a delayed compression method and not
yet seen USERAUTH_SUCCESS, then ssh2_bpp_handle_output will emit all
packets from its queue up to and including the last one in the
userauth type-code range, and keep back any further ones. The idea is
that _if_ that last userauth message was one that might provoke
USERAUTH_SUCCESS, we don't want to send any difficult things after it;
if it's not (e.g. it's in the middle of some ongoing userauth process
like k-i or GSS) then the userauth layer will know that, and will emit
some further userauth packet on its own initiative which will clue us
in that it's OK to release everything up to and including that one.
(So in particular it wasn't even necessary to forbid _all_ transport-
layer packets during userauth. I could have done that by reordering
the output queue - packets in that queue haven't been assigned their
sequence numbers yet, so that would have been safe - but it's more
elegant not to have to.)
One particular case we do have to be careful about is not trying to
initiate a _rekey_ during userauth, if delayed compression is in the
offing. That's because when we start rekeying, ssh2transport stops
sending any higher-layer packets at all, to discourage servers from
trying to ignore the KEXINIT and press on regardless - you don't get
your higher-layer replies until you actually respond to the
lower-layer interrupt. But in this case, if ssh2transport sent a
KEXINIT, which ssh2bpp kept back in the queue to avoid a delayed
compression race and would only send if another userauth packet
followed it, which ssh2transport would never pass on to ssh2bpp's
output queue, there'd be a complete protocol deadlock. So instead I
defer any attempt to start a rekey until after userauth finishes
(using the existing system for starting a deferred rekey at that
moment, which was previously used for the _old_ delayed-compression
strategy, and still has to be here anyway for GSSAPI purposes).
2018-10-07 08:10:14 +00:00
|
|
|
int comp_delayed;
|
Move most of ssh.c out into separate source files.
I've tried to separate out as many individually coherent changes from
this work as I could into their own commits, but here's where I run
out and have to commit the rest of this major refactoring as a
big-bang change.
Most of ssh.c is now no longer in ssh.c: all five of the main
coroutines that handle layers of the SSH-1 and SSH-2 protocols now
each have their own source file to live in, and a lot of the
supporting functions have moved into the appropriate one of those too.
The new abstraction is a vtable called 'PacketProtocolLayer', which
has an input and output packet queue. Each layer's main coroutine is
invoked from the method ssh_ppl_process_queue(), which is usually
(though not exclusively) triggered automatically when things are
pushed on the input queue. In SSH-2, the base layer is the transport
protocol, and it contains a pair of subsidiary queues by which it
passes some of its packets to the higher SSH-2 layers - first userauth
and then connection, which are peers at the same level, with the
former abdicating in favour of the latter at the appropriate moment.
SSH-1 is simpler: the whole login phase of the protocol (crypto setup
and authentication) is all in one module, and since SSH-1 has no
repeat key exchange, that setup layer abdicates in favour of the
connection phase when it's done.
ssh.c itself is now about a tenth of its old size (which all by itself
is cause for celebration!). Its main job is to set up all the layers,
hook them up to each other and to the BPP, and to funnel data back and
forth between that collection of modules and external things such as
the network and the terminal. Once it's set up a collection of packet
protocol layers, it communicates with them partly by calling methods
of the base layer (and if that's ssh2transport then it will delegate
some functionality to the corresponding methods of its higher layer),
and partly by talking directly to the connection layer no matter where
it is in the stack by means of the separate ConnectionLayer vtable
which I introduced in commit 8001dd4cb, and to which I've now added
quite a few extra methods replacing services that used to be internal
function calls within ssh.c.
(One effect of this is that the SSH-1 and SSH-2 channel storage is now
no longer shared - there are distinct struct types ssh1_channel and
ssh2_channel. That means a bit more code duplication, but on the plus
side, a lot fewer confusing conditionals in the middle of half-shared
functions, and less risk of a piece of SSH-1 escaping into SSH-2 or
vice versa, which I remember has happened at least once in the past.)
The bulk of this commit introduces the five new source files, their
common header sshppl.h and some shared supporting routines in
sshcommon.c, and rewrites nearly all of ssh.c itself. But it also
includes a couple of other changes that I couldn't separate easily
enough:
Firstly, there's a new handling for socket EOF, in which ssh.c sets an
'input_eof' flag in the BPP, and that responds by checking a flag that
tells it whether to report the EOF as an error or not. (This is the
main reason for those new BPP_READ / BPP_WAITFOR macros - they can
check the EOF flag every time the coroutine is resumed.)
Secondly, the error reporting itself is changed around again. I'd
expected to put some data fields in the public PacketProtocolLayer
structure that it could set to report errors in the same way as the
BPPs have been doing, but in the end, I decided propagating all those
data fields around was a pain and that even the BPPs shouldn't have
been doing it that way. So I've reverted to a system where everything
calls back to functions in ssh.c itself to report any connection-
ending condition. But there's a new family of those functions,
categorising the possible such conditions by semantics, and each one
has a different set of detailed effects (e.g. how rudely to close the
network connection, what exit status should be passed back to the
whole application, whether to send a disconnect message and/or display
a GUI error box).
I don't expect this to be immediately perfect: of course, the code has
been through a big upheaval, new bugs are expected, and I haven't been
able to do a full job of testing (e.g. I haven't tested every auth or
kex method). But I've checked that it _basically_ works - both SSH
protocols, all the different kinds of forwarding channel, more than
one auth method, Windows and Linux, connection sharing - and I think
it's now at the point where the easiest way to find further bugs is to
let it out into the wild and see what users can spot.
2018-09-24 17:28:16 +00:00
|
|
|
} in, out;
|
|
|
|
|
ptrlen hostkeydata, sigdata;
|
|
|
|
|
char *keystr, *fingerprint;
|
|
|
|
|
ssh_key *hkey; /* actual host key */
|
|
|
|
|
struct RSAKey *rsa_kex_key; /* for RSA kex */
|
|
|
|
|
struct ec_key *ecdh_key; /* for ECDH kex */
|
|
|
|
|
unsigned char exchange_hash[SSH2_KEX_MAX_HASH_LEN];
|
|
|
|
|
int n_preferred_kex;
|
|
|
|
|
int can_gssapi_keyex;
|
|
|
|
|
int need_gss_transient_hostkey;
|
|
|
|
|
int warned_about_no_gss_transient_hostkey;
|
|
|
|
|
const struct ssh_kexes *preferred_kex[KEX_MAX + 1]; /* +1 for GSSAPI */
|
|
|
|
|
int n_preferred_hk;
|
|
|
|
|
int preferred_hk[HK_MAX];
|
|
|
|
|
int n_preferred_ciphers;
|
|
|
|
|
const struct ssh2_ciphers *preferred_ciphers[CIPHER_MAX];
|
|
|
|
|
const struct ssh_compression_alg *preferred_comp;
|
|
|
|
|
int got_session_id;
|
|
|
|
|
int dlgret;
|
|
|
|
|
int guessok;
|
|
|
|
|
int ignorepkt;
|
|
|
|
|
struct kexinit_algorithm kexlists[NKEXLIST][MAXKEXLIST];
|
|
|
|
|
#ifndef NO_GSSAPI
|
|
|
|
|
Ssh_gss_buf gss_buf;
|
|
|
|
|
Ssh_gss_buf gss_rcvtok, gss_sndtok;
|
|
|
|
|
Ssh_gss_stat gss_stat;
|
|
|
|
|
Ssh_gss_buf mic;
|
|
|
|
|
int init_token_sent;
|
|
|
|
|
int complete_rcvd;
|
|
|
|
|
int gss_delegate;
|
|
|
|
|
#endif
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* List of host key algorithms for which we _don't_ have a stored
|
|
|
|
|
* host key. These are indices into the main hostkey_algs[] array
|
|
|
|
|
*/
|
|
|
|
|
int uncert_hostkeys[lenof(hostkey_algs)];
|
|
|
|
|
int n_uncert_hostkeys;
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Flag indicating that the current rekey is intended to finish
|
|
|
|
|
* with a newly cross-certified host key.
|
|
|
|
|
*/
|
|
|
|
|
int cross_certifying;
|
|
|
|
|
|
|
|
|
|
PacketProtocolLayer ppl;
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
static void ssh2_transport_free(PacketProtocolLayer *);
|
|
|
|
|
static void ssh2_transport_process_queue(PacketProtocolLayer *);
|
|
|
|
|
static int ssh2_transport_get_specials(
|
|
|
|
|
PacketProtocolLayer *ppl, add_special_fn_t add_special, void *ctx);
|
|
|
|
|
static void ssh2_transport_special_cmd(PacketProtocolLayer *ppl,
|
|
|
|
|
SessionSpecialCode code, int arg);
|
|
|
|
|
static int ssh2_transport_want_user_input(PacketProtocolLayer *ppl);
|
|
|
|
|
static void ssh2_transport_got_user_input(PacketProtocolLayer *ppl);
|
|
|
|
|
static void ssh2_transport_reconfigure(PacketProtocolLayer *ppl, Conf *conf);
|
|
|
|
|
|
|
|
|
|
static void ssh2_transport_dialog_callback(void *, int);
|
|
|
|
|
static void ssh2_transport_set_max_data_size(struct ssh2_transport_state *s);
|
|
|
|
|
static unsigned long sanitise_rekey_time(int rekey_time, unsigned long def);
|
|
|
|
|
static void ssh2_transport_higher_layer_packet_callback(void *context);
|
|
|
|
|
|
|
|
|
|
static const struct PacketProtocolLayerVtable ssh2_transport_vtable = {
|
|
|
|
|
ssh2_transport_free,
|
|
|
|
|
ssh2_transport_process_queue,
|
|
|
|
|
ssh2_transport_get_specials,
|
|
|
|
|
ssh2_transport_special_cmd,
|
|
|
|
|
ssh2_transport_want_user_input,
|
|
|
|
|
ssh2_transport_got_user_input,
|
|
|
|
|
ssh2_transport_reconfigure,
|
|
|
|
|
NULL, /* no protocol name for this layer */
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
#ifndef NO_GSSAPI
|
|
|
|
|
static void ssh2_transport_gss_update(struct ssh2_transport_state *s,
|
|
|
|
|
int definitely_rekeying);
|
|
|
|
|
static void ssh_init_transient_hostkey_store(struct ssh2_transport_state *);
|
|
|
|
|
static void ssh_cleanup_transient_hostkey_store(struct ssh2_transport_state *);
|
|
|
|
|
static void ssh_store_transient_hostkey(
|
|
|
|
|
struct ssh2_transport_state *s, ssh_key *key);
|
|
|
|
|
static int ssh_verify_transient_hostkey(
|
|
|
|
|
struct ssh2_transport_state *s, ssh_key *key);
|
|
|
|
|
static int ssh_have_transient_hostkey(
|
|
|
|
|
struct ssh2_transport_state *s, const ssh_keyalg *alg);
|
|
|
|
|
static int ssh_have_any_transient_hostkey(
|
|
|
|
|
struct ssh2_transport_state *s);
|
|
|
|
|
#endif
|
|
|
|
|
|
|
|
|
|
static int ssh2_transport_timer_update(struct ssh2_transport_state *s,
|
|
|
|
|
unsigned long rekey_time);
|
|
|
|
|
|
|
|
|
|
static const char *const kexlist_descr[NKEXLIST] = {
|
|
|
|
|
"key exchange algorithm",
|
|
|
|
|
"host key algorithm",
|
|
|
|
|
"client-to-server cipher",
|
|
|
|
|
"server-to-client cipher",
|
|
|
|
|
"client-to-server MAC",
|
|
|
|
|
"server-to-client MAC",
|
|
|
|
|
"client-to-server compression method",
|
|
|
|
|
"server-to-client compression method"
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
PacketProtocolLayer *ssh2_transport_new(
|
|
|
|
|
Conf *conf, const char *host, int port, const char *fullhostname,
|
|
|
|
|
const char *client_greeting, const char *server_greeting,
|
|
|
|
|
struct ssh_connection_shared_gss_state *shgss,
|
|
|
|
|
struct DataTransferStats *stats,
|
|
|
|
|
PacketProtocolLayer *higher_layer)
|
|
|
|
|
{
|
|
|
|
|
struct ssh2_transport_state *s = snew(struct ssh2_transport_state);
|
|
|
|
|
memset(s, 0, sizeof(*s));
|
|
|
|
|
s->ppl.vt = &ssh2_transport_vtable;
|
|
|
|
|
|
|
|
|
|
s->conf = conf_copy(conf);
|
|
|
|
|
s->savedhost = dupstr(host);
|
|
|
|
|
s->savedport = port;
|
|
|
|
|
s->fullhostname = dupstr(fullhostname);
|
|
|
|
|
s->shgss = shgss;
|
|
|
|
|
s->client_greeting = dupstr(client_greeting);
|
|
|
|
|
s->server_greeting = dupstr(server_greeting);
|
|
|
|
|
s->stats = stats;
|
|
|
|
|
|
|
|
|
|
pq_in_init(&s->pq_in_higher);
|
|
|
|
|
pq_out_init(&s->pq_out_higher);
|
|
|
|
|
s->pq_out_higher.pqb.ic = &s->ic_pq_out_higher;
|
|
|
|
|
s->ic_pq_out_higher.fn = ssh2_transport_higher_layer_packet_callback;
|
|
|
|
|
s->ic_pq_out_higher.ctx = &s->ppl;
|
|
|
|
|
|
|
|
|
|
s->higher_layer = higher_layer;
|
|
|
|
|
s->higher_layer->selfptr = &s->higher_layer;
|
|
|
|
|
ssh_ppl_setup_queues(s->higher_layer, &s->pq_in_higher, &s->pq_out_higher);
|
|
|
|
|
|
|
|
|
|
#ifndef NO_GSSAPI
|
|
|
|
|
s->gss_cred_expiry = GSS_NO_EXPIRATION;
|
|
|
|
|
s->shgss->srv_name = GSS_C_NO_NAME;
|
|
|
|
|
s->shgss->ctx = NULL;
|
|
|
|
|
ssh_init_transient_hostkey_store(s);
|
|
|
|
|
#endif
|
|
|
|
|
s->gss_kex_used = FALSE;
|
|
|
|
|
|
|
|
|
|
ssh2_transport_set_max_data_size(s);
|
|
|
|
|
|
|
|
|
|
return &s->ppl;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static void ssh2_transport_free(PacketProtocolLayer *ppl)
|
|
|
|
|
{
|
|
|
|
|
struct ssh2_transport_state *s =
|
2018-10-05 22:49:08 +00:00
|
|
|
container_of(ppl, struct ssh2_transport_state, ppl);
|
Move most of ssh.c out into separate source files.
I've tried to separate out as many individually coherent changes from
this work as I could into their own commits, but here's where I run
out and have to commit the rest of this major refactoring as a
big-bang change.
Most of ssh.c is now no longer in ssh.c: all five of the main
coroutines that handle layers of the SSH-1 and SSH-2 protocols now
each have their own source file to live in, and a lot of the
supporting functions have moved into the appropriate one of those too.
The new abstraction is a vtable called 'PacketProtocolLayer', which
has an input and output packet queue. Each layer's main coroutine is
invoked from the method ssh_ppl_process_queue(), which is usually
(though not exclusively) triggered automatically when things are
pushed on the input queue. In SSH-2, the base layer is the transport
protocol, and it contains a pair of subsidiary queues by which it
passes some of its packets to the higher SSH-2 layers - first userauth
and then connection, which are peers at the same level, with the
former abdicating in favour of the latter at the appropriate moment.
SSH-1 is simpler: the whole login phase of the protocol (crypto setup
and authentication) is all in one module, and since SSH-1 has no
repeat key exchange, that setup layer abdicates in favour of the
connection phase when it's done.
ssh.c itself is now about a tenth of its old size (which all by itself
is cause for celebration!). Its main job is to set up all the layers,
hook them up to each other and to the BPP, and to funnel data back and
forth between that collection of modules and external things such as
the network and the terminal. Once it's set up a collection of packet
protocol layers, it communicates with them partly by calling methods
of the base layer (and if that's ssh2transport then it will delegate
some functionality to the corresponding methods of its higher layer),
and partly by talking directly to the connection layer no matter where
it is in the stack by means of the separate ConnectionLayer vtable
which I introduced in commit 8001dd4cb, and to which I've now added
quite a few extra methods replacing services that used to be internal
function calls within ssh.c.
(One effect of this is that the SSH-1 and SSH-2 channel storage is now
no longer shared - there are distinct struct types ssh1_channel and
ssh2_channel. That means a bit more code duplication, but on the plus
side, a lot fewer confusing conditionals in the middle of half-shared
functions, and less risk of a piece of SSH-1 escaping into SSH-2 or
vice versa, which I remember has happened at least once in the past.)
The bulk of this commit introduces the five new source files, their
common header sshppl.h and some shared supporting routines in
sshcommon.c, and rewrites nearly all of ssh.c itself. But it also
includes a couple of other changes that I couldn't separate easily
enough:
Firstly, there's a new handling for socket EOF, in which ssh.c sets an
'input_eof' flag in the BPP, and that responds by checking a flag that
tells it whether to report the EOF as an error or not. (This is the
main reason for those new BPP_READ / BPP_WAITFOR macros - they can
check the EOF flag every time the coroutine is resumed.)
Secondly, the error reporting itself is changed around again. I'd
expected to put some data fields in the public PacketProtocolLayer
structure that it could set to report errors in the same way as the
BPPs have been doing, but in the end, I decided propagating all those
data fields around was a pain and that even the BPPs shouldn't have
been doing it that way. So I've reverted to a system where everything
calls back to functions in ssh.c itself to report any connection-
ending condition. But there's a new family of those functions,
categorising the possible such conditions by semantics, and each one
has a different set of detailed effects (e.g. how rudely to close the
network connection, what exit status should be passed back to the
whole application, whether to send a disconnect message and/or display
a GUI error box).
I don't expect this to be immediately perfect: of course, the code has
been through a big upheaval, new bugs are expected, and I haven't been
able to do a full job of testing (e.g. I haven't tested every auth or
kex method). But I've checked that it _basically_ works - both SSH
protocols, all the different kinds of forwarding channel, more than
one auth method, Windows and Linux, connection sharing - and I think
it's now at the point where the easiest way to find further bugs is to
let it out into the wild and see what users can spot.
2018-09-24 17:28:16 +00:00
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* As our last act before being freed, move any outgoing packets
|
|
|
|
|
* off our higher layer's output queue on to our own output queue.
|
|
|
|
|
* We might be being freed while the SSH connection is still alive
|
|
|
|
|
* (because we're initiating shutdown from our end), in which case
|
|
|
|
|
* we don't want those last few packets to get lost.
|
|
|
|
|
*
|
|
|
|
|
* (If our owner were to have already destroyed our output pq
|
|
|
|
|
* before wanting to free us, then it would have to reset our
|
|
|
|
|
* publicly visible out_pq field to NULL to inhibit this attempt.
|
|
|
|
|
* But that's not how I expect the shutdown sequence to go in
|
|
|
|
|
* practice.)
|
|
|
|
|
*/
|
|
|
|
|
if (s->ppl.out_pq)
|
|
|
|
|
pq_concatenate(s->ppl.out_pq, s->ppl.out_pq, &s->pq_out_higher);
|
|
|
|
|
|
|
|
|
|
conf_free(s->conf);
|
|
|
|
|
|
|
|
|
|
ssh_ppl_free(s->higher_layer);
|
|
|
|
|
|
|
|
|
|
pq_in_clear(&s->pq_in_higher);
|
|
|
|
|
pq_out_clear(&s->pq_out_higher);
|
|
|
|
|
|
|
|
|
|
sfree(s->savedhost);
|
|
|
|
|
sfree(s->fullhostname);
|
|
|
|
|
sfree(s->client_greeting);
|
|
|
|
|
sfree(s->server_greeting);
|
|
|
|
|
sfree(s->keystr);
|
|
|
|
|
sfree(s->hostkey_str);
|
|
|
|
|
sfree(s->fingerprint);
|
|
|
|
|
if (s->hkey) {
|
|
|
|
|
ssh_key_free(s->hkey);
|
|
|
|
|
s->hkey = NULL;
|
|
|
|
|
}
|
|
|
|
|
if (s->f) freebn(s->f);
|
|
|
|
|
if (s->p) freebn(s->p);
|
|
|
|
|
if (s->g) freebn(s->g);
|
|
|
|
|
if (s->K) freebn(s->K);
|
|
|
|
|
if (s->dh_ctx)
|
|
|
|
|
dh_cleanup(s->dh_ctx);
|
|
|
|
|
if (s->rsa_kex_key)
|
|
|
|
|
ssh_rsakex_freekey(s->rsa_kex_key);
|
|
|
|
|
if (s->ecdh_key)
|
|
|
|
|
ssh_ecdhkex_freekey(s->ecdh_key);
|
|
|
|
|
if (s->exhash)
|
|
|
|
|
ssh_hash_free(s->exhash);
|
|
|
|
|
#ifndef NO_GSSAPI
|
|
|
|
|
ssh_cleanup_transient_hostkey_store(s);
|
|
|
|
|
#endif
|
|
|
|
|
sfree(s);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* SSH-2 key derivation (RFC 4253 section 7.2).
|
|
|
|
|
*/
|
|
|
|
|
static void ssh2_mkkey(
|
|
|
|
|
struct ssh2_transport_state *s, strbuf *out,
|
|
|
|
|
Bignum K, unsigned char *H, char chr, int keylen)
|
|
|
|
|
{
|
|
|
|
|
int hlen = s->kex_alg->hash->hlen;
|
|
|
|
|
int keylen_padded;
|
|
|
|
|
unsigned char *key;
|
|
|
|
|
ssh_hash *h;
|
|
|
|
|
|
|
|
|
|
if (keylen == 0)
|
|
|
|
|
return;
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Round the requested amount of key material up to a multiple of
|
|
|
|
|
* the length of the hash we're using to make it. This makes life
|
|
|
|
|
* simpler because then we can just write each hash output block
|
|
|
|
|
* straight into the output buffer without fiddling about
|
|
|
|
|
* truncating the last one. Since it's going into a strbuf, and
|
|
|
|
|
* strbufs are always smemclr()ed on free, there's no need to
|
|
|
|
|
* worry about leaving extra potentially-sensitive data in memory
|
|
|
|
|
* that the caller didn't ask for.
|
|
|
|
|
*/
|
|
|
|
|
keylen_padded = ((keylen + hlen - 1) / hlen) * hlen;
|
|
|
|
|
|
|
|
|
|
out->len = 0;
|
|
|
|
|
key = strbuf_append(out, keylen_padded);
|
|
|
|
|
|
|
|
|
|
/* First hlen bytes. */
|
|
|
|
|
h = ssh_hash_new(s->kex_alg->hash);
|
|
|
|
|
if (!(s->ppl.remote_bugs & BUG_SSH2_DERIVEKEY))
|
|
|
|
|
put_mp_ssh2(h, K);
|
|
|
|
|
put_data(h, H, hlen);
|
|
|
|
|
put_byte(h, chr);
|
|
|
|
|
put_data(h, s->session_id, s->session_id_len);
|
|
|
|
|
ssh_hash_final(h, key);
|
|
|
|
|
|
|
|
|
|
/* Subsequent blocks of hlen bytes. */
|
|
|
|
|
if (keylen_padded > hlen) {
|
|
|
|
|
int offset;
|
|
|
|
|
|
|
|
|
|
h = ssh_hash_new(s->kex_alg->hash);
|
|
|
|
|
if (!(s->ppl.remote_bugs & BUG_SSH2_DERIVEKEY))
|
|
|
|
|
put_mp_ssh2(h, K);
|
|
|
|
|
put_data(h, H, hlen);
|
|
|
|
|
|
|
|
|
|
for (offset = hlen; offset < keylen_padded; offset += hlen) {
|
|
|
|
|
put_data(h, key + offset - hlen, hlen);
|
|
|
|
|
ssh_hash *h2 = ssh_hash_copy(h);
|
|
|
|
|
ssh_hash_final(h2, key + offset);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
ssh_hash_free(h);
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Find a slot in a KEXINIT algorithm list to use for a new algorithm.
|
|
|
|
|
* If the algorithm is already in the list, return a pointer to its
|
|
|
|
|
* entry, otherwise return an entry from the end of the list.
|
|
|
|
|
* This assumes that every time a particular name is passed in, it
|
|
|
|
|
* comes from the same string constant. If this isn't true, this
|
|
|
|
|
* function may need to be rewritten to use strcmp() instead.
|
|
|
|
|
*/
|
|
|
|
|
static struct kexinit_algorithm *ssh2_kexinit_addalg(struct kexinit_algorithm
|
|
|
|
|
*list, const char *name)
|
|
|
|
|
{
|
|
|
|
|
int i;
|
|
|
|
|
|
|
|
|
|
for (i = 0; i < MAXKEXLIST; i++)
|
|
|
|
|
if (list[i].name == NULL || list[i].name == name) {
|
|
|
|
|
list[i].name = name;
|
|
|
|
|
return &list[i];
|
|
|
|
|
}
|
|
|
|
|
assert(!"No space in KEXINIT list");
|
|
|
|
|
return NULL;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
int ssh2_common_filter_queue(PacketProtocolLayer *ppl)
|
|
|
|
|
{
|
|
|
|
|
static const char *const ssh2_disconnect_reasons[] = {
|
|
|
|
|
NULL,
|
|
|
|
|
"host not allowed to connect",
|
|
|
|
|
"protocol error",
|
|
|
|
|
"key exchange failed",
|
|
|
|
|
"host authentication failed",
|
|
|
|
|
"MAC error",
|
|
|
|
|
"compression error",
|
|
|
|
|
"service not available",
|
|
|
|
|
"protocol version not supported",
|
|
|
|
|
"host key not verifiable",
|
|
|
|
|
"connection lost",
|
|
|
|
|
"by application",
|
|
|
|
|
"too many connections",
|
|
|
|
|
"auth cancelled by user",
|
|
|
|
|
"no more auth methods available",
|
|
|
|
|
"illegal user name",
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
PktIn *pktin;
|
|
|
|
|
ptrlen msg;
|
|
|
|
|
int reason;
|
|
|
|
|
|
|
|
|
|
while ((pktin = pq_peek(ppl->in_pq)) != NULL) {
|
|
|
|
|
switch (pktin->type) {
|
|
|
|
|
case SSH2_MSG_DISCONNECT:
|
|
|
|
|
reason = get_uint32(pktin);
|
|
|
|
|
msg = get_string(pktin);
|
|
|
|
|
|
|
|
|
|
ssh_remote_error(
|
|
|
|
|
ppl->ssh, "Server sent disconnect message\n"
|
|
|
|
|
"type %d (%s):\n\"%.*s\"", reason,
|
|
|
|
|
((reason > 0 && reason < lenof(ssh2_disconnect_reasons)) ?
|
|
|
|
|
ssh2_disconnect_reasons[reason] : "unknown"),
|
|
|
|
|
PTRLEN_PRINTF(msg));
|
2018-10-13 16:16:07 +00:00
|
|
|
pq_pop(ppl->in_pq);
|
Move most of ssh.c out into separate source files.
I've tried to separate out as many individually coherent changes from
this work as I could into their own commits, but here's where I run
out and have to commit the rest of this major refactoring as a
big-bang change.
Most of ssh.c is now no longer in ssh.c: all five of the main
coroutines that handle layers of the SSH-1 and SSH-2 protocols now
each have their own source file to live in, and a lot of the
supporting functions have moved into the appropriate one of those too.
The new abstraction is a vtable called 'PacketProtocolLayer', which
has an input and output packet queue. Each layer's main coroutine is
invoked from the method ssh_ppl_process_queue(), which is usually
(though not exclusively) triggered automatically when things are
pushed on the input queue. In SSH-2, the base layer is the transport
protocol, and it contains a pair of subsidiary queues by which it
passes some of its packets to the higher SSH-2 layers - first userauth
and then connection, which are peers at the same level, with the
former abdicating in favour of the latter at the appropriate moment.
SSH-1 is simpler: the whole login phase of the protocol (crypto setup
and authentication) is all in one module, and since SSH-1 has no
repeat key exchange, that setup layer abdicates in favour of the
connection phase when it's done.
ssh.c itself is now about a tenth of its old size (which all by itself
is cause for celebration!). Its main job is to set up all the layers,
hook them up to each other and to the BPP, and to funnel data back and
forth between that collection of modules and external things such as
the network and the terminal. Once it's set up a collection of packet
protocol layers, it communicates with them partly by calling methods
of the base layer (and if that's ssh2transport then it will delegate
some functionality to the corresponding methods of its higher layer),
and partly by talking directly to the connection layer no matter where
it is in the stack by means of the separate ConnectionLayer vtable
which I introduced in commit 8001dd4cb, and to which I've now added
quite a few extra methods replacing services that used to be internal
function calls within ssh.c.
(One effect of this is that the SSH-1 and SSH-2 channel storage is now
no longer shared - there are distinct struct types ssh1_channel and
ssh2_channel. That means a bit more code duplication, but on the plus
side, a lot fewer confusing conditionals in the middle of half-shared
functions, and less risk of a piece of SSH-1 escaping into SSH-2 or
vice versa, which I remember has happened at least once in the past.)
The bulk of this commit introduces the five new source files, their
common header sshppl.h and some shared supporting routines in
sshcommon.c, and rewrites nearly all of ssh.c itself. But it also
includes a couple of other changes that I couldn't separate easily
enough:
Firstly, there's a new handling for socket EOF, in which ssh.c sets an
'input_eof' flag in the BPP, and that responds by checking a flag that
tells it whether to report the EOF as an error or not. (This is the
main reason for those new BPP_READ / BPP_WAITFOR macros - they can
check the EOF flag every time the coroutine is resumed.)
Secondly, the error reporting itself is changed around again. I'd
expected to put some data fields in the public PacketProtocolLayer
structure that it could set to report errors in the same way as the
BPPs have been doing, but in the end, I decided propagating all those
data fields around was a pain and that even the BPPs shouldn't have
been doing it that way. So I've reverted to a system where everything
calls back to functions in ssh.c itself to report any connection-
ending condition. But there's a new family of those functions,
categorising the possible such conditions by semantics, and each one
has a different set of detailed effects (e.g. how rudely to close the
network connection, what exit status should be passed back to the
whole application, whether to send a disconnect message and/or display
a GUI error box).
I don't expect this to be immediately perfect: of course, the code has
been through a big upheaval, new bugs are expected, and I haven't been
able to do a full job of testing (e.g. I haven't tested every auth or
kex method). But I've checked that it _basically_ works - both SSH
protocols, all the different kinds of forwarding channel, more than
one auth method, Windows and Linux, connection sharing - and I think
it's now at the point where the easiest way to find further bugs is to
let it out into the wild and see what users can spot.
2018-09-24 17:28:16 +00:00
|
|
|
return TRUE; /* indicate that we've been freed */
|
|
|
|
|
|
|
|
|
|
case SSH2_MSG_DEBUG:
|
|
|
|
|
/* XXX maybe we should actually take notice of the return value */
|
|
|
|
|
get_bool(pktin);
|
|
|
|
|
msg = get_string(pktin);
|
|
|
|
|
ppl_logevent(("Remote debug message: %.*s", PTRLEN_PRINTF(msg)));
|
|
|
|
|
pq_pop(ppl->in_pq);
|
|
|
|
|
break;
|
|
|
|
|
|
|
|
|
|
case SSH2_MSG_IGNORE:
|
|
|
|
|
/* Do nothing, because we're ignoring it! Duhh. */
|
|
|
|
|
pq_pop(ppl->in_pq);
|
|
|
|
|
break;
|
|
|
|
|
|
|
|
|
|
default:
|
|
|
|
|
return FALSE;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return FALSE;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static int ssh2_transport_filter_queue(struct ssh2_transport_state *s)
|
|
|
|
|
{
|
|
|
|
|
PktIn *pktin;
|
|
|
|
|
|
|
|
|
|
while (1) {
|
|
|
|
|
if (ssh2_common_filter_queue(&s->ppl))
|
|
|
|
|
return TRUE;
|
|
|
|
|
if ((pktin = pq_peek(s->ppl.in_pq)) == NULL)
|
|
|
|
|
return FALSE;
|
|
|
|
|
|
|
|
|
|
/* Pass on packets to the next layer if they're outside
|
|
|
|
|
* the range reserved for the transport protocol. */
|
|
|
|
|
if (pktin->type >= 50) {
|
|
|
|
|
/* ... except that we shouldn't tolerate higher-layer
|
|
|
|
|
* packets coming from the server before we've seen
|
|
|
|
|
* the first NEWKEYS. */
|
|
|
|
|
if (!s->higher_layer_ok) {
|
|
|
|
|
ssh_proto_error(s->ppl.ssh, "Received premature higher-"
|
|
|
|
|
"layer packet, type %d (%s)", pktin->type,
|
|
|
|
|
ssh2_pkt_type(s->ppl.bpp->pls->kctx,
|
|
|
|
|
s->ppl.bpp->pls->actx,
|
|
|
|
|
pktin->type));
|
|
|
|
|
return TRUE;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
pq_pop(s->ppl.in_pq);
|
|
|
|
|
pq_push(&s->pq_in_higher, pktin);
|
|
|
|
|
} else {
|
|
|
|
|
/* Anything else is a transport-layer packet that the main
|
|
|
|
|
* process_queue coroutine should handle. */
|
|
|
|
|
return FALSE;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static PktIn *ssh2_transport_pop(struct ssh2_transport_state *s)
|
|
|
|
|
{
|
|
|
|
|
ssh2_transport_filter_queue(s);
|
|
|
|
|
return pq_pop(s->ppl.in_pq);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static void ssh2_transport_process_queue(PacketProtocolLayer *ppl)
|
|
|
|
|
{
|
|
|
|
|
struct ssh2_transport_state *s =
|
2018-10-05 22:49:08 +00:00
|
|
|
container_of(ppl, struct ssh2_transport_state, ppl);
|
Move most of ssh.c out into separate source files.
I've tried to separate out as many individually coherent changes from
this work as I could into their own commits, but here's where I run
out and have to commit the rest of this major refactoring as a
big-bang change.
Most of ssh.c is now no longer in ssh.c: all five of the main
coroutines that handle layers of the SSH-1 and SSH-2 protocols now
each have their own source file to live in, and a lot of the
supporting functions have moved into the appropriate one of those too.
The new abstraction is a vtable called 'PacketProtocolLayer', which
has an input and output packet queue. Each layer's main coroutine is
invoked from the method ssh_ppl_process_queue(), which is usually
(though not exclusively) triggered automatically when things are
pushed on the input queue. In SSH-2, the base layer is the transport
protocol, and it contains a pair of subsidiary queues by which it
passes some of its packets to the higher SSH-2 layers - first userauth
and then connection, which are peers at the same level, with the
former abdicating in favour of the latter at the appropriate moment.
SSH-1 is simpler: the whole login phase of the protocol (crypto setup
and authentication) is all in one module, and since SSH-1 has no
repeat key exchange, that setup layer abdicates in favour of the
connection phase when it's done.
ssh.c itself is now about a tenth of its old size (which all by itself
is cause for celebration!). Its main job is to set up all the layers,
hook them up to each other and to the BPP, and to funnel data back and
forth between that collection of modules and external things such as
the network and the terminal. Once it's set up a collection of packet
protocol layers, it communicates with them partly by calling methods
of the base layer (and if that's ssh2transport then it will delegate
some functionality to the corresponding methods of its higher layer),
and partly by talking directly to the connection layer no matter where
it is in the stack by means of the separate ConnectionLayer vtable
which I introduced in commit 8001dd4cb, and to which I've now added
quite a few extra methods replacing services that used to be internal
function calls within ssh.c.
(One effect of this is that the SSH-1 and SSH-2 channel storage is now
no longer shared - there are distinct struct types ssh1_channel and
ssh2_channel. That means a bit more code duplication, but on the plus
side, a lot fewer confusing conditionals in the middle of half-shared
functions, and less risk of a piece of SSH-1 escaping into SSH-2 or
vice versa, which I remember has happened at least once in the past.)
The bulk of this commit introduces the five new source files, their
common header sshppl.h and some shared supporting routines in
sshcommon.c, and rewrites nearly all of ssh.c itself. But it also
includes a couple of other changes that I couldn't separate easily
enough:
Firstly, there's a new handling for socket EOF, in which ssh.c sets an
'input_eof' flag in the BPP, and that responds by checking a flag that
tells it whether to report the EOF as an error or not. (This is the
main reason for those new BPP_READ / BPP_WAITFOR macros - they can
check the EOF flag every time the coroutine is resumed.)
Secondly, the error reporting itself is changed around again. I'd
expected to put some data fields in the public PacketProtocolLayer
structure that it could set to report errors in the same way as the
BPPs have been doing, but in the end, I decided propagating all those
data fields around was a pain and that even the BPPs shouldn't have
been doing it that way. So I've reverted to a system where everything
calls back to functions in ssh.c itself to report any connection-
ending condition. But there's a new family of those functions,
categorising the possible such conditions by semantics, and each one
has a different set of detailed effects (e.g. how rudely to close the
network connection, what exit status should be passed back to the
whole application, whether to send a disconnect message and/or display
a GUI error box).
I don't expect this to be immediately perfect: of course, the code has
been through a big upheaval, new bugs are expected, and I haven't been
able to do a full job of testing (e.g. I haven't tested every auth or
kex method). But I've checked that it _basically_ works - both SSH
protocols, all the different kinds of forwarding channel, more than
one auth method, Windows and Linux, connection sharing - and I think
it's now at the point where the easiest way to find further bugs is to
let it out into the wild and see what users can spot.
2018-09-24 17:28:16 +00:00
|
|
|
PktIn *pktin;
|
|
|
|
|
PktOut *pktout;
|
|
|
|
|
|
|
|
|
|
/* Filter centrally handled messages off the front of the queue on
|
|
|
|
|
* every entry to this coroutine, no matter where we're resuming
|
|
|
|
|
* from, even if we're _not_ looping on pq_pop. That way we can
|
|
|
|
|
* still proactively handle those messages even if we're waiting
|
|
|
|
|
* for a user response. */
|
|
|
|
|
ssh2_transport_filter_queue(s);
|
|
|
|
|
|
|
|
|
|
crBegin(s->crState);
|
|
|
|
|
|
|
|
|
|
s->in.cipher = s->out.cipher = NULL;
|
|
|
|
|
s->in.mac = s->out.mac = NULL;
|
|
|
|
|
s->in.comp = s->out.comp = NULL;
|
|
|
|
|
|
|
|
|
|
s->got_session_id = FALSE;
|
|
|
|
|
s->need_gss_transient_hostkey = FALSE;
|
|
|
|
|
s->warned_about_no_gss_transient_hostkey = FALSE;
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Be prepared to work around the buggy MAC problem.
|
|
|
|
|
*/
|
|
|
|
|
if (s->ppl.remote_bugs & BUG_SSH2_HMAC)
|
|
|
|
|
s->maclist = buggymacs, s->nmacs = lenof(buggymacs);
|
|
|
|
|
else
|
|
|
|
|
s->maclist = macs, s->nmacs = lenof(macs);
|
|
|
|
|
|
|
|
|
|
begin_key_exchange:
|
|
|
|
|
|
|
|
|
|
#ifndef NO_GSSAPI
|
|
|
|
|
if (s->need_gss_transient_hostkey) {
|
|
|
|
|
/*
|
|
|
|
|
* This flag indicates a special case in which we must not do
|
|
|
|
|
* GSS key exchange even if we could. (See comments below,
|
|
|
|
|
* where the flag was set on the previous key exchange.)
|
|
|
|
|
*/
|
|
|
|
|
s->can_gssapi_keyex = FALSE;
|
|
|
|
|
} else if (conf_get_int(s->conf, CONF_try_gssapi_kex)) {
|
|
|
|
|
/*
|
|
|
|
|
* We always check if we have GSS creds before we come up with
|
|
|
|
|
* the kex algorithm list, otherwise future rekeys will fail
|
|
|
|
|
* when creds expire. To make this so, this code section must
|
|
|
|
|
* follow the begin_key_exchange label above, otherwise this
|
|
|
|
|
* section would execute just once per-connection.
|
|
|
|
|
*
|
|
|
|
|
* Update GSS state unless the reason we're here is that a
|
|
|
|
|
* timer just checked the GSS state and decided that we should
|
|
|
|
|
* rekey to update delegated credentials. In that case, the
|
|
|
|
|
* state is "fresh".
|
|
|
|
|
*/
|
|
|
|
|
if (s->rekey_class != RK_GSS_UPDATE)
|
|
|
|
|
ssh2_transport_gss_update(s, TRUE);
|
|
|
|
|
|
|
|
|
|
/* Do GSSAPI KEX when capable */
|
|
|
|
|
s->can_gssapi_keyex = s->gss_status & GSS_KEX_CAPABLE;
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* But not when failure is likely. [ GSS implementations may
|
|
|
|
|
* attempt (and fail) to use a ticket that is almost expired
|
|
|
|
|
* when retrieved from the ccache that actually expires by the
|
|
|
|
|
* time the server receives it. ]
|
|
|
|
|
*
|
|
|
|
|
* Note: The first time always try KEXGSS if we can, failures
|
|
|
|
|
* will be very rare, and disabling the initial GSS KEX is
|
|
|
|
|
* worse. Some day GSS libraries will ignore cached tickets
|
|
|
|
|
* whose lifetime is critically short, and will instead use
|
|
|
|
|
* fresh ones.
|
|
|
|
|
*/
|
|
|
|
|
if (!s->got_session_id && (s->gss_status & GSS_CTXT_MAYFAIL) != 0)
|
|
|
|
|
s->can_gssapi_keyex = 0;
|
|
|
|
|
s->gss_delegate = conf_get_int(s->conf, CONF_gssapifwd);
|
|
|
|
|
} else {
|
|
|
|
|
s->can_gssapi_keyex = FALSE;
|
|
|
|
|
}
|
|
|
|
|
#endif
|
|
|
|
|
|
|
|
|
|
s->ppl.bpp->pls->kctx = SSH2_PKTCTX_NOKEX;
|
|
|
|
|
{
|
|
|
|
|
int i, j, k, warn;
|
|
|
|
|
struct kexinit_algorithm *alg;
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Set up the preferred key exchange. (NULL => warn below here)
|
|
|
|
|
*/
|
|
|
|
|
s->n_preferred_kex = 0;
|
|
|
|
|
if (s->can_gssapi_keyex)
|
|
|
|
|
s->preferred_kex[s->n_preferred_kex++] = &ssh_gssk5_sha1_kex;
|
|
|
|
|
for (i = 0; i < KEX_MAX; i++) {
|
|
|
|
|
switch (conf_get_int_int(s->conf, CONF_ssh_kexlist, i)) {
|
|
|
|
|
case KEX_DHGEX:
|
|
|
|
|
s->preferred_kex[s->n_preferred_kex++] =
|
|
|
|
|
&ssh_diffiehellman_gex;
|
|
|
|
|
break;
|
|
|
|
|
case KEX_DHGROUP14:
|
|
|
|
|
s->preferred_kex[s->n_preferred_kex++] =
|
|
|
|
|
&ssh_diffiehellman_group14;
|
|
|
|
|
break;
|
|
|
|
|
case KEX_DHGROUP1:
|
|
|
|
|
s->preferred_kex[s->n_preferred_kex++] =
|
|
|
|
|
&ssh_diffiehellman_group1;
|
|
|
|
|
break;
|
|
|
|
|
case KEX_RSA:
|
|
|
|
|
s->preferred_kex[s->n_preferred_kex++] =
|
|
|
|
|
&ssh_rsa_kex;
|
|
|
|
|
break;
|
|
|
|
|
case KEX_ECDH:
|
|
|
|
|
s->preferred_kex[s->n_preferred_kex++] =
|
|
|
|
|
&ssh_ecdh_kex;
|
|
|
|
|
break;
|
|
|
|
|
case KEX_WARN:
|
|
|
|
|
/* Flag for later. Don't bother if it's the last in
|
|
|
|
|
* the list. */
|
|
|
|
|
if (i < KEX_MAX - 1) {
|
|
|
|
|
s->preferred_kex[s->n_preferred_kex++] = NULL;
|
|
|
|
|
}
|
|
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Set up the preferred host key types. These are just the ids
|
|
|
|
|
* in the enum in putty.h, so 'warn below here' is indicated
|
|
|
|
|
* by HK_WARN.
|
|
|
|
|
*/
|
|
|
|
|
s->n_preferred_hk = 0;
|
|
|
|
|
for (i = 0; i < HK_MAX; i++) {
|
|
|
|
|
int id = conf_get_int_int(s->conf, CONF_ssh_hklist, i);
|
|
|
|
|
/* As above, don't bother with HK_WARN if it's last in the
|
|
|
|
|
* list */
|
|
|
|
|
if (id != HK_WARN || i < HK_MAX - 1)
|
|
|
|
|
s->preferred_hk[s->n_preferred_hk++] = id;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Set up the preferred ciphers. (NULL => warn below here)
|
|
|
|
|
*/
|
|
|
|
|
s->n_preferred_ciphers = 0;
|
|
|
|
|
for (i = 0; i < CIPHER_MAX; i++) {
|
|
|
|
|
switch (conf_get_int_int(s->conf, CONF_ssh_cipherlist, i)) {
|
|
|
|
|
case CIPHER_BLOWFISH:
|
|
|
|
|
s->preferred_ciphers[s->n_preferred_ciphers++] = &ssh2_blowfish;
|
|
|
|
|
break;
|
|
|
|
|
case CIPHER_DES:
|
|
|
|
|
if (conf_get_int(s->conf, CONF_ssh2_des_cbc))
|
|
|
|
|
s->preferred_ciphers[s->n_preferred_ciphers++] = &ssh2_des;
|
|
|
|
|
break;
|
|
|
|
|
case CIPHER_3DES:
|
|
|
|
|
s->preferred_ciphers[s->n_preferred_ciphers++] = &ssh2_3des;
|
|
|
|
|
break;
|
|
|
|
|
case CIPHER_AES:
|
|
|
|
|
s->preferred_ciphers[s->n_preferred_ciphers++] = &ssh2_aes;
|
|
|
|
|
break;
|
|
|
|
|
case CIPHER_ARCFOUR:
|
|
|
|
|
s->preferred_ciphers[s->n_preferred_ciphers++] = &ssh2_arcfour;
|
|
|
|
|
break;
|
|
|
|
|
case CIPHER_CHACHA20:
|
|
|
|
|
s->preferred_ciphers[s->n_preferred_ciphers++] = &ssh2_ccp;
|
|
|
|
|
break;
|
|
|
|
|
case CIPHER_WARN:
|
|
|
|
|
/* Flag for later. Don't bother if it's the last in
|
|
|
|
|
* the list. */
|
|
|
|
|
if (i < CIPHER_MAX - 1) {
|
|
|
|
|
s->preferred_ciphers[s->n_preferred_ciphers++] = NULL;
|
|
|
|
|
}
|
|
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Set up preferred compression.
|
|
|
|
|
*/
|
|
|
|
|
if (conf_get_int(s->conf, CONF_compression))
|
|
|
|
|
s->preferred_comp = &ssh_zlib;
|
|
|
|
|
else
|
|
|
|
|
s->preferred_comp = &ssh_comp_none;
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Flag that KEX is in progress.
|
|
|
|
|
*/
|
|
|
|
|
s->kex_in_progress = TRUE;
|
|
|
|
|
|
|
|
|
|
for (i = 0; i < NKEXLIST; i++)
|
|
|
|
|
for (j = 0; j < MAXKEXLIST; j++)
|
|
|
|
|
s->kexlists[i][j].name = NULL;
|
|
|
|
|
/* List key exchange algorithms. */
|
|
|
|
|
warn = FALSE;
|
|
|
|
|
for (i = 0; i < s->n_preferred_kex; i++) {
|
|
|
|
|
const struct ssh_kexes *k = s->preferred_kex[i];
|
|
|
|
|
if (!k) warn = TRUE;
|
|
|
|
|
else for (j = 0; j < k->nkexes; j++) {
|
|
|
|
|
alg = ssh2_kexinit_addalg(s->kexlists[KEXLIST_KEX],
|
|
|
|
|
k->list[j]->name);
|
|
|
|
|
alg->u.kex.kex = k->list[j];
|
|
|
|
|
alg->u.kex.warn = warn;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
/* List server host key algorithms. */
|
|
|
|
|
if (!s->got_session_id) {
|
|
|
|
|
/*
|
|
|
|
|
* In the first key exchange, we list all the algorithms
|
|
|
|
|
* we're prepared to cope with, but prefer those algorithms
|
|
|
|
|
* for which we have a host key for this host.
|
|
|
|
|
*
|
|
|
|
|
* If the host key algorithm is below the warning
|
|
|
|
|
* threshold, we warn even if we did already have a key
|
|
|
|
|
* for it, on the basis that if the user has just
|
|
|
|
|
* reconfigured that host key type to be warned about,
|
|
|
|
|
* they surely _do_ want to be alerted that a server
|
|
|
|
|
* they're actually connecting to is using it.
|
|
|
|
|
*/
|
|
|
|
|
warn = FALSE;
|
|
|
|
|
for (i = 0; i < s->n_preferred_hk; i++) {
|
|
|
|
|
if (s->preferred_hk[i] == HK_WARN)
|
|
|
|
|
warn = TRUE;
|
|
|
|
|
for (j = 0; j < lenof(hostkey_algs); j++) {
|
|
|
|
|
if (hostkey_algs[j].id != s->preferred_hk[i])
|
|
|
|
|
continue;
|
|
|
|
|
if (have_ssh_host_key(s->savedhost, s->savedport,
|
|
|
|
|
hostkey_algs[j].alg->cache_id)) {
|
|
|
|
|
alg = ssh2_kexinit_addalg(s->kexlists[KEXLIST_HOSTKEY],
|
|
|
|
|
hostkey_algs[j].alg->ssh_id);
|
|
|
|
|
alg->u.hk.hostkey = hostkey_algs[j].alg;
|
|
|
|
|
alg->u.hk.warn = warn;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
warn = FALSE;
|
|
|
|
|
for (i = 0; i < s->n_preferred_hk; i++) {
|
|
|
|
|
if (s->preferred_hk[i] == HK_WARN)
|
|
|
|
|
warn = TRUE;
|
|
|
|
|
for (j = 0; j < lenof(hostkey_algs); j++) {
|
|
|
|
|
if (hostkey_algs[j].id != s->preferred_hk[i])
|
|
|
|
|
continue;
|
|
|
|
|
alg = ssh2_kexinit_addalg(s->kexlists[KEXLIST_HOSTKEY],
|
|
|
|
|
hostkey_algs[j].alg->ssh_id);
|
|
|
|
|
alg->u.hk.hostkey = hostkey_algs[j].alg;
|
|
|
|
|
alg->u.hk.warn = warn;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
#ifndef NO_GSSAPI
|
|
|
|
|
} else if (s->gss_kex_used && !s->need_gss_transient_hostkey) {
|
|
|
|
|
/*
|
|
|
|
|
* If we've previously done a GSSAPI KEX, then we list
|
|
|
|
|
* precisely the algorithms for which a previous GSS key
|
|
|
|
|
* exchange has delivered us a host key, because we expect
|
|
|
|
|
* one of exactly those keys to be used in any subsequent
|
|
|
|
|
* non-GSS-based rekey.
|
|
|
|
|
*
|
|
|
|
|
* An exception is if this is the key exchange we
|
|
|
|
|
* triggered for the purposes of populating that cache -
|
|
|
|
|
* in which case the cache will currently be empty, which
|
|
|
|
|
* isn't helpful!
|
|
|
|
|
*/
|
|
|
|
|
warn = FALSE;
|
|
|
|
|
for (i = 0; i < s->n_preferred_hk; i++) {
|
|
|
|
|
if (s->preferred_hk[i] == HK_WARN)
|
|
|
|
|
warn = TRUE;
|
|
|
|
|
for (j = 0; j < lenof(hostkey_algs); j++) {
|
|
|
|
|
if (hostkey_algs[j].id != s->preferred_hk[i])
|
|
|
|
|
continue;
|
|
|
|
|
if (ssh_have_transient_hostkey(s, hostkey_algs[j].alg)) {
|
|
|
|
|
alg = ssh2_kexinit_addalg(s->kexlists[KEXLIST_HOSTKEY],
|
|
|
|
|
hostkey_algs[j].alg->ssh_id);
|
|
|
|
|
alg->u.hk.hostkey = hostkey_algs[j].alg;
|
|
|
|
|
alg->u.hk.warn = warn;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
#endif
|
|
|
|
|
} else {
|
|
|
|
|
/*
|
|
|
|
|
* In subsequent key exchanges, we list only the kex
|
|
|
|
|
* algorithm that was selected in the first key exchange,
|
|
|
|
|
* so that we keep getting the same host key and hence
|
|
|
|
|
* don't have to interrupt the user's session to ask for
|
|
|
|
|
* reverification.
|
|
|
|
|
*/
|
|
|
|
|
assert(s->kex_alg);
|
|
|
|
|
alg = ssh2_kexinit_addalg(s->kexlists[KEXLIST_HOSTKEY],
|
|
|
|
|
s->hostkey_alg->ssh_id);
|
|
|
|
|
alg->u.hk.hostkey = s->hostkey_alg;
|
|
|
|
|
alg->u.hk.warn = FALSE;
|
|
|
|
|
}
|
|
|
|
|
if (s->can_gssapi_keyex) {
|
|
|
|
|
alg = ssh2_kexinit_addalg(s->kexlists[KEXLIST_HOSTKEY], "null");
|
|
|
|
|
alg->u.hk.hostkey = NULL;
|
|
|
|
|
}
|
|
|
|
|
/* List encryption algorithms (client->server then server->client). */
|
|
|
|
|
for (k = KEXLIST_CSCIPHER; k <= KEXLIST_SCCIPHER; k++) {
|
|
|
|
|
warn = FALSE;
|
|
|
|
|
#ifdef FUZZING
|
|
|
|
|
alg = ssh2_kexinit_addalg(s->kexlists[k], "none");
|
|
|
|
|
alg->u.cipher.cipher = NULL;
|
|
|
|
|
alg->u.cipher.warn = warn;
|
|
|
|
|
#endif /* FUZZING */
|
|
|
|
|
for (i = 0; i < s->n_preferred_ciphers; i++) {
|
|
|
|
|
const struct ssh2_ciphers *c = s->preferred_ciphers[i];
|
|
|
|
|
if (!c) warn = TRUE;
|
|
|
|
|
else for (j = 0; j < c->nciphers; j++) {
|
|
|
|
|
alg = ssh2_kexinit_addalg(s->kexlists[k],
|
|
|
|
|
c->list[j]->name);
|
|
|
|
|
alg->u.cipher.cipher = c->list[j];
|
|
|
|
|
alg->u.cipher.warn = warn;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
/* List MAC algorithms (client->server then server->client). */
|
|
|
|
|
for (j = KEXLIST_CSMAC; j <= KEXLIST_SCMAC; j++) {
|
|
|
|
|
#ifdef FUZZING
|
|
|
|
|
alg = ssh2_kexinit_addalg(s->kexlists[j], "none");
|
|
|
|
|
alg->u.mac.mac = NULL;
|
|
|
|
|
alg->u.mac.etm = FALSE;
|
|
|
|
|
#endif /* FUZZING */
|
|
|
|
|
for (i = 0; i < s->nmacs; i++) {
|
|
|
|
|
alg = ssh2_kexinit_addalg(s->kexlists[j], s->maclist[i]->name);
|
|
|
|
|
alg->u.mac.mac = s->maclist[i];
|
|
|
|
|
alg->u.mac.etm = FALSE;
|
|
|
|
|
}
|
|
|
|
|
for (i = 0; i < s->nmacs; i++)
|
|
|
|
|
/* For each MAC, there may also be an ETM version,
|
|
|
|
|
* which we list second. */
|
|
|
|
|
if (s->maclist[i]->etm_name) {
|
|
|
|
|
alg = ssh2_kexinit_addalg(s->kexlists[j],
|
|
|
|
|
s->maclist[i]->etm_name);
|
|
|
|
|
alg->u.mac.mac = s->maclist[i];
|
|
|
|
|
alg->u.mac.etm = TRUE;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
/* List client->server compression algorithms,
|
|
|
|
|
* then server->client compression algorithms. (We use the
|
|
|
|
|
* same set twice.) */
|
|
|
|
|
for (j = KEXLIST_CSCOMP; j <= KEXLIST_SCCOMP; j++) {
|
|
|
|
|
assert(lenof(compressions) > 1);
|
|
|
|
|
/* Prefer non-delayed versions */
|
|
|
|
|
alg = ssh2_kexinit_addalg(s->kexlists[j], s->preferred_comp->name);
|
Support OpenSSH delayed compression without a rekey.
The problem with OpenSSH delayed compression is that the spec has a
race condition. Compression is enabled when the server sends
USERAUTH_SUCCESS. In the server->client direction, that's fine: the
USERAUTH_SUCCESS packet is not itself compressed, and the next packet
in the same direction is. But in the client->server direction, this
specification relies on there being a moment of half-duplex in the
connection: the client can't send any outgoing packet _after_ whatever
userauth packet the USERAUTH_SUCCESS was a response to, and _before_
finding out whether the response is USERAUTH_SUCCESS or something
else. If it emitted, say, an SSH_MSG_IGNORE or initiated a rekey
(perhaps due to a timeout), then that might cross in the network with
USERAUTH_SUCCESS and the server wouldn't be able to know whether to
treat it as compressed.
My previous solution was to note the presence of delayed compression
options in the server KEXINIT, but not to negotiate them in the
initial key exchange. Instead, we conduct the userauth exchange with
compression="none", and then once userauth has concluded, we trigger
an immediate rekey in which we do accept delayed compression methods -
because of course by that time they're no different from the non-
delayed versions. And that means compression is enabled by the
bidirectional NEWKEYS exchange, which lacks that race condition.
I think OpenSSH itself gets away with this because its layer structure
is structure so as to never send any such asynchronous transport-layer
message in the middle of userauth. Ours is not. But my cunning plan is
that now that my BPP abstraction includes a queue of packets to be
sent and a callback that processes that queue on to the output raw
data bufchain, it's possible to make that callback terminate early, to
leave any dangerous transport-layer messages unsent while we wait for
a userauth response.
Specifically: if we've negotiated a delayed compression method and not
yet seen USERAUTH_SUCCESS, then ssh2_bpp_handle_output will emit all
packets from its queue up to and including the last one in the
userauth type-code range, and keep back any further ones. The idea is
that _if_ that last userauth message was one that might provoke
USERAUTH_SUCCESS, we don't want to send any difficult things after it;
if it's not (e.g. it's in the middle of some ongoing userauth process
like k-i or GSS) then the userauth layer will know that, and will emit
some further userauth packet on its own initiative which will clue us
in that it's OK to release everything up to and including that one.
(So in particular it wasn't even necessary to forbid _all_ transport-
layer packets during userauth. I could have done that by reordering
the output queue - packets in that queue haven't been assigned their
sequence numbers yet, so that would have been safe - but it's more
elegant not to have to.)
One particular case we do have to be careful about is not trying to
initiate a _rekey_ during userauth, if delayed compression is in the
offing. That's because when we start rekeying, ssh2transport stops
sending any higher-layer packets at all, to discourage servers from
trying to ignore the KEXINIT and press on regardless - you don't get
your higher-layer replies until you actually respond to the
lower-layer interrupt. But in this case, if ssh2transport sent a
KEXINIT, which ssh2bpp kept back in the queue to avoid a delayed
compression race and would only send if another userauth packet
followed it, which ssh2transport would never pass on to ssh2bpp's
output queue, there'd be a complete protocol deadlock. So instead I
defer any attempt to start a rekey until after userauth finishes
(using the existing system for starting a deferred rekey at that
moment, which was previously used for the _old_ delayed-compression
strategy, and still has to be here anyway for GSSAPI purposes).
2018-10-07 08:10:14 +00:00
|
|
|
alg->u.comp.comp = s->preferred_comp;
|
|
|
|
|
alg->u.comp.delayed = FALSE;
|
|
|
|
|
if (s->preferred_comp->delayed_name) {
|
Move most of ssh.c out into separate source files.
I've tried to separate out as many individually coherent changes from
this work as I could into their own commits, but here's where I run
out and have to commit the rest of this major refactoring as a
big-bang change.
Most of ssh.c is now no longer in ssh.c: all five of the main
coroutines that handle layers of the SSH-1 and SSH-2 protocols now
each have their own source file to live in, and a lot of the
supporting functions have moved into the appropriate one of those too.
The new abstraction is a vtable called 'PacketProtocolLayer', which
has an input and output packet queue. Each layer's main coroutine is
invoked from the method ssh_ppl_process_queue(), which is usually
(though not exclusively) triggered automatically when things are
pushed on the input queue. In SSH-2, the base layer is the transport
protocol, and it contains a pair of subsidiary queues by which it
passes some of its packets to the higher SSH-2 layers - first userauth
and then connection, which are peers at the same level, with the
former abdicating in favour of the latter at the appropriate moment.
SSH-1 is simpler: the whole login phase of the protocol (crypto setup
and authentication) is all in one module, and since SSH-1 has no
repeat key exchange, that setup layer abdicates in favour of the
connection phase when it's done.
ssh.c itself is now about a tenth of its old size (which all by itself
is cause for celebration!). Its main job is to set up all the layers,
hook them up to each other and to the BPP, and to funnel data back and
forth between that collection of modules and external things such as
the network and the terminal. Once it's set up a collection of packet
protocol layers, it communicates with them partly by calling methods
of the base layer (and if that's ssh2transport then it will delegate
some functionality to the corresponding methods of its higher layer),
and partly by talking directly to the connection layer no matter where
it is in the stack by means of the separate ConnectionLayer vtable
which I introduced in commit 8001dd4cb, and to which I've now added
quite a few extra methods replacing services that used to be internal
function calls within ssh.c.
(One effect of this is that the SSH-1 and SSH-2 channel storage is now
no longer shared - there are distinct struct types ssh1_channel and
ssh2_channel. That means a bit more code duplication, but on the plus
side, a lot fewer confusing conditionals in the middle of half-shared
functions, and less risk of a piece of SSH-1 escaping into SSH-2 or
vice versa, which I remember has happened at least once in the past.)
The bulk of this commit introduces the five new source files, their
common header sshppl.h and some shared supporting routines in
sshcommon.c, and rewrites nearly all of ssh.c itself. But it also
includes a couple of other changes that I couldn't separate easily
enough:
Firstly, there's a new handling for socket EOF, in which ssh.c sets an
'input_eof' flag in the BPP, and that responds by checking a flag that
tells it whether to report the EOF as an error or not. (This is the
main reason for those new BPP_READ / BPP_WAITFOR macros - they can
check the EOF flag every time the coroutine is resumed.)
Secondly, the error reporting itself is changed around again. I'd
expected to put some data fields in the public PacketProtocolLayer
structure that it could set to report errors in the same way as the
BPPs have been doing, but in the end, I decided propagating all those
data fields around was a pain and that even the BPPs shouldn't have
been doing it that way. So I've reverted to a system where everything
calls back to functions in ssh.c itself to report any connection-
ending condition. But there's a new family of those functions,
categorising the possible such conditions by semantics, and each one
has a different set of detailed effects (e.g. how rudely to close the
network connection, what exit status should be passed back to the
whole application, whether to send a disconnect message and/or display
a GUI error box).
I don't expect this to be immediately perfect: of course, the code has
been through a big upheaval, new bugs are expected, and I haven't been
able to do a full job of testing (e.g. I haven't tested every auth or
kex method). But I've checked that it _basically_ works - both SSH
protocols, all the different kinds of forwarding channel, more than
one auth method, Windows and Linux, connection sharing - and I think
it's now at the point where the easiest way to find further bugs is to
let it out into the wild and see what users can spot.
2018-09-24 17:28:16 +00:00
|
|
|
alg = ssh2_kexinit_addalg(s->kexlists[j],
|
|
|
|
|
s->preferred_comp->delayed_name);
|
Support OpenSSH delayed compression without a rekey.
The problem with OpenSSH delayed compression is that the spec has a
race condition. Compression is enabled when the server sends
USERAUTH_SUCCESS. In the server->client direction, that's fine: the
USERAUTH_SUCCESS packet is not itself compressed, and the next packet
in the same direction is. But in the client->server direction, this
specification relies on there being a moment of half-duplex in the
connection: the client can't send any outgoing packet _after_ whatever
userauth packet the USERAUTH_SUCCESS was a response to, and _before_
finding out whether the response is USERAUTH_SUCCESS or something
else. If it emitted, say, an SSH_MSG_IGNORE or initiated a rekey
(perhaps due to a timeout), then that might cross in the network with
USERAUTH_SUCCESS and the server wouldn't be able to know whether to
treat it as compressed.
My previous solution was to note the presence of delayed compression
options in the server KEXINIT, but not to negotiate them in the
initial key exchange. Instead, we conduct the userauth exchange with
compression="none", and then once userauth has concluded, we trigger
an immediate rekey in which we do accept delayed compression methods -
because of course by that time they're no different from the non-
delayed versions. And that means compression is enabled by the
bidirectional NEWKEYS exchange, which lacks that race condition.
I think OpenSSH itself gets away with this because its layer structure
is structure so as to never send any such asynchronous transport-layer
message in the middle of userauth. Ours is not. But my cunning plan is
that now that my BPP abstraction includes a queue of packets to be
sent and a callback that processes that queue on to the output raw
data bufchain, it's possible to make that callback terminate early, to
leave any dangerous transport-layer messages unsent while we wait for
a userauth response.
Specifically: if we've negotiated a delayed compression method and not
yet seen USERAUTH_SUCCESS, then ssh2_bpp_handle_output will emit all
packets from its queue up to and including the last one in the
userauth type-code range, and keep back any further ones. The idea is
that _if_ that last userauth message was one that might provoke
USERAUTH_SUCCESS, we don't want to send any difficult things after it;
if it's not (e.g. it's in the middle of some ongoing userauth process
like k-i or GSS) then the userauth layer will know that, and will emit
some further userauth packet on its own initiative which will clue us
in that it's OK to release everything up to and including that one.
(So in particular it wasn't even necessary to forbid _all_ transport-
layer packets during userauth. I could have done that by reordering
the output queue - packets in that queue haven't been assigned their
sequence numbers yet, so that would have been safe - but it's more
elegant not to have to.)
One particular case we do have to be careful about is not trying to
initiate a _rekey_ during userauth, if delayed compression is in the
offing. That's because when we start rekeying, ssh2transport stops
sending any higher-layer packets at all, to discourage servers from
trying to ignore the KEXINIT and press on regardless - you don't get
your higher-layer replies until you actually respond to the
lower-layer interrupt. But in this case, if ssh2transport sent a
KEXINIT, which ssh2bpp kept back in the queue to avoid a delayed
compression race and would only send if another userauth packet
followed it, which ssh2transport would never pass on to ssh2bpp's
output queue, there'd be a complete protocol deadlock. So instead I
defer any attempt to start a rekey until after userauth finishes
(using the existing system for starting a deferred rekey at that
moment, which was previously used for the _old_ delayed-compression
strategy, and still has to be here anyway for GSSAPI purposes).
2018-10-07 08:10:14 +00:00
|
|
|
alg->u.comp.comp = s->preferred_comp;
|
|
|
|
|
alg->u.comp.delayed = TRUE;
|
Move most of ssh.c out into separate source files.
I've tried to separate out as many individually coherent changes from
this work as I could into their own commits, but here's where I run
out and have to commit the rest of this major refactoring as a
big-bang change.
Most of ssh.c is now no longer in ssh.c: all five of the main
coroutines that handle layers of the SSH-1 and SSH-2 protocols now
each have their own source file to live in, and a lot of the
supporting functions have moved into the appropriate one of those too.
The new abstraction is a vtable called 'PacketProtocolLayer', which
has an input and output packet queue. Each layer's main coroutine is
invoked from the method ssh_ppl_process_queue(), which is usually
(though not exclusively) triggered automatically when things are
pushed on the input queue. In SSH-2, the base layer is the transport
protocol, and it contains a pair of subsidiary queues by which it
passes some of its packets to the higher SSH-2 layers - first userauth
and then connection, which are peers at the same level, with the
former abdicating in favour of the latter at the appropriate moment.
SSH-1 is simpler: the whole login phase of the protocol (crypto setup
and authentication) is all in one module, and since SSH-1 has no
repeat key exchange, that setup layer abdicates in favour of the
connection phase when it's done.
ssh.c itself is now about a tenth of its old size (which all by itself
is cause for celebration!). Its main job is to set up all the layers,
hook them up to each other and to the BPP, and to funnel data back and
forth between that collection of modules and external things such as
the network and the terminal. Once it's set up a collection of packet
protocol layers, it communicates with them partly by calling methods
of the base layer (and if that's ssh2transport then it will delegate
some functionality to the corresponding methods of its higher layer),
and partly by talking directly to the connection layer no matter where
it is in the stack by means of the separate ConnectionLayer vtable
which I introduced in commit 8001dd4cb, and to which I've now added
quite a few extra methods replacing services that used to be internal
function calls within ssh.c.
(One effect of this is that the SSH-1 and SSH-2 channel storage is now
no longer shared - there are distinct struct types ssh1_channel and
ssh2_channel. That means a bit more code duplication, but on the plus
side, a lot fewer confusing conditionals in the middle of half-shared
functions, and less risk of a piece of SSH-1 escaping into SSH-2 or
vice versa, which I remember has happened at least once in the past.)
The bulk of this commit introduces the five new source files, their
common header sshppl.h and some shared supporting routines in
sshcommon.c, and rewrites nearly all of ssh.c itself. But it also
includes a couple of other changes that I couldn't separate easily
enough:
Firstly, there's a new handling for socket EOF, in which ssh.c sets an
'input_eof' flag in the BPP, and that responds by checking a flag that
tells it whether to report the EOF as an error or not. (This is the
main reason for those new BPP_READ / BPP_WAITFOR macros - they can
check the EOF flag every time the coroutine is resumed.)
Secondly, the error reporting itself is changed around again. I'd
expected to put some data fields in the public PacketProtocolLayer
structure that it could set to report errors in the same way as the
BPPs have been doing, but in the end, I decided propagating all those
data fields around was a pain and that even the BPPs shouldn't have
been doing it that way. So I've reverted to a system where everything
calls back to functions in ssh.c itself to report any connection-
ending condition. But there's a new family of those functions,
categorising the possible such conditions by semantics, and each one
has a different set of detailed effects (e.g. how rudely to close the
network connection, what exit status should be passed back to the
whole application, whether to send a disconnect message and/or display
a GUI error box).
I don't expect this to be immediately perfect: of course, the code has
been through a big upheaval, new bugs are expected, and I haven't been
able to do a full job of testing (e.g. I haven't tested every auth or
kex method). But I've checked that it _basically_ works - both SSH
protocols, all the different kinds of forwarding channel, more than
one auth method, Windows and Linux, connection sharing - and I think
it's now at the point where the easiest way to find further bugs is to
let it out into the wild and see what users can spot.
2018-09-24 17:28:16 +00:00
|
|
|
}
|
|
|
|
|
for (i = 0; i < lenof(compressions); i++) {
|
|
|
|
|
const struct ssh_compression_alg *c = compressions[i];
|
|
|
|
|
alg = ssh2_kexinit_addalg(s->kexlists[j], c->name);
|
Support OpenSSH delayed compression without a rekey.
The problem with OpenSSH delayed compression is that the spec has a
race condition. Compression is enabled when the server sends
USERAUTH_SUCCESS. In the server->client direction, that's fine: the
USERAUTH_SUCCESS packet is not itself compressed, and the next packet
in the same direction is. But in the client->server direction, this
specification relies on there being a moment of half-duplex in the
connection: the client can't send any outgoing packet _after_ whatever
userauth packet the USERAUTH_SUCCESS was a response to, and _before_
finding out whether the response is USERAUTH_SUCCESS or something
else. If it emitted, say, an SSH_MSG_IGNORE or initiated a rekey
(perhaps due to a timeout), then that might cross in the network with
USERAUTH_SUCCESS and the server wouldn't be able to know whether to
treat it as compressed.
My previous solution was to note the presence of delayed compression
options in the server KEXINIT, but not to negotiate them in the
initial key exchange. Instead, we conduct the userauth exchange with
compression="none", and then once userauth has concluded, we trigger
an immediate rekey in which we do accept delayed compression methods -
because of course by that time they're no different from the non-
delayed versions. And that means compression is enabled by the
bidirectional NEWKEYS exchange, which lacks that race condition.
I think OpenSSH itself gets away with this because its layer structure
is structure so as to never send any such asynchronous transport-layer
message in the middle of userauth. Ours is not. But my cunning plan is
that now that my BPP abstraction includes a queue of packets to be
sent and a callback that processes that queue on to the output raw
data bufchain, it's possible to make that callback terminate early, to
leave any dangerous transport-layer messages unsent while we wait for
a userauth response.
Specifically: if we've negotiated a delayed compression method and not
yet seen USERAUTH_SUCCESS, then ssh2_bpp_handle_output will emit all
packets from its queue up to and including the last one in the
userauth type-code range, and keep back any further ones. The idea is
that _if_ that last userauth message was one that might provoke
USERAUTH_SUCCESS, we don't want to send any difficult things after it;
if it's not (e.g. it's in the middle of some ongoing userauth process
like k-i or GSS) then the userauth layer will know that, and will emit
some further userauth packet on its own initiative which will clue us
in that it's OK to release everything up to and including that one.
(So in particular it wasn't even necessary to forbid _all_ transport-
layer packets during userauth. I could have done that by reordering
the output queue - packets in that queue haven't been assigned their
sequence numbers yet, so that would have been safe - but it's more
elegant not to have to.)
One particular case we do have to be careful about is not trying to
initiate a _rekey_ during userauth, if delayed compression is in the
offing. That's because when we start rekeying, ssh2transport stops
sending any higher-layer packets at all, to discourage servers from
trying to ignore the KEXINIT and press on regardless - you don't get
your higher-layer replies until you actually respond to the
lower-layer interrupt. But in this case, if ssh2transport sent a
KEXINIT, which ssh2bpp kept back in the queue to avoid a delayed
compression race and would only send if another userauth packet
followed it, which ssh2transport would never pass on to ssh2bpp's
output queue, there'd be a complete protocol deadlock. So instead I
defer any attempt to start a rekey until after userauth finishes
(using the existing system for starting a deferred rekey at that
moment, which was previously used for the _old_ delayed-compression
strategy, and still has to be here anyway for GSSAPI purposes).
2018-10-07 08:10:14 +00:00
|
|
|
alg->u.comp.comp = c;
|
|
|
|
|
alg->u.comp.delayed = FALSE;
|
|
|
|
|
if (c->delayed_name) {
|
Move most of ssh.c out into separate source files.
I've tried to separate out as many individually coherent changes from
this work as I could into their own commits, but here's where I run
out and have to commit the rest of this major refactoring as a
big-bang change.
Most of ssh.c is now no longer in ssh.c: all five of the main
coroutines that handle layers of the SSH-1 and SSH-2 protocols now
each have their own source file to live in, and a lot of the
supporting functions have moved into the appropriate one of those too.
The new abstraction is a vtable called 'PacketProtocolLayer', which
has an input and output packet queue. Each layer's main coroutine is
invoked from the method ssh_ppl_process_queue(), which is usually
(though not exclusively) triggered automatically when things are
pushed on the input queue. In SSH-2, the base layer is the transport
protocol, and it contains a pair of subsidiary queues by which it
passes some of its packets to the higher SSH-2 layers - first userauth
and then connection, which are peers at the same level, with the
former abdicating in favour of the latter at the appropriate moment.
SSH-1 is simpler: the whole login phase of the protocol (crypto setup
and authentication) is all in one module, and since SSH-1 has no
repeat key exchange, that setup layer abdicates in favour of the
connection phase when it's done.
ssh.c itself is now about a tenth of its old size (which all by itself
is cause for celebration!). Its main job is to set up all the layers,
hook them up to each other and to the BPP, and to funnel data back and
forth between that collection of modules and external things such as
the network and the terminal. Once it's set up a collection of packet
protocol layers, it communicates with them partly by calling methods
of the base layer (and if that's ssh2transport then it will delegate
some functionality to the corresponding methods of its higher layer),
and partly by talking directly to the connection layer no matter where
it is in the stack by means of the separate ConnectionLayer vtable
which I introduced in commit 8001dd4cb, and to which I've now added
quite a few extra methods replacing services that used to be internal
function calls within ssh.c.
(One effect of this is that the SSH-1 and SSH-2 channel storage is now
no longer shared - there are distinct struct types ssh1_channel and
ssh2_channel. That means a bit more code duplication, but on the plus
side, a lot fewer confusing conditionals in the middle of half-shared
functions, and less risk of a piece of SSH-1 escaping into SSH-2 or
vice versa, which I remember has happened at least once in the past.)
The bulk of this commit introduces the five new source files, their
common header sshppl.h and some shared supporting routines in
sshcommon.c, and rewrites nearly all of ssh.c itself. But it also
includes a couple of other changes that I couldn't separate easily
enough:
Firstly, there's a new handling for socket EOF, in which ssh.c sets an
'input_eof' flag in the BPP, and that responds by checking a flag that
tells it whether to report the EOF as an error or not. (This is the
main reason for those new BPP_READ / BPP_WAITFOR macros - they can
check the EOF flag every time the coroutine is resumed.)
Secondly, the error reporting itself is changed around again. I'd
expected to put some data fields in the public PacketProtocolLayer
structure that it could set to report errors in the same way as the
BPPs have been doing, but in the end, I decided propagating all those
data fields around was a pain and that even the BPPs shouldn't have
been doing it that way. So I've reverted to a system where everything
calls back to functions in ssh.c itself to report any connection-
ending condition. But there's a new family of those functions,
categorising the possible such conditions by semantics, and each one
has a different set of detailed effects (e.g. how rudely to close the
network connection, what exit status should be passed back to the
whole application, whether to send a disconnect message and/or display
a GUI error box).
I don't expect this to be immediately perfect: of course, the code has
been through a big upheaval, new bugs are expected, and I haven't been
able to do a full job of testing (e.g. I haven't tested every auth or
kex method). But I've checked that it _basically_ works - both SSH
protocols, all the different kinds of forwarding channel, more than
one auth method, Windows and Linux, connection sharing - and I think
it's now at the point where the easiest way to find further bugs is to
let it out into the wild and see what users can spot.
2018-09-24 17:28:16 +00:00
|
|
|
alg = ssh2_kexinit_addalg(s->kexlists[j], c->delayed_name);
|
Support OpenSSH delayed compression without a rekey.
The problem with OpenSSH delayed compression is that the spec has a
race condition. Compression is enabled when the server sends
USERAUTH_SUCCESS. In the server->client direction, that's fine: the
USERAUTH_SUCCESS packet is not itself compressed, and the next packet
in the same direction is. But in the client->server direction, this
specification relies on there being a moment of half-duplex in the
connection: the client can't send any outgoing packet _after_ whatever
userauth packet the USERAUTH_SUCCESS was a response to, and _before_
finding out whether the response is USERAUTH_SUCCESS or something
else. If it emitted, say, an SSH_MSG_IGNORE or initiated a rekey
(perhaps due to a timeout), then that might cross in the network with
USERAUTH_SUCCESS and the server wouldn't be able to know whether to
treat it as compressed.
My previous solution was to note the presence of delayed compression
options in the server KEXINIT, but not to negotiate them in the
initial key exchange. Instead, we conduct the userauth exchange with
compression="none", and then once userauth has concluded, we trigger
an immediate rekey in which we do accept delayed compression methods -
because of course by that time they're no different from the non-
delayed versions. And that means compression is enabled by the
bidirectional NEWKEYS exchange, which lacks that race condition.
I think OpenSSH itself gets away with this because its layer structure
is structure so as to never send any such asynchronous transport-layer
message in the middle of userauth. Ours is not. But my cunning plan is
that now that my BPP abstraction includes a queue of packets to be
sent and a callback that processes that queue on to the output raw
data bufchain, it's possible to make that callback terminate early, to
leave any dangerous transport-layer messages unsent while we wait for
a userauth response.
Specifically: if we've negotiated a delayed compression method and not
yet seen USERAUTH_SUCCESS, then ssh2_bpp_handle_output will emit all
packets from its queue up to and including the last one in the
userauth type-code range, and keep back any further ones. The idea is
that _if_ that last userauth message was one that might provoke
USERAUTH_SUCCESS, we don't want to send any difficult things after it;
if it's not (e.g. it's in the middle of some ongoing userauth process
like k-i or GSS) then the userauth layer will know that, and will emit
some further userauth packet on its own initiative which will clue us
in that it's OK to release everything up to and including that one.
(So in particular it wasn't even necessary to forbid _all_ transport-
layer packets during userauth. I could have done that by reordering
the output queue - packets in that queue haven't been assigned their
sequence numbers yet, so that would have been safe - but it's more
elegant not to have to.)
One particular case we do have to be careful about is not trying to
initiate a _rekey_ during userauth, if delayed compression is in the
offing. That's because when we start rekeying, ssh2transport stops
sending any higher-layer packets at all, to discourage servers from
trying to ignore the KEXINIT and press on regardless - you don't get
your higher-layer replies until you actually respond to the
lower-layer interrupt. But in this case, if ssh2transport sent a
KEXINIT, which ssh2bpp kept back in the queue to avoid a delayed
compression race and would only send if another userauth packet
followed it, which ssh2transport would never pass on to ssh2bpp's
output queue, there'd be a complete protocol deadlock. So instead I
defer any attempt to start a rekey until after userauth finishes
(using the existing system for starting a deferred rekey at that
moment, which was previously used for the _old_ delayed-compression
strategy, and still has to be here anyway for GSSAPI purposes).
2018-10-07 08:10:14 +00:00
|
|
|
alg->u.comp.comp = c;
|
|
|
|
|
alg->u.comp.delayed = TRUE;
|
Move most of ssh.c out into separate source files.
I've tried to separate out as many individually coherent changes from
this work as I could into their own commits, but here's where I run
out and have to commit the rest of this major refactoring as a
big-bang change.
Most of ssh.c is now no longer in ssh.c: all five of the main
coroutines that handle layers of the SSH-1 and SSH-2 protocols now
each have their own source file to live in, and a lot of the
supporting functions have moved into the appropriate one of those too.
The new abstraction is a vtable called 'PacketProtocolLayer', which
has an input and output packet queue. Each layer's main coroutine is
invoked from the method ssh_ppl_process_queue(), which is usually
(though not exclusively) triggered automatically when things are
pushed on the input queue. In SSH-2, the base layer is the transport
protocol, and it contains a pair of subsidiary queues by which it
passes some of its packets to the higher SSH-2 layers - first userauth
and then connection, which are peers at the same level, with the
former abdicating in favour of the latter at the appropriate moment.
SSH-1 is simpler: the whole login phase of the protocol (crypto setup
and authentication) is all in one module, and since SSH-1 has no
repeat key exchange, that setup layer abdicates in favour of the
connection phase when it's done.
ssh.c itself is now about a tenth of its old size (which all by itself
is cause for celebration!). Its main job is to set up all the layers,
hook them up to each other and to the BPP, and to funnel data back and
forth between that collection of modules and external things such as
the network and the terminal. Once it's set up a collection of packet
protocol layers, it communicates with them partly by calling methods
of the base layer (and if that's ssh2transport then it will delegate
some functionality to the corresponding methods of its higher layer),
and partly by talking directly to the connection layer no matter where
it is in the stack by means of the separate ConnectionLayer vtable
which I introduced in commit 8001dd4cb, and to which I've now added
quite a few extra methods replacing services that used to be internal
function calls within ssh.c.
(One effect of this is that the SSH-1 and SSH-2 channel storage is now
no longer shared - there are distinct struct types ssh1_channel and
ssh2_channel. That means a bit more code duplication, but on the plus
side, a lot fewer confusing conditionals in the middle of half-shared
functions, and less risk of a piece of SSH-1 escaping into SSH-2 or
vice versa, which I remember has happened at least once in the past.)
The bulk of this commit introduces the five new source files, their
common header sshppl.h and some shared supporting routines in
sshcommon.c, and rewrites nearly all of ssh.c itself. But it also
includes a couple of other changes that I couldn't separate easily
enough:
Firstly, there's a new handling for socket EOF, in which ssh.c sets an
'input_eof' flag in the BPP, and that responds by checking a flag that
tells it whether to report the EOF as an error or not. (This is the
main reason for those new BPP_READ / BPP_WAITFOR macros - they can
check the EOF flag every time the coroutine is resumed.)
Secondly, the error reporting itself is changed around again. I'd
expected to put some data fields in the public PacketProtocolLayer
structure that it could set to report errors in the same way as the
BPPs have been doing, but in the end, I decided propagating all those
data fields around was a pain and that even the BPPs shouldn't have
been doing it that way. So I've reverted to a system where everything
calls back to functions in ssh.c itself to report any connection-
ending condition. But there's a new family of those functions,
categorising the possible such conditions by semantics, and each one
has a different set of detailed effects (e.g. how rudely to close the
network connection, what exit status should be passed back to the
whole application, whether to send a disconnect message and/or display
a GUI error box).
I don't expect this to be immediately perfect: of course, the code has
been through a big upheaval, new bugs are expected, and I haven't been
able to do a full job of testing (e.g. I haven't tested every auth or
kex method). But I've checked that it _basically_ works - both SSH
protocols, all the different kinds of forwarding channel, more than
one auth method, Windows and Linux, connection sharing - and I think
it's now at the point where the easiest way to find further bugs is to
let it out into the wild and see what users can spot.
2018-09-24 17:28:16 +00:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
/*
|
|
|
|
|
* Construct and send our key exchange packet.
|
|
|
|
|
*/
|
|
|
|
|
pktout = ssh_bpp_new_pktout(s->ppl.bpp, SSH2_MSG_KEXINIT);
|
|
|
|
|
for (i = 0; i < 16; i++)
|
|
|
|
|
put_byte(pktout, (unsigned char) random_byte());
|
|
|
|
|
for (i = 0; i < NKEXLIST; i++) {
|
|
|
|
|
strbuf *list = strbuf_new();
|
|
|
|
|
for (j = 0; j < MAXKEXLIST; j++) {
|
|
|
|
|
if (s->kexlists[i][j].name == NULL) break;
|
|
|
|
|
add_to_commasep(list, s->kexlists[i][j].name);
|
|
|
|
|
}
|
|
|
|
|
put_stringsb(pktout, list);
|
|
|
|
|
}
|
|
|
|
|
/* List client->server languages. Empty list. */
|
|
|
|
|
put_stringz(pktout, "");
|
|
|
|
|
/* List server->client languages. Empty list. */
|
|
|
|
|
put_stringz(pktout, "");
|
|
|
|
|
/* First KEX packet does _not_ follow, because we're not that brave. */
|
|
|
|
|
put_bool(pktout, FALSE);
|
|
|
|
|
/* Reserved. */
|
|
|
|
|
put_uint32(pktout, 0);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
s->our_kexinitlen = pktout->length - 5;
|
|
|
|
|
s->our_kexinit = snewn(s->our_kexinitlen, unsigned char);
|
|
|
|
|
memcpy(s->our_kexinit, pktout->data + 5, s->our_kexinitlen);
|
|
|
|
|
|
|
|
|
|
pq_push(s->ppl.out_pq, pktout);
|
|
|
|
|
|
|
|
|
|
crMaybeWaitUntilV((pktin = ssh2_transport_pop(s)) != NULL);
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Now examine the other side's KEXINIT to see what we're up
|
|
|
|
|
* to.
|
|
|
|
|
*/
|
|
|
|
|
{
|
|
|
|
|
ptrlen str;
|
|
|
|
|
int i, j;
|
|
|
|
|
|
|
|
|
|
if (pktin->type != SSH2_MSG_KEXINIT) {
|
|
|
|
|
ssh_proto_error(s->ppl.ssh, "Received unexpected packet when "
|
|
|
|
|
"expecting KEXINIT, type %d (%s)", pktin->type,
|
|
|
|
|
ssh2_pkt_type(s->ppl.bpp->pls->kctx,
|
|
|
|
|
s->ppl.bpp->pls->actx, pktin->type));
|
|
|
|
|
return;
|
|
|
|
|
}
|
|
|
|
|
s->kex_alg = NULL;
|
|
|
|
|
s->hostkey_alg = NULL;
|
|
|
|
|
s->in.cipher = s->out.cipher = NULL;
|
|
|
|
|
s->in.mac = s->out.mac = NULL;
|
|
|
|
|
s->in.comp = s->out.comp = NULL;
|
Support OpenSSH delayed compression without a rekey.
The problem with OpenSSH delayed compression is that the spec has a
race condition. Compression is enabled when the server sends
USERAUTH_SUCCESS. In the server->client direction, that's fine: the
USERAUTH_SUCCESS packet is not itself compressed, and the next packet
in the same direction is. But in the client->server direction, this
specification relies on there being a moment of half-duplex in the
connection: the client can't send any outgoing packet _after_ whatever
userauth packet the USERAUTH_SUCCESS was a response to, and _before_
finding out whether the response is USERAUTH_SUCCESS or something
else. If it emitted, say, an SSH_MSG_IGNORE or initiated a rekey
(perhaps due to a timeout), then that might cross in the network with
USERAUTH_SUCCESS and the server wouldn't be able to know whether to
treat it as compressed.
My previous solution was to note the presence of delayed compression
options in the server KEXINIT, but not to negotiate them in the
initial key exchange. Instead, we conduct the userauth exchange with
compression="none", and then once userauth has concluded, we trigger
an immediate rekey in which we do accept delayed compression methods -
because of course by that time they're no different from the non-
delayed versions. And that means compression is enabled by the
bidirectional NEWKEYS exchange, which lacks that race condition.
I think OpenSSH itself gets away with this because its layer structure
is structure so as to never send any such asynchronous transport-layer
message in the middle of userauth. Ours is not. But my cunning plan is
that now that my BPP abstraction includes a queue of packets to be
sent and a callback that processes that queue on to the output raw
data bufchain, it's possible to make that callback terminate early, to
leave any dangerous transport-layer messages unsent while we wait for
a userauth response.
Specifically: if we've negotiated a delayed compression method and not
yet seen USERAUTH_SUCCESS, then ssh2_bpp_handle_output will emit all
packets from its queue up to and including the last one in the
userauth type-code range, and keep back any further ones. The idea is
that _if_ that last userauth message was one that might provoke
USERAUTH_SUCCESS, we don't want to send any difficult things after it;
if it's not (e.g. it's in the middle of some ongoing userauth process
like k-i or GSS) then the userauth layer will know that, and will emit
some further userauth packet on its own initiative which will clue us
in that it's OK to release everything up to and including that one.
(So in particular it wasn't even necessary to forbid _all_ transport-
layer packets during userauth. I could have done that by reordering
the output queue - packets in that queue haven't been assigned their
sequence numbers yet, so that would have been safe - but it's more
elegant not to have to.)
One particular case we do have to be careful about is not trying to
initiate a _rekey_ during userauth, if delayed compression is in the
offing. That's because when we start rekeying, ssh2transport stops
sending any higher-layer packets at all, to discourage servers from
trying to ignore the KEXINIT and press on regardless - you don't get
your higher-layer replies until you actually respond to the
lower-layer interrupt. But in this case, if ssh2transport sent a
KEXINIT, which ssh2bpp kept back in the queue to avoid a delayed
compression race and would only send if another userauth packet
followed it, which ssh2transport would never pass on to ssh2bpp's
output queue, there'd be a complete protocol deadlock. So instead I
defer any attempt to start a rekey until after userauth finishes
(using the existing system for starting a deferred rekey at that
moment, which was previously used for the _old_ delayed-compression
strategy, and still has to be here anyway for GSSAPI purposes).
2018-10-07 08:10:14 +00:00
|
|
|
s->in.comp_delayed = s->out.comp_delayed = FALSE;
|
Move most of ssh.c out into separate source files.
I've tried to separate out as many individually coherent changes from
this work as I could into their own commits, but here's where I run
out and have to commit the rest of this major refactoring as a
big-bang change.
Most of ssh.c is now no longer in ssh.c: all five of the main
coroutines that handle layers of the SSH-1 and SSH-2 protocols now
each have their own source file to live in, and a lot of the
supporting functions have moved into the appropriate one of those too.
The new abstraction is a vtable called 'PacketProtocolLayer', which
has an input and output packet queue. Each layer's main coroutine is
invoked from the method ssh_ppl_process_queue(), which is usually
(though not exclusively) triggered automatically when things are
pushed on the input queue. In SSH-2, the base layer is the transport
protocol, and it contains a pair of subsidiary queues by which it
passes some of its packets to the higher SSH-2 layers - first userauth
and then connection, which are peers at the same level, with the
former abdicating in favour of the latter at the appropriate moment.
SSH-1 is simpler: the whole login phase of the protocol (crypto setup
and authentication) is all in one module, and since SSH-1 has no
repeat key exchange, that setup layer abdicates in favour of the
connection phase when it's done.
ssh.c itself is now about a tenth of its old size (which all by itself
is cause for celebration!). Its main job is to set up all the layers,
hook them up to each other and to the BPP, and to funnel data back and
forth between that collection of modules and external things such as
the network and the terminal. Once it's set up a collection of packet
protocol layers, it communicates with them partly by calling methods
of the base layer (and if that's ssh2transport then it will delegate
some functionality to the corresponding methods of its higher layer),
and partly by talking directly to the connection layer no matter where
it is in the stack by means of the separate ConnectionLayer vtable
which I introduced in commit 8001dd4cb, and to which I've now added
quite a few extra methods replacing services that used to be internal
function calls within ssh.c.
(One effect of this is that the SSH-1 and SSH-2 channel storage is now
no longer shared - there are distinct struct types ssh1_channel and
ssh2_channel. That means a bit more code duplication, but on the plus
side, a lot fewer confusing conditionals in the middle of half-shared
functions, and less risk of a piece of SSH-1 escaping into SSH-2 or
vice versa, which I remember has happened at least once in the past.)
The bulk of this commit introduces the five new source files, their
common header sshppl.h and some shared supporting routines in
sshcommon.c, and rewrites nearly all of ssh.c itself. But it also
includes a couple of other changes that I couldn't separate easily
enough:
Firstly, there's a new handling for socket EOF, in which ssh.c sets an
'input_eof' flag in the BPP, and that responds by checking a flag that
tells it whether to report the EOF as an error or not. (This is the
main reason for those new BPP_READ / BPP_WAITFOR macros - they can
check the EOF flag every time the coroutine is resumed.)
Secondly, the error reporting itself is changed around again. I'd
expected to put some data fields in the public PacketProtocolLayer
structure that it could set to report errors in the same way as the
BPPs have been doing, but in the end, I decided propagating all those
data fields around was a pain and that even the BPPs shouldn't have
been doing it that way. So I've reverted to a system where everything
calls back to functions in ssh.c itself to report any connection-
ending condition. But there's a new family of those functions,
categorising the possible such conditions by semantics, and each one
has a different set of detailed effects (e.g. how rudely to close the
network connection, what exit status should be passed back to the
whole application, whether to send a disconnect message and/or display
a GUI error box).
I don't expect this to be immediately perfect: of course, the code has
been through a big upheaval, new bugs are expected, and I haven't been
able to do a full job of testing (e.g. I haven't tested every auth or
kex method). But I've checked that it _basically_ works - both SSH
protocols, all the different kinds of forwarding channel, more than
one auth method, Windows and Linux, connection sharing - and I think
it's now at the point where the easiest way to find further bugs is to
let it out into the wild and see what users can spot.
2018-09-24 17:28:16 +00:00
|
|
|
s->warn_kex = s->warn_hk = FALSE;
|
|
|
|
|
s->warn_cscipher = s->warn_sccipher = FALSE;
|
|
|
|
|
|
|
|
|
|
get_data(pktin, 16); /* skip garbage cookie */
|
|
|
|
|
|
|
|
|
|
s->guessok = FALSE;
|
|
|
|
|
for (i = 0; i < NKEXLIST; i++) {
|
|
|
|
|
str = get_string(pktin);
|
|
|
|
|
if (get_err(pktin)) {
|
|
|
|
|
ssh_proto_error(s->ppl.ssh, "KEXINIT packet was incomplete");
|
|
|
|
|
return;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* If we've already selected a cipher which requires a
|
|
|
|
|
* particular MAC, then just select that, and don't even
|
|
|
|
|
* bother looking through the server's KEXINIT string for
|
|
|
|
|
* MACs. */
|
|
|
|
|
if (i == KEXLIST_CSMAC && s->out.cipher &&
|
|
|
|
|
s->out.cipher->required_mac) {
|
|
|
|
|
s->out.mac = s->out.cipher->required_mac;
|
|
|
|
|
s->out.etm_mode = !!(s->out.mac->etm_name);
|
|
|
|
|
goto matched;
|
|
|
|
|
}
|
|
|
|
|
if (i == KEXLIST_SCMAC && s->in.cipher &&
|
|
|
|
|
s->in.cipher->required_mac) {
|
|
|
|
|
s->in.mac = s->in.cipher->required_mac;
|
|
|
|
|
s->in.etm_mode = !!(s->in.mac->etm_name);
|
|
|
|
|
goto matched;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
for (j = 0; j < MAXKEXLIST; j++) {
|
|
|
|
|
struct kexinit_algorithm *alg = &s->kexlists[i][j];
|
|
|
|
|
if (alg->name == NULL) break;
|
|
|
|
|
if (in_commasep_string(alg->name, str.ptr, str.len)) {
|
|
|
|
|
/* We've found a matching algorithm. */
|
|
|
|
|
if (i == KEXLIST_KEX || i == KEXLIST_HOSTKEY) {
|
|
|
|
|
/* Check if we might need to ignore first kex pkt */
|
|
|
|
|
if (j != 0 ||
|
|
|
|
|
!first_in_commasep_string(alg->name,
|
|
|
|
|
str.ptr, str.len))
|
|
|
|
|
s->guessok = FALSE;
|
|
|
|
|
}
|
|
|
|
|
if (i == KEXLIST_KEX) {
|
|
|
|
|
s->kex_alg = alg->u.kex.kex;
|
|
|
|
|
s->warn_kex = alg->u.kex.warn;
|
|
|
|
|
} else if (i == KEXLIST_HOSTKEY) {
|
|
|
|
|
/*
|
|
|
|
|
* Ignore an unexpected/inappropriate offer of "null",
|
|
|
|
|
* we offer "null" when we're willing to use GSS KEX,
|
|
|
|
|
* but it is only acceptable when GSSKEX is actually
|
|
|
|
|
* selected.
|
|
|
|
|
*/
|
|
|
|
|
if (alg->u.hk.hostkey == NULL &&
|
|
|
|
|
s->kex_alg->main_type != KEXTYPE_GSS)
|
|
|
|
|
continue;
|
|
|
|
|
s->hostkey_alg = alg->u.hk.hostkey;
|
|
|
|
|
s->warn_hk = alg->u.hk.warn;
|
|
|
|
|
} else if (i == KEXLIST_CSCIPHER) {
|
|
|
|
|
s->out.cipher = alg->u.cipher.cipher;
|
|
|
|
|
s->warn_cscipher = alg->u.cipher.warn;
|
|
|
|
|
} else if (i == KEXLIST_SCCIPHER) {
|
|
|
|
|
s->in.cipher = alg->u.cipher.cipher;
|
|
|
|
|
s->warn_sccipher = alg->u.cipher.warn;
|
|
|
|
|
} else if (i == KEXLIST_CSMAC) {
|
|
|
|
|
s->out.mac = alg->u.mac.mac;
|
|
|
|
|
s->out.etm_mode = alg->u.mac.etm;
|
|
|
|
|
} else if (i == KEXLIST_SCMAC) {
|
|
|
|
|
s->in.mac = alg->u.mac.mac;
|
|
|
|
|
s->in.etm_mode = alg->u.mac.etm;
|
|
|
|
|
} else if (i == KEXLIST_CSCOMP) {
|
Support OpenSSH delayed compression without a rekey.
The problem with OpenSSH delayed compression is that the spec has a
race condition. Compression is enabled when the server sends
USERAUTH_SUCCESS. In the server->client direction, that's fine: the
USERAUTH_SUCCESS packet is not itself compressed, and the next packet
in the same direction is. But in the client->server direction, this
specification relies on there being a moment of half-duplex in the
connection: the client can't send any outgoing packet _after_ whatever
userauth packet the USERAUTH_SUCCESS was a response to, and _before_
finding out whether the response is USERAUTH_SUCCESS or something
else. If it emitted, say, an SSH_MSG_IGNORE or initiated a rekey
(perhaps due to a timeout), then that might cross in the network with
USERAUTH_SUCCESS and the server wouldn't be able to know whether to
treat it as compressed.
My previous solution was to note the presence of delayed compression
options in the server KEXINIT, but not to negotiate them in the
initial key exchange. Instead, we conduct the userauth exchange with
compression="none", and then once userauth has concluded, we trigger
an immediate rekey in which we do accept delayed compression methods -
because of course by that time they're no different from the non-
delayed versions. And that means compression is enabled by the
bidirectional NEWKEYS exchange, which lacks that race condition.
I think OpenSSH itself gets away with this because its layer structure
is structure so as to never send any such asynchronous transport-layer
message in the middle of userauth. Ours is not. But my cunning plan is
that now that my BPP abstraction includes a queue of packets to be
sent and a callback that processes that queue on to the output raw
data bufchain, it's possible to make that callback terminate early, to
leave any dangerous transport-layer messages unsent while we wait for
a userauth response.
Specifically: if we've negotiated a delayed compression method and not
yet seen USERAUTH_SUCCESS, then ssh2_bpp_handle_output will emit all
packets from its queue up to and including the last one in the
userauth type-code range, and keep back any further ones. The idea is
that _if_ that last userauth message was one that might provoke
USERAUTH_SUCCESS, we don't want to send any difficult things after it;
if it's not (e.g. it's in the middle of some ongoing userauth process
like k-i or GSS) then the userauth layer will know that, and will emit
some further userauth packet on its own initiative which will clue us
in that it's OK to release everything up to and including that one.
(So in particular it wasn't even necessary to forbid _all_ transport-
layer packets during userauth. I could have done that by reordering
the output queue - packets in that queue haven't been assigned their
sequence numbers yet, so that would have been safe - but it's more
elegant not to have to.)
One particular case we do have to be careful about is not trying to
initiate a _rekey_ during userauth, if delayed compression is in the
offing. That's because when we start rekeying, ssh2transport stops
sending any higher-layer packets at all, to discourage servers from
trying to ignore the KEXINIT and press on regardless - you don't get
your higher-layer replies until you actually respond to the
lower-layer interrupt. But in this case, if ssh2transport sent a
KEXINIT, which ssh2bpp kept back in the queue to avoid a delayed
compression race and would only send if another userauth packet
followed it, which ssh2transport would never pass on to ssh2bpp's
output queue, there'd be a complete protocol deadlock. So instead I
defer any attempt to start a rekey until after userauth finishes
(using the existing system for starting a deferred rekey at that
moment, which was previously used for the _old_ delayed-compression
strategy, and still has to be here anyway for GSSAPI purposes).
2018-10-07 08:10:14 +00:00
|
|
|
s->out.comp = alg->u.comp.comp;
|
|
|
|
|
s->out.comp_delayed = alg->u.comp.delayed;
|
Move most of ssh.c out into separate source files.
I've tried to separate out as many individually coherent changes from
this work as I could into their own commits, but here's where I run
out and have to commit the rest of this major refactoring as a
big-bang change.
Most of ssh.c is now no longer in ssh.c: all five of the main
coroutines that handle layers of the SSH-1 and SSH-2 protocols now
each have their own source file to live in, and a lot of the
supporting functions have moved into the appropriate one of those too.
The new abstraction is a vtable called 'PacketProtocolLayer', which
has an input and output packet queue. Each layer's main coroutine is
invoked from the method ssh_ppl_process_queue(), which is usually
(though not exclusively) triggered automatically when things are
pushed on the input queue. In SSH-2, the base layer is the transport
protocol, and it contains a pair of subsidiary queues by which it
passes some of its packets to the higher SSH-2 layers - first userauth
and then connection, which are peers at the same level, with the
former abdicating in favour of the latter at the appropriate moment.
SSH-1 is simpler: the whole login phase of the protocol (crypto setup
and authentication) is all in one module, and since SSH-1 has no
repeat key exchange, that setup layer abdicates in favour of the
connection phase when it's done.
ssh.c itself is now about a tenth of its old size (which all by itself
is cause for celebration!). Its main job is to set up all the layers,
hook them up to each other and to the BPP, and to funnel data back and
forth between that collection of modules and external things such as
the network and the terminal. Once it's set up a collection of packet
protocol layers, it communicates with them partly by calling methods
of the base layer (and if that's ssh2transport then it will delegate
some functionality to the corresponding methods of its higher layer),
and partly by talking directly to the connection layer no matter where
it is in the stack by means of the separate ConnectionLayer vtable
which I introduced in commit 8001dd4cb, and to which I've now added
quite a few extra methods replacing services that used to be internal
function calls within ssh.c.
(One effect of this is that the SSH-1 and SSH-2 channel storage is now
no longer shared - there are distinct struct types ssh1_channel and
ssh2_channel. That means a bit more code duplication, but on the plus
side, a lot fewer confusing conditionals in the middle of half-shared
functions, and less risk of a piece of SSH-1 escaping into SSH-2 or
vice versa, which I remember has happened at least once in the past.)
The bulk of this commit introduces the five new source files, their
common header sshppl.h and some shared supporting routines in
sshcommon.c, and rewrites nearly all of ssh.c itself. But it also
includes a couple of other changes that I couldn't separate easily
enough:
Firstly, there's a new handling for socket EOF, in which ssh.c sets an
'input_eof' flag in the BPP, and that responds by checking a flag that
tells it whether to report the EOF as an error or not. (This is the
main reason for those new BPP_READ / BPP_WAITFOR macros - they can
check the EOF flag every time the coroutine is resumed.)
Secondly, the error reporting itself is changed around again. I'd
expected to put some data fields in the public PacketProtocolLayer
structure that it could set to report errors in the same way as the
BPPs have been doing, but in the end, I decided propagating all those
data fields around was a pain and that even the BPPs shouldn't have
been doing it that way. So I've reverted to a system where everything
calls back to functions in ssh.c itself to report any connection-
ending condition. But there's a new family of those functions,
categorising the possible such conditions by semantics, and each one
has a different set of detailed effects (e.g. how rudely to close the
network connection, what exit status should be passed back to the
whole application, whether to send a disconnect message and/or display
a GUI error box).
I don't expect this to be immediately perfect: of course, the code has
been through a big upheaval, new bugs are expected, and I haven't been
able to do a full job of testing (e.g. I haven't tested every auth or
kex method). But I've checked that it _basically_ works - both SSH
protocols, all the different kinds of forwarding channel, more than
one auth method, Windows and Linux, connection sharing - and I think
it's now at the point where the easiest way to find further bugs is to
let it out into the wild and see what users can spot.
2018-09-24 17:28:16 +00:00
|
|
|
} else if (i == KEXLIST_SCCOMP) {
|
Support OpenSSH delayed compression without a rekey.
The problem with OpenSSH delayed compression is that the spec has a
race condition. Compression is enabled when the server sends
USERAUTH_SUCCESS. In the server->client direction, that's fine: the
USERAUTH_SUCCESS packet is not itself compressed, and the next packet
in the same direction is. But in the client->server direction, this
specification relies on there being a moment of half-duplex in the
connection: the client can't send any outgoing packet _after_ whatever
userauth packet the USERAUTH_SUCCESS was a response to, and _before_
finding out whether the response is USERAUTH_SUCCESS or something
else. If it emitted, say, an SSH_MSG_IGNORE or initiated a rekey
(perhaps due to a timeout), then that might cross in the network with
USERAUTH_SUCCESS and the server wouldn't be able to know whether to
treat it as compressed.
My previous solution was to note the presence of delayed compression
options in the server KEXINIT, but not to negotiate them in the
initial key exchange. Instead, we conduct the userauth exchange with
compression="none", and then once userauth has concluded, we trigger
an immediate rekey in which we do accept delayed compression methods -
because of course by that time they're no different from the non-
delayed versions. And that means compression is enabled by the
bidirectional NEWKEYS exchange, which lacks that race condition.
I think OpenSSH itself gets away with this because its layer structure
is structure so as to never send any such asynchronous transport-layer
message in the middle of userauth. Ours is not. But my cunning plan is
that now that my BPP abstraction includes a queue of packets to be
sent and a callback that processes that queue on to the output raw
data bufchain, it's possible to make that callback terminate early, to
leave any dangerous transport-layer messages unsent while we wait for
a userauth response.
Specifically: if we've negotiated a delayed compression method and not
yet seen USERAUTH_SUCCESS, then ssh2_bpp_handle_output will emit all
packets from its queue up to and including the last one in the
userauth type-code range, and keep back any further ones. The idea is
that _if_ that last userauth message was one that might provoke
USERAUTH_SUCCESS, we don't want to send any difficult things after it;
if it's not (e.g. it's in the middle of some ongoing userauth process
like k-i or GSS) then the userauth layer will know that, and will emit
some further userauth packet on its own initiative which will clue us
in that it's OK to release everything up to and including that one.
(So in particular it wasn't even necessary to forbid _all_ transport-
layer packets during userauth. I could have done that by reordering
the output queue - packets in that queue haven't been assigned their
sequence numbers yet, so that would have been safe - but it's more
elegant not to have to.)
One particular case we do have to be careful about is not trying to
initiate a _rekey_ during userauth, if delayed compression is in the
offing. That's because when we start rekeying, ssh2transport stops
sending any higher-layer packets at all, to discourage servers from
trying to ignore the KEXINIT and press on regardless - you don't get
your higher-layer replies until you actually respond to the
lower-layer interrupt. But in this case, if ssh2transport sent a
KEXINIT, which ssh2bpp kept back in the queue to avoid a delayed
compression race and would only send if another userauth packet
followed it, which ssh2transport would never pass on to ssh2bpp's
output queue, there'd be a complete protocol deadlock. So instead I
defer any attempt to start a rekey until after userauth finishes
(using the existing system for starting a deferred rekey at that
moment, which was previously used for the _old_ delayed-compression
strategy, and still has to be here anyway for GSSAPI purposes).
2018-10-07 08:10:14 +00:00
|
|
|
s->in.comp = alg->u.comp.comp;
|
|
|
|
|
s->in.comp_delayed = alg->u.comp.delayed;
|
Move most of ssh.c out into separate source files.
I've tried to separate out as many individually coherent changes from
this work as I could into their own commits, but here's where I run
out and have to commit the rest of this major refactoring as a
big-bang change.
Most of ssh.c is now no longer in ssh.c: all five of the main
coroutines that handle layers of the SSH-1 and SSH-2 protocols now
each have their own source file to live in, and a lot of the
supporting functions have moved into the appropriate one of those too.
The new abstraction is a vtable called 'PacketProtocolLayer', which
has an input and output packet queue. Each layer's main coroutine is
invoked from the method ssh_ppl_process_queue(), which is usually
(though not exclusively) triggered automatically when things are
pushed on the input queue. In SSH-2, the base layer is the transport
protocol, and it contains a pair of subsidiary queues by which it
passes some of its packets to the higher SSH-2 layers - first userauth
and then connection, which are peers at the same level, with the
former abdicating in favour of the latter at the appropriate moment.
SSH-1 is simpler: the whole login phase of the protocol (crypto setup
and authentication) is all in one module, and since SSH-1 has no
repeat key exchange, that setup layer abdicates in favour of the
connection phase when it's done.
ssh.c itself is now about a tenth of its old size (which all by itself
is cause for celebration!). Its main job is to set up all the layers,
hook them up to each other and to the BPP, and to funnel data back and
forth between that collection of modules and external things such as
the network and the terminal. Once it's set up a collection of packet
protocol layers, it communicates with them partly by calling methods
of the base layer (and if that's ssh2transport then it will delegate
some functionality to the corresponding methods of its higher layer),
and partly by talking directly to the connection layer no matter where
it is in the stack by means of the separate ConnectionLayer vtable
which I introduced in commit 8001dd4cb, and to which I've now added
quite a few extra methods replacing services that used to be internal
function calls within ssh.c.
(One effect of this is that the SSH-1 and SSH-2 channel storage is now
no longer shared - there are distinct struct types ssh1_channel and
ssh2_channel. That means a bit more code duplication, but on the plus
side, a lot fewer confusing conditionals in the middle of half-shared
functions, and less risk of a piece of SSH-1 escaping into SSH-2 or
vice versa, which I remember has happened at least once in the past.)
The bulk of this commit introduces the five new source files, their
common header sshppl.h and some shared supporting routines in
sshcommon.c, and rewrites nearly all of ssh.c itself. But it also
includes a couple of other changes that I couldn't separate easily
enough:
Firstly, there's a new handling for socket EOF, in which ssh.c sets an
'input_eof' flag in the BPP, and that responds by checking a flag that
tells it whether to report the EOF as an error or not. (This is the
main reason for those new BPP_READ / BPP_WAITFOR macros - they can
check the EOF flag every time the coroutine is resumed.)
Secondly, the error reporting itself is changed around again. I'd
expected to put some data fields in the public PacketProtocolLayer
structure that it could set to report errors in the same way as the
BPPs have been doing, but in the end, I decided propagating all those
data fields around was a pain and that even the BPPs shouldn't have
been doing it that way. So I've reverted to a system where everything
calls back to functions in ssh.c itself to report any connection-
ending condition. But there's a new family of those functions,
categorising the possible such conditions by semantics, and each one
has a different set of detailed effects (e.g. how rudely to close the
network connection, what exit status should be passed back to the
whole application, whether to send a disconnect message and/or display
a GUI error box).
I don't expect this to be immediately perfect: of course, the code has
been through a big upheaval, new bugs are expected, and I haven't been
able to do a full job of testing (e.g. I haven't tested every auth or
kex method). But I've checked that it _basically_ works - both SSH
protocols, all the different kinds of forwarding channel, more than
one auth method, Windows and Linux, connection sharing - and I think
it's now at the point where the easiest way to find further bugs is to
let it out into the wild and see what users can spot.
2018-09-24 17:28:16 +00:00
|
|
|
}
|
|
|
|
|
goto matched;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
ssh_sw_abort(s->ppl.ssh, "Couldn't agree a %s (available: %.*s)",
|
|
|
|
|
kexlist_descr[i], PTRLEN_PRINTF(str));
|
|
|
|
|
return;
|
|
|
|
|
matched:;
|
|
|
|
|
|
|
|
|
|
if (i == KEXLIST_HOSTKEY &&
|
|
|
|
|
!s->gss_kex_used &&
|
|
|
|
|
s->kex_alg->main_type != KEXTYPE_GSS) {
|
|
|
|
|
int j;
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* In addition to deciding which host key we're
|
|
|
|
|
* actually going to use, we should make a list of the
|
|
|
|
|
* host keys offered by the server which we _don't_
|
|
|
|
|
* have cached. These will be offered as cross-
|
|
|
|
|
* certification options by ssh_get_specials.
|
|
|
|
|
*
|
|
|
|
|
* We also count the key we're currently using for KEX
|
|
|
|
|
* as one we've already got, because by the time this
|
|
|
|
|
* menu becomes visible, it will be.
|
|
|
|
|
*/
|
|
|
|
|
s->n_uncert_hostkeys = 0;
|
|
|
|
|
|
|
|
|
|
for (j = 0; j < lenof(hostkey_algs); j++) {
|
|
|
|
|
if (hostkey_algs[j].alg != s->hostkey_alg &&
|
|
|
|
|
in_commasep_string(hostkey_algs[j].alg->ssh_id,
|
|
|
|
|
str.ptr, str.len) &&
|
|
|
|
|
!have_ssh_host_key(s->savedhost, s->savedport,
|
|
|
|
|
hostkey_algs[j].alg->cache_id)) {
|
|
|
|
|
s->uncert_hostkeys[s->n_uncert_hostkeys++] = j;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
get_string(pktin); /* client->server language */
|
|
|
|
|
get_string(pktin); /* server->client language */
|
|
|
|
|
s->ignorepkt = get_bool(pktin) && !s->guessok;
|
|
|
|
|
|
|
|
|
|
s->exhash = ssh_hash_new(s->kex_alg->hash);
|
|
|
|
|
put_stringz(s->exhash, s->client_greeting);
|
|
|
|
|
put_stringz(s->exhash, s->server_greeting);
|
|
|
|
|
put_string(s->exhash, s->our_kexinit, s->our_kexinitlen);
|
|
|
|
|
sfree(s->our_kexinit);
|
|
|
|
|
/* Include the type byte in the hash of server's KEXINIT */
|
|
|
|
|
put_string(s->exhash,
|
|
|
|
|
(const char *)BinarySource_UPCAST(pktin)->data - 1,
|
|
|
|
|
BinarySource_UPCAST(pktin)->len + 1);
|
|
|
|
|
|
|
|
|
|
if (s->warn_kex) {
|
New abstraction 'Seat', to pass to backends.
This is a new vtable-based abstraction which is passed to a backend in
place of Frontend, and it implements only the subset of the Frontend
functions needed by a backend. (Many other Frontend functions still
exist, notably the wide range of things called by terminal.c providing
platform-independent operations on the GUI terminal window.)
The purpose of making it a vtable is that this opens up the
possibility of creating a backend as an internal implementation detail
of some other activity, by providing just that one backend with a
custom Seat that implements the methods differently.
For example, this refactoring should make it feasible to directly
implement an SSH proxy type, aka the 'jump host' feature supported by
OpenSSH, aka 'open a secondary SSH session in MAINCHAN_DIRECT_TCP
mode, and then expose the main channel of that as the Socket for the
primary connection'. (Which of course you can already do by spawning
'plink -nc' as a separate proxy process, but this would permit it in
the _same_ process without anything getting confused.)
I've centralised a full set of stub methods in misc.c for the new
abstraction, which allows me to get rid of several annoying stubs in
the previous code. Also, while I'm here, I've moved a lot of
duplicated modalfatalbox() type functions from application main
program files into wincons.c / uxcons.c, which I think saves
duplication overall. (A minor visible effect is that the prefixes on
those console-based fatal error messages will now be more consistent
between applications.)
2018-10-11 18:58:42 +00:00
|
|
|
s->dlgret = seat_confirm_weak_crypto_primitive(
|
|
|
|
|
s->ppl.seat, "key-exchange algorithm", s->kex_alg->name,
|
|
|
|
|
ssh2_transport_dialog_callback, s);
|
Move most of ssh.c out into separate source files.
I've tried to separate out as many individually coherent changes from
this work as I could into their own commits, but here's where I run
out and have to commit the rest of this major refactoring as a
big-bang change.
Most of ssh.c is now no longer in ssh.c: all five of the main
coroutines that handle layers of the SSH-1 and SSH-2 protocols now
each have their own source file to live in, and a lot of the
supporting functions have moved into the appropriate one of those too.
The new abstraction is a vtable called 'PacketProtocolLayer', which
has an input and output packet queue. Each layer's main coroutine is
invoked from the method ssh_ppl_process_queue(), which is usually
(though not exclusively) triggered automatically when things are
pushed on the input queue. In SSH-2, the base layer is the transport
protocol, and it contains a pair of subsidiary queues by which it
passes some of its packets to the higher SSH-2 layers - first userauth
and then connection, which are peers at the same level, with the
former abdicating in favour of the latter at the appropriate moment.
SSH-1 is simpler: the whole login phase of the protocol (crypto setup
and authentication) is all in one module, and since SSH-1 has no
repeat key exchange, that setup layer abdicates in favour of the
connection phase when it's done.
ssh.c itself is now about a tenth of its old size (which all by itself
is cause for celebration!). Its main job is to set up all the layers,
hook them up to each other and to the BPP, and to funnel data back and
forth between that collection of modules and external things such as
the network and the terminal. Once it's set up a collection of packet
protocol layers, it communicates with them partly by calling methods
of the base layer (and if that's ssh2transport then it will delegate
some functionality to the corresponding methods of its higher layer),
and partly by talking directly to the connection layer no matter where
it is in the stack by means of the separate ConnectionLayer vtable
which I introduced in commit 8001dd4cb, and to which I've now added
quite a few extra methods replacing services that used to be internal
function calls within ssh.c.
(One effect of this is that the SSH-1 and SSH-2 channel storage is now
no longer shared - there are distinct struct types ssh1_channel and
ssh2_channel. That means a bit more code duplication, but on the plus
side, a lot fewer confusing conditionals in the middle of half-shared
functions, and less risk of a piece of SSH-1 escaping into SSH-2 or
vice versa, which I remember has happened at least once in the past.)
The bulk of this commit introduces the five new source files, their
common header sshppl.h and some shared supporting routines in
sshcommon.c, and rewrites nearly all of ssh.c itself. But it also
includes a couple of other changes that I couldn't separate easily
enough:
Firstly, there's a new handling for socket EOF, in which ssh.c sets an
'input_eof' flag in the BPP, and that responds by checking a flag that
tells it whether to report the EOF as an error or not. (This is the
main reason for those new BPP_READ / BPP_WAITFOR macros - they can
check the EOF flag every time the coroutine is resumed.)
Secondly, the error reporting itself is changed around again. I'd
expected to put some data fields in the public PacketProtocolLayer
structure that it could set to report errors in the same way as the
BPPs have been doing, but in the end, I decided propagating all those
data fields around was a pain and that even the BPPs shouldn't have
been doing it that way. So I've reverted to a system where everything
calls back to functions in ssh.c itself to report any connection-
ending condition. But there's a new family of those functions,
categorising the possible such conditions by semantics, and each one
has a different set of detailed effects (e.g. how rudely to close the
network connection, what exit status should be passed back to the
whole application, whether to send a disconnect message and/or display
a GUI error box).
I don't expect this to be immediately perfect: of course, the code has
been through a big upheaval, new bugs are expected, and I haven't been
able to do a full job of testing (e.g. I haven't tested every auth or
kex method). But I've checked that it _basically_ works - both SSH
protocols, all the different kinds of forwarding channel, more than
one auth method, Windows and Linux, connection sharing - and I think
it's now at the point where the easiest way to find further bugs is to
let it out into the wild and see what users can spot.
2018-09-24 17:28:16 +00:00
|
|
|
crMaybeWaitUntilV(s->dlgret >= 0);
|
|
|
|
|
if (s->dlgret == 0) {
|
|
|
|
|
ssh_user_close(s->ppl.ssh, "User aborted at kex warning");
|
|
|
|
|
return;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (s->warn_hk) {
|
|
|
|
|
int j, k;
|
|
|
|
|
char *betteralgs;
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Change warning box wording depending on why we chose a
|
|
|
|
|
* warning-level host key algorithm. If it's because
|
New abstraction 'Seat', to pass to backends.
This is a new vtable-based abstraction which is passed to a backend in
place of Frontend, and it implements only the subset of the Frontend
functions needed by a backend. (Many other Frontend functions still
exist, notably the wide range of things called by terminal.c providing
platform-independent operations on the GUI terminal window.)
The purpose of making it a vtable is that this opens up the
possibility of creating a backend as an internal implementation detail
of some other activity, by providing just that one backend with a
custom Seat that implements the methods differently.
For example, this refactoring should make it feasible to directly
implement an SSH proxy type, aka the 'jump host' feature supported by
OpenSSH, aka 'open a secondary SSH session in MAINCHAN_DIRECT_TCP
mode, and then expose the main channel of that as the Socket for the
primary connection'. (Which of course you can already do by spawning
'plink -nc' as a separate proxy process, but this would permit it in
the _same_ process without anything getting confused.)
I've centralised a full set of stub methods in misc.c for the new
abstraction, which allows me to get rid of several annoying stubs in
the previous code. Also, while I'm here, I've moved a lot of
duplicated modalfatalbox() type functions from application main
program files into wincons.c / uxcons.c, which I think saves
duplication overall. (A minor visible effect is that the prefixes on
those console-based fatal error messages will now be more consistent
between applications.)
2018-10-11 18:58:42 +00:00
|
|
|
* that's all we have *cached*, list the host keys we
|
|
|
|
|
* could usefully cross-certify. Otherwise, use the same
|
|
|
|
|
* standard wording as any other weak crypto primitive.
|
Move most of ssh.c out into separate source files.
I've tried to separate out as many individually coherent changes from
this work as I could into their own commits, but here's where I run
out and have to commit the rest of this major refactoring as a
big-bang change.
Most of ssh.c is now no longer in ssh.c: all five of the main
coroutines that handle layers of the SSH-1 and SSH-2 protocols now
each have their own source file to live in, and a lot of the
supporting functions have moved into the appropriate one of those too.
The new abstraction is a vtable called 'PacketProtocolLayer', which
has an input and output packet queue. Each layer's main coroutine is
invoked from the method ssh_ppl_process_queue(), which is usually
(though not exclusively) triggered automatically when things are
pushed on the input queue. In SSH-2, the base layer is the transport
protocol, and it contains a pair of subsidiary queues by which it
passes some of its packets to the higher SSH-2 layers - first userauth
and then connection, which are peers at the same level, with the
former abdicating in favour of the latter at the appropriate moment.
SSH-1 is simpler: the whole login phase of the protocol (crypto setup
and authentication) is all in one module, and since SSH-1 has no
repeat key exchange, that setup layer abdicates in favour of the
connection phase when it's done.
ssh.c itself is now about a tenth of its old size (which all by itself
is cause for celebration!). Its main job is to set up all the layers,
hook them up to each other and to the BPP, and to funnel data back and
forth between that collection of modules and external things such as
the network and the terminal. Once it's set up a collection of packet
protocol layers, it communicates with them partly by calling methods
of the base layer (and if that's ssh2transport then it will delegate
some functionality to the corresponding methods of its higher layer),
and partly by talking directly to the connection layer no matter where
it is in the stack by means of the separate ConnectionLayer vtable
which I introduced in commit 8001dd4cb, and to which I've now added
quite a few extra methods replacing services that used to be internal
function calls within ssh.c.
(One effect of this is that the SSH-1 and SSH-2 channel storage is now
no longer shared - there are distinct struct types ssh1_channel and
ssh2_channel. That means a bit more code duplication, but on the plus
side, a lot fewer confusing conditionals in the middle of half-shared
functions, and less risk of a piece of SSH-1 escaping into SSH-2 or
vice versa, which I remember has happened at least once in the past.)
The bulk of this commit introduces the five new source files, their
common header sshppl.h and some shared supporting routines in
sshcommon.c, and rewrites nearly all of ssh.c itself. But it also
includes a couple of other changes that I couldn't separate easily
enough:
Firstly, there's a new handling for socket EOF, in which ssh.c sets an
'input_eof' flag in the BPP, and that responds by checking a flag that
tells it whether to report the EOF as an error or not. (This is the
main reason for those new BPP_READ / BPP_WAITFOR macros - they can
check the EOF flag every time the coroutine is resumed.)
Secondly, the error reporting itself is changed around again. I'd
expected to put some data fields in the public PacketProtocolLayer
structure that it could set to report errors in the same way as the
BPPs have been doing, but in the end, I decided propagating all those
data fields around was a pain and that even the BPPs shouldn't have
been doing it that way. So I've reverted to a system where everything
calls back to functions in ssh.c itself to report any connection-
ending condition. But there's a new family of those functions,
categorising the possible such conditions by semantics, and each one
has a different set of detailed effects (e.g. how rudely to close the
network connection, what exit status should be passed back to the
whole application, whether to send a disconnect message and/or display
a GUI error box).
I don't expect this to be immediately perfect: of course, the code has
been through a big upheaval, new bugs are expected, and I haven't been
able to do a full job of testing (e.g. I haven't tested every auth or
kex method). But I've checked that it _basically_ works - both SSH
protocols, all the different kinds of forwarding channel, more than
one auth method, Windows and Linux, connection sharing - and I think
it's now at the point where the easiest way to find further bugs is to
let it out into the wild and see what users can spot.
2018-09-24 17:28:16 +00:00
|
|
|
*/
|
|
|
|
|
betteralgs = NULL;
|
|
|
|
|
for (j = 0; j < s->n_uncert_hostkeys; j++) {
|
|
|
|
|
const struct ssh_signkey_with_user_pref_id *hktype =
|
|
|
|
|
&hostkey_algs[s->uncert_hostkeys[j]];
|
|
|
|
|
int better = FALSE;
|
|
|
|
|
for (k = 0; k < HK_MAX; k++) {
|
|
|
|
|
int id = conf_get_int_int(s->conf, CONF_ssh_hklist, k);
|
|
|
|
|
if (id == HK_WARN) {
|
|
|
|
|
break;
|
|
|
|
|
} else if (id == hktype->id) {
|
|
|
|
|
better = TRUE;
|
|
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
if (better) {
|
|
|
|
|
if (betteralgs) {
|
|
|
|
|
char *old_ba = betteralgs;
|
|
|
|
|
betteralgs = dupcat(betteralgs, ",",
|
|
|
|
|
hktype->alg->ssh_id,
|
|
|
|
|
(const char *)NULL);
|
|
|
|
|
sfree(old_ba);
|
|
|
|
|
} else {
|
|
|
|
|
betteralgs = dupstr(hktype->alg->ssh_id);
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
if (betteralgs) {
|
New abstraction 'Seat', to pass to backends.
This is a new vtable-based abstraction which is passed to a backend in
place of Frontend, and it implements only the subset of the Frontend
functions needed by a backend. (Many other Frontend functions still
exist, notably the wide range of things called by terminal.c providing
platform-independent operations on the GUI terminal window.)
The purpose of making it a vtable is that this opens up the
possibility of creating a backend as an internal implementation detail
of some other activity, by providing just that one backend with a
custom Seat that implements the methods differently.
For example, this refactoring should make it feasible to directly
implement an SSH proxy type, aka the 'jump host' feature supported by
OpenSSH, aka 'open a secondary SSH session in MAINCHAN_DIRECT_TCP
mode, and then expose the main channel of that as the Socket for the
primary connection'. (Which of course you can already do by spawning
'plink -nc' as a separate proxy process, but this would permit it in
the _same_ process without anything getting confused.)
I've centralised a full set of stub methods in misc.c for the new
abstraction, which allows me to get rid of several annoying stubs in
the previous code. Also, while I'm here, I've moved a lot of
duplicated modalfatalbox() type functions from application main
program files into wincons.c / uxcons.c, which I think saves
duplication overall. (A minor visible effect is that the prefixes on
those console-based fatal error messages will now be more consistent
between applications.)
2018-10-11 18:58:42 +00:00
|
|
|
/* Use the special warning prompt that lets us provide
|
|
|
|
|
* a list of better algorithms */
|
|
|
|
|
s->dlgret = seat_confirm_weak_cached_hostkey(
|
|
|
|
|
s->ppl.seat, s->hostkey_alg->ssh_id, betteralgs,
|
Move most of ssh.c out into separate source files.
I've tried to separate out as many individually coherent changes from
this work as I could into their own commits, but here's where I run
out and have to commit the rest of this major refactoring as a
big-bang change.
Most of ssh.c is now no longer in ssh.c: all five of the main
coroutines that handle layers of the SSH-1 and SSH-2 protocols now
each have their own source file to live in, and a lot of the
supporting functions have moved into the appropriate one of those too.
The new abstraction is a vtable called 'PacketProtocolLayer', which
has an input and output packet queue. Each layer's main coroutine is
invoked from the method ssh_ppl_process_queue(), which is usually
(though not exclusively) triggered automatically when things are
pushed on the input queue. In SSH-2, the base layer is the transport
protocol, and it contains a pair of subsidiary queues by which it
passes some of its packets to the higher SSH-2 layers - first userauth
and then connection, which are peers at the same level, with the
former abdicating in favour of the latter at the appropriate moment.
SSH-1 is simpler: the whole login phase of the protocol (crypto setup
and authentication) is all in one module, and since SSH-1 has no
repeat key exchange, that setup layer abdicates in favour of the
connection phase when it's done.
ssh.c itself is now about a tenth of its old size (which all by itself
is cause for celebration!). Its main job is to set up all the layers,
hook them up to each other and to the BPP, and to funnel data back and
forth between that collection of modules and external things such as
the network and the terminal. Once it's set up a collection of packet
protocol layers, it communicates with them partly by calling methods
of the base layer (and if that's ssh2transport then it will delegate
some functionality to the corresponding methods of its higher layer),
and partly by talking directly to the connection layer no matter where
it is in the stack by means of the separate ConnectionLayer vtable
which I introduced in commit 8001dd4cb, and to which I've now added
quite a few extra methods replacing services that used to be internal
function calls within ssh.c.
(One effect of this is that the SSH-1 and SSH-2 channel storage is now
no longer shared - there are distinct struct types ssh1_channel and
ssh2_channel. That means a bit more code duplication, but on the plus
side, a lot fewer confusing conditionals in the middle of half-shared
functions, and less risk of a piece of SSH-1 escaping into SSH-2 or
vice versa, which I remember has happened at least once in the past.)
The bulk of this commit introduces the five new source files, their
common header sshppl.h and some shared supporting routines in
sshcommon.c, and rewrites nearly all of ssh.c itself. But it also
includes a couple of other changes that I couldn't separate easily
enough:
Firstly, there's a new handling for socket EOF, in which ssh.c sets an
'input_eof' flag in the BPP, and that responds by checking a flag that
tells it whether to report the EOF as an error or not. (This is the
main reason for those new BPP_READ / BPP_WAITFOR macros - they can
check the EOF flag every time the coroutine is resumed.)
Secondly, the error reporting itself is changed around again. I'd
expected to put some data fields in the public PacketProtocolLayer
structure that it could set to report errors in the same way as the
BPPs have been doing, but in the end, I decided propagating all those
data fields around was a pain and that even the BPPs shouldn't have
been doing it that way. So I've reverted to a system where everything
calls back to functions in ssh.c itself to report any connection-
ending condition. But there's a new family of those functions,
categorising the possible such conditions by semantics, and each one
has a different set of detailed effects (e.g. how rudely to close the
network connection, what exit status should be passed back to the
whole application, whether to send a disconnect message and/or display
a GUI error box).
I don't expect this to be immediately perfect: of course, the code has
been through a big upheaval, new bugs are expected, and I haven't been
able to do a full job of testing (e.g. I haven't tested every auth or
kex method). But I've checked that it _basically_ works - both SSH
protocols, all the different kinds of forwarding channel, more than
one auth method, Windows and Linux, connection sharing - and I think
it's now at the point where the easiest way to find further bugs is to
let it out into the wild and see what users can spot.
2018-09-24 17:28:16 +00:00
|
|
|
ssh2_transport_dialog_callback, s);
|
|
|
|
|
sfree(betteralgs);
|
|
|
|
|
} else {
|
New abstraction 'Seat', to pass to backends.
This is a new vtable-based abstraction which is passed to a backend in
place of Frontend, and it implements only the subset of the Frontend
functions needed by a backend. (Many other Frontend functions still
exist, notably the wide range of things called by terminal.c providing
platform-independent operations on the GUI terminal window.)
The purpose of making it a vtable is that this opens up the
possibility of creating a backend as an internal implementation detail
of some other activity, by providing just that one backend with a
custom Seat that implements the methods differently.
For example, this refactoring should make it feasible to directly
implement an SSH proxy type, aka the 'jump host' feature supported by
OpenSSH, aka 'open a secondary SSH session in MAINCHAN_DIRECT_TCP
mode, and then expose the main channel of that as the Socket for the
primary connection'. (Which of course you can already do by spawning
'plink -nc' as a separate proxy process, but this would permit it in
the _same_ process without anything getting confused.)
I've centralised a full set of stub methods in misc.c for the new
abstraction, which allows me to get rid of several annoying stubs in
the previous code. Also, while I'm here, I've moved a lot of
duplicated modalfatalbox() type functions from application main
program files into wincons.c / uxcons.c, which I think saves
duplication overall. (A minor visible effect is that the prefixes on
those console-based fatal error messages will now be more consistent
between applications.)
2018-10-11 18:58:42 +00:00
|
|
|
/* If none exist, use the more general 'weak crypto'
|
|
|
|
|
* warning prompt */
|
|
|
|
|
s->dlgret = seat_confirm_weak_crypto_primitive(
|
|
|
|
|
s->ppl.seat, "host key type", s->hostkey_alg->ssh_id,
|
|
|
|
|
ssh2_transport_dialog_callback, s);
|
Move most of ssh.c out into separate source files.
I've tried to separate out as many individually coherent changes from
this work as I could into their own commits, but here's where I run
out and have to commit the rest of this major refactoring as a
big-bang change.
Most of ssh.c is now no longer in ssh.c: all five of the main
coroutines that handle layers of the SSH-1 and SSH-2 protocols now
each have their own source file to live in, and a lot of the
supporting functions have moved into the appropriate one of those too.
The new abstraction is a vtable called 'PacketProtocolLayer', which
has an input and output packet queue. Each layer's main coroutine is
invoked from the method ssh_ppl_process_queue(), which is usually
(though not exclusively) triggered automatically when things are
pushed on the input queue. In SSH-2, the base layer is the transport
protocol, and it contains a pair of subsidiary queues by which it
passes some of its packets to the higher SSH-2 layers - first userauth
and then connection, which are peers at the same level, with the
former abdicating in favour of the latter at the appropriate moment.
SSH-1 is simpler: the whole login phase of the protocol (crypto setup
and authentication) is all in one module, and since SSH-1 has no
repeat key exchange, that setup layer abdicates in favour of the
connection phase when it's done.
ssh.c itself is now about a tenth of its old size (which all by itself
is cause for celebration!). Its main job is to set up all the layers,
hook them up to each other and to the BPP, and to funnel data back and
forth between that collection of modules and external things such as
the network and the terminal. Once it's set up a collection of packet
protocol layers, it communicates with them partly by calling methods
of the base layer (and if that's ssh2transport then it will delegate
some functionality to the corresponding methods of its higher layer),
and partly by talking directly to the connection layer no matter where
it is in the stack by means of the separate ConnectionLayer vtable
which I introduced in commit 8001dd4cb, and to which I've now added
quite a few extra methods replacing services that used to be internal
function calls within ssh.c.
(One effect of this is that the SSH-1 and SSH-2 channel storage is now
no longer shared - there are distinct struct types ssh1_channel and
ssh2_channel. That means a bit more code duplication, but on the plus
side, a lot fewer confusing conditionals in the middle of half-shared
functions, and less risk of a piece of SSH-1 escaping into SSH-2 or
vice versa, which I remember has happened at least once in the past.)
The bulk of this commit introduces the five new source files, their
common header sshppl.h and some shared supporting routines in
sshcommon.c, and rewrites nearly all of ssh.c itself. But it also
includes a couple of other changes that I couldn't separate easily
enough:
Firstly, there's a new handling for socket EOF, in which ssh.c sets an
'input_eof' flag in the BPP, and that responds by checking a flag that
tells it whether to report the EOF as an error or not. (This is the
main reason for those new BPP_READ / BPP_WAITFOR macros - they can
check the EOF flag every time the coroutine is resumed.)
Secondly, the error reporting itself is changed around again. I'd
expected to put some data fields in the public PacketProtocolLayer
structure that it could set to report errors in the same way as the
BPPs have been doing, but in the end, I decided propagating all those
data fields around was a pain and that even the BPPs shouldn't have
been doing it that way. So I've reverted to a system where everything
calls back to functions in ssh.c itself to report any connection-
ending condition. But there's a new family of those functions,
categorising the possible such conditions by semantics, and each one
has a different set of detailed effects (e.g. how rudely to close the
network connection, what exit status should be passed back to the
whole application, whether to send a disconnect message and/or display
a GUI error box).
I don't expect this to be immediately perfect: of course, the code has
been through a big upheaval, new bugs are expected, and I haven't been
able to do a full job of testing (e.g. I haven't tested every auth or
kex method). But I've checked that it _basically_ works - both SSH
protocols, all the different kinds of forwarding channel, more than
one auth method, Windows and Linux, connection sharing - and I think
it's now at the point where the easiest way to find further bugs is to
let it out into the wild and see what users can spot.
2018-09-24 17:28:16 +00:00
|
|
|
}
|
|
|
|
|
crMaybeWaitUntilV(s->dlgret >= 0);
|
|
|
|
|
if (s->dlgret == 0) {
|
|
|
|
|
ssh_user_close(s->ppl.ssh, "User aborted at host key warning");
|
|
|
|
|
return;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (s->warn_cscipher) {
|
New abstraction 'Seat', to pass to backends.
This is a new vtable-based abstraction which is passed to a backend in
place of Frontend, and it implements only the subset of the Frontend
functions needed by a backend. (Many other Frontend functions still
exist, notably the wide range of things called by terminal.c providing
platform-independent operations on the GUI terminal window.)
The purpose of making it a vtable is that this opens up the
possibility of creating a backend as an internal implementation detail
of some other activity, by providing just that one backend with a
custom Seat that implements the methods differently.
For example, this refactoring should make it feasible to directly
implement an SSH proxy type, aka the 'jump host' feature supported by
OpenSSH, aka 'open a secondary SSH session in MAINCHAN_DIRECT_TCP
mode, and then expose the main channel of that as the Socket for the
primary connection'. (Which of course you can already do by spawning
'plink -nc' as a separate proxy process, but this would permit it in
the _same_ process without anything getting confused.)
I've centralised a full set of stub methods in misc.c for the new
abstraction, which allows me to get rid of several annoying stubs in
the previous code. Also, while I'm here, I've moved a lot of
duplicated modalfatalbox() type functions from application main
program files into wincons.c / uxcons.c, which I think saves
duplication overall. (A minor visible effect is that the prefixes on
those console-based fatal error messages will now be more consistent
between applications.)
2018-10-11 18:58:42 +00:00
|
|
|
s->dlgret = seat_confirm_weak_crypto_primitive(
|
|
|
|
|
s->ppl.seat, "client-to-server cipher", s->out.cipher->name,
|
|
|
|
|
ssh2_transport_dialog_callback, s);
|
Move most of ssh.c out into separate source files.
I've tried to separate out as many individually coherent changes from
this work as I could into their own commits, but here's where I run
out and have to commit the rest of this major refactoring as a
big-bang change.
Most of ssh.c is now no longer in ssh.c: all five of the main
coroutines that handle layers of the SSH-1 and SSH-2 protocols now
each have their own source file to live in, and a lot of the
supporting functions have moved into the appropriate one of those too.
The new abstraction is a vtable called 'PacketProtocolLayer', which
has an input and output packet queue. Each layer's main coroutine is
invoked from the method ssh_ppl_process_queue(), which is usually
(though not exclusively) triggered automatically when things are
pushed on the input queue. In SSH-2, the base layer is the transport
protocol, and it contains a pair of subsidiary queues by which it
passes some of its packets to the higher SSH-2 layers - first userauth
and then connection, which are peers at the same level, with the
former abdicating in favour of the latter at the appropriate moment.
SSH-1 is simpler: the whole login phase of the protocol (crypto setup
and authentication) is all in one module, and since SSH-1 has no
repeat key exchange, that setup layer abdicates in favour of the
connection phase when it's done.
ssh.c itself is now about a tenth of its old size (which all by itself
is cause for celebration!). Its main job is to set up all the layers,
hook them up to each other and to the BPP, and to funnel data back and
forth between that collection of modules and external things such as
the network and the terminal. Once it's set up a collection of packet
protocol layers, it communicates with them partly by calling methods
of the base layer (and if that's ssh2transport then it will delegate
some functionality to the corresponding methods of its higher layer),
and partly by talking directly to the connection layer no matter where
it is in the stack by means of the separate ConnectionLayer vtable
which I introduced in commit 8001dd4cb, and to which I've now added
quite a few extra methods replacing services that used to be internal
function calls within ssh.c.
(One effect of this is that the SSH-1 and SSH-2 channel storage is now
no longer shared - there are distinct struct types ssh1_channel and
ssh2_channel. That means a bit more code duplication, but on the plus
side, a lot fewer confusing conditionals in the middle of half-shared
functions, and less risk of a piece of SSH-1 escaping into SSH-2 or
vice versa, which I remember has happened at least once in the past.)
The bulk of this commit introduces the five new source files, their
common header sshppl.h and some shared supporting routines in
sshcommon.c, and rewrites nearly all of ssh.c itself. But it also
includes a couple of other changes that I couldn't separate easily
enough:
Firstly, there's a new handling for socket EOF, in which ssh.c sets an
'input_eof' flag in the BPP, and that responds by checking a flag that
tells it whether to report the EOF as an error or not. (This is the
main reason for those new BPP_READ / BPP_WAITFOR macros - they can
check the EOF flag every time the coroutine is resumed.)
Secondly, the error reporting itself is changed around again. I'd
expected to put some data fields in the public PacketProtocolLayer
structure that it could set to report errors in the same way as the
BPPs have been doing, but in the end, I decided propagating all those
data fields around was a pain and that even the BPPs shouldn't have
been doing it that way. So I've reverted to a system where everything
calls back to functions in ssh.c itself to report any connection-
ending condition. But there's a new family of those functions,
categorising the possible such conditions by semantics, and each one
has a different set of detailed effects (e.g. how rudely to close the
network connection, what exit status should be passed back to the
whole application, whether to send a disconnect message and/or display
a GUI error box).
I don't expect this to be immediately perfect: of course, the code has
been through a big upheaval, new bugs are expected, and I haven't been
able to do a full job of testing (e.g. I haven't tested every auth or
kex method). But I've checked that it _basically_ works - both SSH
protocols, all the different kinds of forwarding channel, more than
one auth method, Windows and Linux, connection sharing - and I think
it's now at the point where the easiest way to find further bugs is to
let it out into the wild and see what users can spot.
2018-09-24 17:28:16 +00:00
|
|
|
crMaybeWaitUntilV(s->dlgret >= 0);
|
|
|
|
|
if (s->dlgret == 0) {
|
|
|
|
|
ssh_user_close(s->ppl.ssh, "User aborted at cipher warning");
|
|
|
|
|
return;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (s->warn_sccipher) {
|
New abstraction 'Seat', to pass to backends.
This is a new vtable-based abstraction which is passed to a backend in
place of Frontend, and it implements only the subset of the Frontend
functions needed by a backend. (Many other Frontend functions still
exist, notably the wide range of things called by terminal.c providing
platform-independent operations on the GUI terminal window.)
The purpose of making it a vtable is that this opens up the
possibility of creating a backend as an internal implementation detail
of some other activity, by providing just that one backend with a
custom Seat that implements the methods differently.
For example, this refactoring should make it feasible to directly
implement an SSH proxy type, aka the 'jump host' feature supported by
OpenSSH, aka 'open a secondary SSH session in MAINCHAN_DIRECT_TCP
mode, and then expose the main channel of that as the Socket for the
primary connection'. (Which of course you can already do by spawning
'plink -nc' as a separate proxy process, but this would permit it in
the _same_ process without anything getting confused.)
I've centralised a full set of stub methods in misc.c for the new
abstraction, which allows me to get rid of several annoying stubs in
the previous code. Also, while I'm here, I've moved a lot of
duplicated modalfatalbox() type functions from application main
program files into wincons.c / uxcons.c, which I think saves
duplication overall. (A minor visible effect is that the prefixes on
those console-based fatal error messages will now be more consistent
between applications.)
2018-10-11 18:58:42 +00:00
|
|
|
s->dlgret = seat_confirm_weak_crypto_primitive(
|
|
|
|
|
s->ppl.seat, "server-to-client cipher", s->in.cipher->name,
|
|
|
|
|
ssh2_transport_dialog_callback, s);
|
Move most of ssh.c out into separate source files.
I've tried to separate out as many individually coherent changes from
this work as I could into their own commits, but here's where I run
out and have to commit the rest of this major refactoring as a
big-bang change.
Most of ssh.c is now no longer in ssh.c: all five of the main
coroutines that handle layers of the SSH-1 and SSH-2 protocols now
each have their own source file to live in, and a lot of the
supporting functions have moved into the appropriate one of those too.
The new abstraction is a vtable called 'PacketProtocolLayer', which
has an input and output packet queue. Each layer's main coroutine is
invoked from the method ssh_ppl_process_queue(), which is usually
(though not exclusively) triggered automatically when things are
pushed on the input queue. In SSH-2, the base layer is the transport
protocol, and it contains a pair of subsidiary queues by which it
passes some of its packets to the higher SSH-2 layers - first userauth
and then connection, which are peers at the same level, with the
former abdicating in favour of the latter at the appropriate moment.
SSH-1 is simpler: the whole login phase of the protocol (crypto setup
and authentication) is all in one module, and since SSH-1 has no
repeat key exchange, that setup layer abdicates in favour of the
connection phase when it's done.
ssh.c itself is now about a tenth of its old size (which all by itself
is cause for celebration!). Its main job is to set up all the layers,
hook them up to each other and to the BPP, and to funnel data back and
forth between that collection of modules and external things such as
the network and the terminal. Once it's set up a collection of packet
protocol layers, it communicates with them partly by calling methods
of the base layer (and if that's ssh2transport then it will delegate
some functionality to the corresponding methods of its higher layer),
and partly by talking directly to the connection layer no matter where
it is in the stack by means of the separate ConnectionLayer vtable
which I introduced in commit 8001dd4cb, and to which I've now added
quite a few extra methods replacing services that used to be internal
function calls within ssh.c.
(One effect of this is that the SSH-1 and SSH-2 channel storage is now
no longer shared - there are distinct struct types ssh1_channel and
ssh2_channel. That means a bit more code duplication, but on the plus
side, a lot fewer confusing conditionals in the middle of half-shared
functions, and less risk of a piece of SSH-1 escaping into SSH-2 or
vice versa, which I remember has happened at least once in the past.)
The bulk of this commit introduces the five new source files, their
common header sshppl.h and some shared supporting routines in
sshcommon.c, and rewrites nearly all of ssh.c itself. But it also
includes a couple of other changes that I couldn't separate easily
enough:
Firstly, there's a new handling for socket EOF, in which ssh.c sets an
'input_eof' flag in the BPP, and that responds by checking a flag that
tells it whether to report the EOF as an error or not. (This is the
main reason for those new BPP_READ / BPP_WAITFOR macros - they can
check the EOF flag every time the coroutine is resumed.)
Secondly, the error reporting itself is changed around again. I'd
expected to put some data fields in the public PacketProtocolLayer
structure that it could set to report errors in the same way as the
BPPs have been doing, but in the end, I decided propagating all those
data fields around was a pain and that even the BPPs shouldn't have
been doing it that way. So I've reverted to a system where everything
calls back to functions in ssh.c itself to report any connection-
ending condition. But there's a new family of those functions,
categorising the possible such conditions by semantics, and each one
has a different set of detailed effects (e.g. how rudely to close the
network connection, what exit status should be passed back to the
whole application, whether to send a disconnect message and/or display
a GUI error box).
I don't expect this to be immediately perfect: of course, the code has
been through a big upheaval, new bugs are expected, and I haven't been
able to do a full job of testing (e.g. I haven't tested every auth or
kex method). But I've checked that it _basically_ works - both SSH
protocols, all the different kinds of forwarding channel, more than
one auth method, Windows and Linux, connection sharing - and I think
it's now at the point where the easiest way to find further bugs is to
let it out into the wild and see what users can spot.
2018-09-24 17:28:16 +00:00
|
|
|
crMaybeWaitUntilV(s->dlgret >= 0);
|
|
|
|
|
if (s->dlgret == 0) {
|
|
|
|
|
ssh_user_close(s->ppl.ssh, "User aborted at cipher warning");
|
|
|
|
|
return;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (s->ignorepkt) /* first_kex_packet_follows */
|
|
|
|
|
crMaybeWaitUntilV((pktin = ssh2_transport_pop(s)) != NULL);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (s->kex_alg->main_type == KEXTYPE_DH) {
|
|
|
|
|
/*
|
|
|
|
|
* Work out the number of bits of key we will need from the
|
|
|
|
|
* key exchange. We start with the maximum key length of
|
|
|
|
|
* either cipher...
|
|
|
|
|
*/
|
|
|
|
|
{
|
|
|
|
|
int csbits, scbits;
|
|
|
|
|
|
|
|
|
|
csbits = s->out.cipher ? s->out.cipher->real_keybits : 0;
|
|
|
|
|
scbits = s->in.cipher ? s->in.cipher->real_keybits : 0;
|
|
|
|
|
s->nbits = (csbits > scbits ? csbits : scbits);
|
|
|
|
|
}
|
|
|
|
|
/* The keys only have hlen-bit entropy, since they're based on
|
|
|
|
|
* a hash. So cap the key size at hlen bits. */
|
|
|
|
|
if (s->nbits > s->kex_alg->hash->hlen * 8)
|
|
|
|
|
s->nbits = s->kex_alg->hash->hlen * 8;
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* If we're doing Diffie-Hellman group exchange, start by
|
|
|
|
|
* requesting a group.
|
|
|
|
|
*/
|
|
|
|
|
if (dh_is_gex(s->kex_alg)) {
|
|
|
|
|
ppl_logevent(("Doing Diffie-Hellman group exchange"));
|
|
|
|
|
s->ppl.bpp->pls->kctx = SSH2_PKTCTX_DHGEX;
|
|
|
|
|
/*
|
|
|
|
|
* Work out how big a DH group we will need to allow that
|
|
|
|
|
* much data.
|
|
|
|
|
*/
|
|
|
|
|
s->pbits = 512 << ((s->nbits - 1) / 64);
|
|
|
|
|
if (s->pbits < DH_MIN_SIZE)
|
|
|
|
|
s->pbits = DH_MIN_SIZE;
|
|
|
|
|
if (s->pbits > DH_MAX_SIZE)
|
|
|
|
|
s->pbits = DH_MAX_SIZE;
|
|
|
|
|
if ((s->ppl.remote_bugs & BUG_SSH2_OLDGEX)) {
|
|
|
|
|
pktout = ssh_bpp_new_pktout(
|
|
|
|
|
s->ppl.bpp, SSH2_MSG_KEX_DH_GEX_REQUEST_OLD);
|
|
|
|
|
put_uint32(pktout, s->pbits);
|
|
|
|
|
} else {
|
|
|
|
|
pktout = ssh_bpp_new_pktout(
|
|
|
|
|
s->ppl.bpp, SSH2_MSG_KEX_DH_GEX_REQUEST);
|
|
|
|
|
put_uint32(pktout, DH_MIN_SIZE);
|
|
|
|
|
put_uint32(pktout, s->pbits);
|
|
|
|
|
put_uint32(pktout, DH_MAX_SIZE);
|
|
|
|
|
}
|
|
|
|
|
pq_push(s->ppl.out_pq, pktout);
|
|
|
|
|
|
|
|
|
|
crMaybeWaitUntilV((pktin = ssh2_transport_pop(s)) != NULL);
|
|
|
|
|
if (pktin->type != SSH2_MSG_KEX_DH_GEX_GROUP) {
|
|
|
|
|
ssh_proto_error(s->ppl.ssh, "Received unexpected packet when "
|
|
|
|
|
"expecting Diffie-Hellman group, type %d (%s)",
|
|
|
|
|
pktin->type,
|
|
|
|
|
ssh2_pkt_type(s->ppl.bpp->pls->kctx,
|
|
|
|
|
s->ppl.bpp->pls->actx,
|
|
|
|
|
pktin->type));
|
|
|
|
|
return;
|
|
|
|
|
}
|
|
|
|
|
s->p = get_mp_ssh2(pktin);
|
|
|
|
|
s->g = get_mp_ssh2(pktin);
|
|
|
|
|
if (get_err(pktin)) {
|
|
|
|
|
ssh_proto_error(s->ppl.ssh,
|
|
|
|
|
"Unable to parse Diffie-Hellman group packet");
|
|
|
|
|
return;
|
|
|
|
|
}
|
|
|
|
|
s->dh_ctx = dh_setup_gex(s->p, s->g);
|
|
|
|
|
s->kex_init_value = SSH2_MSG_KEX_DH_GEX_INIT;
|
|
|
|
|
s->kex_reply_value = SSH2_MSG_KEX_DH_GEX_REPLY;
|
|
|
|
|
} else {
|
|
|
|
|
s->ppl.bpp->pls->kctx = SSH2_PKTCTX_DHGROUP;
|
|
|
|
|
s->dh_ctx = dh_setup_group(s->kex_alg);
|
|
|
|
|
s->kex_init_value = SSH2_MSG_KEXDH_INIT;
|
|
|
|
|
s->kex_reply_value = SSH2_MSG_KEXDH_REPLY;
|
|
|
|
|
ppl_logevent(("Using Diffie-Hellman with standard group \"%s\"",
|
|
|
|
|
s->kex_alg->groupname));
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
ppl_logevent(("Doing Diffie-Hellman key exchange with hash %s",
|
|
|
|
|
s->kex_alg->hash->text_name));
|
|
|
|
|
/*
|
|
|
|
|
* Now generate and send e for Diffie-Hellman.
|
|
|
|
|
*/
|
New abstraction 'Seat', to pass to backends.
This is a new vtable-based abstraction which is passed to a backend in
place of Frontend, and it implements only the subset of the Frontend
functions needed by a backend. (Many other Frontend functions still
exist, notably the wide range of things called by terminal.c providing
platform-independent operations on the GUI terminal window.)
The purpose of making it a vtable is that this opens up the
possibility of creating a backend as an internal implementation detail
of some other activity, by providing just that one backend with a
custom Seat that implements the methods differently.
For example, this refactoring should make it feasible to directly
implement an SSH proxy type, aka the 'jump host' feature supported by
OpenSSH, aka 'open a secondary SSH session in MAINCHAN_DIRECT_TCP
mode, and then expose the main channel of that as the Socket for the
primary connection'. (Which of course you can already do by spawning
'plink -nc' as a separate proxy process, but this would permit it in
the _same_ process without anything getting confused.)
I've centralised a full set of stub methods in misc.c for the new
abstraction, which allows me to get rid of several annoying stubs in
the previous code. Also, while I'm here, I've moved a lot of
duplicated modalfatalbox() type functions from application main
program files into wincons.c / uxcons.c, which I think saves
duplication overall. (A minor visible effect is that the prefixes on
those console-based fatal error messages will now be more consistent
between applications.)
2018-10-11 18:58:42 +00:00
|
|
|
seat_set_busy_status(s->ppl.seat, BUSY_CPU);
|
Move most of ssh.c out into separate source files.
I've tried to separate out as many individually coherent changes from
this work as I could into their own commits, but here's where I run
out and have to commit the rest of this major refactoring as a
big-bang change.
Most of ssh.c is now no longer in ssh.c: all five of the main
coroutines that handle layers of the SSH-1 and SSH-2 protocols now
each have their own source file to live in, and a lot of the
supporting functions have moved into the appropriate one of those too.
The new abstraction is a vtable called 'PacketProtocolLayer', which
has an input and output packet queue. Each layer's main coroutine is
invoked from the method ssh_ppl_process_queue(), which is usually
(though not exclusively) triggered automatically when things are
pushed on the input queue. In SSH-2, the base layer is the transport
protocol, and it contains a pair of subsidiary queues by which it
passes some of its packets to the higher SSH-2 layers - first userauth
and then connection, which are peers at the same level, with the
former abdicating in favour of the latter at the appropriate moment.
SSH-1 is simpler: the whole login phase of the protocol (crypto setup
and authentication) is all in one module, and since SSH-1 has no
repeat key exchange, that setup layer abdicates in favour of the
connection phase when it's done.
ssh.c itself is now about a tenth of its old size (which all by itself
is cause for celebration!). Its main job is to set up all the layers,
hook them up to each other and to the BPP, and to funnel data back and
forth between that collection of modules and external things such as
the network and the terminal. Once it's set up a collection of packet
protocol layers, it communicates with them partly by calling methods
of the base layer (and if that's ssh2transport then it will delegate
some functionality to the corresponding methods of its higher layer),
and partly by talking directly to the connection layer no matter where
it is in the stack by means of the separate ConnectionLayer vtable
which I introduced in commit 8001dd4cb, and to which I've now added
quite a few extra methods replacing services that used to be internal
function calls within ssh.c.
(One effect of this is that the SSH-1 and SSH-2 channel storage is now
no longer shared - there are distinct struct types ssh1_channel and
ssh2_channel. That means a bit more code duplication, but on the plus
side, a lot fewer confusing conditionals in the middle of half-shared
functions, and less risk of a piece of SSH-1 escaping into SSH-2 or
vice versa, which I remember has happened at least once in the past.)
The bulk of this commit introduces the five new source files, their
common header sshppl.h and some shared supporting routines in
sshcommon.c, and rewrites nearly all of ssh.c itself. But it also
includes a couple of other changes that I couldn't separate easily
enough:
Firstly, there's a new handling for socket EOF, in which ssh.c sets an
'input_eof' flag in the BPP, and that responds by checking a flag that
tells it whether to report the EOF as an error or not. (This is the
main reason for those new BPP_READ / BPP_WAITFOR macros - they can
check the EOF flag every time the coroutine is resumed.)
Secondly, the error reporting itself is changed around again. I'd
expected to put some data fields in the public PacketProtocolLayer
structure that it could set to report errors in the same way as the
BPPs have been doing, but in the end, I decided propagating all those
data fields around was a pain and that even the BPPs shouldn't have
been doing it that way. So I've reverted to a system where everything
calls back to functions in ssh.c itself to report any connection-
ending condition. But there's a new family of those functions,
categorising the possible such conditions by semantics, and each one
has a different set of detailed effects (e.g. how rudely to close the
network connection, what exit status should be passed back to the
whole application, whether to send a disconnect message and/or display
a GUI error box).
I don't expect this to be immediately perfect: of course, the code has
been through a big upheaval, new bugs are expected, and I haven't been
able to do a full job of testing (e.g. I haven't tested every auth or
kex method). But I've checked that it _basically_ works - both SSH
protocols, all the different kinds of forwarding channel, more than
one auth method, Windows and Linux, connection sharing - and I think
it's now at the point where the easiest way to find further bugs is to
let it out into the wild and see what users can spot.
2018-09-24 17:28:16 +00:00
|
|
|
s->e = dh_create_e(s->dh_ctx, s->nbits * 2);
|
|
|
|
|
pktout = ssh_bpp_new_pktout(s->ppl.bpp, s->kex_init_value);
|
|
|
|
|
put_mp_ssh2(pktout, s->e);
|
|
|
|
|
pq_push(s->ppl.out_pq, pktout);
|
|
|
|
|
|
New abstraction 'Seat', to pass to backends.
This is a new vtable-based abstraction which is passed to a backend in
place of Frontend, and it implements only the subset of the Frontend
functions needed by a backend. (Many other Frontend functions still
exist, notably the wide range of things called by terminal.c providing
platform-independent operations on the GUI terminal window.)
The purpose of making it a vtable is that this opens up the
possibility of creating a backend as an internal implementation detail
of some other activity, by providing just that one backend with a
custom Seat that implements the methods differently.
For example, this refactoring should make it feasible to directly
implement an SSH proxy type, aka the 'jump host' feature supported by
OpenSSH, aka 'open a secondary SSH session in MAINCHAN_DIRECT_TCP
mode, and then expose the main channel of that as the Socket for the
primary connection'. (Which of course you can already do by spawning
'plink -nc' as a separate proxy process, but this would permit it in
the _same_ process without anything getting confused.)
I've centralised a full set of stub methods in misc.c for the new
abstraction, which allows me to get rid of several annoying stubs in
the previous code. Also, while I'm here, I've moved a lot of
duplicated modalfatalbox() type functions from application main
program files into wincons.c / uxcons.c, which I think saves
duplication overall. (A minor visible effect is that the prefixes on
those console-based fatal error messages will now be more consistent
between applications.)
2018-10-11 18:58:42 +00:00
|
|
|
seat_set_busy_status(s->ppl.seat, BUSY_WAITING);
|
Move most of ssh.c out into separate source files.
I've tried to separate out as many individually coherent changes from
this work as I could into their own commits, but here's where I run
out and have to commit the rest of this major refactoring as a
big-bang change.
Most of ssh.c is now no longer in ssh.c: all five of the main
coroutines that handle layers of the SSH-1 and SSH-2 protocols now
each have their own source file to live in, and a lot of the
supporting functions have moved into the appropriate one of those too.
The new abstraction is a vtable called 'PacketProtocolLayer', which
has an input and output packet queue. Each layer's main coroutine is
invoked from the method ssh_ppl_process_queue(), which is usually
(though not exclusively) triggered automatically when things are
pushed on the input queue. In SSH-2, the base layer is the transport
protocol, and it contains a pair of subsidiary queues by which it
passes some of its packets to the higher SSH-2 layers - first userauth
and then connection, which are peers at the same level, with the
former abdicating in favour of the latter at the appropriate moment.
SSH-1 is simpler: the whole login phase of the protocol (crypto setup
and authentication) is all in one module, and since SSH-1 has no
repeat key exchange, that setup layer abdicates in favour of the
connection phase when it's done.
ssh.c itself is now about a tenth of its old size (which all by itself
is cause for celebration!). Its main job is to set up all the layers,
hook them up to each other and to the BPP, and to funnel data back and
forth between that collection of modules and external things such as
the network and the terminal. Once it's set up a collection of packet
protocol layers, it communicates with them partly by calling methods
of the base layer (and if that's ssh2transport then it will delegate
some functionality to the corresponding methods of its higher layer),
and partly by talking directly to the connection layer no matter where
it is in the stack by means of the separate ConnectionLayer vtable
which I introduced in commit 8001dd4cb, and to which I've now added
quite a few extra methods replacing services that used to be internal
function calls within ssh.c.
(One effect of this is that the SSH-1 and SSH-2 channel storage is now
no longer shared - there are distinct struct types ssh1_channel and
ssh2_channel. That means a bit more code duplication, but on the plus
side, a lot fewer confusing conditionals in the middle of half-shared
functions, and less risk of a piece of SSH-1 escaping into SSH-2 or
vice versa, which I remember has happened at least once in the past.)
The bulk of this commit introduces the five new source files, their
common header sshppl.h and some shared supporting routines in
sshcommon.c, and rewrites nearly all of ssh.c itself. But it also
includes a couple of other changes that I couldn't separate easily
enough:
Firstly, there's a new handling for socket EOF, in which ssh.c sets an
'input_eof' flag in the BPP, and that responds by checking a flag that
tells it whether to report the EOF as an error or not. (This is the
main reason for those new BPP_READ / BPP_WAITFOR macros - they can
check the EOF flag every time the coroutine is resumed.)
Secondly, the error reporting itself is changed around again. I'd
expected to put some data fields in the public PacketProtocolLayer
structure that it could set to report errors in the same way as the
BPPs have been doing, but in the end, I decided propagating all those
data fields around was a pain and that even the BPPs shouldn't have
been doing it that way. So I've reverted to a system where everything
calls back to functions in ssh.c itself to report any connection-
ending condition. But there's a new family of those functions,
categorising the possible such conditions by semantics, and each one
has a different set of detailed effects (e.g. how rudely to close the
network connection, what exit status should be passed back to the
whole application, whether to send a disconnect message and/or display
a GUI error box).
I don't expect this to be immediately perfect: of course, the code has
been through a big upheaval, new bugs are expected, and I haven't been
able to do a full job of testing (e.g. I haven't tested every auth or
kex method). But I've checked that it _basically_ works - both SSH
protocols, all the different kinds of forwarding channel, more than
one auth method, Windows and Linux, connection sharing - and I think
it's now at the point where the easiest way to find further bugs is to
let it out into the wild and see what users can spot.
2018-09-24 17:28:16 +00:00
|
|
|
crMaybeWaitUntilV((pktin = ssh2_transport_pop(s)) != NULL);
|
|
|
|
|
if (pktin->type != s->kex_reply_value) {
|
|
|
|
|
ssh_proto_error(s->ppl.ssh, "Received unexpected packet when "
|
|
|
|
|
"expecting Diffie-Hellman reply, type %d (%s)",
|
|
|
|
|
pktin->type,
|
|
|
|
|
ssh2_pkt_type(s->ppl.bpp->pls->kctx,
|
|
|
|
|
s->ppl.bpp->pls->actx,
|
|
|
|
|
pktin->type));
|
|
|
|
|
return;
|
|
|
|
|
}
|
New abstraction 'Seat', to pass to backends.
This is a new vtable-based abstraction which is passed to a backend in
place of Frontend, and it implements only the subset of the Frontend
functions needed by a backend. (Many other Frontend functions still
exist, notably the wide range of things called by terminal.c providing
platform-independent operations on the GUI terminal window.)
The purpose of making it a vtable is that this opens up the
possibility of creating a backend as an internal implementation detail
of some other activity, by providing just that one backend with a
custom Seat that implements the methods differently.
For example, this refactoring should make it feasible to directly
implement an SSH proxy type, aka the 'jump host' feature supported by
OpenSSH, aka 'open a secondary SSH session in MAINCHAN_DIRECT_TCP
mode, and then expose the main channel of that as the Socket for the
primary connection'. (Which of course you can already do by spawning
'plink -nc' as a separate proxy process, but this would permit it in
the _same_ process without anything getting confused.)
I've centralised a full set of stub methods in misc.c for the new
abstraction, which allows me to get rid of several annoying stubs in
the previous code. Also, while I'm here, I've moved a lot of
duplicated modalfatalbox() type functions from application main
program files into wincons.c / uxcons.c, which I think saves
duplication overall. (A minor visible effect is that the prefixes on
those console-based fatal error messages will now be more consistent
between applications.)
2018-10-11 18:58:42 +00:00
|
|
|
seat_set_busy_status(s->ppl.seat, BUSY_CPU);
|
Move most of ssh.c out into separate source files.
I've tried to separate out as many individually coherent changes from
this work as I could into their own commits, but here's where I run
out and have to commit the rest of this major refactoring as a
big-bang change.
Most of ssh.c is now no longer in ssh.c: all five of the main
coroutines that handle layers of the SSH-1 and SSH-2 protocols now
each have their own source file to live in, and a lot of the
supporting functions have moved into the appropriate one of those too.
The new abstraction is a vtable called 'PacketProtocolLayer', which
has an input and output packet queue. Each layer's main coroutine is
invoked from the method ssh_ppl_process_queue(), which is usually
(though not exclusively) triggered automatically when things are
pushed on the input queue. In SSH-2, the base layer is the transport
protocol, and it contains a pair of subsidiary queues by which it
passes some of its packets to the higher SSH-2 layers - first userauth
and then connection, which are peers at the same level, with the
former abdicating in favour of the latter at the appropriate moment.
SSH-1 is simpler: the whole login phase of the protocol (crypto setup
and authentication) is all in one module, and since SSH-1 has no
repeat key exchange, that setup layer abdicates in favour of the
connection phase when it's done.
ssh.c itself is now about a tenth of its old size (which all by itself
is cause for celebration!). Its main job is to set up all the layers,
hook them up to each other and to the BPP, and to funnel data back and
forth between that collection of modules and external things such as
the network and the terminal. Once it's set up a collection of packet
protocol layers, it communicates with them partly by calling methods
of the base layer (and if that's ssh2transport then it will delegate
some functionality to the corresponding methods of its higher layer),
and partly by talking directly to the connection layer no matter where
it is in the stack by means of the separate ConnectionLayer vtable
which I introduced in commit 8001dd4cb, and to which I've now added
quite a few extra methods replacing services that used to be internal
function calls within ssh.c.
(One effect of this is that the SSH-1 and SSH-2 channel storage is now
no longer shared - there are distinct struct types ssh1_channel and
ssh2_channel. That means a bit more code duplication, but on the plus
side, a lot fewer confusing conditionals in the middle of half-shared
functions, and less risk of a piece of SSH-1 escaping into SSH-2 or
vice versa, which I remember has happened at least once in the past.)
The bulk of this commit introduces the five new source files, their
common header sshppl.h and some shared supporting routines in
sshcommon.c, and rewrites nearly all of ssh.c itself. But it also
includes a couple of other changes that I couldn't separate easily
enough:
Firstly, there's a new handling for socket EOF, in which ssh.c sets an
'input_eof' flag in the BPP, and that responds by checking a flag that
tells it whether to report the EOF as an error or not. (This is the
main reason for those new BPP_READ / BPP_WAITFOR macros - they can
check the EOF flag every time the coroutine is resumed.)
Secondly, the error reporting itself is changed around again. I'd
expected to put some data fields in the public PacketProtocolLayer
structure that it could set to report errors in the same way as the
BPPs have been doing, but in the end, I decided propagating all those
data fields around was a pain and that even the BPPs shouldn't have
been doing it that way. So I've reverted to a system where everything
calls back to functions in ssh.c itself to report any connection-
ending condition. But there's a new family of those functions,
categorising the possible such conditions by semantics, and each one
has a different set of detailed effects (e.g. how rudely to close the
network connection, what exit status should be passed back to the
whole application, whether to send a disconnect message and/or display
a GUI error box).
I don't expect this to be immediately perfect: of course, the code has
been through a big upheaval, new bugs are expected, and I haven't been
able to do a full job of testing (e.g. I haven't tested every auth or
kex method). But I've checked that it _basically_ works - both SSH
protocols, all the different kinds of forwarding channel, more than
one auth method, Windows and Linux, connection sharing - and I think
it's now at the point where the easiest way to find further bugs is to
let it out into the wild and see what users can spot.
2018-09-24 17:28:16 +00:00
|
|
|
s->hostkeydata = get_string(pktin);
|
|
|
|
|
s->hkey = ssh_key_new_pub(s->hostkey_alg, s->hostkeydata);
|
|
|
|
|
s->f = get_mp_ssh2(pktin);
|
|
|
|
|
s->sigdata = get_string(pktin);
|
|
|
|
|
if (get_err(pktin)) {
|
|
|
|
|
ssh_proto_error(s->ppl.ssh,
|
|
|
|
|
"Unable to parse Diffie-Hellman reply packet");
|
|
|
|
|
return;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
{
|
|
|
|
|
const char *err = dh_validate_f(s->dh_ctx, s->f);
|
|
|
|
|
if (err) {
|
|
|
|
|
ssh_proto_error(s->ppl.ssh, "Diffie-Hellman reply failed "
|
|
|
|
|
"validation: %s", err);
|
|
|
|
|
return;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
s->K = dh_find_K(s->dh_ctx, s->f);
|
|
|
|
|
|
|
|
|
|
/* We assume everything from now on will be quick, and it might
|
|
|
|
|
* involve user interaction. */
|
New abstraction 'Seat', to pass to backends.
This is a new vtable-based abstraction which is passed to a backend in
place of Frontend, and it implements only the subset of the Frontend
functions needed by a backend. (Many other Frontend functions still
exist, notably the wide range of things called by terminal.c providing
platform-independent operations on the GUI terminal window.)
The purpose of making it a vtable is that this opens up the
possibility of creating a backend as an internal implementation detail
of some other activity, by providing just that one backend with a
custom Seat that implements the methods differently.
For example, this refactoring should make it feasible to directly
implement an SSH proxy type, aka the 'jump host' feature supported by
OpenSSH, aka 'open a secondary SSH session in MAINCHAN_DIRECT_TCP
mode, and then expose the main channel of that as the Socket for the
primary connection'. (Which of course you can already do by spawning
'plink -nc' as a separate proxy process, but this would permit it in
the _same_ process without anything getting confused.)
I've centralised a full set of stub methods in misc.c for the new
abstraction, which allows me to get rid of several annoying stubs in
the previous code. Also, while I'm here, I've moved a lot of
duplicated modalfatalbox() type functions from application main
program files into wincons.c / uxcons.c, which I think saves
duplication overall. (A minor visible effect is that the prefixes on
those console-based fatal error messages will now be more consistent
between applications.)
2018-10-11 18:58:42 +00:00
|
|
|
seat_set_busy_status(s->ppl.seat, BUSY_NOT);
|
Move most of ssh.c out into separate source files.
I've tried to separate out as many individually coherent changes from
this work as I could into their own commits, but here's where I run
out and have to commit the rest of this major refactoring as a
big-bang change.
Most of ssh.c is now no longer in ssh.c: all five of the main
coroutines that handle layers of the SSH-1 and SSH-2 protocols now
each have their own source file to live in, and a lot of the
supporting functions have moved into the appropriate one of those too.
The new abstraction is a vtable called 'PacketProtocolLayer', which
has an input and output packet queue. Each layer's main coroutine is
invoked from the method ssh_ppl_process_queue(), which is usually
(though not exclusively) triggered automatically when things are
pushed on the input queue. In SSH-2, the base layer is the transport
protocol, and it contains a pair of subsidiary queues by which it
passes some of its packets to the higher SSH-2 layers - first userauth
and then connection, which are peers at the same level, with the
former abdicating in favour of the latter at the appropriate moment.
SSH-1 is simpler: the whole login phase of the protocol (crypto setup
and authentication) is all in one module, and since SSH-1 has no
repeat key exchange, that setup layer abdicates in favour of the
connection phase when it's done.
ssh.c itself is now about a tenth of its old size (which all by itself
is cause for celebration!). Its main job is to set up all the layers,
hook them up to each other and to the BPP, and to funnel data back and
forth between that collection of modules and external things such as
the network and the terminal. Once it's set up a collection of packet
protocol layers, it communicates with them partly by calling methods
of the base layer (and if that's ssh2transport then it will delegate
some functionality to the corresponding methods of its higher layer),
and partly by talking directly to the connection layer no matter where
it is in the stack by means of the separate ConnectionLayer vtable
which I introduced in commit 8001dd4cb, and to which I've now added
quite a few extra methods replacing services that used to be internal
function calls within ssh.c.
(One effect of this is that the SSH-1 and SSH-2 channel storage is now
no longer shared - there are distinct struct types ssh1_channel and
ssh2_channel. That means a bit more code duplication, but on the plus
side, a lot fewer confusing conditionals in the middle of half-shared
functions, and less risk of a piece of SSH-1 escaping into SSH-2 or
vice versa, which I remember has happened at least once in the past.)
The bulk of this commit introduces the five new source files, their
common header sshppl.h and some shared supporting routines in
sshcommon.c, and rewrites nearly all of ssh.c itself. But it also
includes a couple of other changes that I couldn't separate easily
enough:
Firstly, there's a new handling for socket EOF, in which ssh.c sets an
'input_eof' flag in the BPP, and that responds by checking a flag that
tells it whether to report the EOF as an error or not. (This is the
main reason for those new BPP_READ / BPP_WAITFOR macros - they can
check the EOF flag every time the coroutine is resumed.)
Secondly, the error reporting itself is changed around again. I'd
expected to put some data fields in the public PacketProtocolLayer
structure that it could set to report errors in the same way as the
BPPs have been doing, but in the end, I decided propagating all those
data fields around was a pain and that even the BPPs shouldn't have
been doing it that way. So I've reverted to a system where everything
calls back to functions in ssh.c itself to report any connection-
ending condition. But there's a new family of those functions,
categorising the possible such conditions by semantics, and each one
has a different set of detailed effects (e.g. how rudely to close the
network connection, what exit status should be passed back to the
whole application, whether to send a disconnect message and/or display
a GUI error box).
I don't expect this to be immediately perfect: of course, the code has
been through a big upheaval, new bugs are expected, and I haven't been
able to do a full job of testing (e.g. I haven't tested every auth or
kex method). But I've checked that it _basically_ works - both SSH
protocols, all the different kinds of forwarding channel, more than
one auth method, Windows and Linux, connection sharing - and I think
it's now at the point where the easiest way to find further bugs is to
let it out into the wild and see what users can spot.
2018-09-24 17:28:16 +00:00
|
|
|
|
|
|
|
|
put_stringpl(s->exhash, s->hostkeydata);
|
|
|
|
|
if (dh_is_gex(s->kex_alg)) {
|
|
|
|
|
if (!(s->ppl.remote_bugs & BUG_SSH2_OLDGEX))
|
|
|
|
|
put_uint32(s->exhash, DH_MIN_SIZE);
|
|
|
|
|
put_uint32(s->exhash, s->pbits);
|
|
|
|
|
if (!(s->ppl.remote_bugs & BUG_SSH2_OLDGEX))
|
|
|
|
|
put_uint32(s->exhash, DH_MAX_SIZE);
|
|
|
|
|
put_mp_ssh2(s->exhash, s->p);
|
|
|
|
|
put_mp_ssh2(s->exhash, s->g);
|
|
|
|
|
}
|
|
|
|
|
put_mp_ssh2(s->exhash, s->e);
|
|
|
|
|
put_mp_ssh2(s->exhash, s->f);
|
|
|
|
|
|
|
|
|
|
dh_cleanup(s->dh_ctx);
|
|
|
|
|
s->dh_ctx = NULL;
|
|
|
|
|
freebn(s->f); s->f = NULL;
|
|
|
|
|
if (dh_is_gex(s->kex_alg)) {
|
|
|
|
|
freebn(s->g); s->g = NULL;
|
|
|
|
|
freebn(s->p); s->p = NULL;
|
|
|
|
|
}
|
|
|
|
|
} else if (s->kex_alg->main_type == KEXTYPE_ECDH) {
|
|
|
|
|
|
|
|
|
|
ppl_logevent(("Doing ECDH key exchange with curve %s and hash %s",
|
|
|
|
|
ssh_ecdhkex_curve_textname(s->kex_alg),
|
|
|
|
|
s->kex_alg->hash->text_name));
|
|
|
|
|
s->ppl.bpp->pls->kctx = SSH2_PKTCTX_ECDHKEX;
|
|
|
|
|
|
|
|
|
|
s->ecdh_key = ssh_ecdhkex_newkey(s->kex_alg);
|
|
|
|
|
if (!s->ecdh_key) {
|
|
|
|
|
ssh_sw_abort(s->ppl.ssh, "Unable to generate key for ECDH");
|
|
|
|
|
return;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
pktout = ssh_bpp_new_pktout(s->ppl.bpp, SSH2_MSG_KEX_ECDH_INIT);
|
|
|
|
|
{
|
|
|
|
|
strbuf *pubpoint = strbuf_new();
|
|
|
|
|
ssh_ecdhkex_getpublic(s->ecdh_key, BinarySink_UPCAST(pubpoint));
|
|
|
|
|
put_stringsb(pktout, pubpoint);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
pq_push(s->ppl.out_pq, pktout);
|
|
|
|
|
|
|
|
|
|
crMaybeWaitUntilV((pktin = ssh2_transport_pop(s)) != NULL);
|
|
|
|
|
if (pktin->type != SSH2_MSG_KEX_ECDH_REPLY) {
|
|
|
|
|
ssh_proto_error(s->ppl.ssh, "Received unexpected packet when "
|
|
|
|
|
"expecting ECDH reply, type %d (%s)", pktin->type,
|
|
|
|
|
ssh2_pkt_type(s->ppl.bpp->pls->kctx,
|
|
|
|
|
s->ppl.bpp->pls->actx,
|
|
|
|
|
pktin->type));
|
|
|
|
|
return;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
s->hostkeydata = get_string(pktin);
|
|
|
|
|
put_stringpl(s->exhash, s->hostkeydata);
|
|
|
|
|
s->hkey = ssh_key_new_pub(s->hostkey_alg, s->hostkeydata);
|
|
|
|
|
|
|
|
|
|
{
|
|
|
|
|
strbuf *pubpoint = strbuf_new();
|
|
|
|
|
ssh_ecdhkex_getpublic(s->ecdh_key, BinarySink_UPCAST(pubpoint));
|
|
|
|
|
put_string(s->exhash, pubpoint->u, pubpoint->len);
|
|
|
|
|
strbuf_free(pubpoint);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
{
|
|
|
|
|
ptrlen keydata = get_string(pktin);
|
|
|
|
|
put_stringpl(s->exhash, keydata);
|
|
|
|
|
s->K = ssh_ecdhkex_getkey(s->ecdh_key, keydata.ptr, keydata.len);
|
|
|
|
|
if (!get_err(pktin) && !s->K) {
|
|
|
|
|
ssh_proto_error(s->ppl.ssh, "Received invalid elliptic curve "
|
|
|
|
|
"point in ECDH reply");
|
|
|
|
|
return;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
s->sigdata = get_string(pktin);
|
|
|
|
|
if (get_err(pktin)) {
|
|
|
|
|
ssh_proto_error(s->ppl.ssh, "Unable to parse ECDH reply packet");
|
|
|
|
|
return;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
ssh_ecdhkex_freekey(s->ecdh_key);
|
|
|
|
|
s->ecdh_key = NULL;
|
|
|
|
|
#ifndef NO_GSSAPI
|
|
|
|
|
} else if (s->kex_alg->main_type == KEXTYPE_GSS) {
|
|
|
|
|
ptrlen data;
|
|
|
|
|
|
|
|
|
|
s->ppl.bpp->pls->kctx = SSH2_PKTCTX_GSSKEX;
|
|
|
|
|
s->init_token_sent = 0;
|
|
|
|
|
s->complete_rcvd = 0;
|
|
|
|
|
s->hkey = NULL;
|
|
|
|
|
s->fingerprint = NULL;
|
|
|
|
|
s->keystr = NULL;
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Work out the number of bits of key we will need from the
|
|
|
|
|
* key exchange. We start with the maximum key length of
|
|
|
|
|
* either cipher...
|
|
|
|
|
*
|
|
|
|
|
* This is rote from the KEXTYPE_DH section above.
|
|
|
|
|
*/
|
|
|
|
|
{
|
|
|
|
|
int csbits, scbits;
|
|
|
|
|
|
|
|
|
|
csbits = s->out.cipher->real_keybits;
|
|
|
|
|
scbits = s->in.cipher->real_keybits;
|
|
|
|
|
s->nbits = (csbits > scbits ? csbits : scbits);
|
|
|
|
|
}
|
|
|
|
|
/* The keys only have hlen-bit entropy, since they're based on
|
|
|
|
|
* a hash. So cap the key size at hlen bits. */
|
|
|
|
|
if (s->nbits > s->kex_alg->hash->hlen * 8)
|
|
|
|
|
s->nbits = s->kex_alg->hash->hlen * 8;
|
|
|
|
|
|
|
|
|
|
if (dh_is_gex(s->kex_alg)) {
|
|
|
|
|
/*
|
|
|
|
|
* Work out how big a DH group we will need to allow that
|
|
|
|
|
* much data.
|
|
|
|
|
*/
|
|
|
|
|
s->pbits = 512 << ((s->nbits - 1) / 64);
|
|
|
|
|
ppl_logevent(("Doing GSSAPI (with Kerberos V5) Diffie-Hellman "
|
|
|
|
|
"group exchange, with minimum %d bits", s->pbits));
|
|
|
|
|
pktout = ssh_bpp_new_pktout(s->ppl.bpp, SSH2_MSG_KEXGSS_GROUPREQ);
|
|
|
|
|
put_uint32(pktout, s->pbits); /* min */
|
|
|
|
|
put_uint32(pktout, s->pbits); /* preferred */
|
|
|
|
|
put_uint32(pktout, s->pbits * 2); /* max */
|
|
|
|
|
pq_push(s->ppl.out_pq, pktout);
|
|
|
|
|
|
|
|
|
|
crMaybeWaitUntilV(
|
|
|
|
|
(pktin = ssh2_transport_pop(s)) != NULL);
|
|
|
|
|
if (pktin->type != SSH2_MSG_KEXGSS_GROUP) {
|
|
|
|
|
ssh_proto_error(s->ppl.ssh, "Received unexpected packet when "
|
|
|
|
|
"expecting Diffie-Hellman group, type %d (%s)",
|
|
|
|
|
pktin->type,
|
|
|
|
|
ssh2_pkt_type(s->ppl.bpp->pls->kctx,
|
|
|
|
|
s->ppl.bpp->pls->actx,
|
|
|
|
|
pktin->type));
|
|
|
|
|
return;
|
|
|
|
|
}
|
|
|
|
|
s->p = get_mp_ssh2(pktin);
|
|
|
|
|
s->g = get_mp_ssh2(pktin);
|
|
|
|
|
if (get_err(pktin)) {
|
|
|
|
|
ssh_proto_error(s->ppl.ssh,
|
|
|
|
|
"Unable to parse Diffie-Hellman group packet");
|
|
|
|
|
return;
|
|
|
|
|
}
|
|
|
|
|
s->dh_ctx = dh_setup_gex(s->p, s->g);
|
|
|
|
|
} else {
|
|
|
|
|
s->dh_ctx = dh_setup_group(s->kex_alg);
|
|
|
|
|
ppl_logevent(("Using GSSAPI (with Kerberos V5) Diffie-Hellman with"
|
|
|
|
|
" standard group \"%s\"", s->kex_alg->groupname));
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
ppl_logevent(("Doing GSSAPI (with Kerberos V5) Diffie-Hellman key "
|
|
|
|
|
"exchange with hash %s", s->kex_alg->hash->text_name));
|
|
|
|
|
/* Now generate e for Diffie-Hellman. */
|
New abstraction 'Seat', to pass to backends.
This is a new vtable-based abstraction which is passed to a backend in
place of Frontend, and it implements only the subset of the Frontend
functions needed by a backend. (Many other Frontend functions still
exist, notably the wide range of things called by terminal.c providing
platform-independent operations on the GUI terminal window.)
The purpose of making it a vtable is that this opens up the
possibility of creating a backend as an internal implementation detail
of some other activity, by providing just that one backend with a
custom Seat that implements the methods differently.
For example, this refactoring should make it feasible to directly
implement an SSH proxy type, aka the 'jump host' feature supported by
OpenSSH, aka 'open a secondary SSH session in MAINCHAN_DIRECT_TCP
mode, and then expose the main channel of that as the Socket for the
primary connection'. (Which of course you can already do by spawning
'plink -nc' as a separate proxy process, but this would permit it in
the _same_ process without anything getting confused.)
I've centralised a full set of stub methods in misc.c for the new
abstraction, which allows me to get rid of several annoying stubs in
the previous code. Also, while I'm here, I've moved a lot of
duplicated modalfatalbox() type functions from application main
program files into wincons.c / uxcons.c, which I think saves
duplication overall. (A minor visible effect is that the prefixes on
those console-based fatal error messages will now be more consistent
between applications.)
2018-10-11 18:58:42 +00:00
|
|
|
seat_set_busy_status(s->ppl.seat, BUSY_CPU);
|
Move most of ssh.c out into separate source files.
I've tried to separate out as many individually coherent changes from
this work as I could into their own commits, but here's where I run
out and have to commit the rest of this major refactoring as a
big-bang change.
Most of ssh.c is now no longer in ssh.c: all five of the main
coroutines that handle layers of the SSH-1 and SSH-2 protocols now
each have their own source file to live in, and a lot of the
supporting functions have moved into the appropriate one of those too.
The new abstraction is a vtable called 'PacketProtocolLayer', which
has an input and output packet queue. Each layer's main coroutine is
invoked from the method ssh_ppl_process_queue(), which is usually
(though not exclusively) triggered automatically when things are
pushed on the input queue. In SSH-2, the base layer is the transport
protocol, and it contains a pair of subsidiary queues by which it
passes some of its packets to the higher SSH-2 layers - first userauth
and then connection, which are peers at the same level, with the
former abdicating in favour of the latter at the appropriate moment.
SSH-1 is simpler: the whole login phase of the protocol (crypto setup
and authentication) is all in one module, and since SSH-1 has no
repeat key exchange, that setup layer abdicates in favour of the
connection phase when it's done.
ssh.c itself is now about a tenth of its old size (which all by itself
is cause for celebration!). Its main job is to set up all the layers,
hook them up to each other and to the BPP, and to funnel data back and
forth between that collection of modules and external things such as
the network and the terminal. Once it's set up a collection of packet
protocol layers, it communicates with them partly by calling methods
of the base layer (and if that's ssh2transport then it will delegate
some functionality to the corresponding methods of its higher layer),
and partly by talking directly to the connection layer no matter where
it is in the stack by means of the separate ConnectionLayer vtable
which I introduced in commit 8001dd4cb, and to which I've now added
quite a few extra methods replacing services that used to be internal
function calls within ssh.c.
(One effect of this is that the SSH-1 and SSH-2 channel storage is now
no longer shared - there are distinct struct types ssh1_channel and
ssh2_channel. That means a bit more code duplication, but on the plus
side, a lot fewer confusing conditionals in the middle of half-shared
functions, and less risk of a piece of SSH-1 escaping into SSH-2 or
vice versa, which I remember has happened at least once in the past.)
The bulk of this commit introduces the five new source files, their
common header sshppl.h and some shared supporting routines in
sshcommon.c, and rewrites nearly all of ssh.c itself. But it also
includes a couple of other changes that I couldn't separate easily
enough:
Firstly, there's a new handling for socket EOF, in which ssh.c sets an
'input_eof' flag in the BPP, and that responds by checking a flag that
tells it whether to report the EOF as an error or not. (This is the
main reason for those new BPP_READ / BPP_WAITFOR macros - they can
check the EOF flag every time the coroutine is resumed.)
Secondly, the error reporting itself is changed around again. I'd
expected to put some data fields in the public PacketProtocolLayer
structure that it could set to report errors in the same way as the
BPPs have been doing, but in the end, I decided propagating all those
data fields around was a pain and that even the BPPs shouldn't have
been doing it that way. So I've reverted to a system where everything
calls back to functions in ssh.c itself to report any connection-
ending condition. But there's a new family of those functions,
categorising the possible such conditions by semantics, and each one
has a different set of detailed effects (e.g. how rudely to close the
network connection, what exit status should be passed back to the
whole application, whether to send a disconnect message and/or display
a GUI error box).
I don't expect this to be immediately perfect: of course, the code has
been through a big upheaval, new bugs are expected, and I haven't been
able to do a full job of testing (e.g. I haven't tested every auth or
kex method). But I've checked that it _basically_ works - both SSH
protocols, all the different kinds of forwarding channel, more than
one auth method, Windows and Linux, connection sharing - and I think
it's now at the point where the easiest way to find further bugs is to
let it out into the wild and see what users can spot.
2018-09-24 17:28:16 +00:00
|
|
|
s->e = dh_create_e(s->dh_ctx, s->nbits * 2);
|
|
|
|
|
|
|
|
|
|
if (s->shgss->lib->gsslogmsg)
|
|
|
|
|
ppl_logevent(("%s", s->shgss->lib->gsslogmsg));
|
|
|
|
|
|
|
|
|
|
/* initial tokens are empty */
|
|
|
|
|
SSH_GSS_CLEAR_BUF(&s->gss_rcvtok);
|
|
|
|
|
SSH_GSS_CLEAR_BUF(&s->gss_sndtok);
|
|
|
|
|
SSH_GSS_CLEAR_BUF(&s->mic);
|
|
|
|
|
s->gss_stat = s->shgss->lib->acquire_cred(
|
|
|
|
|
s->shgss->lib, &s->shgss->ctx, &s->gss_cred_expiry);
|
|
|
|
|
if (s->gss_stat != SSH_GSS_OK) {
|
|
|
|
|
ssh_sw_abort(s->ppl.ssh,
|
|
|
|
|
"GSSAPI key exchange failed to initialise");
|
|
|
|
|
return;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* now enter the loop */
|
|
|
|
|
assert(s->shgss->srv_name);
|
|
|
|
|
do {
|
|
|
|
|
/*
|
|
|
|
|
* When acquire_cred yields no useful expiration, go with the
|
|
|
|
|
* service ticket expiration.
|
|
|
|
|
*/
|
|
|
|
|
s->gss_stat = s->shgss->lib->init_sec_context(
|
|
|
|
|
s->shgss->lib, &s->shgss->ctx, s->shgss->srv_name,
|
|
|
|
|
s->gss_delegate, &s->gss_rcvtok, &s->gss_sndtok,
|
|
|
|
|
(s->gss_cred_expiry == GSS_NO_EXPIRATION ?
|
|
|
|
|
&s->gss_cred_expiry : NULL), NULL);
|
|
|
|
|
SSH_GSS_CLEAR_BUF(&s->gss_rcvtok);
|
|
|
|
|
|
|
|
|
|
if (s->gss_stat == SSH_GSS_S_COMPLETE && s->complete_rcvd)
|
|
|
|
|
break; /* MIC is verified after the loop */
|
|
|
|
|
|
|
|
|
|
if (s->gss_stat != SSH_GSS_S_COMPLETE &&
|
|
|
|
|
s->gss_stat != SSH_GSS_S_CONTINUE_NEEDED) {
|
|
|
|
|
if (s->shgss->lib->display_status(
|
|
|
|
|
s->shgss->lib, s->shgss->ctx,
|
|
|
|
|
&s->gss_buf) == SSH_GSS_OK) {
|
|
|
|
|
char *err = s->gss_buf.value;
|
|
|
|
|
ssh_sw_abort(s->ppl.ssh,
|
|
|
|
|
"GSSAPI key exchange failed to initialise "
|
|
|
|
|
"context: %s", err);
|
|
|
|
|
sfree(err);
|
|
|
|
|
return;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
assert(s->gss_stat == SSH_GSS_S_COMPLETE ||
|
|
|
|
|
s->gss_stat == SSH_GSS_S_CONTINUE_NEEDED);
|
|
|
|
|
|
|
|
|
|
if (!s->init_token_sent) {
|
|
|
|
|
s->init_token_sent = 1;
|
|
|
|
|
pktout = ssh_bpp_new_pktout(s->ppl.bpp,
|
|
|
|
|
SSH2_MSG_KEXGSS_INIT);
|
|
|
|
|
if (s->gss_sndtok.length == 0) {
|
|
|
|
|
ssh_sw_abort(s->ppl.ssh, "GSSAPI key exchange failed: "
|
|
|
|
|
"no initial context token");
|
|
|
|
|
return;
|
|
|
|
|
}
|
|
|
|
|
put_string(pktout,
|
|
|
|
|
s->gss_sndtok.value, s->gss_sndtok.length);
|
|
|
|
|
put_mp_ssh2(pktout, s->e);
|
|
|
|
|
pq_push(s->ppl.out_pq, pktout);
|
|
|
|
|
s->shgss->lib->free_tok(s->shgss->lib, &s->gss_sndtok);
|
|
|
|
|
ppl_logevent(("GSSAPI key exchange initialised"));
|
|
|
|
|
} else if (s->gss_sndtok.length != 0) {
|
|
|
|
|
pktout = ssh_bpp_new_pktout(
|
|
|
|
|
s->ppl.bpp, SSH2_MSG_KEXGSS_CONTINUE);
|
|
|
|
|
put_string(pktout,
|
|
|
|
|
s->gss_sndtok.value, s->gss_sndtok.length);
|
|
|
|
|
pq_push(s->ppl.out_pq, pktout);
|
|
|
|
|
s->shgss->lib->free_tok(s->shgss->lib, &s->gss_sndtok);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (s->gss_stat == SSH_GSS_S_COMPLETE && s->complete_rcvd)
|
|
|
|
|
break;
|
|
|
|
|
|
|
|
|
|
wait_for_gss_token:
|
|
|
|
|
crMaybeWaitUntilV(
|
|
|
|
|
(pktin = ssh2_transport_pop(s)) != NULL);
|
|
|
|
|
switch (pktin->type) {
|
|
|
|
|
case SSH2_MSG_KEXGSS_CONTINUE:
|
|
|
|
|
data = get_string(pktin);
|
|
|
|
|
s->gss_rcvtok.value = (char *)data.ptr;
|
|
|
|
|
s->gss_rcvtok.length = data.len;
|
|
|
|
|
continue;
|
|
|
|
|
case SSH2_MSG_KEXGSS_COMPLETE:
|
|
|
|
|
s->complete_rcvd = 1;
|
|
|
|
|
s->f = get_mp_ssh2(pktin);
|
|
|
|
|
data = get_string(pktin);
|
|
|
|
|
s->mic.value = (char *)data.ptr;
|
|
|
|
|
s->mic.length = data.len;
|
|
|
|
|
/* Save expiration time of cred when delegating */
|
|
|
|
|
if (s->gss_delegate && s->gss_cred_expiry != GSS_NO_EXPIRATION)
|
|
|
|
|
s->gss_cred_expiry = s->gss_cred_expiry;
|
|
|
|
|
/* If there's a final token we loop to consume it */
|
|
|
|
|
if (get_bool(pktin)) {
|
|
|
|
|
data = get_string(pktin);
|
|
|
|
|
s->gss_rcvtok.value = (char *)data.ptr;
|
|
|
|
|
s->gss_rcvtok.length = data.len;
|
|
|
|
|
continue;
|
|
|
|
|
}
|
|
|
|
|
break;
|
|
|
|
|
case SSH2_MSG_KEXGSS_HOSTKEY:
|
|
|
|
|
s->hostkeydata = get_string(pktin);
|
|
|
|
|
if (s->hostkey_alg) {
|
|
|
|
|
s->hkey = ssh_key_new_pub(s->hostkey_alg,
|
|
|
|
|
s->hostkeydata);
|
|
|
|
|
put_string(s->exhash,
|
|
|
|
|
s->hostkeydata.ptr, s->hostkeydata.len);
|
|
|
|
|
}
|
|
|
|
|
/*
|
|
|
|
|
* Can't loop as we have no token to pass to
|
|
|
|
|
* init_sec_context.
|
|
|
|
|
*/
|
|
|
|
|
goto wait_for_gss_token;
|
|
|
|
|
case SSH2_MSG_KEXGSS_ERROR:
|
|
|
|
|
/*
|
|
|
|
|
* We have no use for the server's major and minor
|
|
|
|
|
* status. The minor status is really only
|
|
|
|
|
* meaningful to the server, and with luck the major
|
|
|
|
|
* status means something to us (but not really all
|
|
|
|
|
* that much). The string is more meaningful, and
|
|
|
|
|
* hopefully the server sends any error tokens, as
|
|
|
|
|
* that will produce the most useful information for
|
|
|
|
|
* us.
|
|
|
|
|
*/
|
|
|
|
|
get_uint32(pktin); /* server's major status */
|
|
|
|
|
get_uint32(pktin); /* server's minor status */
|
|
|
|
|
data = get_string(pktin);
|
|
|
|
|
ppl_logevent(("GSSAPI key exchange failed; "
|
|
|
|
|
"server's message: %.*s", PTRLEN_PRINTF(data)));
|
|
|
|
|
/* Language tag, but we have no use for it */
|
|
|
|
|
get_string(pktin);
|
|
|
|
|
/*
|
|
|
|
|
* Wait for an error token, if there is one, or the
|
|
|
|
|
* server's disconnect. The error token, if there
|
|
|
|
|
* is one, must follow the SSH2_MSG_KEXGSS_ERROR
|
|
|
|
|
* message, per the RFC.
|
|
|
|
|
*/
|
|
|
|
|
goto wait_for_gss_token;
|
|
|
|
|
default:
|
|
|
|
|
ssh_proto_error(s->ppl.ssh, "Received unexpected packet "
|
|
|
|
|
"during GSSAPI key exchange, type %d (%s)",
|
|
|
|
|
pktin->type,
|
|
|
|
|
ssh2_pkt_type(s->ppl.bpp->pls->kctx,
|
|
|
|
|
s->ppl.bpp->pls->actx,
|
|
|
|
|
pktin->type));
|
|
|
|
|
return;
|
|
|
|
|
}
|
|
|
|
|
} while (s->gss_rcvtok.length ||
|
|
|
|
|
s->gss_stat == SSH_GSS_S_CONTINUE_NEEDED ||
|
|
|
|
|
!s->complete_rcvd);
|
|
|
|
|
|
|
|
|
|
s->K = dh_find_K(s->dh_ctx, s->f);
|
|
|
|
|
|
|
|
|
|
/* We assume everything from now on will be quick, and it might
|
|
|
|
|
* involve user interaction. */
|
New abstraction 'Seat', to pass to backends.
This is a new vtable-based abstraction which is passed to a backend in
place of Frontend, and it implements only the subset of the Frontend
functions needed by a backend. (Many other Frontend functions still
exist, notably the wide range of things called by terminal.c providing
platform-independent operations on the GUI terminal window.)
The purpose of making it a vtable is that this opens up the
possibility of creating a backend as an internal implementation detail
of some other activity, by providing just that one backend with a
custom Seat that implements the methods differently.
For example, this refactoring should make it feasible to directly
implement an SSH proxy type, aka the 'jump host' feature supported by
OpenSSH, aka 'open a secondary SSH session in MAINCHAN_DIRECT_TCP
mode, and then expose the main channel of that as the Socket for the
primary connection'. (Which of course you can already do by spawning
'plink -nc' as a separate proxy process, but this would permit it in
the _same_ process without anything getting confused.)
I've centralised a full set of stub methods in misc.c for the new
abstraction, which allows me to get rid of several annoying stubs in
the previous code. Also, while I'm here, I've moved a lot of
duplicated modalfatalbox() type functions from application main
program files into wincons.c / uxcons.c, which I think saves
duplication overall. (A minor visible effect is that the prefixes on
those console-based fatal error messages will now be more consistent
between applications.)
2018-10-11 18:58:42 +00:00
|
|
|
seat_set_busy_status(s->ppl.seat, BUSY_NOT);
|
Move most of ssh.c out into separate source files.
I've tried to separate out as many individually coherent changes from
this work as I could into their own commits, but here's where I run
out and have to commit the rest of this major refactoring as a
big-bang change.
Most of ssh.c is now no longer in ssh.c: all five of the main
coroutines that handle layers of the SSH-1 and SSH-2 protocols now
each have their own source file to live in, and a lot of the
supporting functions have moved into the appropriate one of those too.
The new abstraction is a vtable called 'PacketProtocolLayer', which
has an input and output packet queue. Each layer's main coroutine is
invoked from the method ssh_ppl_process_queue(), which is usually
(though not exclusively) triggered automatically when things are
pushed on the input queue. In SSH-2, the base layer is the transport
protocol, and it contains a pair of subsidiary queues by which it
passes some of its packets to the higher SSH-2 layers - first userauth
and then connection, which are peers at the same level, with the
former abdicating in favour of the latter at the appropriate moment.
SSH-1 is simpler: the whole login phase of the protocol (crypto setup
and authentication) is all in one module, and since SSH-1 has no
repeat key exchange, that setup layer abdicates in favour of the
connection phase when it's done.
ssh.c itself is now about a tenth of its old size (which all by itself
is cause for celebration!). Its main job is to set up all the layers,
hook them up to each other and to the BPP, and to funnel data back and
forth between that collection of modules and external things such as
the network and the terminal. Once it's set up a collection of packet
protocol layers, it communicates with them partly by calling methods
of the base layer (and if that's ssh2transport then it will delegate
some functionality to the corresponding methods of its higher layer),
and partly by talking directly to the connection layer no matter where
it is in the stack by means of the separate ConnectionLayer vtable
which I introduced in commit 8001dd4cb, and to which I've now added
quite a few extra methods replacing services that used to be internal
function calls within ssh.c.
(One effect of this is that the SSH-1 and SSH-2 channel storage is now
no longer shared - there are distinct struct types ssh1_channel and
ssh2_channel. That means a bit more code duplication, but on the plus
side, a lot fewer confusing conditionals in the middle of half-shared
functions, and less risk of a piece of SSH-1 escaping into SSH-2 or
vice versa, which I remember has happened at least once in the past.)
The bulk of this commit introduces the five new source files, their
common header sshppl.h and some shared supporting routines in
sshcommon.c, and rewrites nearly all of ssh.c itself. But it also
includes a couple of other changes that I couldn't separate easily
enough:
Firstly, there's a new handling for socket EOF, in which ssh.c sets an
'input_eof' flag in the BPP, and that responds by checking a flag that
tells it whether to report the EOF as an error or not. (This is the
main reason for those new BPP_READ / BPP_WAITFOR macros - they can
check the EOF flag every time the coroutine is resumed.)
Secondly, the error reporting itself is changed around again. I'd
expected to put some data fields in the public PacketProtocolLayer
structure that it could set to report errors in the same way as the
BPPs have been doing, but in the end, I decided propagating all those
data fields around was a pain and that even the BPPs shouldn't have
been doing it that way. So I've reverted to a system where everything
calls back to functions in ssh.c itself to report any connection-
ending condition. But there's a new family of those functions,
categorising the possible such conditions by semantics, and each one
has a different set of detailed effects (e.g. how rudely to close the
network connection, what exit status should be passed back to the
whole application, whether to send a disconnect message and/or display
a GUI error box).
I don't expect this to be immediately perfect: of course, the code has
been through a big upheaval, new bugs are expected, and I haven't been
able to do a full job of testing (e.g. I haven't tested every auth or
kex method). But I've checked that it _basically_ works - both SSH
protocols, all the different kinds of forwarding channel, more than
one auth method, Windows and Linux, connection sharing - and I think
it's now at the point where the easiest way to find further bugs is to
let it out into the wild and see what users can spot.
2018-09-24 17:28:16 +00:00
|
|
|
|
|
|
|
|
if (!s->hkey)
|
|
|
|
|
put_stringz(s->exhash, "");
|
|
|
|
|
if (dh_is_gex(s->kex_alg)) {
|
|
|
|
|
/* min, preferred, max */
|
|
|
|
|
put_uint32(s->exhash, s->pbits);
|
|
|
|
|
put_uint32(s->exhash, s->pbits);
|
|
|
|
|
put_uint32(s->exhash, s->pbits * 2);
|
|
|
|
|
|
|
|
|
|
put_mp_ssh2(s->exhash, s->p);
|
|
|
|
|
put_mp_ssh2(s->exhash, s->g);
|
|
|
|
|
}
|
|
|
|
|
put_mp_ssh2(s->exhash, s->e);
|
|
|
|
|
put_mp_ssh2(s->exhash, s->f);
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* MIC verification is done below, after we compute the hash
|
|
|
|
|
* used as the MIC input.
|
|
|
|
|
*/
|
|
|
|
|
|
|
|
|
|
dh_cleanup(s->dh_ctx);
|
|
|
|
|
s->dh_ctx = NULL;
|
|
|
|
|
freebn(s->f); s->f = NULL;
|
|
|
|
|
if (dh_is_gex(s->kex_alg)) {
|
|
|
|
|
freebn(s->g); s->g = NULL;
|
|
|
|
|
freebn(s->p); s->p = NULL;
|
|
|
|
|
}
|
|
|
|
|
#endif
|
|
|
|
|
} else {
|
|
|
|
|
ptrlen rsakeydata;
|
|
|
|
|
|
|
|
|
|
assert(s->kex_alg->main_type == KEXTYPE_RSA);
|
|
|
|
|
ppl_logevent(("Doing RSA key exchange with hash %s",
|
|
|
|
|
s->kex_alg->hash->text_name));
|
|
|
|
|
s->ppl.bpp->pls->kctx = SSH2_PKTCTX_RSAKEX;
|
|
|
|
|
/*
|
|
|
|
|
* RSA key exchange. First expect a KEXRSA_PUBKEY packet
|
|
|
|
|
* from the server.
|
|
|
|
|
*/
|
|
|
|
|
crMaybeWaitUntilV((pktin = ssh2_transport_pop(s)) != NULL);
|
|
|
|
|
if (pktin->type != SSH2_MSG_KEXRSA_PUBKEY) {
|
|
|
|
|
ssh_proto_error(s->ppl.ssh, "Received unexpected packet when "
|
|
|
|
|
"expecting RSA public key, type %d (%s)",
|
|
|
|
|
pktin->type,
|
|
|
|
|
ssh2_pkt_type(s->ppl.bpp->pls->kctx,
|
|
|
|
|
s->ppl.bpp->pls->actx,
|
|
|
|
|
pktin->type));
|
|
|
|
|
return;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
s->hostkeydata = get_string(pktin);
|
|
|
|
|
put_stringpl(s->exhash, s->hostkeydata);
|
|
|
|
|
s->hkey = ssh_key_new_pub(s->hostkey_alg, s->hostkeydata);
|
|
|
|
|
|
|
|
|
|
rsakeydata = get_string(pktin);
|
|
|
|
|
|
|
|
|
|
s->rsa_kex_key = ssh_rsakex_newkey(rsakeydata.ptr, rsakeydata.len);
|
|
|
|
|
if (!s->rsa_kex_key) {
|
|
|
|
|
ssh_proto_error(s->ppl.ssh,
|
|
|
|
|
"Unable to parse RSA public key packet");
|
|
|
|
|
return;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
put_stringpl(s->exhash, rsakeydata);
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Next, set up a shared secret K, of precisely KLEN -
|
|
|
|
|
* 2*HLEN - 49 bits, where KLEN is the bit length of the
|
|
|
|
|
* RSA key modulus and HLEN is the bit length of the hash
|
|
|
|
|
* we're using.
|
|
|
|
|
*/
|
|
|
|
|
{
|
|
|
|
|
int klen = ssh_rsakex_klen(s->rsa_kex_key);
|
|
|
|
|
int nbits = klen - (2*s->kex_alg->hash->hlen*8 + 49);
|
|
|
|
|
int i, byte = 0;
|
|
|
|
|
strbuf *buf;
|
|
|
|
|
unsigned char *outstr;
|
|
|
|
|
int outstrlen;
|
|
|
|
|
|
|
|
|
|
s->K = bn_power_2(nbits - 1);
|
|
|
|
|
|
|
|
|
|
for (i = 0; i < nbits; i++) {
|
|
|
|
|
if ((i & 7) == 0) {
|
|
|
|
|
byte = random_byte();
|
|
|
|
|
}
|
|
|
|
|
bignum_set_bit(s->K, i, (byte >> (i & 7)) & 1);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Encode this as an mpint.
|
|
|
|
|
*/
|
|
|
|
|
buf = strbuf_new();
|
|
|
|
|
put_mp_ssh2(buf, s->K);
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Encrypt it with the given RSA key.
|
|
|
|
|
*/
|
|
|
|
|
outstrlen = (klen + 7) / 8;
|
|
|
|
|
outstr = snewn(outstrlen, unsigned char);
|
|
|
|
|
ssh_rsakex_encrypt(s->kex_alg->hash, buf->u, buf->len,
|
|
|
|
|
outstr, outstrlen, s->rsa_kex_key);
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* And send it off in a return packet.
|
|
|
|
|
*/
|
|
|
|
|
pktout = ssh_bpp_new_pktout(s->ppl.bpp, SSH2_MSG_KEXRSA_SECRET);
|
|
|
|
|
put_string(pktout, outstr, outstrlen);
|
|
|
|
|
pq_push(s->ppl.out_pq, pktout);
|
|
|
|
|
|
|
|
|
|
put_string(s->exhash, outstr, outstrlen);
|
|
|
|
|
|
|
|
|
|
strbuf_free(buf);
|
|
|
|
|
sfree(outstr);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
ssh_rsakex_freekey(s->rsa_kex_key);
|
|
|
|
|
s->rsa_kex_key = NULL;
|
|
|
|
|
|
|
|
|
|
crMaybeWaitUntilV((pktin = ssh2_transport_pop(s)) != NULL);
|
|
|
|
|
if (pktin->type != SSH2_MSG_KEXRSA_DONE) {
|
|
|
|
|
ssh_proto_error(s->ppl.ssh, "Received unexpected packet when "
|
|
|
|
|
"expecting RSA kex signature, type %d (%s)",
|
|
|
|
|
pktin->type,
|
|
|
|
|
ssh2_pkt_type(s->ppl.bpp->pls->kctx,
|
|
|
|
|
s->ppl.bpp->pls->actx,
|
|
|
|
|
pktin->type));
|
|
|
|
|
return;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
s->sigdata = get_string(pktin);
|
|
|
|
|
if (get_err(pktin)) {
|
|
|
|
|
ssh_proto_error(s->ppl.ssh, "Unable to parse RSA kex signature");
|
|
|
|
|
return;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
put_mp_ssh2(s->exhash, s->K);
|
|
|
|
|
assert(ssh_hash_alg(s->exhash)->hlen <= sizeof(s->exchange_hash));
|
|
|
|
|
ssh_hash_final(s->exhash, s->exchange_hash);
|
|
|
|
|
s->exhash = NULL;
|
|
|
|
|
|
|
|
|
|
#ifndef NO_GSSAPI
|
|
|
|
|
if (s->kex_alg->main_type == KEXTYPE_GSS) {
|
|
|
|
|
Ssh_gss_buf gss_buf;
|
|
|
|
|
SSH_GSS_CLEAR_BUF(&s->gss_buf);
|
|
|
|
|
|
|
|
|
|
gss_buf.value = s->exchange_hash;
|
|
|
|
|
gss_buf.length = s->kex_alg->hash->hlen;
|
|
|
|
|
s->gss_stat = s->shgss->lib->verify_mic(
|
|
|
|
|
s->shgss->lib, s->shgss->ctx, &gss_buf, &s->mic);
|
|
|
|
|
if (s->gss_stat != SSH_GSS_OK) {
|
|
|
|
|
if (s->shgss->lib->display_status(
|
|
|
|
|
s->shgss->lib, s->shgss->ctx, &s->gss_buf) == SSH_GSS_OK) {
|
|
|
|
|
char *err = s->gss_buf.value;
|
|
|
|
|
ssh_sw_abort(s->ppl.ssh, "GSSAPI key exchange MIC was "
|
|
|
|
|
"not valid: %s", err);
|
|
|
|
|
sfree(err);
|
|
|
|
|
} else {
|
|
|
|
|
ssh_sw_abort(s->ppl.ssh, "GSSAPI key exchange MIC was "
|
|
|
|
|
"not valid");
|
|
|
|
|
}
|
|
|
|
|
return;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
s->gss_kex_used = TRUE;
|
|
|
|
|
|
|
|
|
|
/*-
|
|
|
|
|
* If this the first KEX, save the GSS context for "gssapi-keyex"
|
|
|
|
|
* authentication.
|
|
|
|
|
*
|
|
|
|
|
* http://tools.ietf.org/html/rfc4462#section-4
|
|
|
|
|
*
|
|
|
|
|
* This method may be used only if the initial key exchange was
|
|
|
|
|
* performed using a GSS-API-based key exchange method defined in
|
|
|
|
|
* accordance with Section 2. The GSS-API context used with this
|
|
|
|
|
* method is always that established during an initial GSS-API-based
|
|
|
|
|
* key exchange. Any context established during key exchange for the
|
|
|
|
|
* purpose of rekeying MUST NOT be used with this method.
|
|
|
|
|
*/
|
|
|
|
|
if (s->got_session_id) {
|
|
|
|
|
s->shgss->lib->release_cred(s->shgss->lib, &s->shgss->ctx);
|
|
|
|
|
}
|
|
|
|
|
ppl_logevent(("GSSAPI Key Exchange complete!"));
|
|
|
|
|
}
|
|
|
|
|
#endif
|
|
|
|
|
|
|
|
|
|
s->dh_ctx = NULL;
|
|
|
|
|
|
|
|
|
|
#if 0
|
|
|
|
|
debug(("Exchange hash is:\n"));
|
|
|
|
|
dmemdump(s->exchange_hash, s->kex_alg->hash->hlen);
|
|
|
|
|
#endif
|
|
|
|
|
|
|
|
|
|
/* In GSS keyex there's no hostkey signature to verify */
|
|
|
|
|
if (s->kex_alg->main_type != KEXTYPE_GSS) {
|
|
|
|
|
if (!s->hkey) {
|
|
|
|
|
ssh_proto_error(s->ppl.ssh, "Server's host key is invalid");
|
|
|
|
|
return;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (!ssh_key_verify(
|
|
|
|
|
s->hkey, s->sigdata,
|
|
|
|
|
make_ptrlen(s->exchange_hash, s->kex_alg->hash->hlen))) {
|
|
|
|
|
#ifndef FUZZING
|
|
|
|
|
ssh_proto_error(s->ppl.ssh, "Signature from server's host key "
|
|
|
|
|
"is invalid");
|
|
|
|
|
return;
|
|
|
|
|
#endif
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
s->keystr = (s->hkey ? ssh_key_cache_str(s->hkey) : NULL);
|
|
|
|
|
#ifndef NO_GSSAPI
|
|
|
|
|
if (s->gss_kex_used) {
|
|
|
|
|
/*
|
|
|
|
|
* In a GSS-based session, check the host key (if any) against
|
|
|
|
|
* the transient host key cache. See comment above, at the
|
|
|
|
|
* definition of ssh_transient_hostkey_cache_entry.
|
|
|
|
|
*/
|
|
|
|
|
if (s->kex_alg->main_type == KEXTYPE_GSS) {
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* We've just done a GSS key exchange. If it gave us a
|
|
|
|
|
* host key, store it.
|
|
|
|
|
*/
|
|
|
|
|
if (s->hkey) {
|
|
|
|
|
s->fingerprint = ssh2_fingerprint(s->hkey);
|
|
|
|
|
ppl_logevent(("GSS kex provided fallback host key:"));
|
|
|
|
|
ppl_logevent(("%s", s->fingerprint));
|
|
|
|
|
sfree(s->fingerprint);
|
|
|
|
|
s->fingerprint = NULL;
|
|
|
|
|
ssh_store_transient_hostkey(s, s->hkey);
|
|
|
|
|
} else if (!ssh_have_any_transient_hostkey(s)) {
|
|
|
|
|
/*
|
|
|
|
|
* But if it didn't, then we currently have no
|
|
|
|
|
* fallback host key to use in subsequent non-GSS
|
|
|
|
|
* rekeys. So we should immediately trigger a non-GSS
|
|
|
|
|
* rekey of our own, to set one up, before the session
|
|
|
|
|
* keys have been used for anything else.
|
|
|
|
|
*
|
|
|
|
|
* This is similar to the cross-certification done at
|
|
|
|
|
* user request in the permanent host key cache, but
|
|
|
|
|
* here we do it automatically, once, at session
|
|
|
|
|
* startup, and only add the key to the transient
|
|
|
|
|
* cache.
|
|
|
|
|
*/
|
|
|
|
|
if (s->hostkey_alg) {
|
|
|
|
|
s->need_gss_transient_hostkey = TRUE;
|
|
|
|
|
} else {
|
|
|
|
|
/*
|
|
|
|
|
* If we negotiated the "null" host key algorithm
|
|
|
|
|
* in the key exchange, that's an indication that
|
|
|
|
|
* no host key at all is available from the server
|
|
|
|
|
* (both because we listed "null" last, and
|
|
|
|
|
* because RFC 4462 section 5 says that a server
|
|
|
|
|
* MUST NOT offer "null" as a host key algorithm
|
|
|
|
|
* unless that is the only algorithm it provides
|
|
|
|
|
* at all).
|
|
|
|
|
*
|
|
|
|
|
* In that case we actually _can't_ perform a
|
|
|
|
|
* non-GSSAPI key exchange, so it's pointless to
|
|
|
|
|
* attempt one proactively. This is also likely to
|
|
|
|
|
* cause trouble later if a rekey is required at a
|
|
|
|
|
* moment whne GSS credentials are not available,
|
|
|
|
|
* but someone setting up a server in this
|
|
|
|
|
* configuration presumably accepts that as a
|
|
|
|
|
* consequence.
|
|
|
|
|
*/
|
|
|
|
|
if (!s->warned_about_no_gss_transient_hostkey) {
|
|
|
|
|
ppl_logevent(("No fallback host key available"));
|
|
|
|
|
s->warned_about_no_gss_transient_hostkey = TRUE;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
} else {
|
|
|
|
|
/*
|
|
|
|
|
* We've just done a fallback key exchange, so make
|
|
|
|
|
* sure the host key it used is in the cache of keys
|
|
|
|
|
* we previously received in GSS kexes.
|
|
|
|
|
*
|
|
|
|
|
* An exception is if this was the non-GSS key exchange we
|
|
|
|
|
* triggered on purpose to populate the transient cache.
|
|
|
|
|
*/
|
|
|
|
|
assert(s->hkey); /* only KEXTYPE_GSS lets this be null */
|
|
|
|
|
s->fingerprint = ssh2_fingerprint(s->hkey);
|
|
|
|
|
|
|
|
|
|
if (s->need_gss_transient_hostkey) {
|
|
|
|
|
ppl_logevent(("Post-GSS rekey provided fallback host key:"));
|
|
|
|
|
ppl_logevent(("%s", s->fingerprint));
|
|
|
|
|
ssh_store_transient_hostkey(s, s->hkey);
|
|
|
|
|
s->need_gss_transient_hostkey = FALSE;
|
|
|
|
|
} else if (!ssh_verify_transient_hostkey(s, s->hkey)) {
|
|
|
|
|
ppl_logevent(("Non-GSS rekey after initial GSS kex "
|
|
|
|
|
"used host key:"));
|
|
|
|
|
ppl_logevent(("%s", s->fingerprint));
|
|
|
|
|
ssh_sw_abort(s->ppl.ssh, "Server's host key did not match any "
|
|
|
|
|
"used in previous GSS kex");
|
|
|
|
|
return;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
sfree(s->fingerprint);
|
|
|
|
|
s->fingerprint = NULL;
|
|
|
|
|
}
|
|
|
|
|
} else
|
|
|
|
|
#endif /* NO_GSSAPI */
|
|
|
|
|
if (!s->got_session_id) {
|
|
|
|
|
/*
|
|
|
|
|
* Make a note of any other host key formats that are available.
|
|
|
|
|
*/
|
|
|
|
|
{
|
|
|
|
|
int i, j, nkeys = 0;
|
|
|
|
|
char *list = NULL;
|
|
|
|
|
for (i = 0; i < lenof(hostkey_algs); i++) {
|
|
|
|
|
if (hostkey_algs[i].alg == s->hostkey_alg)
|
|
|
|
|
continue;
|
|
|
|
|
|
|
|
|
|
for (j = 0; j < s->n_uncert_hostkeys; j++)
|
|
|
|
|
if (s->uncert_hostkeys[j] == i)
|
|
|
|
|
break;
|
|
|
|
|
|
|
|
|
|
if (j < s->n_uncert_hostkeys) {
|
|
|
|
|
char *newlist;
|
|
|
|
|
if (list)
|
|
|
|
|
newlist = dupprintf("%s/%s", list,
|
|
|
|
|
hostkey_algs[i].alg->ssh_id);
|
|
|
|
|
else
|
|
|
|
|
newlist = dupprintf("%s", hostkey_algs[i].alg->ssh_id);
|
|
|
|
|
sfree(list);
|
|
|
|
|
list = newlist;
|
|
|
|
|
nkeys++;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
if (list) {
|
|
|
|
|
ppl_logevent(("Server also has %s host key%s, but we "
|
|
|
|
|
"don't know %s", list,
|
|
|
|
|
nkeys > 1 ? "s" : "",
|
|
|
|
|
nkeys > 1 ? "any of them" : "it"));
|
|
|
|
|
sfree(list);
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Authenticate remote host: verify host key. (We've already
|
|
|
|
|
* checked the signature of the exchange hash.)
|
|
|
|
|
*/
|
|
|
|
|
s->fingerprint = ssh2_fingerprint(s->hkey);
|
|
|
|
|
ppl_logevent(("Host key fingerprint is:"));
|
|
|
|
|
ppl_logevent(("%s", s->fingerprint));
|
|
|
|
|
/* First check against manually configured host keys. */
|
|
|
|
|
s->dlgret = verify_ssh_manual_host_key(
|
|
|
|
|
s->conf, s->fingerprint, s->hkey);
|
|
|
|
|
if (s->dlgret == 0) { /* did not match */
|
|
|
|
|
ssh_sw_abort(s->ppl.ssh, "Host key did not appear in manually "
|
|
|
|
|
"configured list");
|
|
|
|
|
return;
|
|
|
|
|
} else if (s->dlgret < 0) { /* none configured; use standard handling */
|
New abstraction 'Seat', to pass to backends.
This is a new vtable-based abstraction which is passed to a backend in
place of Frontend, and it implements only the subset of the Frontend
functions needed by a backend. (Many other Frontend functions still
exist, notably the wide range of things called by terminal.c providing
platform-independent operations on the GUI terminal window.)
The purpose of making it a vtable is that this opens up the
possibility of creating a backend as an internal implementation detail
of some other activity, by providing just that one backend with a
custom Seat that implements the methods differently.
For example, this refactoring should make it feasible to directly
implement an SSH proxy type, aka the 'jump host' feature supported by
OpenSSH, aka 'open a secondary SSH session in MAINCHAN_DIRECT_TCP
mode, and then expose the main channel of that as the Socket for the
primary connection'. (Which of course you can already do by spawning
'plink -nc' as a separate proxy process, but this would permit it in
the _same_ process without anything getting confused.)
I've centralised a full set of stub methods in misc.c for the new
abstraction, which allows me to get rid of several annoying stubs in
the previous code. Also, while I'm here, I've moved a lot of
duplicated modalfatalbox() type functions from application main
program files into wincons.c / uxcons.c, which I think saves
duplication overall. (A minor visible effect is that the prefixes on
those console-based fatal error messages will now be more consistent
between applications.)
2018-10-11 18:58:42 +00:00
|
|
|
s->dlgret = seat_verify_ssh_host_key(
|
|
|
|
|
s->ppl.seat, s->savedhost, s->savedport,
|
|
|
|
|
ssh_key_cache_id(s->hkey), s->keystr, s->fingerprint,
|
|
|
|
|
ssh2_transport_dialog_callback, s);
|
Move most of ssh.c out into separate source files.
I've tried to separate out as many individually coherent changes from
this work as I could into their own commits, but here's where I run
out and have to commit the rest of this major refactoring as a
big-bang change.
Most of ssh.c is now no longer in ssh.c: all five of the main
coroutines that handle layers of the SSH-1 and SSH-2 protocols now
each have their own source file to live in, and a lot of the
supporting functions have moved into the appropriate one of those too.
The new abstraction is a vtable called 'PacketProtocolLayer', which
has an input and output packet queue. Each layer's main coroutine is
invoked from the method ssh_ppl_process_queue(), which is usually
(though not exclusively) triggered automatically when things are
pushed on the input queue. In SSH-2, the base layer is the transport
protocol, and it contains a pair of subsidiary queues by which it
passes some of its packets to the higher SSH-2 layers - first userauth
and then connection, which are peers at the same level, with the
former abdicating in favour of the latter at the appropriate moment.
SSH-1 is simpler: the whole login phase of the protocol (crypto setup
and authentication) is all in one module, and since SSH-1 has no
repeat key exchange, that setup layer abdicates in favour of the
connection phase when it's done.
ssh.c itself is now about a tenth of its old size (which all by itself
is cause for celebration!). Its main job is to set up all the layers,
hook them up to each other and to the BPP, and to funnel data back and
forth between that collection of modules and external things such as
the network and the terminal. Once it's set up a collection of packet
protocol layers, it communicates with them partly by calling methods
of the base layer (and if that's ssh2transport then it will delegate
some functionality to the corresponding methods of its higher layer),
and partly by talking directly to the connection layer no matter where
it is in the stack by means of the separate ConnectionLayer vtable
which I introduced in commit 8001dd4cb, and to which I've now added
quite a few extra methods replacing services that used to be internal
function calls within ssh.c.
(One effect of this is that the SSH-1 and SSH-2 channel storage is now
no longer shared - there are distinct struct types ssh1_channel and
ssh2_channel. That means a bit more code duplication, but on the plus
side, a lot fewer confusing conditionals in the middle of half-shared
functions, and less risk of a piece of SSH-1 escaping into SSH-2 or
vice versa, which I remember has happened at least once in the past.)
The bulk of this commit introduces the five new source files, their
common header sshppl.h and some shared supporting routines in
sshcommon.c, and rewrites nearly all of ssh.c itself. But it also
includes a couple of other changes that I couldn't separate easily
enough:
Firstly, there's a new handling for socket EOF, in which ssh.c sets an
'input_eof' flag in the BPP, and that responds by checking a flag that
tells it whether to report the EOF as an error or not. (This is the
main reason for those new BPP_READ / BPP_WAITFOR macros - they can
check the EOF flag every time the coroutine is resumed.)
Secondly, the error reporting itself is changed around again. I'd
expected to put some data fields in the public PacketProtocolLayer
structure that it could set to report errors in the same way as the
BPPs have been doing, but in the end, I decided propagating all those
data fields around was a pain and that even the BPPs shouldn't have
been doing it that way. So I've reverted to a system where everything
calls back to functions in ssh.c itself to report any connection-
ending condition. But there's a new family of those functions,
categorising the possible such conditions by semantics, and each one
has a different set of detailed effects (e.g. how rudely to close the
network connection, what exit status should be passed back to the
whole application, whether to send a disconnect message and/or display
a GUI error box).
I don't expect this to be immediately perfect: of course, the code has
been through a big upheaval, new bugs are expected, and I haven't been
able to do a full job of testing (e.g. I haven't tested every auth or
kex method). But I've checked that it _basically_ works - both SSH
protocols, all the different kinds of forwarding channel, more than
one auth method, Windows and Linux, connection sharing - and I think
it's now at the point where the easiest way to find further bugs is to
let it out into the wild and see what users can spot.
2018-09-24 17:28:16 +00:00
|
|
|
#ifdef FUZZING
|
|
|
|
|
s->dlgret = 1;
|
|
|
|
|
#endif
|
|
|
|
|
crMaybeWaitUntilV(s->dlgret >= 0);
|
|
|
|
|
if (s->dlgret == 0) {
|
|
|
|
|
ssh_user_close(s->ppl.ssh,
|
|
|
|
|
"User aborted at host key verification");
|
|
|
|
|
return;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
sfree(s->fingerprint);
|
|
|
|
|
s->fingerprint = NULL;
|
|
|
|
|
/*
|
|
|
|
|
* Save this host key, to check against the one presented in
|
|
|
|
|
* subsequent rekeys.
|
|
|
|
|
*/
|
|
|
|
|
s->hostkey_str = s->keystr;
|
|
|
|
|
s->keystr = NULL;
|
|
|
|
|
} else if (s->cross_certifying) {
|
|
|
|
|
s->fingerprint = ssh2_fingerprint(s->hkey);
|
|
|
|
|
ppl_logevent(("Storing additional host key for this host:"));
|
|
|
|
|
ppl_logevent(("%s", s->fingerprint));
|
|
|
|
|
sfree(s->fingerprint);
|
|
|
|
|
s->fingerprint = NULL;
|
|
|
|
|
store_host_key(s->savedhost, s->savedport,
|
|
|
|
|
ssh_key_cache_id(s->hkey), s->keystr);
|
|
|
|
|
s->cross_certifying = FALSE;
|
|
|
|
|
/*
|
|
|
|
|
* Don't forget to store the new key as the one we'll be
|
|
|
|
|
* re-checking in future normal rekeys.
|
|
|
|
|
*/
|
|
|
|
|
s->hostkey_str = s->keystr;
|
|
|
|
|
s->keystr = NULL;
|
|
|
|
|
} else {
|
|
|
|
|
/*
|
|
|
|
|
* In a rekey, we never present an interactive host key
|
|
|
|
|
* verification request to the user. Instead, we simply
|
|
|
|
|
* enforce that the key we're seeing this time is identical to
|
|
|
|
|
* the one we saw before.
|
|
|
|
|
*/
|
|
|
|
|
if (strcmp(s->hostkey_str, s->keystr)) {
|
|
|
|
|
#ifndef FUZZING
|
|
|
|
|
ssh_sw_abort(s->ppl.ssh,
|
|
|
|
|
"Host key was different in repeat key exchange");
|
|
|
|
|
return;
|
|
|
|
|
#endif
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
sfree(s->keystr);
|
|
|
|
|
s->keystr = NULL;
|
|
|
|
|
if (s->hkey) {
|
|
|
|
|
ssh_key_free(s->hkey);
|
|
|
|
|
s->hkey = NULL;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* The exchange hash from the very first key exchange is also
|
|
|
|
|
* the session id, used in session key construction and
|
|
|
|
|
* authentication.
|
|
|
|
|
*/
|
|
|
|
|
if (!s->got_session_id) {
|
|
|
|
|
assert(sizeof(s->exchange_hash) <= sizeof(s->session_id));
|
|
|
|
|
memcpy(s->session_id, s->exchange_hash, sizeof(s->exchange_hash));
|
|
|
|
|
s->session_id_len = s->kex_alg->hash->hlen;
|
|
|
|
|
assert(s->session_id_len <= sizeof(s->session_id));
|
|
|
|
|
s->got_session_id = TRUE;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Send SSH2_MSG_NEWKEYS.
|
|
|
|
|
*/
|
|
|
|
|
pktout = ssh_bpp_new_pktout(s->ppl.bpp, SSH2_MSG_NEWKEYS);
|
|
|
|
|
pq_push(s->ppl.out_pq, pktout);
|
|
|
|
|
/* Start counting down the outgoing-data limit for these cipher keys. */
|
|
|
|
|
s->stats->out.running = TRUE;
|
|
|
|
|
s->stats->out.remaining = s->max_data_size;
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Force the BPP to synchronously marshal all packets up to and
|
|
|
|
|
* including that NEWKEYS into wire format, before we switch over
|
|
|
|
|
* to new crypto.
|
|
|
|
|
*/
|
|
|
|
|
ssh_bpp_handle_output(s->ppl.bpp);
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* We've sent client NEWKEYS, so create and initialise
|
|
|
|
|
* client-to-server session keys.
|
|
|
|
|
*/
|
|
|
|
|
{
|
|
|
|
|
strbuf *cipher_key = strbuf_new();
|
|
|
|
|
strbuf *cipher_iv = strbuf_new();
|
|
|
|
|
strbuf *mac_key = strbuf_new();
|
|
|
|
|
|
|
|
|
|
if (s->out.cipher) {
|
|
|
|
|
ssh2_mkkey(s, cipher_iv, s->K, s->exchange_hash, 'A',
|
|
|
|
|
s->out.cipher->blksize);
|
|
|
|
|
ssh2_mkkey(s, cipher_key, s->K, s->exchange_hash, 'C',
|
|
|
|
|
s->out.cipher->padded_keybytes);
|
|
|
|
|
}
|
|
|
|
|
if (s->out.mac) {
|
|
|
|
|
ssh2_mkkey(s, mac_key, s->K, s->exchange_hash, 'E',
|
|
|
|
|
s->out.mac->keylen);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
ssh2_bpp_new_outgoing_crypto(
|
|
|
|
|
s->ppl.bpp,
|
|
|
|
|
s->out.cipher, cipher_key->u, cipher_iv->u,
|
|
|
|
|
s->out.mac, s->out.etm_mode, mac_key->u,
|
Support OpenSSH delayed compression without a rekey.
The problem with OpenSSH delayed compression is that the spec has a
race condition. Compression is enabled when the server sends
USERAUTH_SUCCESS. In the server->client direction, that's fine: the
USERAUTH_SUCCESS packet is not itself compressed, and the next packet
in the same direction is. But in the client->server direction, this
specification relies on there being a moment of half-duplex in the
connection: the client can't send any outgoing packet _after_ whatever
userauth packet the USERAUTH_SUCCESS was a response to, and _before_
finding out whether the response is USERAUTH_SUCCESS or something
else. If it emitted, say, an SSH_MSG_IGNORE or initiated a rekey
(perhaps due to a timeout), then that might cross in the network with
USERAUTH_SUCCESS and the server wouldn't be able to know whether to
treat it as compressed.
My previous solution was to note the presence of delayed compression
options in the server KEXINIT, but not to negotiate them in the
initial key exchange. Instead, we conduct the userauth exchange with
compression="none", and then once userauth has concluded, we trigger
an immediate rekey in which we do accept delayed compression methods -
because of course by that time they're no different from the non-
delayed versions. And that means compression is enabled by the
bidirectional NEWKEYS exchange, which lacks that race condition.
I think OpenSSH itself gets away with this because its layer structure
is structure so as to never send any such asynchronous transport-layer
message in the middle of userauth. Ours is not. But my cunning plan is
that now that my BPP abstraction includes a queue of packets to be
sent and a callback that processes that queue on to the output raw
data bufchain, it's possible to make that callback terminate early, to
leave any dangerous transport-layer messages unsent while we wait for
a userauth response.
Specifically: if we've negotiated a delayed compression method and not
yet seen USERAUTH_SUCCESS, then ssh2_bpp_handle_output will emit all
packets from its queue up to and including the last one in the
userauth type-code range, and keep back any further ones. The idea is
that _if_ that last userauth message was one that might provoke
USERAUTH_SUCCESS, we don't want to send any difficult things after it;
if it's not (e.g. it's in the middle of some ongoing userauth process
like k-i or GSS) then the userauth layer will know that, and will emit
some further userauth packet on its own initiative which will clue us
in that it's OK to release everything up to and including that one.
(So in particular it wasn't even necessary to forbid _all_ transport-
layer packets during userauth. I could have done that by reordering
the output queue - packets in that queue haven't been assigned their
sequence numbers yet, so that would have been safe - but it's more
elegant not to have to.)
One particular case we do have to be careful about is not trying to
initiate a _rekey_ during userauth, if delayed compression is in the
offing. That's because when we start rekeying, ssh2transport stops
sending any higher-layer packets at all, to discourage servers from
trying to ignore the KEXINIT and press on regardless - you don't get
your higher-layer replies until you actually respond to the
lower-layer interrupt. But in this case, if ssh2transport sent a
KEXINIT, which ssh2bpp kept back in the queue to avoid a delayed
compression race and would only send if another userauth packet
followed it, which ssh2transport would never pass on to ssh2bpp's
output queue, there'd be a complete protocol deadlock. So instead I
defer any attempt to start a rekey until after userauth finishes
(using the existing system for starting a deferred rekey at that
moment, which was previously used for the _old_ delayed-compression
strategy, and still has to be here anyway for GSSAPI purposes).
2018-10-07 08:10:14 +00:00
|
|
|
s->out.comp, s->out.comp_delayed);
|
Move most of ssh.c out into separate source files.
I've tried to separate out as many individually coherent changes from
this work as I could into their own commits, but here's where I run
out and have to commit the rest of this major refactoring as a
big-bang change.
Most of ssh.c is now no longer in ssh.c: all five of the main
coroutines that handle layers of the SSH-1 and SSH-2 protocols now
each have their own source file to live in, and a lot of the
supporting functions have moved into the appropriate one of those too.
The new abstraction is a vtable called 'PacketProtocolLayer', which
has an input and output packet queue. Each layer's main coroutine is
invoked from the method ssh_ppl_process_queue(), which is usually
(though not exclusively) triggered automatically when things are
pushed on the input queue. In SSH-2, the base layer is the transport
protocol, and it contains a pair of subsidiary queues by which it
passes some of its packets to the higher SSH-2 layers - first userauth
and then connection, which are peers at the same level, with the
former abdicating in favour of the latter at the appropriate moment.
SSH-1 is simpler: the whole login phase of the protocol (crypto setup
and authentication) is all in one module, and since SSH-1 has no
repeat key exchange, that setup layer abdicates in favour of the
connection phase when it's done.
ssh.c itself is now about a tenth of its old size (which all by itself
is cause for celebration!). Its main job is to set up all the layers,
hook them up to each other and to the BPP, and to funnel data back and
forth between that collection of modules and external things such as
the network and the terminal. Once it's set up a collection of packet
protocol layers, it communicates with them partly by calling methods
of the base layer (and if that's ssh2transport then it will delegate
some functionality to the corresponding methods of its higher layer),
and partly by talking directly to the connection layer no matter where
it is in the stack by means of the separate ConnectionLayer vtable
which I introduced in commit 8001dd4cb, and to which I've now added
quite a few extra methods replacing services that used to be internal
function calls within ssh.c.
(One effect of this is that the SSH-1 and SSH-2 channel storage is now
no longer shared - there are distinct struct types ssh1_channel and
ssh2_channel. That means a bit more code duplication, but on the plus
side, a lot fewer confusing conditionals in the middle of half-shared
functions, and less risk of a piece of SSH-1 escaping into SSH-2 or
vice versa, which I remember has happened at least once in the past.)
The bulk of this commit introduces the five new source files, their
common header sshppl.h and some shared supporting routines in
sshcommon.c, and rewrites nearly all of ssh.c itself. But it also
includes a couple of other changes that I couldn't separate easily
enough:
Firstly, there's a new handling for socket EOF, in which ssh.c sets an
'input_eof' flag in the BPP, and that responds by checking a flag that
tells it whether to report the EOF as an error or not. (This is the
main reason for those new BPP_READ / BPP_WAITFOR macros - they can
check the EOF flag every time the coroutine is resumed.)
Secondly, the error reporting itself is changed around again. I'd
expected to put some data fields in the public PacketProtocolLayer
structure that it could set to report errors in the same way as the
BPPs have been doing, but in the end, I decided propagating all those
data fields around was a pain and that even the BPPs shouldn't have
been doing it that way. So I've reverted to a system where everything
calls back to functions in ssh.c itself to report any connection-
ending condition. But there's a new family of those functions,
categorising the possible such conditions by semantics, and each one
has a different set of detailed effects (e.g. how rudely to close the
network connection, what exit status should be passed back to the
whole application, whether to send a disconnect message and/or display
a GUI error box).
I don't expect this to be immediately perfect: of course, the code has
been through a big upheaval, new bugs are expected, and I haven't been
able to do a full job of testing (e.g. I haven't tested every auth or
kex method). But I've checked that it _basically_ works - both SSH
protocols, all the different kinds of forwarding channel, more than
one auth method, Windows and Linux, connection sharing - and I think
it's now at the point where the easiest way to find further bugs is to
let it out into the wild and see what users can spot.
2018-09-24 17:28:16 +00:00
|
|
|
|
|
|
|
|
strbuf_free(cipher_key);
|
|
|
|
|
strbuf_free(cipher_iv);
|
|
|
|
|
strbuf_free(mac_key);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Now our end of the key exchange is complete, we can send all
|
|
|
|
|
* our queued higher-layer packets. Transfer the whole of the next
|
|
|
|
|
* layer's outgoing queue on to our own.
|
|
|
|
|
*/
|
|
|
|
|
pq_concatenate(s->ppl.out_pq, s->ppl.out_pq, &s->pq_out_higher);
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Expect SSH2_MSG_NEWKEYS from server.
|
|
|
|
|
*/
|
|
|
|
|
crMaybeWaitUntilV((pktin = ssh2_transport_pop(s)) != NULL);
|
|
|
|
|
if (pktin->type != SSH2_MSG_NEWKEYS) {
|
|
|
|
|
ssh_proto_error(s->ppl.ssh, "Received unexpected packet when "
|
|
|
|
|
"expecting SSH_MSG_NEWKEYS, type %d (%s)",
|
|
|
|
|
pktin->type,
|
|
|
|
|
ssh2_pkt_type(s->ppl.bpp->pls->kctx,
|
|
|
|
|
s->ppl.bpp->pls->actx,
|
|
|
|
|
pktin->type));
|
|
|
|
|
return;
|
|
|
|
|
}
|
|
|
|
|
/* Start counting down the incoming-data limit for these cipher keys. */
|
|
|
|
|
s->stats->in.running = TRUE;
|
|
|
|
|
s->stats->in.remaining = s->max_data_size;
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* We've seen server NEWKEYS, so create and initialise
|
|
|
|
|
* server-to-client session keys.
|
|
|
|
|
*/
|
|
|
|
|
{
|
|
|
|
|
strbuf *cipher_key = strbuf_new();
|
|
|
|
|
strbuf *cipher_iv = strbuf_new();
|
|
|
|
|
strbuf *mac_key = strbuf_new();
|
|
|
|
|
|
|
|
|
|
if (s->in.cipher) {
|
|
|
|
|
ssh2_mkkey(s, cipher_iv, s->K, s->exchange_hash, 'B',
|
|
|
|
|
s->in.cipher->blksize);
|
|
|
|
|
ssh2_mkkey(s, cipher_key, s->K, s->exchange_hash, 'D',
|
|
|
|
|
s->in.cipher->padded_keybytes);
|
|
|
|
|
}
|
|
|
|
|
if (s->in.mac) {
|
|
|
|
|
ssh2_mkkey(s, mac_key, s->K, s->exchange_hash, 'F',
|
|
|
|
|
s->in.mac->keylen);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
ssh2_bpp_new_incoming_crypto(
|
|
|
|
|
s->ppl.bpp,
|
|
|
|
|
s->in.cipher, cipher_key->u, cipher_iv->u,
|
|
|
|
|
s->in.mac, s->in.etm_mode, mac_key->u,
|
Support OpenSSH delayed compression without a rekey.
The problem with OpenSSH delayed compression is that the spec has a
race condition. Compression is enabled when the server sends
USERAUTH_SUCCESS. In the server->client direction, that's fine: the
USERAUTH_SUCCESS packet is not itself compressed, and the next packet
in the same direction is. But in the client->server direction, this
specification relies on there being a moment of half-duplex in the
connection: the client can't send any outgoing packet _after_ whatever
userauth packet the USERAUTH_SUCCESS was a response to, and _before_
finding out whether the response is USERAUTH_SUCCESS or something
else. If it emitted, say, an SSH_MSG_IGNORE or initiated a rekey
(perhaps due to a timeout), then that might cross in the network with
USERAUTH_SUCCESS and the server wouldn't be able to know whether to
treat it as compressed.
My previous solution was to note the presence of delayed compression
options in the server KEXINIT, but not to negotiate them in the
initial key exchange. Instead, we conduct the userauth exchange with
compression="none", and then once userauth has concluded, we trigger
an immediate rekey in which we do accept delayed compression methods -
because of course by that time they're no different from the non-
delayed versions. And that means compression is enabled by the
bidirectional NEWKEYS exchange, which lacks that race condition.
I think OpenSSH itself gets away with this because its layer structure
is structure so as to never send any such asynchronous transport-layer
message in the middle of userauth. Ours is not. But my cunning plan is
that now that my BPP abstraction includes a queue of packets to be
sent and a callback that processes that queue on to the output raw
data bufchain, it's possible to make that callback terminate early, to
leave any dangerous transport-layer messages unsent while we wait for
a userauth response.
Specifically: if we've negotiated a delayed compression method and not
yet seen USERAUTH_SUCCESS, then ssh2_bpp_handle_output will emit all
packets from its queue up to and including the last one in the
userauth type-code range, and keep back any further ones. The idea is
that _if_ that last userauth message was one that might provoke
USERAUTH_SUCCESS, we don't want to send any difficult things after it;
if it's not (e.g. it's in the middle of some ongoing userauth process
like k-i or GSS) then the userauth layer will know that, and will emit
some further userauth packet on its own initiative which will clue us
in that it's OK to release everything up to and including that one.
(So in particular it wasn't even necessary to forbid _all_ transport-
layer packets during userauth. I could have done that by reordering
the output queue - packets in that queue haven't been assigned their
sequence numbers yet, so that would have been safe - but it's more
elegant not to have to.)
One particular case we do have to be careful about is not trying to
initiate a _rekey_ during userauth, if delayed compression is in the
offing. That's because when we start rekeying, ssh2transport stops
sending any higher-layer packets at all, to discourage servers from
trying to ignore the KEXINIT and press on regardless - you don't get
your higher-layer replies until you actually respond to the
lower-layer interrupt. But in this case, if ssh2transport sent a
KEXINIT, which ssh2bpp kept back in the queue to avoid a delayed
compression race and would only send if another userauth packet
followed it, which ssh2transport would never pass on to ssh2bpp's
output queue, there'd be a complete protocol deadlock. So instead I
defer any attempt to start a rekey until after userauth finishes
(using the existing system for starting a deferred rekey at that
moment, which was previously used for the _old_ delayed-compression
strategy, and still has to be here anyway for GSSAPI purposes).
2018-10-07 08:10:14 +00:00
|
|
|
s->in.comp, s->in.comp_delayed);
|
Move most of ssh.c out into separate source files.
I've tried to separate out as many individually coherent changes from
this work as I could into their own commits, but here's where I run
out and have to commit the rest of this major refactoring as a
big-bang change.
Most of ssh.c is now no longer in ssh.c: all five of the main
coroutines that handle layers of the SSH-1 and SSH-2 protocols now
each have their own source file to live in, and a lot of the
supporting functions have moved into the appropriate one of those too.
The new abstraction is a vtable called 'PacketProtocolLayer', which
has an input and output packet queue. Each layer's main coroutine is
invoked from the method ssh_ppl_process_queue(), which is usually
(though not exclusively) triggered automatically when things are
pushed on the input queue. In SSH-2, the base layer is the transport
protocol, and it contains a pair of subsidiary queues by which it
passes some of its packets to the higher SSH-2 layers - first userauth
and then connection, which are peers at the same level, with the
former abdicating in favour of the latter at the appropriate moment.
SSH-1 is simpler: the whole login phase of the protocol (crypto setup
and authentication) is all in one module, and since SSH-1 has no
repeat key exchange, that setup layer abdicates in favour of the
connection phase when it's done.
ssh.c itself is now about a tenth of its old size (which all by itself
is cause for celebration!). Its main job is to set up all the layers,
hook them up to each other and to the BPP, and to funnel data back and
forth between that collection of modules and external things such as
the network and the terminal. Once it's set up a collection of packet
protocol layers, it communicates with them partly by calling methods
of the base layer (and if that's ssh2transport then it will delegate
some functionality to the corresponding methods of its higher layer),
and partly by talking directly to the connection layer no matter where
it is in the stack by means of the separate ConnectionLayer vtable
which I introduced in commit 8001dd4cb, and to which I've now added
quite a few extra methods replacing services that used to be internal
function calls within ssh.c.
(One effect of this is that the SSH-1 and SSH-2 channel storage is now
no longer shared - there are distinct struct types ssh1_channel and
ssh2_channel. That means a bit more code duplication, but on the plus
side, a lot fewer confusing conditionals in the middle of half-shared
functions, and less risk of a piece of SSH-1 escaping into SSH-2 or
vice versa, which I remember has happened at least once in the past.)
The bulk of this commit introduces the five new source files, their
common header sshppl.h and some shared supporting routines in
sshcommon.c, and rewrites nearly all of ssh.c itself. But it also
includes a couple of other changes that I couldn't separate easily
enough:
Firstly, there's a new handling for socket EOF, in which ssh.c sets an
'input_eof' flag in the BPP, and that responds by checking a flag that
tells it whether to report the EOF as an error or not. (This is the
main reason for those new BPP_READ / BPP_WAITFOR macros - they can
check the EOF flag every time the coroutine is resumed.)
Secondly, the error reporting itself is changed around again. I'd
expected to put some data fields in the public PacketProtocolLayer
structure that it could set to report errors in the same way as the
BPPs have been doing, but in the end, I decided propagating all those
data fields around was a pain and that even the BPPs shouldn't have
been doing it that way. So I've reverted to a system where everything
calls back to functions in ssh.c itself to report any connection-
ending condition. But there's a new family of those functions,
categorising the possible such conditions by semantics, and each one
has a different set of detailed effects (e.g. how rudely to close the
network connection, what exit status should be passed back to the
whole application, whether to send a disconnect message and/or display
a GUI error box).
I don't expect this to be immediately perfect: of course, the code has
been through a big upheaval, new bugs are expected, and I haven't been
able to do a full job of testing (e.g. I haven't tested every auth or
kex method). But I've checked that it _basically_ works - both SSH
protocols, all the different kinds of forwarding channel, more than
one auth method, Windows and Linux, connection sharing - and I think
it's now at the point where the easiest way to find further bugs is to
let it out into the wild and see what users can spot.
2018-09-24 17:28:16 +00:00
|
|
|
|
|
|
|
|
strbuf_free(cipher_key);
|
|
|
|
|
strbuf_free(cipher_iv);
|
|
|
|
|
strbuf_free(mac_key);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Free shared secret.
|
|
|
|
|
*/
|
|
|
|
|
freebn(s->K); s->K = NULL;
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Update the specials menu to list the remaining uncertified host
|
|
|
|
|
* keys.
|
|
|
|
|
*/
|
New abstraction 'Seat', to pass to backends.
This is a new vtable-based abstraction which is passed to a backend in
place of Frontend, and it implements only the subset of the Frontend
functions needed by a backend. (Many other Frontend functions still
exist, notably the wide range of things called by terminal.c providing
platform-independent operations on the GUI terminal window.)
The purpose of making it a vtable is that this opens up the
possibility of creating a backend as an internal implementation detail
of some other activity, by providing just that one backend with a
custom Seat that implements the methods differently.
For example, this refactoring should make it feasible to directly
implement an SSH proxy type, aka the 'jump host' feature supported by
OpenSSH, aka 'open a secondary SSH session in MAINCHAN_DIRECT_TCP
mode, and then expose the main channel of that as the Socket for the
primary connection'. (Which of course you can already do by spawning
'plink -nc' as a separate proxy process, but this would permit it in
the _same_ process without anything getting confused.)
I've centralised a full set of stub methods in misc.c for the new
abstraction, which allows me to get rid of several annoying stubs in
the previous code. Also, while I'm here, I've moved a lot of
duplicated modalfatalbox() type functions from application main
program files into wincons.c / uxcons.c, which I think saves
duplication overall. (A minor visible effect is that the prefixes on
those console-based fatal error messages will now be more consistent
between applications.)
2018-10-11 18:58:42 +00:00
|
|
|
seat_update_specials_menu(s->ppl.seat);
|
Move most of ssh.c out into separate source files.
I've tried to separate out as many individually coherent changes from
this work as I could into their own commits, but here's where I run
out and have to commit the rest of this major refactoring as a
big-bang change.
Most of ssh.c is now no longer in ssh.c: all five of the main
coroutines that handle layers of the SSH-1 and SSH-2 protocols now
each have their own source file to live in, and a lot of the
supporting functions have moved into the appropriate one of those too.
The new abstraction is a vtable called 'PacketProtocolLayer', which
has an input and output packet queue. Each layer's main coroutine is
invoked from the method ssh_ppl_process_queue(), which is usually
(though not exclusively) triggered automatically when things are
pushed on the input queue. In SSH-2, the base layer is the transport
protocol, and it contains a pair of subsidiary queues by which it
passes some of its packets to the higher SSH-2 layers - first userauth
and then connection, which are peers at the same level, with the
former abdicating in favour of the latter at the appropriate moment.
SSH-1 is simpler: the whole login phase of the protocol (crypto setup
and authentication) is all in one module, and since SSH-1 has no
repeat key exchange, that setup layer abdicates in favour of the
connection phase when it's done.
ssh.c itself is now about a tenth of its old size (which all by itself
is cause for celebration!). Its main job is to set up all the layers,
hook them up to each other and to the BPP, and to funnel data back and
forth between that collection of modules and external things such as
the network and the terminal. Once it's set up a collection of packet
protocol layers, it communicates with them partly by calling methods
of the base layer (and if that's ssh2transport then it will delegate
some functionality to the corresponding methods of its higher layer),
and partly by talking directly to the connection layer no matter where
it is in the stack by means of the separate ConnectionLayer vtable
which I introduced in commit 8001dd4cb, and to which I've now added
quite a few extra methods replacing services that used to be internal
function calls within ssh.c.
(One effect of this is that the SSH-1 and SSH-2 channel storage is now
no longer shared - there are distinct struct types ssh1_channel and
ssh2_channel. That means a bit more code duplication, but on the plus
side, a lot fewer confusing conditionals in the middle of half-shared
functions, and less risk of a piece of SSH-1 escaping into SSH-2 or
vice versa, which I remember has happened at least once in the past.)
The bulk of this commit introduces the five new source files, their
common header sshppl.h and some shared supporting routines in
sshcommon.c, and rewrites nearly all of ssh.c itself. But it also
includes a couple of other changes that I couldn't separate easily
enough:
Firstly, there's a new handling for socket EOF, in which ssh.c sets an
'input_eof' flag in the BPP, and that responds by checking a flag that
tells it whether to report the EOF as an error or not. (This is the
main reason for those new BPP_READ / BPP_WAITFOR macros - they can
check the EOF flag every time the coroutine is resumed.)
Secondly, the error reporting itself is changed around again. I'd
expected to put some data fields in the public PacketProtocolLayer
structure that it could set to report errors in the same way as the
BPPs have been doing, but in the end, I decided propagating all those
data fields around was a pain and that even the BPPs shouldn't have
been doing it that way. So I've reverted to a system where everything
calls back to functions in ssh.c itself to report any connection-
ending condition. But there's a new family of those functions,
categorising the possible such conditions by semantics, and each one
has a different set of detailed effects (e.g. how rudely to close the
network connection, what exit status should be passed back to the
whole application, whether to send a disconnect message and/or display
a GUI error box).
I don't expect this to be immediately perfect: of course, the code has
been through a big upheaval, new bugs are expected, and I haven't been
able to do a full job of testing (e.g. I haven't tested every auth or
kex method). But I've checked that it _basically_ works - both SSH
protocols, all the different kinds of forwarding channel, more than
one auth method, Windows and Linux, connection sharing - and I think
it's now at the point where the easiest way to find further bugs is to
let it out into the wild and see what users can spot.
2018-09-24 17:28:16 +00:00
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Key exchange is over. Loop straight back round if we have a
|
|
|
|
|
* deferred rekey reason.
|
|
|
|
|
*/
|
|
|
|
|
if (s->deferred_rekey_reason) {
|
|
|
|
|
ppl_logevent(("%s", s->deferred_rekey_reason));
|
|
|
|
|
pktin = NULL;
|
|
|
|
|
s->deferred_rekey_reason = NULL;
|
|
|
|
|
goto begin_key_exchange;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Otherwise, schedule a timer for our next rekey.
|
|
|
|
|
*/
|
|
|
|
|
s->kex_in_progress = FALSE;
|
|
|
|
|
s->last_rekey = GETTICKCOUNT();
|
|
|
|
|
(void) ssh2_transport_timer_update(s, 0);
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Now we're encrypting. Get the next-layer protocol started if it
|
|
|
|
|
* hasn't already, and then sit here waiting for reasons to go
|
|
|
|
|
* back to the start and do a repeat key exchange. One of those
|
|
|
|
|
* reasons is that we receive KEXINIT from the other end; the
|
|
|
|
|
* other is if we find rekey_reason is non-NULL, i.e. we've
|
|
|
|
|
* decided to initiate a rekey ourselves for some reason.
|
|
|
|
|
*/
|
|
|
|
|
if (!s->higher_layer_ok) {
|
|
|
|
|
pktout = ssh_bpp_new_pktout(s->ppl.bpp, SSH2_MSG_SERVICE_REQUEST);
|
|
|
|
|
put_stringz(pktout, s->higher_layer->vt->name);
|
|
|
|
|
pq_push(s->ppl.out_pq, pktout);
|
|
|
|
|
crMaybeWaitUntilV((pktin = ssh2_transport_pop(s)) != NULL);
|
|
|
|
|
if (pktin->type != SSH2_MSG_SERVICE_ACCEPT) {
|
|
|
|
|
ssh_sw_abort(s->ppl.ssh, "Server refused request to start "
|
|
|
|
|
"'%s' protocol", s->higher_layer->vt->name);
|
|
|
|
|
return;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
s->higher_layer_ok = TRUE;
|
|
|
|
|
queue_idempotent_callback(&s->higher_layer->ic_process_queue);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
s->rekey_class = RK_NONE;
|
|
|
|
|
do {
|
|
|
|
|
crReturnV;
|
|
|
|
|
|
|
|
|
|
/* Pass through outgoing packets from the higher layer. */
|
|
|
|
|
pq_concatenate(s->ppl.out_pq, s->ppl.out_pq, &s->pq_out_higher);
|
|
|
|
|
|
|
|
|
|
/* Wait for either a KEXINIT, or something setting
|
|
|
|
|
* s->rekey_class. This call to ssh2_transport_pop also has
|
|
|
|
|
* the side effect of transferring incoming packets _to_ the
|
|
|
|
|
* higher layer (via filter_queue). */
|
|
|
|
|
if ((pktin = ssh2_transport_pop(s)) != NULL) {
|
|
|
|
|
if (pktin->type != SSH2_MSG_KEXINIT) {
|
|
|
|
|
ssh_proto_error(s->ppl.ssh, "Received unexpected transport-"
|
|
|
|
|
"layer packet outside a key exchange, "
|
|
|
|
|
"type %d (%s)", pktin->type,
|
|
|
|
|
ssh2_pkt_type(s->ppl.bpp->pls->kctx,
|
|
|
|
|
s->ppl.bpp->pls->actx,
|
|
|
|
|
pktin->type));
|
|
|
|
|
return;
|
|
|
|
|
}
|
|
|
|
|
pq_push_front(s->ppl.in_pq, pktin);
|
|
|
|
|
ppl_logevent(("Server initiated key re-exchange"));
|
|
|
|
|
s->rekey_class = RK_SERVER;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (s->rekey_class == RK_POST_USERAUTH) {
|
|
|
|
|
/*
|
Support OpenSSH delayed compression without a rekey.
The problem with OpenSSH delayed compression is that the spec has a
race condition. Compression is enabled when the server sends
USERAUTH_SUCCESS. In the server->client direction, that's fine: the
USERAUTH_SUCCESS packet is not itself compressed, and the next packet
in the same direction is. But in the client->server direction, this
specification relies on there being a moment of half-duplex in the
connection: the client can't send any outgoing packet _after_ whatever
userauth packet the USERAUTH_SUCCESS was a response to, and _before_
finding out whether the response is USERAUTH_SUCCESS or something
else. If it emitted, say, an SSH_MSG_IGNORE or initiated a rekey
(perhaps due to a timeout), then that might cross in the network with
USERAUTH_SUCCESS and the server wouldn't be able to know whether to
treat it as compressed.
My previous solution was to note the presence of delayed compression
options in the server KEXINIT, but not to negotiate them in the
initial key exchange. Instead, we conduct the userauth exchange with
compression="none", and then once userauth has concluded, we trigger
an immediate rekey in which we do accept delayed compression methods -
because of course by that time they're no different from the non-
delayed versions. And that means compression is enabled by the
bidirectional NEWKEYS exchange, which lacks that race condition.
I think OpenSSH itself gets away with this because its layer structure
is structure so as to never send any such asynchronous transport-layer
message in the middle of userauth. Ours is not. But my cunning plan is
that now that my BPP abstraction includes a queue of packets to be
sent and a callback that processes that queue on to the output raw
data bufchain, it's possible to make that callback terminate early, to
leave any dangerous transport-layer messages unsent while we wait for
a userauth response.
Specifically: if we've negotiated a delayed compression method and not
yet seen USERAUTH_SUCCESS, then ssh2_bpp_handle_output will emit all
packets from its queue up to and including the last one in the
userauth type-code range, and keep back any further ones. The idea is
that _if_ that last userauth message was one that might provoke
USERAUTH_SUCCESS, we don't want to send any difficult things after it;
if it's not (e.g. it's in the middle of some ongoing userauth process
like k-i or GSS) then the userauth layer will know that, and will emit
some further userauth packet on its own initiative which will clue us
in that it's OK to release everything up to and including that one.
(So in particular it wasn't even necessary to forbid _all_ transport-
layer packets during userauth. I could have done that by reordering
the output queue - packets in that queue haven't been assigned their
sequence numbers yet, so that would have been safe - but it's more
elegant not to have to.)
One particular case we do have to be careful about is not trying to
initiate a _rekey_ during userauth, if delayed compression is in the
offing. That's because when we start rekeying, ssh2transport stops
sending any higher-layer packets at all, to discourage servers from
trying to ignore the KEXINIT and press on regardless - you don't get
your higher-layer replies until you actually respond to the
lower-layer interrupt. But in this case, if ssh2transport sent a
KEXINIT, which ssh2bpp kept back in the queue to avoid a delayed
compression race and would only send if another userauth packet
followed it, which ssh2transport would never pass on to ssh2bpp's
output queue, there'd be a complete protocol deadlock. So instead I
defer any attempt to start a rekey until after userauth finishes
(using the existing system for starting a deferred rekey at that
moment, which was previously used for the _old_ delayed-compression
strategy, and still has to be here anyway for GSSAPI purposes).
2018-10-07 08:10:14 +00:00
|
|
|
* userauth has seen a USERAUTH_SUCCESS. This may be the
|
|
|
|
|
* moment to do an immediate rekey with different
|
|
|
|
|
* parameters. But it may not; so here we turn that rekey
|
|
|
|
|
* class into either RK_NONE or RK_NORMAL.
|
Move most of ssh.c out into separate source files.
I've tried to separate out as many individually coherent changes from
this work as I could into their own commits, but here's where I run
out and have to commit the rest of this major refactoring as a
big-bang change.
Most of ssh.c is now no longer in ssh.c: all five of the main
coroutines that handle layers of the SSH-1 and SSH-2 protocols now
each have their own source file to live in, and a lot of the
supporting functions have moved into the appropriate one of those too.
The new abstraction is a vtable called 'PacketProtocolLayer', which
has an input and output packet queue. Each layer's main coroutine is
invoked from the method ssh_ppl_process_queue(), which is usually
(though not exclusively) triggered automatically when things are
pushed on the input queue. In SSH-2, the base layer is the transport
protocol, and it contains a pair of subsidiary queues by which it
passes some of its packets to the higher SSH-2 layers - first userauth
and then connection, which are peers at the same level, with the
former abdicating in favour of the latter at the appropriate moment.
SSH-1 is simpler: the whole login phase of the protocol (crypto setup
and authentication) is all in one module, and since SSH-1 has no
repeat key exchange, that setup layer abdicates in favour of the
connection phase when it's done.
ssh.c itself is now about a tenth of its old size (which all by itself
is cause for celebration!). Its main job is to set up all the layers,
hook them up to each other and to the BPP, and to funnel data back and
forth between that collection of modules and external things such as
the network and the terminal. Once it's set up a collection of packet
protocol layers, it communicates with them partly by calling methods
of the base layer (and if that's ssh2transport then it will delegate
some functionality to the corresponding methods of its higher layer),
and partly by talking directly to the connection layer no matter where
it is in the stack by means of the separate ConnectionLayer vtable
which I introduced in commit 8001dd4cb, and to which I've now added
quite a few extra methods replacing services that used to be internal
function calls within ssh.c.
(One effect of this is that the SSH-1 and SSH-2 channel storage is now
no longer shared - there are distinct struct types ssh1_channel and
ssh2_channel. That means a bit more code duplication, but on the plus
side, a lot fewer confusing conditionals in the middle of half-shared
functions, and less risk of a piece of SSH-1 escaping into SSH-2 or
vice versa, which I remember has happened at least once in the past.)
The bulk of this commit introduces the five new source files, their
common header sshppl.h and some shared supporting routines in
sshcommon.c, and rewrites nearly all of ssh.c itself. But it also
includes a couple of other changes that I couldn't separate easily
enough:
Firstly, there's a new handling for socket EOF, in which ssh.c sets an
'input_eof' flag in the BPP, and that responds by checking a flag that
tells it whether to report the EOF as an error or not. (This is the
main reason for those new BPP_READ / BPP_WAITFOR macros - they can
check the EOF flag every time the coroutine is resumed.)
Secondly, the error reporting itself is changed around again. I'd
expected to put some data fields in the public PacketProtocolLayer
structure that it could set to report errors in the same way as the
BPPs have been doing, but in the end, I decided propagating all those
data fields around was a pain and that even the BPPs shouldn't have
been doing it that way. So I've reverted to a system where everything
calls back to functions in ssh.c itself to report any connection-
ending condition. But there's a new family of those functions,
categorising the possible such conditions by semantics, and each one
has a different set of detailed effects (e.g. how rudely to close the
network connection, what exit status should be passed back to the
whole application, whether to send a disconnect message and/or display
a GUI error box).
I don't expect this to be immediately perfect: of course, the code has
been through a big upheaval, new bugs are expected, and I haven't been
able to do a full job of testing (e.g. I haven't tested every auth or
kex method). But I've checked that it _basically_ works - both SSH
protocols, all the different kinds of forwarding channel, more than
one auth method, Windows and Linux, connection sharing - and I think
it's now at the point where the easiest way to find further bugs is to
let it out into the wild and see what users can spot.
2018-09-24 17:28:16 +00:00
|
|
|
*
|
Support OpenSSH delayed compression without a rekey.
The problem with OpenSSH delayed compression is that the spec has a
race condition. Compression is enabled when the server sends
USERAUTH_SUCCESS. In the server->client direction, that's fine: the
USERAUTH_SUCCESS packet is not itself compressed, and the next packet
in the same direction is. But in the client->server direction, this
specification relies on there being a moment of half-duplex in the
connection: the client can't send any outgoing packet _after_ whatever
userauth packet the USERAUTH_SUCCESS was a response to, and _before_
finding out whether the response is USERAUTH_SUCCESS or something
else. If it emitted, say, an SSH_MSG_IGNORE or initiated a rekey
(perhaps due to a timeout), then that might cross in the network with
USERAUTH_SUCCESS and the server wouldn't be able to know whether to
treat it as compressed.
My previous solution was to note the presence of delayed compression
options in the server KEXINIT, but not to negotiate them in the
initial key exchange. Instead, we conduct the userauth exchange with
compression="none", and then once userauth has concluded, we trigger
an immediate rekey in which we do accept delayed compression methods -
because of course by that time they're no different from the non-
delayed versions. And that means compression is enabled by the
bidirectional NEWKEYS exchange, which lacks that race condition.
I think OpenSSH itself gets away with this because its layer structure
is structure so as to never send any such asynchronous transport-layer
message in the middle of userauth. Ours is not. But my cunning plan is
that now that my BPP abstraction includes a queue of packets to be
sent and a callback that processes that queue on to the output raw
data bufchain, it's possible to make that callback terminate early, to
leave any dangerous transport-layer messages unsent while we wait for
a userauth response.
Specifically: if we've negotiated a delayed compression method and not
yet seen USERAUTH_SUCCESS, then ssh2_bpp_handle_output will emit all
packets from its queue up to and including the last one in the
userauth type-code range, and keep back any further ones. The idea is
that _if_ that last userauth message was one that might provoke
USERAUTH_SUCCESS, we don't want to send any difficult things after it;
if it's not (e.g. it's in the middle of some ongoing userauth process
like k-i or GSS) then the userauth layer will know that, and will emit
some further userauth packet on its own initiative which will clue us
in that it's OK to release everything up to and including that one.
(So in particular it wasn't even necessary to forbid _all_ transport-
layer packets during userauth. I could have done that by reordering
the output queue - packets in that queue haven't been assigned their
sequence numbers yet, so that would have been safe - but it's more
elegant not to have to.)
One particular case we do have to be careful about is not trying to
initiate a _rekey_ during userauth, if delayed compression is in the
offing. That's because when we start rekeying, ssh2transport stops
sending any higher-layer packets at all, to discourage servers from
trying to ignore the KEXINIT and press on regardless - you don't get
your higher-layer replies until you actually respond to the
lower-layer interrupt. But in this case, if ssh2transport sent a
KEXINIT, which ssh2bpp kept back in the queue to avoid a delayed
compression race and would only send if another userauth packet
followed it, which ssh2transport would never pass on to ssh2bpp's
output queue, there'd be a complete protocol deadlock. So instead I
defer any attempt to start a rekey until after userauth finishes
(using the existing system for starting a deferred rekey at that
moment, which was previously used for the _old_ delayed-compression
strategy, and still has to be here anyway for GSSAPI purposes).
2018-10-07 08:10:14 +00:00
|
|
|
* Currently the only reason for this is if we've done a
|
|
|
|
|
* GSS key exchange and don't have anything in our
|
Move most of ssh.c out into separate source files.
I've tried to separate out as many individually coherent changes from
this work as I could into their own commits, but here's where I run
out and have to commit the rest of this major refactoring as a
big-bang change.
Most of ssh.c is now no longer in ssh.c: all five of the main
coroutines that handle layers of the SSH-1 and SSH-2 protocols now
each have their own source file to live in, and a lot of the
supporting functions have moved into the appropriate one of those too.
The new abstraction is a vtable called 'PacketProtocolLayer', which
has an input and output packet queue. Each layer's main coroutine is
invoked from the method ssh_ppl_process_queue(), which is usually
(though not exclusively) triggered automatically when things are
pushed on the input queue. In SSH-2, the base layer is the transport
protocol, and it contains a pair of subsidiary queues by which it
passes some of its packets to the higher SSH-2 layers - first userauth
and then connection, which are peers at the same level, with the
former abdicating in favour of the latter at the appropriate moment.
SSH-1 is simpler: the whole login phase of the protocol (crypto setup
and authentication) is all in one module, and since SSH-1 has no
repeat key exchange, that setup layer abdicates in favour of the
connection phase when it's done.
ssh.c itself is now about a tenth of its old size (which all by itself
is cause for celebration!). Its main job is to set up all the layers,
hook them up to each other and to the BPP, and to funnel data back and
forth between that collection of modules and external things such as
the network and the terminal. Once it's set up a collection of packet
protocol layers, it communicates with them partly by calling methods
of the base layer (and if that's ssh2transport then it will delegate
some functionality to the corresponding methods of its higher layer),
and partly by talking directly to the connection layer no matter where
it is in the stack by means of the separate ConnectionLayer vtable
which I introduced in commit 8001dd4cb, and to which I've now added
quite a few extra methods replacing services that used to be internal
function calls within ssh.c.
(One effect of this is that the SSH-1 and SSH-2 channel storage is now
no longer shared - there are distinct struct types ssh1_channel and
ssh2_channel. That means a bit more code duplication, but on the plus
side, a lot fewer confusing conditionals in the middle of half-shared
functions, and less risk of a piece of SSH-1 escaping into SSH-2 or
vice versa, which I remember has happened at least once in the past.)
The bulk of this commit introduces the five new source files, their
common header sshppl.h and some shared supporting routines in
sshcommon.c, and rewrites nearly all of ssh.c itself. But it also
includes a couple of other changes that I couldn't separate easily
enough:
Firstly, there's a new handling for socket EOF, in which ssh.c sets an
'input_eof' flag in the BPP, and that responds by checking a flag that
tells it whether to report the EOF as an error or not. (This is the
main reason for those new BPP_READ / BPP_WAITFOR macros - they can
check the EOF flag every time the coroutine is resumed.)
Secondly, the error reporting itself is changed around again. I'd
expected to put some data fields in the public PacketProtocolLayer
structure that it could set to report errors in the same way as the
BPPs have been doing, but in the end, I decided propagating all those
data fields around was a pain and that even the BPPs shouldn't have
been doing it that way. So I've reverted to a system where everything
calls back to functions in ssh.c itself to report any connection-
ending condition. But there's a new family of those functions,
categorising the possible such conditions by semantics, and each one
has a different set of detailed effects (e.g. how rudely to close the
network connection, what exit status should be passed back to the
whole application, whether to send a disconnect message and/or display
a GUI error box).
I don't expect this to be immediately perfect: of course, the code has
been through a big upheaval, new bugs are expected, and I haven't been
able to do a full job of testing (e.g. I haven't tested every auth or
kex method). But I've checked that it _basically_ works - both SSH
protocols, all the different kinds of forwarding channel, more than
one auth method, Windows and Linux, connection sharing - and I think
it's now at the point where the easiest way to find further bugs is to
let it out into the wild and see what users can spot.
2018-09-24 17:28:16 +00:00
|
|
|
* transient hostkey cache, in which case we should make
|
|
|
|
|
* an attempt to populate the cache now.
|
|
|
|
|
*/
|
Support OpenSSH delayed compression without a rekey.
The problem with OpenSSH delayed compression is that the spec has a
race condition. Compression is enabled when the server sends
USERAUTH_SUCCESS. In the server->client direction, that's fine: the
USERAUTH_SUCCESS packet is not itself compressed, and the next packet
in the same direction is. But in the client->server direction, this
specification relies on there being a moment of half-duplex in the
connection: the client can't send any outgoing packet _after_ whatever
userauth packet the USERAUTH_SUCCESS was a response to, and _before_
finding out whether the response is USERAUTH_SUCCESS or something
else. If it emitted, say, an SSH_MSG_IGNORE or initiated a rekey
(perhaps due to a timeout), then that might cross in the network with
USERAUTH_SUCCESS and the server wouldn't be able to know whether to
treat it as compressed.
My previous solution was to note the presence of delayed compression
options in the server KEXINIT, but not to negotiate them in the
initial key exchange. Instead, we conduct the userauth exchange with
compression="none", and then once userauth has concluded, we trigger
an immediate rekey in which we do accept delayed compression methods -
because of course by that time they're no different from the non-
delayed versions. And that means compression is enabled by the
bidirectional NEWKEYS exchange, which lacks that race condition.
I think OpenSSH itself gets away with this because its layer structure
is structure so as to never send any such asynchronous transport-layer
message in the middle of userauth. Ours is not. But my cunning plan is
that now that my BPP abstraction includes a queue of packets to be
sent and a callback that processes that queue on to the output raw
data bufchain, it's possible to make that callback terminate early, to
leave any dangerous transport-layer messages unsent while we wait for
a userauth response.
Specifically: if we've negotiated a delayed compression method and not
yet seen USERAUTH_SUCCESS, then ssh2_bpp_handle_output will emit all
packets from its queue up to and including the last one in the
userauth type-code range, and keep back any further ones. The idea is
that _if_ that last userauth message was one that might provoke
USERAUTH_SUCCESS, we don't want to send any difficult things after it;
if it's not (e.g. it's in the middle of some ongoing userauth process
like k-i or GSS) then the userauth layer will know that, and will emit
some further userauth packet on its own initiative which will clue us
in that it's OK to release everything up to and including that one.
(So in particular it wasn't even necessary to forbid _all_ transport-
layer packets during userauth. I could have done that by reordering
the output queue - packets in that queue haven't been assigned their
sequence numbers yet, so that would have been safe - but it's more
elegant not to have to.)
One particular case we do have to be careful about is not trying to
initiate a _rekey_ during userauth, if delayed compression is in the
offing. That's because when we start rekeying, ssh2transport stops
sending any higher-layer packets at all, to discourage servers from
trying to ignore the KEXINIT and press on regardless - you don't get
your higher-layer replies until you actually respond to the
lower-layer interrupt. But in this case, if ssh2transport sent a
KEXINIT, which ssh2bpp kept back in the queue to avoid a delayed
compression race and would only send if another userauth packet
followed it, which ssh2transport would never pass on to ssh2bpp's
output queue, there'd be a complete protocol deadlock. So instead I
defer any attempt to start a rekey until after userauth finishes
(using the existing system for starting a deferred rekey at that
moment, which was previously used for the _old_ delayed-compression
strategy, and still has to be here anyway for GSSAPI purposes).
2018-10-07 08:10:14 +00:00
|
|
|
if (s->need_gss_transient_hostkey) {
|
Move most of ssh.c out into separate source files.
I've tried to separate out as many individually coherent changes from
this work as I could into their own commits, but here's where I run
out and have to commit the rest of this major refactoring as a
big-bang change.
Most of ssh.c is now no longer in ssh.c: all five of the main
coroutines that handle layers of the SSH-1 and SSH-2 protocols now
each have their own source file to live in, and a lot of the
supporting functions have moved into the appropriate one of those too.
The new abstraction is a vtable called 'PacketProtocolLayer', which
has an input and output packet queue. Each layer's main coroutine is
invoked from the method ssh_ppl_process_queue(), which is usually
(though not exclusively) triggered automatically when things are
pushed on the input queue. In SSH-2, the base layer is the transport
protocol, and it contains a pair of subsidiary queues by which it
passes some of its packets to the higher SSH-2 layers - first userauth
and then connection, which are peers at the same level, with the
former abdicating in favour of the latter at the appropriate moment.
SSH-1 is simpler: the whole login phase of the protocol (crypto setup
and authentication) is all in one module, and since SSH-1 has no
repeat key exchange, that setup layer abdicates in favour of the
connection phase when it's done.
ssh.c itself is now about a tenth of its old size (which all by itself
is cause for celebration!). Its main job is to set up all the layers,
hook them up to each other and to the BPP, and to funnel data back and
forth between that collection of modules and external things such as
the network and the terminal. Once it's set up a collection of packet
protocol layers, it communicates with them partly by calling methods
of the base layer (and if that's ssh2transport then it will delegate
some functionality to the corresponding methods of its higher layer),
and partly by talking directly to the connection layer no matter where
it is in the stack by means of the separate ConnectionLayer vtable
which I introduced in commit 8001dd4cb, and to which I've now added
quite a few extra methods replacing services that used to be internal
function calls within ssh.c.
(One effect of this is that the SSH-1 and SSH-2 channel storage is now
no longer shared - there are distinct struct types ssh1_channel and
ssh2_channel. That means a bit more code duplication, but on the plus
side, a lot fewer confusing conditionals in the middle of half-shared
functions, and less risk of a piece of SSH-1 escaping into SSH-2 or
vice versa, which I remember has happened at least once in the past.)
The bulk of this commit introduces the five new source files, their
common header sshppl.h and some shared supporting routines in
sshcommon.c, and rewrites nearly all of ssh.c itself. But it also
includes a couple of other changes that I couldn't separate easily
enough:
Firstly, there's a new handling for socket EOF, in which ssh.c sets an
'input_eof' flag in the BPP, and that responds by checking a flag that
tells it whether to report the EOF as an error or not. (This is the
main reason for those new BPP_READ / BPP_WAITFOR macros - they can
check the EOF flag every time the coroutine is resumed.)
Secondly, the error reporting itself is changed around again. I'd
expected to put some data fields in the public PacketProtocolLayer
structure that it could set to report errors in the same way as the
BPPs have been doing, but in the end, I decided propagating all those
data fields around was a pain and that even the BPPs shouldn't have
been doing it that way. So I've reverted to a system where everything
calls back to functions in ssh.c itself to report any connection-
ending condition. But there's a new family of those functions,
categorising the possible such conditions by semantics, and each one
has a different set of detailed effects (e.g. how rudely to close the
network connection, what exit status should be passed back to the
whole application, whether to send a disconnect message and/or display
a GUI error box).
I don't expect this to be immediately perfect: of course, the code has
been through a big upheaval, new bugs are expected, and I haven't been
able to do a full job of testing (e.g. I haven't tested every auth or
kex method). But I've checked that it _basically_ works - both SSH
protocols, all the different kinds of forwarding channel, more than
one auth method, Windows and Linux, connection sharing - and I think
it's now at the point where the easiest way to find further bugs is to
let it out into the wild and see what users can spot.
2018-09-24 17:28:16 +00:00
|
|
|
s->rekey_reason = "populating transient host key cache";
|
|
|
|
|
s->rekey_class = RK_NORMAL;
|
|
|
|
|
} else {
|
|
|
|
|
/* No need to rekey at this time. */
|
|
|
|
|
s->rekey_class = RK_NONE;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (!s->rekey_class) {
|
|
|
|
|
/* If we don't yet have any other reason to rekey, check
|
|
|
|
|
* if we've hit our data limit in either direction. */
|
|
|
|
|
if (!s->stats->in.running) {
|
|
|
|
|
s->rekey_reason = "too much data received";
|
|
|
|
|
s->rekey_class = RK_NORMAL;
|
|
|
|
|
} else if (!s->stats->out.running) {
|
|
|
|
|
s->rekey_reason = "too much data sent";
|
|
|
|
|
s->rekey_class = RK_NORMAL;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (s->rekey_class != RK_NONE && s->rekey_class != RK_SERVER) {
|
|
|
|
|
/*
|
|
|
|
|
* Special case: if the server bug is set that doesn't
|
|
|
|
|
* allow rekeying, we give a different log message and
|
|
|
|
|
* continue waiting. (If such a server _initiates_ a
|
|
|
|
|
* rekey, we process it anyway!)
|
|
|
|
|
*/
|
|
|
|
|
if ((s->ppl.remote_bugs & BUG_SSH2_REKEY)) {
|
|
|
|
|
ppl_logevent(("Server bug prevents key re-exchange (%s)",
|
|
|
|
|
s->rekey_reason));
|
|
|
|
|
/* Reset the counters, so that at least this message doesn't
|
|
|
|
|
* hit the event log _too_ often. */
|
|
|
|
|
s->stats->in.running = s->stats->out.running = TRUE;
|
|
|
|
|
s->stats->in.remaining = s->stats->out.remaining =
|
|
|
|
|
s->max_data_size;
|
|
|
|
|
(void) ssh2_transport_timer_update(s, 0);
|
|
|
|
|
s->rekey_class = RK_NONE;
|
|
|
|
|
} else {
|
|
|
|
|
ppl_logevent(("Initiating key re-exchange (%s)",
|
|
|
|
|
s->rekey_reason));
|
|
|
|
|
}
|
|
|
|
|
}
|
2018-09-25 16:12:22 +00:00
|
|
|
} while (s->rekey_class == RK_NONE);
|
Move most of ssh.c out into separate source files.
I've tried to separate out as many individually coherent changes from
this work as I could into their own commits, but here's where I run
out and have to commit the rest of this major refactoring as a
big-bang change.
Most of ssh.c is now no longer in ssh.c: all five of the main
coroutines that handle layers of the SSH-1 and SSH-2 protocols now
each have their own source file to live in, and a lot of the
supporting functions have moved into the appropriate one of those too.
The new abstraction is a vtable called 'PacketProtocolLayer', which
has an input and output packet queue. Each layer's main coroutine is
invoked from the method ssh_ppl_process_queue(), which is usually
(though not exclusively) triggered automatically when things are
pushed on the input queue. In SSH-2, the base layer is the transport
protocol, and it contains a pair of subsidiary queues by which it
passes some of its packets to the higher SSH-2 layers - first userauth
and then connection, which are peers at the same level, with the
former abdicating in favour of the latter at the appropriate moment.
SSH-1 is simpler: the whole login phase of the protocol (crypto setup
and authentication) is all in one module, and since SSH-1 has no
repeat key exchange, that setup layer abdicates in favour of the
connection phase when it's done.
ssh.c itself is now about a tenth of its old size (which all by itself
is cause for celebration!). Its main job is to set up all the layers,
hook them up to each other and to the BPP, and to funnel data back and
forth between that collection of modules and external things such as
the network and the terminal. Once it's set up a collection of packet
protocol layers, it communicates with them partly by calling methods
of the base layer (and if that's ssh2transport then it will delegate
some functionality to the corresponding methods of its higher layer),
and partly by talking directly to the connection layer no matter where
it is in the stack by means of the separate ConnectionLayer vtable
which I introduced in commit 8001dd4cb, and to which I've now added
quite a few extra methods replacing services that used to be internal
function calls within ssh.c.
(One effect of this is that the SSH-1 and SSH-2 channel storage is now
no longer shared - there are distinct struct types ssh1_channel and
ssh2_channel. That means a bit more code duplication, but on the plus
side, a lot fewer confusing conditionals in the middle of half-shared
functions, and less risk of a piece of SSH-1 escaping into SSH-2 or
vice versa, which I remember has happened at least once in the past.)
The bulk of this commit introduces the five new source files, their
common header sshppl.h and some shared supporting routines in
sshcommon.c, and rewrites nearly all of ssh.c itself. But it also
includes a couple of other changes that I couldn't separate easily
enough:
Firstly, there's a new handling for socket EOF, in which ssh.c sets an
'input_eof' flag in the BPP, and that responds by checking a flag that
tells it whether to report the EOF as an error or not. (This is the
main reason for those new BPP_READ / BPP_WAITFOR macros - they can
check the EOF flag every time the coroutine is resumed.)
Secondly, the error reporting itself is changed around again. I'd
expected to put some data fields in the public PacketProtocolLayer
structure that it could set to report errors in the same way as the
BPPs have been doing, but in the end, I decided propagating all those
data fields around was a pain and that even the BPPs shouldn't have
been doing it that way. So I've reverted to a system where everything
calls back to functions in ssh.c itself to report any connection-
ending condition. But there's a new family of those functions,
categorising the possible such conditions by semantics, and each one
has a different set of detailed effects (e.g. how rudely to close the
network connection, what exit status should be passed back to the
whole application, whether to send a disconnect message and/or display
a GUI error box).
I don't expect this to be immediately perfect: of course, the code has
been through a big upheaval, new bugs are expected, and I haven't been
able to do a full job of testing (e.g. I haven't tested every auth or
kex method). But I've checked that it _basically_ works - both SSH
protocols, all the different kinds of forwarding channel, more than
one auth method, Windows and Linux, connection sharing - and I think
it's now at the point where the easiest way to find further bugs is to
let it out into the wild and see what users can spot.
2018-09-24 17:28:16 +00:00
|
|
|
|
|
|
|
|
/* Once we exit the above loop, we really are rekeying. */
|
|
|
|
|
goto begin_key_exchange;
|
|
|
|
|
|
|
|
|
|
crFinishV;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static void ssh2_transport_higher_layer_packet_callback(void *context)
|
|
|
|
|
{
|
|
|
|
|
PacketProtocolLayer *ppl = (PacketProtocolLayer *)context;
|
|
|
|
|
ssh_ppl_process_queue(ppl);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static void ssh2_transport_timer(void *ctx, unsigned long now)
|
|
|
|
|
{
|
|
|
|
|
struct ssh2_transport_state *s = (struct ssh2_transport_state *)ctx;
|
|
|
|
|
unsigned long mins;
|
|
|
|
|
unsigned long ticks;
|
|
|
|
|
|
|
|
|
|
if (s->kex_in_progress || now != s->next_rekey)
|
|
|
|
|
return;
|
|
|
|
|
|
|
|
|
|
mins = sanitise_rekey_time(conf_get_int(s->conf, CONF_ssh_rekey_time), 60);
|
|
|
|
|
if (mins == 0)
|
|
|
|
|
return;
|
|
|
|
|
|
|
|
|
|
/* Rekey if enough time has elapsed */
|
|
|
|
|
ticks = mins * 60 * TICKSPERSEC;
|
|
|
|
|
if (now - s->last_rekey > ticks - 30*TICKSPERSEC) {
|
|
|
|
|
s->rekey_reason = "timeout";
|
|
|
|
|
s->rekey_class = RK_NORMAL;
|
|
|
|
|
queue_idempotent_callback(&s->ppl.ic_process_queue);
|
|
|
|
|
return;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
#ifndef NO_GSSAPI
|
|
|
|
|
/*
|
|
|
|
|
* Rekey now if we have a new cred or context expires this cycle,
|
|
|
|
|
* but not if this is unsafe.
|
|
|
|
|
*/
|
|
|
|
|
if (conf_get_int(s->conf, CONF_gssapirekey)) {
|
|
|
|
|
ssh2_transport_gss_update(s, FALSE);
|
|
|
|
|
if ((s->gss_status & GSS_KEX_CAPABLE) != 0 &&
|
|
|
|
|
(s->gss_status & GSS_CTXT_MAYFAIL) == 0 &&
|
|
|
|
|
(s->gss_status & (GSS_CRED_UPDATED|GSS_CTXT_EXPIRES)) != 0) {
|
|
|
|
|
s->rekey_reason = "GSS credentials updated";
|
|
|
|
|
s->rekey_class = RK_GSS_UPDATE;
|
|
|
|
|
queue_idempotent_callback(&s->ppl.ic_process_queue);
|
|
|
|
|
return;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
#endif
|
|
|
|
|
|
|
|
|
|
/* Try again later. */
|
|
|
|
|
(void) ssh2_transport_timer_update(s, 0);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* The rekey_time is zero except when re-configuring.
|
|
|
|
|
*
|
|
|
|
|
* We either schedule the next timer and return 0, or return 1 to run the
|
|
|
|
|
* callback now, which will call us again to re-schedule on completion.
|
|
|
|
|
*/
|
|
|
|
|
static int ssh2_transport_timer_update(struct ssh2_transport_state *s,
|
|
|
|
|
unsigned long rekey_time)
|
|
|
|
|
{
|
|
|
|
|
unsigned long mins;
|
|
|
|
|
unsigned long ticks;
|
|
|
|
|
|
|
|
|
|
mins = sanitise_rekey_time(conf_get_int(s->conf, CONF_ssh_rekey_time), 60);
|
|
|
|
|
ticks = mins * 60 * TICKSPERSEC;
|
|
|
|
|
|
|
|
|
|
/* Handle change from previous setting */
|
|
|
|
|
if (rekey_time != 0 && rekey_time != mins) {
|
|
|
|
|
unsigned long next;
|
|
|
|
|
unsigned long now = GETTICKCOUNT();
|
|
|
|
|
|
|
|
|
|
mins = rekey_time;
|
|
|
|
|
ticks = mins * 60 * TICKSPERSEC;
|
|
|
|
|
next = s->last_rekey + ticks;
|
|
|
|
|
|
|
|
|
|
/* If overdue, caller will rekey synchronously now */
|
|
|
|
|
if (now - s->last_rekey > ticks)
|
|
|
|
|
return 1;
|
|
|
|
|
ticks = next - now;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
#ifndef NO_GSSAPI
|
|
|
|
|
if (s->gss_kex_used) {
|
|
|
|
|
/*
|
|
|
|
|
* If we've used GSSAPI key exchange, then we should
|
|
|
|
|
* periodically check whether we need to do another one to
|
|
|
|
|
* pass new credentials to the server.
|
|
|
|
|
*/
|
|
|
|
|
unsigned long gssmins;
|
|
|
|
|
|
|
|
|
|
/* Check cascade conditions more frequently if configured */
|
|
|
|
|
gssmins = sanitise_rekey_time(
|
|
|
|
|
conf_get_int(s->conf, CONF_gssapirekey), GSS_DEF_REKEY_MINS);
|
|
|
|
|
if (gssmins > 0) {
|
|
|
|
|
if (gssmins < mins)
|
|
|
|
|
ticks = (mins = gssmins) * 60 * TICKSPERSEC;
|
|
|
|
|
|
|
|
|
|
if ((s->gss_status & GSS_KEX_CAPABLE) != 0) {
|
|
|
|
|
/*
|
|
|
|
|
* Run next timer even sooner if it would otherwise be
|
|
|
|
|
* too close to the context expiration time
|
|
|
|
|
*/
|
|
|
|
|
if ((s->gss_status & GSS_CTXT_EXPIRES) == 0 &&
|
|
|
|
|
s->gss_ctxt_lifetime - mins * 60 < 2 * MIN_CTXT_LIFETIME)
|
|
|
|
|
ticks -= 2 * MIN_CTXT_LIFETIME * TICKSPERSEC;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
#endif
|
|
|
|
|
|
|
|
|
|
/* Schedule the next timer */
|
|
|
|
|
s->next_rekey = schedule_timer(ticks, ssh2_transport_timer, s);
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static void ssh2_transport_dialog_callback(void *loginv, int ret)
|
|
|
|
|
{
|
|
|
|
|
struct ssh2_transport_state *s = (struct ssh2_transport_state *)loginv;
|
|
|
|
|
s->dlgret = ret;
|
|
|
|
|
ssh_ppl_process_queue(&s->ppl);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
#ifndef NO_GSSAPI
|
|
|
|
|
/*
|
|
|
|
|
* This is called at the beginning of each SSH rekey to determine
|
|
|
|
|
* whether we are GSS capable, and if we did GSS key exchange, and are
|
|
|
|
|
* delegating credentials, it is also called periodically to determine
|
|
|
|
|
* whether we should rekey in order to delegate (more) fresh
|
|
|
|
|
* credentials. This is called "credential cascading".
|
|
|
|
|
*
|
|
|
|
|
* On Windows, with SSPI, we may not get the credential expiration, as
|
|
|
|
|
* Windows automatically renews from cached passwords, so the
|
|
|
|
|
* credential effectively never expires. Since we still want to
|
|
|
|
|
* cascade when the local TGT is updated, we use the expiration of a
|
|
|
|
|
* newly obtained context as a proxy for the expiration of the TGT.
|
|
|
|
|
*/
|
|
|
|
|
static void ssh2_transport_gss_update(struct ssh2_transport_state *s,
|
|
|
|
|
int definitely_rekeying)
|
|
|
|
|
{
|
|
|
|
|
PacketProtocolLayer *ppl = &s->ppl; /* for ppl_logevent */
|
|
|
|
|
int gss_stat;
|
|
|
|
|
time_t gss_cred_expiry;
|
|
|
|
|
unsigned long mins;
|
|
|
|
|
Ssh_gss_buf gss_sndtok;
|
|
|
|
|
Ssh_gss_buf gss_rcvtok;
|
|
|
|
|
Ssh_gss_ctx gss_ctx;
|
|
|
|
|
|
|
|
|
|
s->gss_status = 0;
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Nothing to do if no GSSAPI libraries are configured or GSSAPI
|
|
|
|
|
* auth is not enabled.
|
|
|
|
|
*/
|
|
|
|
|
if (s->shgss->libs->nlibraries == 0)
|
|
|
|
|
return;
|
|
|
|
|
if (!conf_get_int(s->conf, CONF_try_gssapi_auth) &&
|
|
|
|
|
!conf_get_int(s->conf, CONF_try_gssapi_kex))
|
|
|
|
|
return;
|
|
|
|
|
|
|
|
|
|
/* Import server name and cache it */
|
|
|
|
|
if (s->shgss->srv_name == GSS_C_NO_NAME) {
|
|
|
|
|
gss_stat = s->shgss->lib->import_name(
|
|
|
|
|
s->shgss->lib, s->fullhostname, &s->shgss->srv_name);
|
|
|
|
|
if (gss_stat != SSH_GSS_OK) {
|
|
|
|
|
if (gss_stat == SSH_GSS_BAD_HOST_NAME)
|
|
|
|
|
ppl_logevent(("GSSAPI import name failed - Bad service name;"
|
|
|
|
|
" won't use GSS key exchange"));
|
|
|
|
|
else
|
|
|
|
|
ppl_logevent(("GSSAPI import name failed;"
|
|
|
|
|
" won't use GSS key exchange"));
|
|
|
|
|
return;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Do we (still) have credentials? Capture the credential
|
|
|
|
|
* expiration when available
|
|
|
|
|
*/
|
|
|
|
|
gss_stat = s->shgss->lib->acquire_cred(
|
|
|
|
|
s->shgss->lib, &gss_ctx, &gss_cred_expiry);
|
|
|
|
|
if (gss_stat != SSH_GSS_OK)
|
|
|
|
|
return;
|
|
|
|
|
|
|
|
|
|
SSH_GSS_CLEAR_BUF(&gss_sndtok);
|
|
|
|
|
SSH_GSS_CLEAR_BUF(&gss_rcvtok);
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* When acquire_cred yields no useful expiration, get a proxy for
|
|
|
|
|
* the cred expiration from the context expiration.
|
|
|
|
|
*/
|
|
|
|
|
gss_stat = s->shgss->lib->init_sec_context(
|
|
|
|
|
s->shgss->lib, &gss_ctx, s->shgss->srv_name,
|
|
|
|
|
0 /* don't delegate */, &gss_rcvtok, &gss_sndtok,
|
|
|
|
|
(gss_cred_expiry == GSS_NO_EXPIRATION ? &gss_cred_expiry : NULL),
|
|
|
|
|
&s->gss_ctxt_lifetime);
|
|
|
|
|
|
|
|
|
|
/* This context was for testing only. */
|
|
|
|
|
if (gss_ctx)
|
|
|
|
|
s->shgss->lib->release_cred(s->shgss->lib, &gss_ctx);
|
|
|
|
|
|
|
|
|
|
if (gss_stat != SSH_GSS_OK &&
|
|
|
|
|
gss_stat != SSH_GSS_S_CONTINUE_NEEDED) {
|
|
|
|
|
/*
|
|
|
|
|
* No point in verbosely interrupting the user to tell them we
|
|
|
|
|
* couldn't get GSS credentials, if this was only a check
|
|
|
|
|
* between key exchanges to see if fresh ones were available.
|
|
|
|
|
* When we do do a rekey, this message (if displayed) will
|
|
|
|
|
* appear among the standard rekey blurb, but when we're not,
|
|
|
|
|
* it shouldn't pop up all the time regardless.
|
|
|
|
|
*/
|
|
|
|
|
if (definitely_rekeying)
|
|
|
|
|
ppl_logevent(("No GSSAPI security context available"));
|
|
|
|
|
|
|
|
|
|
return;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (gss_sndtok.length)
|
|
|
|
|
s->shgss->lib->free_tok(s->shgss->lib, &gss_sndtok);
|
|
|
|
|
|
|
|
|
|
s->gss_status |= GSS_KEX_CAPABLE;
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* When rekeying to cascade, avoding doing this too close to the
|
|
|
|
|
* context expiration time, since the key exchange might fail.
|
|
|
|
|
*/
|
|
|
|
|
if (s->gss_ctxt_lifetime < MIN_CTXT_LIFETIME)
|
|
|
|
|
s->gss_status |= GSS_CTXT_MAYFAIL;
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* If we're not delegating credentials, rekeying is not used to
|
|
|
|
|
* refresh them. We must avoid setting GSS_CRED_UPDATED or
|
|
|
|
|
* GSS_CTXT_EXPIRES when credential delegation is disabled.
|
|
|
|
|
*/
|
|
|
|
|
if (conf_get_int(s->conf, CONF_gssapifwd) == 0)
|
|
|
|
|
return;
|
|
|
|
|
|
|
|
|
|
if (s->gss_cred_expiry != GSS_NO_EXPIRATION &&
|
|
|
|
|
difftime(gss_cred_expiry, s->gss_cred_expiry) > 0)
|
|
|
|
|
s->gss_status |= GSS_CRED_UPDATED;
|
|
|
|
|
|
|
|
|
|
mins = sanitise_rekey_time(
|
|
|
|
|
conf_get_int(s->conf, CONF_gssapirekey), GSS_DEF_REKEY_MINS);
|
|
|
|
|
if (mins > 0 && s->gss_ctxt_lifetime <= mins * 60)
|
|
|
|
|
s->gss_status |= GSS_CTXT_EXPIRES;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Data structure managing host keys in sessions based on GSSAPI KEX.
|
|
|
|
|
*
|
|
|
|
|
* In a session we started with a GSSAPI key exchange, the concept of
|
|
|
|
|
* 'host key' has completely different lifetime and security semantics
|
|
|
|
|
* from the usual ones. Per RFC 4462 section 2.1, we assume that any
|
|
|
|
|
* host key delivered to us in the course of a GSSAPI key exchange is
|
|
|
|
|
* _solely_ there to use as a transient fallback within the same
|
|
|
|
|
* session, if at the time of a subsequent rekey the GSS credentials
|
|
|
|
|
* are temporarily invalid and so a non-GSS KEX method has to be used.
|
|
|
|
|
*
|
|
|
|
|
* In particular, in a GSS-based SSH deployment, host keys may not
|
|
|
|
|
* even _be_ persistent identities for the server; it would be
|
|
|
|
|
* legitimate for a server to generate a fresh one routinely if it
|
|
|
|
|
* wanted to, like SSH-1 server keys.
|
|
|
|
|
*
|
|
|
|
|
* So, in this mode, we never touch the persistent host key cache at
|
|
|
|
|
* all, either to check keys against it _or_ to store keys in it.
|
|
|
|
|
* Instead, we maintain an in-memory cache of host keys that have been
|
|
|
|
|
* mentioned in GSS key exchanges within this particular session, and
|
|
|
|
|
* we permit precisely those host keys in non-GSS rekeys.
|
|
|
|
|
*/
|
|
|
|
|
struct ssh_transient_hostkey_cache_entry {
|
|
|
|
|
const ssh_keyalg *alg;
|
|
|
|
|
strbuf *pub_blob;
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
static int ssh_transient_hostkey_cache_cmp(void *av, void *bv)
|
|
|
|
|
{
|
|
|
|
|
const struct ssh_transient_hostkey_cache_entry
|
|
|
|
|
*a = (const struct ssh_transient_hostkey_cache_entry *)av,
|
|
|
|
|
*b = (const struct ssh_transient_hostkey_cache_entry *)bv;
|
|
|
|
|
return strcmp(a->alg->ssh_id, b->alg->ssh_id);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static int ssh_transient_hostkey_cache_find(void *av, void *bv)
|
|
|
|
|
{
|
|
|
|
|
const ssh_keyalg *aalg = (const ssh_keyalg *)av;
|
|
|
|
|
const struct ssh_transient_hostkey_cache_entry
|
|
|
|
|
*b = (const struct ssh_transient_hostkey_cache_entry *)bv;
|
|
|
|
|
return strcmp(aalg->ssh_id, b->alg->ssh_id);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static void ssh_init_transient_hostkey_store(
|
|
|
|
|
struct ssh2_transport_state *s)
|
|
|
|
|
{
|
|
|
|
|
s->transient_hostkey_cache =
|
|
|
|
|
newtree234(ssh_transient_hostkey_cache_cmp);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static void ssh_cleanup_transient_hostkey_store(
|
|
|
|
|
struct ssh2_transport_state *s)
|
|
|
|
|
{
|
|
|
|
|
struct ssh_transient_hostkey_cache_entry *ent;
|
|
|
|
|
while ((ent = delpos234(s->transient_hostkey_cache, 0)) != NULL) {
|
|
|
|
|
strbuf_free(ent->pub_blob);
|
|
|
|
|
sfree(ent);
|
|
|
|
|
}
|
|
|
|
|
freetree234(s->transient_hostkey_cache);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static void ssh_store_transient_hostkey(
|
|
|
|
|
struct ssh2_transport_state *s, ssh_key *key)
|
|
|
|
|
{
|
|
|
|
|
struct ssh_transient_hostkey_cache_entry *ent, *retd;
|
|
|
|
|
|
|
|
|
|
if ((ent = find234(s->transient_hostkey_cache, (void *)ssh_key_alg(key),
|
|
|
|
|
ssh_transient_hostkey_cache_find)) != NULL) {
|
|
|
|
|
strbuf_free(ent->pub_blob);
|
|
|
|
|
sfree(ent);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
ent = snew(struct ssh_transient_hostkey_cache_entry);
|
|
|
|
|
ent->alg = ssh_key_alg(key);
|
|
|
|
|
ent->pub_blob = strbuf_new();
|
|
|
|
|
ssh_key_public_blob(key, BinarySink_UPCAST(ent->pub_blob));
|
|
|
|
|
retd = add234(s->transient_hostkey_cache, ent);
|
|
|
|
|
assert(retd == ent);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static int ssh_verify_transient_hostkey(
|
|
|
|
|
struct ssh2_transport_state *s, ssh_key *key)
|
|
|
|
|
{
|
|
|
|
|
struct ssh_transient_hostkey_cache_entry *ent;
|
|
|
|
|
int toret = FALSE;
|
|
|
|
|
|
|
|
|
|
if ((ent = find234(s->transient_hostkey_cache, (void *)ssh_key_alg(key),
|
|
|
|
|
ssh_transient_hostkey_cache_find)) != NULL) {
|
|
|
|
|
strbuf *this_blob = strbuf_new();
|
|
|
|
|
ssh_key_public_blob(key, BinarySink_UPCAST(this_blob));
|
|
|
|
|
|
|
|
|
|
if (this_blob->len == ent->pub_blob->len &&
|
|
|
|
|
!memcmp(this_blob->s, ent->pub_blob->s,
|
|
|
|
|
this_blob->len))
|
|
|
|
|
toret = TRUE;
|
|
|
|
|
|
|
|
|
|
strbuf_free(this_blob);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return toret;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static int ssh_have_transient_hostkey(
|
|
|
|
|
struct ssh2_transport_state *s, const ssh_keyalg *alg)
|
|
|
|
|
{
|
|
|
|
|
struct ssh_transient_hostkey_cache_entry *ent =
|
|
|
|
|
find234(s->transient_hostkey_cache, (void *)alg,
|
|
|
|
|
ssh_transient_hostkey_cache_find);
|
|
|
|
|
return ent != NULL;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static int ssh_have_any_transient_hostkey(
|
|
|
|
|
struct ssh2_transport_state *s)
|
|
|
|
|
{
|
|
|
|
|
return count234(s->transient_hostkey_cache) > 0;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
ptrlen ssh2_transport_get_session_id(PacketProtocolLayer *ppl)
|
|
|
|
|
{
|
|
|
|
|
struct ssh2_transport_state *s;
|
|
|
|
|
|
|
|
|
|
assert(ppl->vt == &ssh2_transport_vtable);
|
2018-10-05 22:49:08 +00:00
|
|
|
s = container_of(ppl, struct ssh2_transport_state, ppl);
|
Move most of ssh.c out into separate source files.
I've tried to separate out as many individually coherent changes from
this work as I could into their own commits, but here's where I run
out and have to commit the rest of this major refactoring as a
big-bang change.
Most of ssh.c is now no longer in ssh.c: all five of the main
coroutines that handle layers of the SSH-1 and SSH-2 protocols now
each have their own source file to live in, and a lot of the
supporting functions have moved into the appropriate one of those too.
The new abstraction is a vtable called 'PacketProtocolLayer', which
has an input and output packet queue. Each layer's main coroutine is
invoked from the method ssh_ppl_process_queue(), which is usually
(though not exclusively) triggered automatically when things are
pushed on the input queue. In SSH-2, the base layer is the transport
protocol, and it contains a pair of subsidiary queues by which it
passes some of its packets to the higher SSH-2 layers - first userauth
and then connection, which are peers at the same level, with the
former abdicating in favour of the latter at the appropriate moment.
SSH-1 is simpler: the whole login phase of the protocol (crypto setup
and authentication) is all in one module, and since SSH-1 has no
repeat key exchange, that setup layer abdicates in favour of the
connection phase when it's done.
ssh.c itself is now about a tenth of its old size (which all by itself
is cause for celebration!). Its main job is to set up all the layers,
hook them up to each other and to the BPP, and to funnel data back and
forth between that collection of modules and external things such as
the network and the terminal. Once it's set up a collection of packet
protocol layers, it communicates with them partly by calling methods
of the base layer (and if that's ssh2transport then it will delegate
some functionality to the corresponding methods of its higher layer),
and partly by talking directly to the connection layer no matter where
it is in the stack by means of the separate ConnectionLayer vtable
which I introduced in commit 8001dd4cb, and to which I've now added
quite a few extra methods replacing services that used to be internal
function calls within ssh.c.
(One effect of this is that the SSH-1 and SSH-2 channel storage is now
no longer shared - there are distinct struct types ssh1_channel and
ssh2_channel. That means a bit more code duplication, but on the plus
side, a lot fewer confusing conditionals in the middle of half-shared
functions, and less risk of a piece of SSH-1 escaping into SSH-2 or
vice versa, which I remember has happened at least once in the past.)
The bulk of this commit introduces the five new source files, their
common header sshppl.h and some shared supporting routines in
sshcommon.c, and rewrites nearly all of ssh.c itself. But it also
includes a couple of other changes that I couldn't separate easily
enough:
Firstly, there's a new handling for socket EOF, in which ssh.c sets an
'input_eof' flag in the BPP, and that responds by checking a flag that
tells it whether to report the EOF as an error or not. (This is the
main reason for those new BPP_READ / BPP_WAITFOR macros - they can
check the EOF flag every time the coroutine is resumed.)
Secondly, the error reporting itself is changed around again. I'd
expected to put some data fields in the public PacketProtocolLayer
structure that it could set to report errors in the same way as the
BPPs have been doing, but in the end, I decided propagating all those
data fields around was a pain and that even the BPPs shouldn't have
been doing it that way. So I've reverted to a system where everything
calls back to functions in ssh.c itself to report any connection-
ending condition. But there's a new family of those functions,
categorising the possible such conditions by semantics, and each one
has a different set of detailed effects (e.g. how rudely to close the
network connection, what exit status should be passed back to the
whole application, whether to send a disconnect message and/or display
a GUI error box).
I don't expect this to be immediately perfect: of course, the code has
been through a big upheaval, new bugs are expected, and I haven't been
able to do a full job of testing (e.g. I haven't tested every auth or
kex method). But I've checked that it _basically_ works - both SSH
protocols, all the different kinds of forwarding channel, more than
one auth method, Windows and Linux, connection sharing - and I think
it's now at the point where the easiest way to find further bugs is to
let it out into the wild and see what users can spot.
2018-09-24 17:28:16 +00:00
|
|
|
|
|
|
|
|
assert(s->got_session_id);
|
|
|
|
|
return make_ptrlen(s->session_id, s->session_id_len);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
void ssh2_transport_notify_auth_done(PacketProtocolLayer *ppl)
|
|
|
|
|
{
|
|
|
|
|
struct ssh2_transport_state *s;
|
|
|
|
|
|
|
|
|
|
assert(ppl->vt == &ssh2_transport_vtable);
|
2018-10-05 22:49:08 +00:00
|
|
|
s = container_of(ppl, struct ssh2_transport_state, ppl);
|
Move most of ssh.c out into separate source files.
I've tried to separate out as many individually coherent changes from
this work as I could into their own commits, but here's where I run
out and have to commit the rest of this major refactoring as a
big-bang change.
Most of ssh.c is now no longer in ssh.c: all five of the main
coroutines that handle layers of the SSH-1 and SSH-2 protocols now
each have their own source file to live in, and a lot of the
supporting functions have moved into the appropriate one of those too.
The new abstraction is a vtable called 'PacketProtocolLayer', which
has an input and output packet queue. Each layer's main coroutine is
invoked from the method ssh_ppl_process_queue(), which is usually
(though not exclusively) triggered automatically when things are
pushed on the input queue. In SSH-2, the base layer is the transport
protocol, and it contains a pair of subsidiary queues by which it
passes some of its packets to the higher SSH-2 layers - first userauth
and then connection, which are peers at the same level, with the
former abdicating in favour of the latter at the appropriate moment.
SSH-1 is simpler: the whole login phase of the protocol (crypto setup
and authentication) is all in one module, and since SSH-1 has no
repeat key exchange, that setup layer abdicates in favour of the
connection phase when it's done.
ssh.c itself is now about a tenth of its old size (which all by itself
is cause for celebration!). Its main job is to set up all the layers,
hook them up to each other and to the BPP, and to funnel data back and
forth between that collection of modules and external things such as
the network and the terminal. Once it's set up a collection of packet
protocol layers, it communicates with them partly by calling methods
of the base layer (and if that's ssh2transport then it will delegate
some functionality to the corresponding methods of its higher layer),
and partly by talking directly to the connection layer no matter where
it is in the stack by means of the separate ConnectionLayer vtable
which I introduced in commit 8001dd4cb, and to which I've now added
quite a few extra methods replacing services that used to be internal
function calls within ssh.c.
(One effect of this is that the SSH-1 and SSH-2 channel storage is now
no longer shared - there are distinct struct types ssh1_channel and
ssh2_channel. That means a bit more code duplication, but on the plus
side, a lot fewer confusing conditionals in the middle of half-shared
functions, and less risk of a piece of SSH-1 escaping into SSH-2 or
vice versa, which I remember has happened at least once in the past.)
The bulk of this commit introduces the five new source files, their
common header sshppl.h and some shared supporting routines in
sshcommon.c, and rewrites nearly all of ssh.c itself. But it also
includes a couple of other changes that I couldn't separate easily
enough:
Firstly, there's a new handling for socket EOF, in which ssh.c sets an
'input_eof' flag in the BPP, and that responds by checking a flag that
tells it whether to report the EOF as an error or not. (This is the
main reason for those new BPP_READ / BPP_WAITFOR macros - they can
check the EOF flag every time the coroutine is resumed.)
Secondly, the error reporting itself is changed around again. I'd
expected to put some data fields in the public PacketProtocolLayer
structure that it could set to report errors in the same way as the
BPPs have been doing, but in the end, I decided propagating all those
data fields around was a pain and that even the BPPs shouldn't have
been doing it that way. So I've reverted to a system where everything
calls back to functions in ssh.c itself to report any connection-
ending condition. But there's a new family of those functions,
categorising the possible such conditions by semantics, and each one
has a different set of detailed effects (e.g. how rudely to close the
network connection, what exit status should be passed back to the
whole application, whether to send a disconnect message and/or display
a GUI error box).
I don't expect this to be immediately perfect: of course, the code has
been through a big upheaval, new bugs are expected, and I haven't been
able to do a full job of testing (e.g. I haven't tested every auth or
kex method). But I've checked that it _basically_ works - both SSH
protocols, all the different kinds of forwarding channel, more than
one auth method, Windows and Linux, connection sharing - and I think
it's now at the point where the easiest way to find further bugs is to
let it out into the wild and see what users can spot.
2018-09-24 17:28:16 +00:00
|
|
|
|
|
|
|
|
s->rekey_reason = NULL; /* will be filled in later */
|
|
|
|
|
s->rekey_class = RK_POST_USERAUTH;
|
|
|
|
|
queue_idempotent_callback(&s->ppl.ic_process_queue);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
#endif /* NO_GSSAPI */
|
|
|
|
|
|
|
|
|
|
static int ssh2_transport_get_specials(
|
|
|
|
|
PacketProtocolLayer *ppl, add_special_fn_t add_special, void *ctx)
|
|
|
|
|
{
|
|
|
|
|
struct ssh2_transport_state *s =
|
2018-10-05 22:49:08 +00:00
|
|
|
container_of(ppl, struct ssh2_transport_state, ppl);
|
Move most of ssh.c out into separate source files.
I've tried to separate out as many individually coherent changes from
this work as I could into their own commits, but here's where I run
out and have to commit the rest of this major refactoring as a
big-bang change.
Most of ssh.c is now no longer in ssh.c: all five of the main
coroutines that handle layers of the SSH-1 and SSH-2 protocols now
each have their own source file to live in, and a lot of the
supporting functions have moved into the appropriate one of those too.
The new abstraction is a vtable called 'PacketProtocolLayer', which
has an input and output packet queue. Each layer's main coroutine is
invoked from the method ssh_ppl_process_queue(), which is usually
(though not exclusively) triggered automatically when things are
pushed on the input queue. In SSH-2, the base layer is the transport
protocol, and it contains a pair of subsidiary queues by which it
passes some of its packets to the higher SSH-2 layers - first userauth
and then connection, which are peers at the same level, with the
former abdicating in favour of the latter at the appropriate moment.
SSH-1 is simpler: the whole login phase of the protocol (crypto setup
and authentication) is all in one module, and since SSH-1 has no
repeat key exchange, that setup layer abdicates in favour of the
connection phase when it's done.
ssh.c itself is now about a tenth of its old size (which all by itself
is cause for celebration!). Its main job is to set up all the layers,
hook them up to each other and to the BPP, and to funnel data back and
forth between that collection of modules and external things such as
the network and the terminal. Once it's set up a collection of packet
protocol layers, it communicates with them partly by calling methods
of the base layer (and if that's ssh2transport then it will delegate
some functionality to the corresponding methods of its higher layer),
and partly by talking directly to the connection layer no matter where
it is in the stack by means of the separate ConnectionLayer vtable
which I introduced in commit 8001dd4cb, and to which I've now added
quite a few extra methods replacing services that used to be internal
function calls within ssh.c.
(One effect of this is that the SSH-1 and SSH-2 channel storage is now
no longer shared - there are distinct struct types ssh1_channel and
ssh2_channel. That means a bit more code duplication, but on the plus
side, a lot fewer confusing conditionals in the middle of half-shared
functions, and less risk of a piece of SSH-1 escaping into SSH-2 or
vice versa, which I remember has happened at least once in the past.)
The bulk of this commit introduces the five new source files, their
common header sshppl.h and some shared supporting routines in
sshcommon.c, and rewrites nearly all of ssh.c itself. But it also
includes a couple of other changes that I couldn't separate easily
enough:
Firstly, there's a new handling for socket EOF, in which ssh.c sets an
'input_eof' flag in the BPP, and that responds by checking a flag that
tells it whether to report the EOF as an error or not. (This is the
main reason for those new BPP_READ / BPP_WAITFOR macros - they can
check the EOF flag every time the coroutine is resumed.)
Secondly, the error reporting itself is changed around again. I'd
expected to put some data fields in the public PacketProtocolLayer
structure that it could set to report errors in the same way as the
BPPs have been doing, but in the end, I decided propagating all those
data fields around was a pain and that even the BPPs shouldn't have
been doing it that way. So I've reverted to a system where everything
calls back to functions in ssh.c itself to report any connection-
ending condition. But there's a new family of those functions,
categorising the possible such conditions by semantics, and each one
has a different set of detailed effects (e.g. how rudely to close the
network connection, what exit status should be passed back to the
whole application, whether to send a disconnect message and/or display
a GUI error box).
I don't expect this to be immediately perfect: of course, the code has
been through a big upheaval, new bugs are expected, and I haven't been
able to do a full job of testing (e.g. I haven't tested every auth or
kex method). But I've checked that it _basically_ works - both SSH
protocols, all the different kinds of forwarding channel, more than
one auth method, Windows and Linux, connection sharing - and I think
it's now at the point where the easiest way to find further bugs is to
let it out into the wild and see what users can spot.
2018-09-24 17:28:16 +00:00
|
|
|
int need_separator = FALSE;
|
|
|
|
|
int toret;
|
|
|
|
|
|
|
|
|
|
if (ssh_ppl_get_specials(s->higher_layer, add_special, ctx)) {
|
|
|
|
|
need_separator = TRUE;
|
|
|
|
|
toret = TRUE;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Don't bother offering rekey-based specials if we've decided the
|
|
|
|
|
* remote won't cope with it, since we wouldn't bother sending it
|
|
|
|
|
* if asked anyway.
|
|
|
|
|
*/
|
|
|
|
|
if (!(s->ppl.remote_bugs & BUG_SSH2_REKEY)) {
|
|
|
|
|
if (need_separator) {
|
|
|
|
|
add_special(ctx, NULL, SS_SEP, 0);
|
|
|
|
|
need_separator = FALSE;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
add_special(ctx, "Repeat key exchange", SS_REKEY, 0);
|
|
|
|
|
toret = TRUE;
|
|
|
|
|
|
|
|
|
|
if (s->n_uncert_hostkeys) {
|
|
|
|
|
int i;
|
|
|
|
|
|
|
|
|
|
add_special(ctx, NULL, SS_SEP, 0);
|
|
|
|
|
add_special(ctx, "Cache new host key type", SS_SUBMENU, 0);
|
|
|
|
|
for (i = 0; i < s->n_uncert_hostkeys; i++) {
|
|
|
|
|
const ssh_keyalg *alg =
|
|
|
|
|
hostkey_algs[s->uncert_hostkeys[i]].alg;
|
|
|
|
|
|
|
|
|
|
add_special(ctx, alg->ssh_id, SS_XCERT, s->uncert_hostkeys[i]);
|
|
|
|
|
}
|
|
|
|
|
add_special(ctx, NULL, SS_EXITMENU, 0);
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return toret;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static void ssh2_transport_special_cmd(PacketProtocolLayer *ppl,
|
|
|
|
|
SessionSpecialCode code, int arg)
|
|
|
|
|
{
|
|
|
|
|
struct ssh2_transport_state *s =
|
2018-10-05 22:49:08 +00:00
|
|
|
container_of(ppl, struct ssh2_transport_state, ppl);
|
Move most of ssh.c out into separate source files.
I've tried to separate out as many individually coherent changes from
this work as I could into their own commits, but here's where I run
out and have to commit the rest of this major refactoring as a
big-bang change.
Most of ssh.c is now no longer in ssh.c: all five of the main
coroutines that handle layers of the SSH-1 and SSH-2 protocols now
each have their own source file to live in, and a lot of the
supporting functions have moved into the appropriate one of those too.
The new abstraction is a vtable called 'PacketProtocolLayer', which
has an input and output packet queue. Each layer's main coroutine is
invoked from the method ssh_ppl_process_queue(), which is usually
(though not exclusively) triggered automatically when things are
pushed on the input queue. In SSH-2, the base layer is the transport
protocol, and it contains a pair of subsidiary queues by which it
passes some of its packets to the higher SSH-2 layers - first userauth
and then connection, which are peers at the same level, with the
former abdicating in favour of the latter at the appropriate moment.
SSH-1 is simpler: the whole login phase of the protocol (crypto setup
and authentication) is all in one module, and since SSH-1 has no
repeat key exchange, that setup layer abdicates in favour of the
connection phase when it's done.
ssh.c itself is now about a tenth of its old size (which all by itself
is cause for celebration!). Its main job is to set up all the layers,
hook them up to each other and to the BPP, and to funnel data back and
forth between that collection of modules and external things such as
the network and the terminal. Once it's set up a collection of packet
protocol layers, it communicates with them partly by calling methods
of the base layer (and if that's ssh2transport then it will delegate
some functionality to the corresponding methods of its higher layer),
and partly by talking directly to the connection layer no matter where
it is in the stack by means of the separate ConnectionLayer vtable
which I introduced in commit 8001dd4cb, and to which I've now added
quite a few extra methods replacing services that used to be internal
function calls within ssh.c.
(One effect of this is that the SSH-1 and SSH-2 channel storage is now
no longer shared - there are distinct struct types ssh1_channel and
ssh2_channel. That means a bit more code duplication, but on the plus
side, a lot fewer confusing conditionals in the middle of half-shared
functions, and less risk of a piece of SSH-1 escaping into SSH-2 or
vice versa, which I remember has happened at least once in the past.)
The bulk of this commit introduces the five new source files, their
common header sshppl.h and some shared supporting routines in
sshcommon.c, and rewrites nearly all of ssh.c itself. But it also
includes a couple of other changes that I couldn't separate easily
enough:
Firstly, there's a new handling for socket EOF, in which ssh.c sets an
'input_eof' flag in the BPP, and that responds by checking a flag that
tells it whether to report the EOF as an error or not. (This is the
main reason for those new BPP_READ / BPP_WAITFOR macros - they can
check the EOF flag every time the coroutine is resumed.)
Secondly, the error reporting itself is changed around again. I'd
expected to put some data fields in the public PacketProtocolLayer
structure that it could set to report errors in the same way as the
BPPs have been doing, but in the end, I decided propagating all those
data fields around was a pain and that even the BPPs shouldn't have
been doing it that way. So I've reverted to a system where everything
calls back to functions in ssh.c itself to report any connection-
ending condition. But there's a new family of those functions,
categorising the possible such conditions by semantics, and each one
has a different set of detailed effects (e.g. how rudely to close the
network connection, what exit status should be passed back to the
whole application, whether to send a disconnect message and/or display
a GUI error box).
I don't expect this to be immediately perfect: of course, the code has
been through a big upheaval, new bugs are expected, and I haven't been
able to do a full job of testing (e.g. I haven't tested every auth or
kex method). But I've checked that it _basically_ works - both SSH
protocols, all the different kinds of forwarding channel, more than
one auth method, Windows and Linux, connection sharing - and I think
it's now at the point where the easiest way to find further bugs is to
let it out into the wild and see what users can spot.
2018-09-24 17:28:16 +00:00
|
|
|
|
|
|
|
|
if (code == SS_REKEY) {
|
|
|
|
|
if (!s->kex_in_progress) {
|
|
|
|
|
s->rekey_reason = "at user request";
|
|
|
|
|
s->rekey_class = RK_NORMAL;
|
|
|
|
|
queue_idempotent_callback(&s->ppl.ic_process_queue);
|
|
|
|
|
}
|
|
|
|
|
} else if (code == SS_XCERT) {
|
|
|
|
|
if (!s->kex_in_progress) {
|
|
|
|
|
s->hostkey_alg = hostkey_algs[arg].alg;
|
|
|
|
|
s->cross_certifying = TRUE;
|
|
|
|
|
s->rekey_reason = "cross-certifying new host key";
|
|
|
|
|
s->rekey_class = RK_NORMAL;
|
|
|
|
|
queue_idempotent_callback(&s->ppl.ic_process_queue);
|
|
|
|
|
}
|
|
|
|
|
} else {
|
|
|
|
|
/* Send everything else to the next layer up. This includes
|
|
|
|
|
* SS_PING/SS_NOP, which we _could_ handle here - but it's
|
|
|
|
|
* better to put them in the connection layer, so they'll
|
|
|
|
|
* still work in bare connection mode. */
|
|
|
|
|
ssh_ppl_special_cmd(s->higher_layer, code, arg);
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* Safely convert rekey_time to unsigned long minutes */
|
|
|
|
|
static unsigned long sanitise_rekey_time(int rekey_time, unsigned long def)
|
|
|
|
|
{
|
|
|
|
|
if (rekey_time < 0 || rekey_time > MAX_TICK_MINS)
|
|
|
|
|
rekey_time = def;
|
|
|
|
|
return (unsigned long)rekey_time;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static void ssh2_transport_set_max_data_size(struct ssh2_transport_state *s)
|
|
|
|
|
{
|
|
|
|
|
s->max_data_size = parse_blocksize(
|
|
|
|
|
conf_get_str(s->conf, CONF_ssh_rekey_data));
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static void ssh2_transport_reconfigure(PacketProtocolLayer *ppl, Conf *conf)
|
|
|
|
|
{
|
|
|
|
|
struct ssh2_transport_state *s;
|
|
|
|
|
const char *rekey_reason = NULL;
|
|
|
|
|
int rekey_mandatory = FALSE;
|
|
|
|
|
unsigned long old_max_data_size, rekey_time;
|
|
|
|
|
int i;
|
|
|
|
|
|
|
|
|
|
assert(ppl->vt == &ssh2_transport_vtable);
|
2018-10-05 22:49:08 +00:00
|
|
|
s = container_of(ppl, struct ssh2_transport_state, ppl);
|
Move most of ssh.c out into separate source files.
I've tried to separate out as many individually coherent changes from
this work as I could into their own commits, but here's where I run
out and have to commit the rest of this major refactoring as a
big-bang change.
Most of ssh.c is now no longer in ssh.c: all five of the main
coroutines that handle layers of the SSH-1 and SSH-2 protocols now
each have their own source file to live in, and a lot of the
supporting functions have moved into the appropriate one of those too.
The new abstraction is a vtable called 'PacketProtocolLayer', which
has an input and output packet queue. Each layer's main coroutine is
invoked from the method ssh_ppl_process_queue(), which is usually
(though not exclusively) triggered automatically when things are
pushed on the input queue. In SSH-2, the base layer is the transport
protocol, and it contains a pair of subsidiary queues by which it
passes some of its packets to the higher SSH-2 layers - first userauth
and then connection, which are peers at the same level, with the
former abdicating in favour of the latter at the appropriate moment.
SSH-1 is simpler: the whole login phase of the protocol (crypto setup
and authentication) is all in one module, and since SSH-1 has no
repeat key exchange, that setup layer abdicates in favour of the
connection phase when it's done.
ssh.c itself is now about a tenth of its old size (which all by itself
is cause for celebration!). Its main job is to set up all the layers,
hook them up to each other and to the BPP, and to funnel data back and
forth between that collection of modules and external things such as
the network and the terminal. Once it's set up a collection of packet
protocol layers, it communicates with them partly by calling methods
of the base layer (and if that's ssh2transport then it will delegate
some functionality to the corresponding methods of its higher layer),
and partly by talking directly to the connection layer no matter where
it is in the stack by means of the separate ConnectionLayer vtable
which I introduced in commit 8001dd4cb, and to which I've now added
quite a few extra methods replacing services that used to be internal
function calls within ssh.c.
(One effect of this is that the SSH-1 and SSH-2 channel storage is now
no longer shared - there are distinct struct types ssh1_channel and
ssh2_channel. That means a bit more code duplication, but on the plus
side, a lot fewer confusing conditionals in the middle of half-shared
functions, and less risk of a piece of SSH-1 escaping into SSH-2 or
vice versa, which I remember has happened at least once in the past.)
The bulk of this commit introduces the five new source files, their
common header sshppl.h and some shared supporting routines in
sshcommon.c, and rewrites nearly all of ssh.c itself. But it also
includes a couple of other changes that I couldn't separate easily
enough:
Firstly, there's a new handling for socket EOF, in which ssh.c sets an
'input_eof' flag in the BPP, and that responds by checking a flag that
tells it whether to report the EOF as an error or not. (This is the
main reason for those new BPP_READ / BPP_WAITFOR macros - they can
check the EOF flag every time the coroutine is resumed.)
Secondly, the error reporting itself is changed around again. I'd
expected to put some data fields in the public PacketProtocolLayer
structure that it could set to report errors in the same way as the
BPPs have been doing, but in the end, I decided propagating all those
data fields around was a pain and that even the BPPs shouldn't have
been doing it that way. So I've reverted to a system where everything
calls back to functions in ssh.c itself to report any connection-
ending condition. But there's a new family of those functions,
categorising the possible such conditions by semantics, and each one
has a different set of detailed effects (e.g. how rudely to close the
network connection, what exit status should be passed back to the
whole application, whether to send a disconnect message and/or display
a GUI error box).
I don't expect this to be immediately perfect: of course, the code has
been through a big upheaval, new bugs are expected, and I haven't been
able to do a full job of testing (e.g. I haven't tested every auth or
kex method). But I've checked that it _basically_ works - both SSH
protocols, all the different kinds of forwarding channel, more than
one auth method, Windows and Linux, connection sharing - and I think
it's now at the point where the easiest way to find further bugs is to
let it out into the wild and see what users can spot.
2018-09-24 17:28:16 +00:00
|
|
|
|
|
|
|
|
rekey_time = sanitise_rekey_time(
|
|
|
|
|
conf_get_int(conf, CONF_ssh_rekey_time), 60);
|
|
|
|
|
if (ssh2_transport_timer_update(s, rekey_time))
|
|
|
|
|
rekey_reason = "timeout shortened";
|
|
|
|
|
|
|
|
|
|
old_max_data_size = s->max_data_size;
|
|
|
|
|
ssh2_transport_set_max_data_size(s);
|
|
|
|
|
if (old_max_data_size != s->max_data_size &&
|
|
|
|
|
s->max_data_size != 0) {
|
|
|
|
|
if (s->max_data_size < old_max_data_size) {
|
|
|
|
|
unsigned long diff = old_max_data_size - s->max_data_size;
|
|
|
|
|
|
|
|
|
|
/* Intentionally use bitwise OR instead of logical, so
|
|
|
|
|
* that we decrement both counters even if the first one
|
|
|
|
|
* runs out */
|
|
|
|
|
if ((DTS_CONSUME(s->stats, out, diff) != 0) |
|
|
|
|
|
(DTS_CONSUME(s->stats, in, diff) != 0))
|
|
|
|
|
rekey_reason = "data limit lowered";
|
|
|
|
|
} else {
|
|
|
|
|
unsigned long diff = s->max_data_size - old_max_data_size;
|
|
|
|
|
if (s->stats->out.running)
|
|
|
|
|
s->stats->out.remaining += diff;
|
|
|
|
|
if (s->stats->in.running)
|
|
|
|
|
s->stats->in.remaining += diff;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (conf_get_int(s->conf, CONF_compression) !=
|
|
|
|
|
conf_get_int(conf, CONF_compression)) {
|
|
|
|
|
rekey_reason = "compression setting changed";
|
|
|
|
|
rekey_mandatory = TRUE;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
for (i = 0; i < CIPHER_MAX; i++)
|
|
|
|
|
if (conf_get_int_int(s->conf, CONF_ssh_cipherlist, i) !=
|
|
|
|
|
conf_get_int_int(conf, CONF_ssh_cipherlist, i)) {
|
|
|
|
|
rekey_reason = "cipher settings changed";
|
|
|
|
|
rekey_mandatory = TRUE;
|
|
|
|
|
}
|
|
|
|
|
if (conf_get_int(s->conf, CONF_ssh2_des_cbc) !=
|
|
|
|
|
conf_get_int(conf, CONF_ssh2_des_cbc)) {
|
|
|
|
|
rekey_reason = "cipher settings changed";
|
|
|
|
|
rekey_mandatory = TRUE;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
conf_free(s->conf);
|
|
|
|
|
s->conf = conf_copy(conf);
|
|
|
|
|
|
|
|
|
|
if (rekey_reason) {
|
Support OpenSSH delayed compression without a rekey.
The problem with OpenSSH delayed compression is that the spec has a
race condition. Compression is enabled when the server sends
USERAUTH_SUCCESS. In the server->client direction, that's fine: the
USERAUTH_SUCCESS packet is not itself compressed, and the next packet
in the same direction is. But in the client->server direction, this
specification relies on there being a moment of half-duplex in the
connection: the client can't send any outgoing packet _after_ whatever
userauth packet the USERAUTH_SUCCESS was a response to, and _before_
finding out whether the response is USERAUTH_SUCCESS or something
else. If it emitted, say, an SSH_MSG_IGNORE or initiated a rekey
(perhaps due to a timeout), then that might cross in the network with
USERAUTH_SUCCESS and the server wouldn't be able to know whether to
treat it as compressed.
My previous solution was to note the presence of delayed compression
options in the server KEXINIT, but not to negotiate them in the
initial key exchange. Instead, we conduct the userauth exchange with
compression="none", and then once userauth has concluded, we trigger
an immediate rekey in which we do accept delayed compression methods -
because of course by that time they're no different from the non-
delayed versions. And that means compression is enabled by the
bidirectional NEWKEYS exchange, which lacks that race condition.
I think OpenSSH itself gets away with this because its layer structure
is structure so as to never send any such asynchronous transport-layer
message in the middle of userauth. Ours is not. But my cunning plan is
that now that my BPP abstraction includes a queue of packets to be
sent and a callback that processes that queue on to the output raw
data bufchain, it's possible to make that callback terminate early, to
leave any dangerous transport-layer messages unsent while we wait for
a userauth response.
Specifically: if we've negotiated a delayed compression method and not
yet seen USERAUTH_SUCCESS, then ssh2_bpp_handle_output will emit all
packets from its queue up to and including the last one in the
userauth type-code range, and keep back any further ones. The idea is
that _if_ that last userauth message was one that might provoke
USERAUTH_SUCCESS, we don't want to send any difficult things after it;
if it's not (e.g. it's in the middle of some ongoing userauth process
like k-i or GSS) then the userauth layer will know that, and will emit
some further userauth packet on its own initiative which will clue us
in that it's OK to release everything up to and including that one.
(So in particular it wasn't even necessary to forbid _all_ transport-
layer packets during userauth. I could have done that by reordering
the output queue - packets in that queue haven't been assigned their
sequence numbers yet, so that would have been safe - but it's more
elegant not to have to.)
One particular case we do have to be careful about is not trying to
initiate a _rekey_ during userauth, if delayed compression is in the
offing. That's because when we start rekeying, ssh2transport stops
sending any higher-layer packets at all, to discourage servers from
trying to ignore the KEXINIT and press on regardless - you don't get
your higher-layer replies until you actually respond to the
lower-layer interrupt. But in this case, if ssh2transport sent a
KEXINIT, which ssh2bpp kept back in the queue to avoid a delayed
compression race and would only send if another userauth packet
followed it, which ssh2transport would never pass on to ssh2bpp's
output queue, there'd be a complete protocol deadlock. So instead I
defer any attempt to start a rekey until after userauth finishes
(using the existing system for starting a deferred rekey at that
moment, which was previously used for the _old_ delayed-compression
strategy, and still has to be here anyway for GSSAPI purposes).
2018-10-07 08:10:14 +00:00
|
|
|
if (!s->kex_in_progress && !ssh2_bpp_rekey_inadvisable(s->ppl.bpp)) {
|
Move most of ssh.c out into separate source files.
I've tried to separate out as many individually coherent changes from
this work as I could into their own commits, but here's where I run
out and have to commit the rest of this major refactoring as a
big-bang change.
Most of ssh.c is now no longer in ssh.c: all five of the main
coroutines that handle layers of the SSH-1 and SSH-2 protocols now
each have their own source file to live in, and a lot of the
supporting functions have moved into the appropriate one of those too.
The new abstraction is a vtable called 'PacketProtocolLayer', which
has an input and output packet queue. Each layer's main coroutine is
invoked from the method ssh_ppl_process_queue(), which is usually
(though not exclusively) triggered automatically when things are
pushed on the input queue. In SSH-2, the base layer is the transport
protocol, and it contains a pair of subsidiary queues by which it
passes some of its packets to the higher SSH-2 layers - first userauth
and then connection, which are peers at the same level, with the
former abdicating in favour of the latter at the appropriate moment.
SSH-1 is simpler: the whole login phase of the protocol (crypto setup
and authentication) is all in one module, and since SSH-1 has no
repeat key exchange, that setup layer abdicates in favour of the
connection phase when it's done.
ssh.c itself is now about a tenth of its old size (which all by itself
is cause for celebration!). Its main job is to set up all the layers,
hook them up to each other and to the BPP, and to funnel data back and
forth between that collection of modules and external things such as
the network and the terminal. Once it's set up a collection of packet
protocol layers, it communicates with them partly by calling methods
of the base layer (and if that's ssh2transport then it will delegate
some functionality to the corresponding methods of its higher layer),
and partly by talking directly to the connection layer no matter where
it is in the stack by means of the separate ConnectionLayer vtable
which I introduced in commit 8001dd4cb, and to which I've now added
quite a few extra methods replacing services that used to be internal
function calls within ssh.c.
(One effect of this is that the SSH-1 and SSH-2 channel storage is now
no longer shared - there are distinct struct types ssh1_channel and
ssh2_channel. That means a bit more code duplication, but on the plus
side, a lot fewer confusing conditionals in the middle of half-shared
functions, and less risk of a piece of SSH-1 escaping into SSH-2 or
vice versa, which I remember has happened at least once in the past.)
The bulk of this commit introduces the five new source files, their
common header sshppl.h and some shared supporting routines in
sshcommon.c, and rewrites nearly all of ssh.c itself. But it also
includes a couple of other changes that I couldn't separate easily
enough:
Firstly, there's a new handling for socket EOF, in which ssh.c sets an
'input_eof' flag in the BPP, and that responds by checking a flag that
tells it whether to report the EOF as an error or not. (This is the
main reason for those new BPP_READ / BPP_WAITFOR macros - they can
check the EOF flag every time the coroutine is resumed.)
Secondly, the error reporting itself is changed around again. I'd
expected to put some data fields in the public PacketProtocolLayer
structure that it could set to report errors in the same way as the
BPPs have been doing, but in the end, I decided propagating all those
data fields around was a pain and that even the BPPs shouldn't have
been doing it that way. So I've reverted to a system where everything
calls back to functions in ssh.c itself to report any connection-
ending condition. But there's a new family of those functions,
categorising the possible such conditions by semantics, and each one
has a different set of detailed effects (e.g. how rudely to close the
network connection, what exit status should be passed back to the
whole application, whether to send a disconnect message and/or display
a GUI error box).
I don't expect this to be immediately perfect: of course, the code has
been through a big upheaval, new bugs are expected, and I haven't been
able to do a full job of testing (e.g. I haven't tested every auth or
kex method). But I've checked that it _basically_ works - both SSH
protocols, all the different kinds of forwarding channel, more than
one auth method, Windows and Linux, connection sharing - and I think
it's now at the point where the easiest way to find further bugs is to
let it out into the wild and see what users can spot.
2018-09-24 17:28:16 +00:00
|
|
|
s->rekey_reason = rekey_reason;
|
|
|
|
|
s->rekey_class = RK_NORMAL;
|
|
|
|
|
queue_idempotent_callback(&s->ppl.ic_process_queue);
|
|
|
|
|
} else if (rekey_mandatory) {
|
|
|
|
|
s->deferred_rekey_reason = rekey_reason;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* Also pass the configuration along to our higher layer */
|
|
|
|
|
ssh_ppl_reconfigure(s->higher_layer, conf);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static int ssh2_transport_want_user_input(PacketProtocolLayer *ppl)
|
|
|
|
|
{
|
|
|
|
|
struct ssh2_transport_state *s =
|
2018-10-05 22:49:08 +00:00
|
|
|
container_of(ppl, struct ssh2_transport_state, ppl);
|
Move most of ssh.c out into separate source files.
I've tried to separate out as many individually coherent changes from
this work as I could into their own commits, but here's where I run
out and have to commit the rest of this major refactoring as a
big-bang change.
Most of ssh.c is now no longer in ssh.c: all five of the main
coroutines that handle layers of the SSH-1 and SSH-2 protocols now
each have their own source file to live in, and a lot of the
supporting functions have moved into the appropriate one of those too.
The new abstraction is a vtable called 'PacketProtocolLayer', which
has an input and output packet queue. Each layer's main coroutine is
invoked from the method ssh_ppl_process_queue(), which is usually
(though not exclusively) triggered automatically when things are
pushed on the input queue. In SSH-2, the base layer is the transport
protocol, and it contains a pair of subsidiary queues by which it
passes some of its packets to the higher SSH-2 layers - first userauth
and then connection, which are peers at the same level, with the
former abdicating in favour of the latter at the appropriate moment.
SSH-1 is simpler: the whole login phase of the protocol (crypto setup
and authentication) is all in one module, and since SSH-1 has no
repeat key exchange, that setup layer abdicates in favour of the
connection phase when it's done.
ssh.c itself is now about a tenth of its old size (which all by itself
is cause for celebration!). Its main job is to set up all the layers,
hook them up to each other and to the BPP, and to funnel data back and
forth between that collection of modules and external things such as
the network and the terminal. Once it's set up a collection of packet
protocol layers, it communicates with them partly by calling methods
of the base layer (and if that's ssh2transport then it will delegate
some functionality to the corresponding methods of its higher layer),
and partly by talking directly to the connection layer no matter where
it is in the stack by means of the separate ConnectionLayer vtable
which I introduced in commit 8001dd4cb, and to which I've now added
quite a few extra methods replacing services that used to be internal
function calls within ssh.c.
(One effect of this is that the SSH-1 and SSH-2 channel storage is now
no longer shared - there are distinct struct types ssh1_channel and
ssh2_channel. That means a bit more code duplication, but on the plus
side, a lot fewer confusing conditionals in the middle of half-shared
functions, and less risk of a piece of SSH-1 escaping into SSH-2 or
vice versa, which I remember has happened at least once in the past.)
The bulk of this commit introduces the five new source files, their
common header sshppl.h and some shared supporting routines in
sshcommon.c, and rewrites nearly all of ssh.c itself. But it also
includes a couple of other changes that I couldn't separate easily
enough:
Firstly, there's a new handling for socket EOF, in which ssh.c sets an
'input_eof' flag in the BPP, and that responds by checking a flag that
tells it whether to report the EOF as an error or not. (This is the
main reason for those new BPP_READ / BPP_WAITFOR macros - they can
check the EOF flag every time the coroutine is resumed.)
Secondly, the error reporting itself is changed around again. I'd
expected to put some data fields in the public PacketProtocolLayer
structure that it could set to report errors in the same way as the
BPPs have been doing, but in the end, I decided propagating all those
data fields around was a pain and that even the BPPs shouldn't have
been doing it that way. So I've reverted to a system where everything
calls back to functions in ssh.c itself to report any connection-
ending condition. But there's a new family of those functions,
categorising the possible such conditions by semantics, and each one
has a different set of detailed effects (e.g. how rudely to close the
network connection, what exit status should be passed back to the
whole application, whether to send a disconnect message and/or display
a GUI error box).
I don't expect this to be immediately perfect: of course, the code has
been through a big upheaval, new bugs are expected, and I haven't been
able to do a full job of testing (e.g. I haven't tested every auth or
kex method). But I've checked that it _basically_ works - both SSH
protocols, all the different kinds of forwarding channel, more than
one auth method, Windows and Linux, connection sharing - and I think
it's now at the point where the easiest way to find further bugs is to
let it out into the wild and see what users can spot.
2018-09-24 17:28:16 +00:00
|
|
|
|
|
|
|
|
/* Just delegate this to the higher layer */
|
|
|
|
|
return ssh_ppl_want_user_input(s->higher_layer);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static void ssh2_transport_got_user_input(PacketProtocolLayer *ppl)
|
|
|
|
|
{
|
|
|
|
|
struct ssh2_transport_state *s =
|
2018-10-05 22:49:08 +00:00
|
|
|
container_of(ppl, struct ssh2_transport_state, ppl);
|
Move most of ssh.c out into separate source files.
I've tried to separate out as many individually coherent changes from
this work as I could into their own commits, but here's where I run
out and have to commit the rest of this major refactoring as a
big-bang change.
Most of ssh.c is now no longer in ssh.c: all five of the main
coroutines that handle layers of the SSH-1 and SSH-2 protocols now
each have their own source file to live in, and a lot of the
supporting functions have moved into the appropriate one of those too.
The new abstraction is a vtable called 'PacketProtocolLayer', which
has an input and output packet queue. Each layer's main coroutine is
invoked from the method ssh_ppl_process_queue(), which is usually
(though not exclusively) triggered automatically when things are
pushed on the input queue. In SSH-2, the base layer is the transport
protocol, and it contains a pair of subsidiary queues by which it
passes some of its packets to the higher SSH-2 layers - first userauth
and then connection, which are peers at the same level, with the
former abdicating in favour of the latter at the appropriate moment.
SSH-1 is simpler: the whole login phase of the protocol (crypto setup
and authentication) is all in one module, and since SSH-1 has no
repeat key exchange, that setup layer abdicates in favour of the
connection phase when it's done.
ssh.c itself is now about a tenth of its old size (which all by itself
is cause for celebration!). Its main job is to set up all the layers,
hook them up to each other and to the BPP, and to funnel data back and
forth between that collection of modules and external things such as
the network and the terminal. Once it's set up a collection of packet
protocol layers, it communicates with them partly by calling methods
of the base layer (and if that's ssh2transport then it will delegate
some functionality to the corresponding methods of its higher layer),
and partly by talking directly to the connection layer no matter where
it is in the stack by means of the separate ConnectionLayer vtable
which I introduced in commit 8001dd4cb, and to which I've now added
quite a few extra methods replacing services that used to be internal
function calls within ssh.c.
(One effect of this is that the SSH-1 and SSH-2 channel storage is now
no longer shared - there are distinct struct types ssh1_channel and
ssh2_channel. That means a bit more code duplication, but on the plus
side, a lot fewer confusing conditionals in the middle of half-shared
functions, and less risk of a piece of SSH-1 escaping into SSH-2 or
vice versa, which I remember has happened at least once in the past.)
The bulk of this commit introduces the five new source files, their
common header sshppl.h and some shared supporting routines in
sshcommon.c, and rewrites nearly all of ssh.c itself. But it also
includes a couple of other changes that I couldn't separate easily
enough:
Firstly, there's a new handling for socket EOF, in which ssh.c sets an
'input_eof' flag in the BPP, and that responds by checking a flag that
tells it whether to report the EOF as an error or not. (This is the
main reason for those new BPP_READ / BPP_WAITFOR macros - they can
check the EOF flag every time the coroutine is resumed.)
Secondly, the error reporting itself is changed around again. I'd
expected to put some data fields in the public PacketProtocolLayer
structure that it could set to report errors in the same way as the
BPPs have been doing, but in the end, I decided propagating all those
data fields around was a pain and that even the BPPs shouldn't have
been doing it that way. So I've reverted to a system where everything
calls back to functions in ssh.c itself to report any connection-
ending condition. But there's a new family of those functions,
categorising the possible such conditions by semantics, and each one
has a different set of detailed effects (e.g. how rudely to close the
network connection, what exit status should be passed back to the
whole application, whether to send a disconnect message and/or display
a GUI error box).
I don't expect this to be immediately perfect: of course, the code has
been through a big upheaval, new bugs are expected, and I haven't been
able to do a full job of testing (e.g. I haven't tested every auth or
kex method). But I've checked that it _basically_ works - both SSH
protocols, all the different kinds of forwarding channel, more than
one auth method, Windows and Linux, connection sharing - and I think
it's now at the point where the easiest way to find further bugs is to
let it out into the wild and see what users can spot.
2018-09-24 17:28:16 +00:00
|
|
|
|
|
|
|
|
/* Just delegate this to the higher layer */
|
|
|
|
|
ssh_ppl_got_user_input(s->higher_layer);
|
|
|
|
|
}
|