1
0
mirror of https://git.tartarus.org/simon/putty.git synced 2025-06-30 19:12:48 -05:00

Support OpenSSH delayed compression without a rekey.

The problem with OpenSSH delayed compression is that the spec has a
race condition. Compression is enabled when the server sends
USERAUTH_SUCCESS. In the server->client direction, that's fine: the
USERAUTH_SUCCESS packet is not itself compressed, and the next packet
in the same direction is. But in the client->server direction, this
specification relies on there being a moment of half-duplex in the
connection: the client can't send any outgoing packet _after_ whatever
userauth packet the USERAUTH_SUCCESS was a response to, and _before_
finding out whether the response is USERAUTH_SUCCESS or something
else. If it emitted, say, an SSH_MSG_IGNORE or initiated a rekey
(perhaps due to a timeout), then that might cross in the network with
USERAUTH_SUCCESS and the server wouldn't be able to know whether to
treat it as compressed.

My previous solution was to note the presence of delayed compression
options in the server KEXINIT, but not to negotiate them in the
initial key exchange. Instead, we conduct the userauth exchange with
compression="none", and then once userauth has concluded, we trigger
an immediate rekey in which we do accept delayed compression methods -
because of course by that time they're no different from the non-
delayed versions. And that means compression is enabled by the
bidirectional NEWKEYS exchange, which lacks that race condition.

I think OpenSSH itself gets away with this because its layer structure
is structure so as to never send any such asynchronous transport-layer
message in the middle of userauth. Ours is not. But my cunning plan is
that now that my BPP abstraction includes a queue of packets to be
sent and a callback that processes that queue on to the output raw
data bufchain, it's possible to make that callback terminate early, to
leave any dangerous transport-layer messages unsent while we wait for
a userauth response.

Specifically: if we've negotiated a delayed compression method and not
yet seen USERAUTH_SUCCESS, then ssh2_bpp_handle_output will emit all
packets from its queue up to and including the last one in the
userauth type-code range, and keep back any further ones. The idea is
that _if_ that last userauth message was one that might provoke
USERAUTH_SUCCESS, we don't want to send any difficult things after it;
if it's not (e.g. it's in the middle of some ongoing userauth process
like k-i or GSS) then the userauth layer will know that, and will emit
some further userauth packet on its own initiative which will clue us
in that it's OK to release everything up to and including that one.

(So in particular it wasn't even necessary to forbid _all_ transport-
layer packets during userauth. I could have done that by reordering
the output queue - packets in that queue haven't been assigned their
sequence numbers yet, so that would have been safe - but it's more
elegant not to have to.)

One particular case we do have to be careful about is not trying to
initiate a _rekey_ during userauth, if delayed compression is in the
offing. That's because when we start rekeying, ssh2transport stops
sending any higher-layer packets at all, to discourage servers from
trying to ignore the KEXINIT and press on regardless - you don't get
your higher-layer replies until you actually respond to the
lower-layer interrupt. But in this case, if ssh2transport sent a
KEXINIT, which ssh2bpp kept back in the queue to avoid a delayed
compression race and would only send if another userauth packet
followed it, which ssh2transport would never pass on to ssh2bpp's
output queue, there'd be a complete protocol deadlock. So instead I
defer any attempt to start a rekey until after userauth finishes
(using the existing system for starting a deferred rekey at that
moment, which was previously used for the _old_ delayed-compression
strategy, and still has to be here anyway for GSSAPI purposes).
This commit is contained in:
Simon Tatham
2018-10-07 09:10:14 +01:00
parent 2e7ced6480
commit 4c8c41b7a0
3 changed files with 203 additions and 81 deletions

View File

@ -49,7 +49,10 @@ struct kexinit_algorithm {
const struct ssh2_macalg *mac;
int etm;
} mac;
const struct ssh_compression_alg *comp;
struct {
const struct ssh_compression_alg *comp;
int delayed;
} comp;
} u;
};
@ -206,6 +209,7 @@ struct ssh2_transport_state {
const struct ssh2_macalg *mac;
int etm_mode;
const struct ssh_compression_alg *comp;
int comp_delayed;
} in, out;
ptrlen hostkeydata, sigdata;
char *keystr, *fingerprint;
@ -223,8 +227,6 @@ struct ssh2_transport_state {
int n_preferred_ciphers;
const struct ssh2_ciphers *preferred_ciphers[CIPHER_MAX];
const struct ssh_compression_alg *preferred_comp;
int userauth_succeeded; /* for delayed compression */
int pending_compression;
int got_session_id;
int dlgret;
int guessok;
@ -614,8 +616,6 @@ static void ssh2_transport_process_queue(PacketProtocolLayer *ppl)
s->in.comp = s->out.comp = NULL;
s->got_session_id = FALSE;
s->userauth_succeeded = FALSE;
s->pending_compression = FALSE;
s->need_gss_transient_hostkey = FALSE;
s->warned_about_no_gss_transient_hostkey = FALSE;
@ -935,22 +935,23 @@ static void ssh2_transport_process_queue(PacketProtocolLayer *ppl)
assert(lenof(compressions) > 1);
/* Prefer non-delayed versions */
alg = ssh2_kexinit_addalg(s->kexlists[j], s->preferred_comp->name);
alg->u.comp = s->preferred_comp;
/* We don't even list delayed versions of algorithms until
* they're allowed to be used, to avoid a race. See the end of
* this function. */
if (s->userauth_succeeded && s->preferred_comp->delayed_name) {
alg->u.comp.comp = s->preferred_comp;
alg->u.comp.delayed = FALSE;
if (s->preferred_comp->delayed_name) {
alg = ssh2_kexinit_addalg(s->kexlists[j],
s->preferred_comp->delayed_name);
alg->u.comp = s->preferred_comp;
alg->u.comp.comp = s->preferred_comp;
alg->u.comp.delayed = TRUE;
}
for (i = 0; i < lenof(compressions); i++) {
const struct ssh_compression_alg *c = compressions[i];
alg = ssh2_kexinit_addalg(s->kexlists[j], c->name);
alg->u.comp = c;
if (s->userauth_succeeded && c->delayed_name) {
alg->u.comp.comp = c;
alg->u.comp.delayed = FALSE;
if (c->delayed_name) {
alg = ssh2_kexinit_addalg(s->kexlists[j], c->delayed_name);
alg->u.comp = c;
alg->u.comp.comp = c;
alg->u.comp.delayed = TRUE;
}
}
}
@ -1006,6 +1007,7 @@ static void ssh2_transport_process_queue(PacketProtocolLayer *ppl)
s->in.cipher = s->out.cipher = NULL;
s->in.mac = s->out.mac = NULL;
s->in.comp = s->out.comp = NULL;
s->in.comp_delayed = s->out.comp_delayed = FALSE;
s->warn_kex = s->warn_hk = FALSE;
s->warn_cscipher = s->warn_sccipher = FALSE;
@ -1076,21 +1078,14 @@ static void ssh2_transport_process_queue(PacketProtocolLayer *ppl)
s->in.mac = alg->u.mac.mac;
s->in.etm_mode = alg->u.mac.etm;
} else if (i == KEXLIST_CSCOMP) {
s->out.comp = alg->u.comp;
s->out.comp = alg->u.comp.comp;
s->out.comp_delayed = alg->u.comp.delayed;
} else if (i == KEXLIST_SCCOMP) {
s->in.comp = alg->u.comp;
s->in.comp = alg->u.comp.comp;
s->in.comp_delayed = alg->u.comp.delayed;
}
goto matched;
}
/* Set a flag if there's a delayed compression option
* available for a compression method that we just
* failed to select the immediate version of. */
s->pending_compression = (
(i == KEXLIST_CSCOMP || i == KEXLIST_SCCOMP) &&
in_commasep_string(alg->u.comp->delayed_name,
str.ptr, str.len) &&
!s->userauth_succeeded);
}
ssh_sw_abort(s->ppl.ssh, "Couldn't agree a %s (available: %.*s)",
kexlist_descr[i], PTRLEN_PRINTF(str));
@ -1127,10 +1122,6 @@ static void ssh2_transport_process_queue(PacketProtocolLayer *ppl)
}
}
if (s->pending_compression) {
ppl_logevent(("Server supports delayed compression; "
"will try this later"));
}
get_string(pktin); /* client->server language */
get_string(pktin); /* server->client language */
s->ignorepkt = get_bool(pktin) && !s->guessok;
@ -2146,7 +2137,7 @@ static void ssh2_transport_process_queue(PacketProtocolLayer *ppl)
s->ppl.bpp,
s->out.cipher, cipher_key->u, cipher_iv->u,
s->out.mac, s->out.etm_mode, mac_key->u,
s->out.comp);
s->out.comp, s->out.comp_delayed);
strbuf_free(cipher_key);
strbuf_free(cipher_iv);
@ -2201,7 +2192,7 @@ static void ssh2_transport_process_queue(PacketProtocolLayer *ppl)
s->ppl.bpp,
s->in.cipher, cipher_key->u, cipher_iv->u,
s->in.mac, s->in.etm_mode, mac_key->u,
s->in.comp);
s->in.comp, s->in.comp_delayed);
strbuf_free(cipher_key);
strbuf_free(cipher_iv);
@ -2288,41 +2279,17 @@ static void ssh2_transport_process_queue(PacketProtocolLayer *ppl)
if (s->rekey_class == RK_POST_USERAUTH) {
/*
* userauth has seen a USERAUTH_SUCCEEDED. For a couple of
* reasons, this may be the moment to do an immediate
* rekey with different parameters. But it may not; so
* here we turn that rekey class into either RK_NONE or
* RK_NORMAL.
* userauth has seen a USERAUTH_SUCCESS. This may be the
* moment to do an immediate rekey with different
* parameters. But it may not; so here we turn that rekey
* class into either RK_NONE or RK_NORMAL.
*
* One is to turn on delayed compression. We do this by a
* rekey to work around a protocol design bug:
* draft-miller-secsh-compression-delayed-00 says that you
* negotiate delayed compression in the first key
* exchange, and both sides start compressing when the
* server has sent USERAUTH_SUCCESS. This has a race
* condition -- the server can't know when the client has
* seen it, and thus which incoming packets it should
* treat as compressed.
*
* Instead, we do the initial key exchange without
* offering the delayed methods, but note if the server
* offers them; when we get here, if a delayed method was
* available that was higher on our list than what we got,
* we initiate a rekey in which we _do_ list the delayed
* methods (and hopefully get it as a result). Subsequent
* rekeys will do the same.
*
* Another reason for a rekey at this point is if we've
* done a GSS key exchange and don't have anything in our
* Currently the only reason for this is if we've done a
* GSS key exchange and don't have anything in our
* transient hostkey cache, in which case we should make
* an attempt to populate the cache now.
*/
assert(!s->userauth_succeeded); /* should only happen once */
s->userauth_succeeded = TRUE;
if (s->pending_compression) {
s->rekey_reason = "enabling delayed compression";
s->rekey_class = RK_NORMAL;
} else if (s->need_gss_transient_hostkey) {
if (s->need_gss_transient_hostkey) {
s->rekey_reason = "populating transient host key cache";
s->rekey_class = RK_NORMAL;
} else {
@ -2908,7 +2875,7 @@ static void ssh2_transport_reconfigure(PacketProtocolLayer *ppl, Conf *conf)
s->conf = conf_copy(conf);
if (rekey_reason) {
if (!s->kex_in_progress) {
if (!s->kex_in_progress && !ssh2_bpp_rekey_inadvisable(s->ppl.bpp)) {
s->rekey_reason = rekey_reason;
s->rekey_class = RK_NORMAL;
queue_idempotent_callback(&s->ppl.ic_process_queue);