mirror of
https://git.tartarus.org/simon/putty.git
synced 2025-06-30 19:12:48 -05:00
Support OpenSSH delayed compression without a rekey.
The problem with OpenSSH delayed compression is that the spec has a race condition. Compression is enabled when the server sends USERAUTH_SUCCESS. In the server->client direction, that's fine: the USERAUTH_SUCCESS packet is not itself compressed, and the next packet in the same direction is. But in the client->server direction, this specification relies on there being a moment of half-duplex in the connection: the client can't send any outgoing packet _after_ whatever userauth packet the USERAUTH_SUCCESS was a response to, and _before_ finding out whether the response is USERAUTH_SUCCESS or something else. If it emitted, say, an SSH_MSG_IGNORE or initiated a rekey (perhaps due to a timeout), then that might cross in the network with USERAUTH_SUCCESS and the server wouldn't be able to know whether to treat it as compressed. My previous solution was to note the presence of delayed compression options in the server KEXINIT, but not to negotiate them in the initial key exchange. Instead, we conduct the userauth exchange with compression="none", and then once userauth has concluded, we trigger an immediate rekey in which we do accept delayed compression methods - because of course by that time they're no different from the non- delayed versions. And that means compression is enabled by the bidirectional NEWKEYS exchange, which lacks that race condition. I think OpenSSH itself gets away with this because its layer structure is structure so as to never send any such asynchronous transport-layer message in the middle of userauth. Ours is not. But my cunning plan is that now that my BPP abstraction includes a queue of packets to be sent and a callback that processes that queue on to the output raw data bufchain, it's possible to make that callback terminate early, to leave any dangerous transport-layer messages unsent while we wait for a userauth response. Specifically: if we've negotiated a delayed compression method and not yet seen USERAUTH_SUCCESS, then ssh2_bpp_handle_output will emit all packets from its queue up to and including the last one in the userauth type-code range, and keep back any further ones. The idea is that _if_ that last userauth message was one that might provoke USERAUTH_SUCCESS, we don't want to send any difficult things after it; if it's not (e.g. it's in the middle of some ongoing userauth process like k-i or GSS) then the userauth layer will know that, and will emit some further userauth packet on its own initiative which will clue us in that it's OK to release everything up to and including that one. (So in particular it wasn't even necessary to forbid _all_ transport- layer packets during userauth. I could have done that by reordering the output queue - packets in that queue haven't been assigned their sequence numbers yet, so that would have been safe - but it's more elegant not to have to.) One particular case we do have to be careful about is not trying to initiate a _rekey_ during userauth, if delayed compression is in the offing. That's because when we start rekeying, ssh2transport stops sending any higher-layer packets at all, to discourage servers from trying to ignore the KEXINIT and press on regardless - you don't get your higher-layer replies until you actually respond to the lower-layer interrupt. But in this case, if ssh2transport sent a KEXINIT, which ssh2bpp kept back in the queue to avoid a delayed compression race and would only send if another userauth packet followed it, which ssh2transport would never pass on to ssh2bpp's output queue, there'd be a complete protocol deadlock. So instead I defer any attempt to start a rekey until after userauth finishes (using the existing system for starting a deferred rekey at that moment, which was previously used for the _old_ delayed-compression strategy, and still has to be here anyway for GSSAPI purposes).
This commit is contained in:
@ -49,7 +49,10 @@ struct kexinit_algorithm {
|
||||
const struct ssh2_macalg *mac;
|
||||
int etm;
|
||||
} mac;
|
||||
const struct ssh_compression_alg *comp;
|
||||
struct {
|
||||
const struct ssh_compression_alg *comp;
|
||||
int delayed;
|
||||
} comp;
|
||||
} u;
|
||||
};
|
||||
|
||||
@ -206,6 +209,7 @@ struct ssh2_transport_state {
|
||||
const struct ssh2_macalg *mac;
|
||||
int etm_mode;
|
||||
const struct ssh_compression_alg *comp;
|
||||
int comp_delayed;
|
||||
} in, out;
|
||||
ptrlen hostkeydata, sigdata;
|
||||
char *keystr, *fingerprint;
|
||||
@ -223,8 +227,6 @@ struct ssh2_transport_state {
|
||||
int n_preferred_ciphers;
|
||||
const struct ssh2_ciphers *preferred_ciphers[CIPHER_MAX];
|
||||
const struct ssh_compression_alg *preferred_comp;
|
||||
int userauth_succeeded; /* for delayed compression */
|
||||
int pending_compression;
|
||||
int got_session_id;
|
||||
int dlgret;
|
||||
int guessok;
|
||||
@ -614,8 +616,6 @@ static void ssh2_transport_process_queue(PacketProtocolLayer *ppl)
|
||||
s->in.comp = s->out.comp = NULL;
|
||||
|
||||
s->got_session_id = FALSE;
|
||||
s->userauth_succeeded = FALSE;
|
||||
s->pending_compression = FALSE;
|
||||
s->need_gss_transient_hostkey = FALSE;
|
||||
s->warned_about_no_gss_transient_hostkey = FALSE;
|
||||
|
||||
@ -935,22 +935,23 @@ static void ssh2_transport_process_queue(PacketProtocolLayer *ppl)
|
||||
assert(lenof(compressions) > 1);
|
||||
/* Prefer non-delayed versions */
|
||||
alg = ssh2_kexinit_addalg(s->kexlists[j], s->preferred_comp->name);
|
||||
alg->u.comp = s->preferred_comp;
|
||||
/* We don't even list delayed versions of algorithms until
|
||||
* they're allowed to be used, to avoid a race. See the end of
|
||||
* this function. */
|
||||
if (s->userauth_succeeded && s->preferred_comp->delayed_name) {
|
||||
alg->u.comp.comp = s->preferred_comp;
|
||||
alg->u.comp.delayed = FALSE;
|
||||
if (s->preferred_comp->delayed_name) {
|
||||
alg = ssh2_kexinit_addalg(s->kexlists[j],
|
||||
s->preferred_comp->delayed_name);
|
||||
alg->u.comp = s->preferred_comp;
|
||||
alg->u.comp.comp = s->preferred_comp;
|
||||
alg->u.comp.delayed = TRUE;
|
||||
}
|
||||
for (i = 0; i < lenof(compressions); i++) {
|
||||
const struct ssh_compression_alg *c = compressions[i];
|
||||
alg = ssh2_kexinit_addalg(s->kexlists[j], c->name);
|
||||
alg->u.comp = c;
|
||||
if (s->userauth_succeeded && c->delayed_name) {
|
||||
alg->u.comp.comp = c;
|
||||
alg->u.comp.delayed = FALSE;
|
||||
if (c->delayed_name) {
|
||||
alg = ssh2_kexinit_addalg(s->kexlists[j], c->delayed_name);
|
||||
alg->u.comp = c;
|
||||
alg->u.comp.comp = c;
|
||||
alg->u.comp.delayed = TRUE;
|
||||
}
|
||||
}
|
||||
}
|
||||
@ -1006,6 +1007,7 @@ static void ssh2_transport_process_queue(PacketProtocolLayer *ppl)
|
||||
s->in.cipher = s->out.cipher = NULL;
|
||||
s->in.mac = s->out.mac = NULL;
|
||||
s->in.comp = s->out.comp = NULL;
|
||||
s->in.comp_delayed = s->out.comp_delayed = FALSE;
|
||||
s->warn_kex = s->warn_hk = FALSE;
|
||||
s->warn_cscipher = s->warn_sccipher = FALSE;
|
||||
|
||||
@ -1076,21 +1078,14 @@ static void ssh2_transport_process_queue(PacketProtocolLayer *ppl)
|
||||
s->in.mac = alg->u.mac.mac;
|
||||
s->in.etm_mode = alg->u.mac.etm;
|
||||
} else if (i == KEXLIST_CSCOMP) {
|
||||
s->out.comp = alg->u.comp;
|
||||
s->out.comp = alg->u.comp.comp;
|
||||
s->out.comp_delayed = alg->u.comp.delayed;
|
||||
} else if (i == KEXLIST_SCCOMP) {
|
||||
s->in.comp = alg->u.comp;
|
||||
s->in.comp = alg->u.comp.comp;
|
||||
s->in.comp_delayed = alg->u.comp.delayed;
|
||||
}
|
||||
goto matched;
|
||||
}
|
||||
|
||||
/* Set a flag if there's a delayed compression option
|
||||
* available for a compression method that we just
|
||||
* failed to select the immediate version of. */
|
||||
s->pending_compression = (
|
||||
(i == KEXLIST_CSCOMP || i == KEXLIST_SCCOMP) &&
|
||||
in_commasep_string(alg->u.comp->delayed_name,
|
||||
str.ptr, str.len) &&
|
||||
!s->userauth_succeeded);
|
||||
}
|
||||
ssh_sw_abort(s->ppl.ssh, "Couldn't agree a %s (available: %.*s)",
|
||||
kexlist_descr[i], PTRLEN_PRINTF(str));
|
||||
@ -1127,10 +1122,6 @@ static void ssh2_transport_process_queue(PacketProtocolLayer *ppl)
|
||||
}
|
||||
}
|
||||
|
||||
if (s->pending_compression) {
|
||||
ppl_logevent(("Server supports delayed compression; "
|
||||
"will try this later"));
|
||||
}
|
||||
get_string(pktin); /* client->server language */
|
||||
get_string(pktin); /* server->client language */
|
||||
s->ignorepkt = get_bool(pktin) && !s->guessok;
|
||||
@ -2146,7 +2137,7 @@ static void ssh2_transport_process_queue(PacketProtocolLayer *ppl)
|
||||
s->ppl.bpp,
|
||||
s->out.cipher, cipher_key->u, cipher_iv->u,
|
||||
s->out.mac, s->out.etm_mode, mac_key->u,
|
||||
s->out.comp);
|
||||
s->out.comp, s->out.comp_delayed);
|
||||
|
||||
strbuf_free(cipher_key);
|
||||
strbuf_free(cipher_iv);
|
||||
@ -2201,7 +2192,7 @@ static void ssh2_transport_process_queue(PacketProtocolLayer *ppl)
|
||||
s->ppl.bpp,
|
||||
s->in.cipher, cipher_key->u, cipher_iv->u,
|
||||
s->in.mac, s->in.etm_mode, mac_key->u,
|
||||
s->in.comp);
|
||||
s->in.comp, s->in.comp_delayed);
|
||||
|
||||
strbuf_free(cipher_key);
|
||||
strbuf_free(cipher_iv);
|
||||
@ -2288,41 +2279,17 @@ static void ssh2_transport_process_queue(PacketProtocolLayer *ppl)
|
||||
|
||||
if (s->rekey_class == RK_POST_USERAUTH) {
|
||||
/*
|
||||
* userauth has seen a USERAUTH_SUCCEEDED. For a couple of
|
||||
* reasons, this may be the moment to do an immediate
|
||||
* rekey with different parameters. But it may not; so
|
||||
* here we turn that rekey class into either RK_NONE or
|
||||
* RK_NORMAL.
|
||||
* userauth has seen a USERAUTH_SUCCESS. This may be the
|
||||
* moment to do an immediate rekey with different
|
||||
* parameters. But it may not; so here we turn that rekey
|
||||
* class into either RK_NONE or RK_NORMAL.
|
||||
*
|
||||
* One is to turn on delayed compression. We do this by a
|
||||
* rekey to work around a protocol design bug:
|
||||
* draft-miller-secsh-compression-delayed-00 says that you
|
||||
* negotiate delayed compression in the first key
|
||||
* exchange, and both sides start compressing when the
|
||||
* server has sent USERAUTH_SUCCESS. This has a race
|
||||
* condition -- the server can't know when the client has
|
||||
* seen it, and thus which incoming packets it should
|
||||
* treat as compressed.
|
||||
*
|
||||
* Instead, we do the initial key exchange without
|
||||
* offering the delayed methods, but note if the server
|
||||
* offers them; when we get here, if a delayed method was
|
||||
* available that was higher on our list than what we got,
|
||||
* we initiate a rekey in which we _do_ list the delayed
|
||||
* methods (and hopefully get it as a result). Subsequent
|
||||
* rekeys will do the same.
|
||||
*
|
||||
* Another reason for a rekey at this point is if we've
|
||||
* done a GSS key exchange and don't have anything in our
|
||||
* Currently the only reason for this is if we've done a
|
||||
* GSS key exchange and don't have anything in our
|
||||
* transient hostkey cache, in which case we should make
|
||||
* an attempt to populate the cache now.
|
||||
*/
|
||||
assert(!s->userauth_succeeded); /* should only happen once */
|
||||
s->userauth_succeeded = TRUE;
|
||||
if (s->pending_compression) {
|
||||
s->rekey_reason = "enabling delayed compression";
|
||||
s->rekey_class = RK_NORMAL;
|
||||
} else if (s->need_gss_transient_hostkey) {
|
||||
if (s->need_gss_transient_hostkey) {
|
||||
s->rekey_reason = "populating transient host key cache";
|
||||
s->rekey_class = RK_NORMAL;
|
||||
} else {
|
||||
@ -2908,7 +2875,7 @@ static void ssh2_transport_reconfigure(PacketProtocolLayer *ppl, Conf *conf)
|
||||
s->conf = conf_copy(conf);
|
||||
|
||||
if (rekey_reason) {
|
||||
if (!s->kex_in_progress) {
|
||||
if (!s->kex_in_progress && !ssh2_bpp_rekey_inadvisable(s->ppl.bpp)) {
|
||||
s->rekey_reason = rekey_reason;
|
||||
s->rekey_class = RK_NORMAL;
|
||||
queue_idempotent_callback(&s->ppl.ic_process_queue);
|
||||
|
Reference in New Issue
Block a user