mirror of
https://git.tartarus.org/simon/putty.git
synced 2025-03-18 04:48:39 -05:00
3214563d8e
My normal habit these days, in new code, is to treat int and bool as _almost_ completely separate types. I'm still willing to use C's implicit test for zero on an integer (e.g. 'if (!blob.len)' is fine, no need to spell it out as blob.len != 0), but generally, if a variable is going to be conceptually a boolean, I like to declare it bool and assign to it using 'true' or 'false' rather than 0 or 1. PuTTY is an exception, because it predates the C99 bool, and I've stuck to its existing coding style even when adding new code to it. But it's been annoying me more and more, so now that I've decided C99 bool is an acceptable thing to require from our toolchain in the first place, here's a quite thorough trawl through the source doing 'boolification'. Many variables and function parameters are now typed as bool rather than int; many assignments of 0 or 1 to those variables are now spelled 'true' or 'false'. I managed this thorough conversion with the help of a custom clang plugin that I wrote to trawl the AST and apply heuristics to point out where things might want changing. So I've even managed to do a decent job on parts of the code I haven't looked at in years! To make the plugin's work easier, I pushed platform front ends generally in the direction of using standard 'bool' in preference to platform-specific boolean types like Windows BOOL or GTK's gboolean; I've left the platform booleans in places they _have_ to be for the platform APIs to work right, but variables only used by my own code have been converted wherever I found them. In a few places there are int values that look very like booleans in _most_ of the places they're used, but have a rarely-used third value, or a distinction between different nonzero values that most users don't care about. In these cases, I've _removed_ uses of 'true' and 'false' for the return values, to emphasise that there's something more subtle going on than a simple boolean answer: - the 'multisel' field in dialog.h's list box structure, for which the GTK front end in particular recognises a difference between 1 and 2 but nearly everything else treats as boolean - the 'urgent' parameter to plug_receive, where 1 vs 2 tells you something about the specific location of the urgent pointer, but most clients only care about 0 vs 'something nonzero' - the return value of wc_match, where -1 indicates a syntax error in the wildcard. - the return values from SSH-1 RSA-key loading functions, which use -1 for 'wrong passphrase' and 0 for all other failures (so any caller which already knows it's not loading an _encrypted private_ key can treat them as boolean) - term->esc_query, and the 'query' parameter in toggle_mode in terminal.c, which _usually_ hold 0 for ESC[123h or 1 for ESC[?123h, but can also hold -1 for some other intervening character that we don't support. In a few places there's an integer that I haven't turned into a bool even though it really _can_ only take values 0 or 1 (and, as above, tried to make the call sites consistent in not calling those values true and false), on the grounds that I thought it would make it more confusing to imply that the 0 value was in some sense 'negative' or bad and the 1 positive or good: - the return value of plug_accepting uses the POSIXish convention of 0=success and nonzero=error; I think if I made it bool then I'd also want to reverse its sense, and that's a job for a separate piece of work. - the 'screen' parameter to lineptr() in terminal.c, where 0 and 1 represent the default and alternate screens. There's no obvious reason why one of those should be considered 'true' or 'positive' or 'success' - they're just indices - so I've left it as int. ssh_scp_recv had particularly confusing semantics for its previous int return value: its call sites used '<= 0' to check for error, but it never actually returned a negative number, just 0 or 1. Now the function and its call sites agree that it's a bool. In a couple of places I've renamed variables called 'ret', because I don't like that name any more - it's unclear whether it means the return value (in preparation) for the _containing_ function or the return value received from a subroutine call, and occasionally I've accidentally used the same variable for both and introduced a bug. So where one of those got in my way, I've renamed it to 'toret' or 'retd' (the latter short for 'returned') in line with my usual modern practice, but I haven't done a thorough job of finding all of them. Finally, one amusing side effect of doing this is that I've had to separate quite a few chained assignments. It used to be perfectly fine to write 'a = b = c = TRUE' when a,b,c were int and TRUE was just a the 'true' defined by stdbool.h, that idiom provokes a warning from gcc: 'suggest parentheses around assignment used as truth value'!
421 lines
14 KiB
C
421 lines
14 KiB
C
/*
|
|
* Packet protocol layer for the SSH-1 login phase, from the server side.
|
|
*/
|
|
|
|
#include <assert.h>
|
|
|
|
#include "putty.h"
|
|
#include "ssh.h"
|
|
#include "sshbpp.h"
|
|
#include "sshppl.h"
|
|
#include "sshcr.h"
|
|
#include "sshserver.h"
|
|
|
|
struct ssh1_login_server_state {
|
|
int crState;
|
|
|
|
PacketProtocolLayer *successor_layer;
|
|
|
|
int remote_protoflags;
|
|
int local_protoflags;
|
|
unsigned long supported_ciphers_mask, supported_auths_mask;
|
|
unsigned cipher_type;
|
|
|
|
unsigned char cookie[8];
|
|
unsigned char session_key[32];
|
|
unsigned char session_id[16];
|
|
char *username_str;
|
|
ptrlen username;
|
|
|
|
struct RSAKey *servkey, *hostkey;
|
|
bool servkey_generated_here;
|
|
Bignum sesskey;
|
|
|
|
AuthPolicy *authpolicy;
|
|
unsigned ap_methods, current_method;
|
|
unsigned char auth_rsa_expected_response[16];
|
|
struct RSAKey *authkey;
|
|
bool auth_successful;
|
|
|
|
PacketProtocolLayer ppl;
|
|
};
|
|
|
|
static void ssh1_login_server_free(PacketProtocolLayer *);
|
|
static void ssh1_login_server_process_queue(PacketProtocolLayer *);
|
|
|
|
static bool ssh1_login_server_get_specials(
|
|
PacketProtocolLayer *ppl, add_special_fn_t add_special,
|
|
void *ctx) { return false; }
|
|
static void ssh1_login_server_special_cmd(PacketProtocolLayer *ppl,
|
|
SessionSpecialCode code, int arg) {}
|
|
static bool ssh1_login_server_want_user_input(
|
|
PacketProtocolLayer *ppl) { return false; }
|
|
static void ssh1_login_server_got_user_input(PacketProtocolLayer *ppl) {}
|
|
static void ssh1_login_server_reconfigure(
|
|
PacketProtocolLayer *ppl, Conf *conf) {}
|
|
|
|
static const struct PacketProtocolLayerVtable ssh1_login_server_vtable = {
|
|
ssh1_login_server_free,
|
|
ssh1_login_server_process_queue,
|
|
ssh1_login_server_get_specials,
|
|
ssh1_login_server_special_cmd,
|
|
ssh1_login_server_want_user_input,
|
|
ssh1_login_server_got_user_input,
|
|
ssh1_login_server_reconfigure,
|
|
NULL /* no layer names in SSH-1 */,
|
|
};
|
|
|
|
static void no_progress(void *param, int action, int phase, int iprogress) {}
|
|
|
|
PacketProtocolLayer *ssh1_login_server_new(
|
|
PacketProtocolLayer *successor_layer, struct RSAKey *hostkey,
|
|
AuthPolicy *authpolicy)
|
|
{
|
|
struct ssh1_login_server_state *s = snew(struct ssh1_login_server_state);
|
|
memset(s, 0, sizeof(*s));
|
|
s->ppl.vt = &ssh1_login_server_vtable;
|
|
|
|
s->hostkey = hostkey;
|
|
s->authpolicy = authpolicy;
|
|
|
|
s->successor_layer = successor_layer;
|
|
return &s->ppl;
|
|
}
|
|
|
|
static void ssh1_login_server_free(PacketProtocolLayer *ppl)
|
|
{
|
|
struct ssh1_login_server_state *s =
|
|
container_of(ppl, struct ssh1_login_server_state, ppl);
|
|
|
|
if (s->successor_layer)
|
|
ssh_ppl_free(s->successor_layer);
|
|
|
|
if (s->servkey_generated_here && s->servkey) {
|
|
freersakey(s->servkey);
|
|
sfree(s->servkey);
|
|
}
|
|
|
|
smemclr(s->session_key, sizeof(s->session_key));
|
|
sfree(s->username_str);
|
|
|
|
sfree(s);
|
|
}
|
|
|
|
static bool ssh1_login_server_filter_queue(struct ssh1_login_server_state *s)
|
|
{
|
|
return ssh1_common_filter_queue(&s->ppl);
|
|
}
|
|
|
|
static PktIn *ssh1_login_server_pop(struct ssh1_login_server_state *s)
|
|
{
|
|
if (ssh1_login_server_filter_queue(s))
|
|
return NULL;
|
|
return pq_pop(s->ppl.in_pq);
|
|
}
|
|
|
|
static void ssh1_login_server_process_queue(PacketProtocolLayer *ppl)
|
|
{
|
|
struct ssh1_login_server_state *s =
|
|
container_of(ppl, struct ssh1_login_server_state, ppl);
|
|
PktIn *pktin;
|
|
PktOut *pktout;
|
|
int i;
|
|
|
|
/* Filter centrally handled messages off the front of the queue on
|
|
* every entry to this coroutine, no matter where we're resuming
|
|
* from, even if we're _not_ looping on pq_pop. That way we can
|
|
* still proactively handle those messages even if we're waiting
|
|
* for a user response. */
|
|
if (ssh1_login_server_filter_queue(s))
|
|
return;
|
|
|
|
crBegin(s->crState);
|
|
|
|
if (!s->servkey) {
|
|
int server_key_bits = s->hostkey->bytes - 256;
|
|
if (server_key_bits < 512)
|
|
server_key_bits = s->hostkey->bytes + 256;
|
|
s->servkey = snew(struct RSAKey);
|
|
rsa_generate(s->servkey, server_key_bits, no_progress, NULL);
|
|
s->servkey->comment = NULL;
|
|
s->servkey_generated_here = true;
|
|
}
|
|
|
|
s->local_protoflags = SSH1_PROTOFLAGS_SUPPORTED;
|
|
/* FIXME: ability to configure this to a subset */
|
|
s->supported_ciphers_mask = ((1U << SSH_CIPHER_3DES) |
|
|
(1U << SSH_CIPHER_BLOWFISH) |
|
|
(1U << SSH_CIPHER_DES));
|
|
s->supported_auths_mask = 0;
|
|
s->ap_methods = auth_methods(s->authpolicy);
|
|
if (s->ap_methods & AUTHMETHOD_PASSWORD)
|
|
s->supported_auths_mask |= (1U << SSH1_AUTH_PASSWORD);
|
|
if (s->ap_methods & AUTHMETHOD_PUBLICKEY)
|
|
s->supported_auths_mask |= (1U << SSH1_AUTH_RSA);
|
|
if (s->ap_methods & AUTHMETHOD_TIS)
|
|
s->supported_auths_mask |= (1U << SSH1_AUTH_TIS);
|
|
if (s->ap_methods & AUTHMETHOD_CRYPTOCARD)
|
|
s->supported_auths_mask |= (1U << SSH1_AUTH_CCARD);
|
|
|
|
for (i = 0; i < 8; i++)
|
|
s->cookie[i] = random_byte();
|
|
|
|
pktout = ssh_bpp_new_pktout(s->ppl.bpp, SSH1_SMSG_PUBLIC_KEY);
|
|
put_data(pktout, s->cookie, 8);
|
|
rsa_ssh1_public_blob(BinarySink_UPCAST(pktout),
|
|
s->servkey, RSA_SSH1_EXPONENT_FIRST);
|
|
rsa_ssh1_public_blob(BinarySink_UPCAST(pktout),
|
|
s->hostkey, RSA_SSH1_EXPONENT_FIRST);
|
|
put_uint32(pktout, s->local_protoflags);
|
|
put_uint32(pktout, s->supported_ciphers_mask);
|
|
put_uint32(pktout, s->supported_auths_mask);
|
|
pq_push(s->ppl.out_pq, pktout);
|
|
|
|
crMaybeWaitUntilV((pktin = ssh1_login_server_pop(s)) != NULL);
|
|
if (pktin->type != SSH1_CMSG_SESSION_KEY) {
|
|
ssh_proto_error(s->ppl.ssh, "Received unexpected packet in response"
|
|
" to initial public key packet, type %d (%s)",
|
|
pktin->type, ssh1_pkt_type(pktin->type));
|
|
return;
|
|
}
|
|
|
|
{
|
|
ptrlen client_cookie;
|
|
s->cipher_type = get_byte(pktin);
|
|
client_cookie = get_data(pktin, 8);
|
|
s->sesskey = get_mp_ssh1(pktin);
|
|
s->remote_protoflags = get_uint32(pktin);
|
|
|
|
if (get_err(pktin)) {
|
|
ssh_proto_error(s->ppl.ssh, "Unable to parse session key packet");
|
|
return;
|
|
}
|
|
if (!ptrlen_eq_ptrlen(client_cookie, make_ptrlen(s->cookie, 8))) {
|
|
ssh_proto_error(s->ppl.ssh,
|
|
"Client sent incorrect anti-spoofing cookie");
|
|
return;
|
|
}
|
|
}
|
|
if (s->cipher_type >= 32 ||
|
|
!((s->supported_ciphers_mask >> s->cipher_type) & 1)) {
|
|
ssh_proto_error(s->ppl.ssh, "Client selected an unsupported cipher");
|
|
return;
|
|
}
|
|
|
|
{
|
|
struct RSAKey *smaller, *larger;
|
|
strbuf *data = strbuf_new();
|
|
|
|
if (bignum_bitcount(s->hostkey->modulus) >
|
|
bignum_bitcount(s->servkey->modulus)) {
|
|
larger = s->hostkey;
|
|
smaller = s->servkey;
|
|
} else {
|
|
smaller = s->hostkey;
|
|
larger = s->servkey;
|
|
}
|
|
|
|
if (rsa_ssh1_decrypt_pkcs1(s->sesskey, larger, data)) {
|
|
freebn(s->sesskey);
|
|
s->sesskey = bignum_from_bytes(data->u, data->len);
|
|
data->len = 0;
|
|
if (rsa_ssh1_decrypt_pkcs1(s->sesskey, smaller, data) &&
|
|
data->len == sizeof(s->session_key)) {
|
|
memcpy(s->session_key, data->u, sizeof(s->session_key));
|
|
freebn(s->sesskey);
|
|
s->sesskey = NULL; /* indicates success */
|
|
}
|
|
}
|
|
|
|
strbuf_free(data);
|
|
}
|
|
if (s->sesskey) {
|
|
ssh_proto_error(s->ppl.ssh, "Failed to decrypt session key");
|
|
return;
|
|
}
|
|
|
|
ssh1_compute_session_id(s->session_id, s->cookie, s->hostkey, s->servkey);
|
|
|
|
for (i = 0; i < 16; i++)
|
|
s->session_key[i] ^= s->session_id[i];
|
|
|
|
{
|
|
const struct ssh1_cipheralg *cipher =
|
|
(s->cipher_type == SSH_CIPHER_BLOWFISH ? &ssh1_blowfish :
|
|
s->cipher_type == SSH_CIPHER_DES ? &ssh1_des : &ssh1_3des);
|
|
ssh1_bpp_new_cipher(s->ppl.bpp, cipher, s->session_key);
|
|
}
|
|
|
|
pktout = ssh_bpp_new_pktout(s->ppl.bpp, SSH1_SMSG_SUCCESS);
|
|
pq_push(s->ppl.out_pq, pktout);
|
|
|
|
crMaybeWaitUntilV((pktin = ssh1_login_server_pop(s)) != NULL);
|
|
if (pktin->type != SSH1_CMSG_USER) {
|
|
ssh_proto_error(s->ppl.ssh, "Received unexpected packet while "
|
|
"expecting username, type %d (%s)",
|
|
pktin->type, ssh1_pkt_type(pktin->type));
|
|
return;
|
|
}
|
|
s->username = get_string(pktin);
|
|
s->username.ptr = s->username_str = mkstr(s->username);
|
|
ppl_logevent(("Received username '%.*s'", PTRLEN_PRINTF(s->username)));
|
|
|
|
s->auth_successful = auth_none(s->authpolicy, s->username);
|
|
while (1) {
|
|
/* Signal failed authentication */
|
|
pktout = ssh_bpp_new_pktout(s->ppl.bpp, SSH1_SMSG_FAILURE);
|
|
pq_push(s->ppl.out_pq, pktout);
|
|
|
|
crMaybeWaitUntilV((pktin = ssh1_login_server_pop(s)) != NULL);
|
|
if (pktin->type == SSH1_CMSG_AUTH_PASSWORD) {
|
|
s->current_method = AUTHMETHOD_PASSWORD;
|
|
if (!(s->ap_methods & s->current_method))
|
|
continue;
|
|
|
|
ptrlen password = get_string(pktin);
|
|
|
|
/* Tolerate historic traffic-analysis defence of NUL +
|
|
* garbage on the end of the binary password string */
|
|
char *nul = memchr(password.ptr, '\0', password.len);
|
|
if (nul)
|
|
password.len = (const char *)nul - (const char *)password.ptr;
|
|
|
|
if (auth_password(s->authpolicy, s->username, password, NULL))
|
|
goto auth_success;
|
|
} else if (pktin->type == SSH1_CMSG_AUTH_RSA) {
|
|
s->current_method = AUTHMETHOD_PUBLICKEY;
|
|
if (!(s->ap_methods & s->current_method))
|
|
continue;
|
|
|
|
{
|
|
Bignum modulus = get_mp_ssh1(pktin);
|
|
s->authkey = auth_publickey_ssh1(
|
|
s->authpolicy, s->username, modulus);
|
|
freebn(modulus);
|
|
}
|
|
|
|
if (!s->authkey)
|
|
continue;
|
|
|
|
if (s->authkey->bytes < 32) {
|
|
ppl_logevent(("Auth key far too small"));
|
|
continue;
|
|
}
|
|
|
|
{
|
|
unsigned char *rsabuf =
|
|
snewn(s->authkey->bytes, unsigned char);
|
|
struct MD5Context md5c;
|
|
|
|
for (i = 0; i < 32; i++)
|
|
rsabuf[i] = random_byte();
|
|
|
|
MD5Init(&md5c);
|
|
put_data(&md5c, rsabuf, 32);
|
|
put_data(&md5c, s->session_id, 16);
|
|
MD5Final(s->auth_rsa_expected_response, &md5c);
|
|
|
|
if (!rsa_ssh1_encrypt(rsabuf, 32, s->authkey)) {
|
|
sfree(rsabuf);
|
|
ppl_logevent(("Failed to encrypt auth challenge"));
|
|
continue;
|
|
}
|
|
|
|
Bignum bn = bignum_from_bytes(rsabuf, s->authkey->bytes);
|
|
smemclr(rsabuf, s->authkey->bytes);
|
|
sfree(rsabuf);
|
|
|
|
pktout = ssh_bpp_new_pktout(
|
|
s->ppl.bpp, SSH1_SMSG_AUTH_RSA_CHALLENGE);
|
|
put_mp_ssh1(pktout, bn);
|
|
pq_push(s->ppl.out_pq, pktout);
|
|
|
|
freebn(bn);
|
|
}
|
|
|
|
crMaybeWaitUntilV((pktin = ssh1_login_server_pop(s)) != NULL);
|
|
if (pktin->type != SSH1_CMSG_AUTH_RSA_RESPONSE) {
|
|
ssh_proto_error(s->ppl.ssh, "Received unexpected packet in "
|
|
"response to RSA auth challenge, type %d (%s)",
|
|
pktin->type, ssh1_pkt_type(pktin->type));
|
|
return;
|
|
}
|
|
|
|
{
|
|
ptrlen response = get_data(pktin, 16);
|
|
ptrlen expected = make_ptrlen(
|
|
s->auth_rsa_expected_response, 16);
|
|
if (!ptrlen_eq_ptrlen(response, expected)) {
|
|
ppl_logevent(("Wrong response to auth challenge"));
|
|
continue;
|
|
}
|
|
}
|
|
|
|
goto auth_success;
|
|
} else if (pktin->type == SSH1_CMSG_AUTH_TIS ||
|
|
pktin->type == SSH1_CMSG_AUTH_CCARD) {
|
|
char *challenge;
|
|
unsigned response_type;
|
|
ptrlen response;
|
|
|
|
s->current_method = (pktin->type == SSH1_CMSG_AUTH_TIS ?
|
|
AUTHMETHOD_TIS : AUTHMETHOD_CRYPTOCARD);
|
|
if (!(s->ap_methods & s->current_method))
|
|
continue;
|
|
|
|
challenge = auth_ssh1int_challenge(
|
|
s->authpolicy, s->current_method, s->username);
|
|
if (!challenge)
|
|
continue;
|
|
pktout = ssh_bpp_new_pktout(
|
|
s->ppl.bpp,
|
|
(s->current_method == AUTHMETHOD_TIS ?
|
|
SSH1_SMSG_AUTH_TIS_CHALLENGE :
|
|
SSH1_SMSG_AUTH_CCARD_CHALLENGE));
|
|
put_stringz(pktout, challenge);
|
|
pq_push(s->ppl.out_pq, pktout);
|
|
sfree(challenge);
|
|
|
|
crMaybeWaitUntilV((pktin = ssh1_login_server_pop(s)) != NULL);
|
|
response_type = (s->current_method == AUTHMETHOD_TIS ?
|
|
SSH1_CMSG_AUTH_TIS_RESPONSE :
|
|
SSH1_CMSG_AUTH_CCARD_RESPONSE);
|
|
if (pktin->type != response_type) {
|
|
ssh_proto_error(s->ppl.ssh, "Received unexpected packet in "
|
|
"response to %s challenge, type %d (%s)",
|
|
(s->current_method == AUTHMETHOD_TIS ?
|
|
"TIS" : "CryptoCard"),
|
|
pktin->type, ssh1_pkt_type(pktin->type));
|
|
return;
|
|
}
|
|
|
|
response = get_string(pktin);
|
|
|
|
if (auth_ssh1int_response(s->authpolicy, response))
|
|
goto auth_success;
|
|
}
|
|
}
|
|
|
|
auth_success:
|
|
if (!auth_successful(s->authpolicy, s->username, s->current_method)) {
|
|
ssh_sw_abort(s->ppl.ssh, "Multiple authentications required but SSH-1"
|
|
" cannot perform them");
|
|
return;
|
|
}
|
|
|
|
/* Signal successful authentication */
|
|
pktout = ssh_bpp_new_pktout(s->ppl.bpp, SSH1_SMSG_SUCCESS);
|
|
pq_push(s->ppl.out_pq, pktout);
|
|
|
|
ssh1_connection_set_protoflags(
|
|
s->successor_layer, s->local_protoflags, s->remote_protoflags);
|
|
{
|
|
PacketProtocolLayer *successor = s->successor_layer;
|
|
s->successor_layer = NULL; /* avoid freeing it ourself */
|
|
ssh_ppl_replace(&s->ppl, successor);
|
|
return; /* we've just freed s, so avoid even touching s->crState */
|
|
}
|
|
|
|
crFinishV;
|
|
}
|