mirror of
https://git.tartarus.org/simon/putty.git
synced 2025-01-09 17:38:00 +00:00
c330156259
Finding even semi-official test vectors for this CRC implementation was hard, because it turns out not to _quite_ match any of the well known ones catalogued on the web. Its _polynomial_ is well known, but the combination of details that go alongside it (starting state, post-hashing transformation) are not quite the same as any other hash I know of. After trawling catalogue websites for a while I finally worked out that SSH-1's CRC and RFC 1662's CRC are basically the same except for different choices of starting value and final adjustment. And RFC 1662's CRC is common enough that there _are_ test vectors. So I've renamed the previous crc32_compute function to crc32_ssh1, reflecting that it seems to be its own thing unlike any other CRC; implemented the RFC 1662 CRC as well, as an alternative tiny wrapper on the inner crc32_update function; and exposed all three functions to testcrypt. That lets me run standard test vectors _and_ directed tests of the internal update routine, plus one check that crc32_ssh1 itself does what I expect. While I'm here, I've also modernised the code to use uint32_t in place of unsigned long, and ptrlen instead of separate pointer,length arguments. And I've removed the general primer on CRC theory from the header comment, in favour of the more specifically useful information about _which_ CRC this is and how it matches up to anything else out there. (I've bowed to inevitability and put the directed CRC tests in the 'crypt' class in cryptsuite.py. Of course this is a misnomer, since CRC isn't cryptography, but it falls into the same category in terms of the role it plays in SSH-1, and I didn't feel like making a new pointedly-named 'notreallycrypt' container class just for this :-)
370 lines
11 KiB
C
370 lines
11 KiB
C
/*
|
|
* Binary packet protocol for SSH-1.
|
|
*/
|
|
|
|
#include <assert.h>
|
|
|
|
#include "putty.h"
|
|
#include "ssh.h"
|
|
#include "sshbpp.h"
|
|
#include "sshcr.h"
|
|
|
|
struct ssh1_bpp_state {
|
|
int crState;
|
|
long len, pad, biglen, length, maxlen;
|
|
unsigned char *data;
|
|
uint32_t realcrc, gotcrc;
|
|
int chunk;
|
|
PktIn *pktin;
|
|
|
|
ssh1_cipher *cipher;
|
|
|
|
struct crcda_ctx *crcda_ctx;
|
|
|
|
bool pending_compression_request;
|
|
ssh_compressor *compctx;
|
|
ssh_decompressor *decompctx;
|
|
|
|
BinaryPacketProtocol bpp;
|
|
};
|
|
|
|
static void ssh1_bpp_free(BinaryPacketProtocol *bpp);
|
|
static void ssh1_bpp_handle_input(BinaryPacketProtocol *bpp);
|
|
static void ssh1_bpp_handle_output(BinaryPacketProtocol *bpp);
|
|
static void ssh1_bpp_queue_disconnect(BinaryPacketProtocol *bpp,
|
|
const char *msg, int category);
|
|
static PktOut *ssh1_bpp_new_pktout(int type);
|
|
|
|
static const struct BinaryPacketProtocolVtable ssh1_bpp_vtable = {
|
|
ssh1_bpp_free,
|
|
ssh1_bpp_handle_input,
|
|
ssh1_bpp_handle_output,
|
|
ssh1_bpp_new_pktout,
|
|
ssh1_bpp_queue_disconnect,
|
|
};
|
|
|
|
BinaryPacketProtocol *ssh1_bpp_new(LogContext *logctx)
|
|
{
|
|
struct ssh1_bpp_state *s = snew(struct ssh1_bpp_state);
|
|
memset(s, 0, sizeof(*s));
|
|
s->bpp.vt = &ssh1_bpp_vtable;
|
|
s->bpp.logctx = logctx;
|
|
ssh_bpp_common_setup(&s->bpp);
|
|
return &s->bpp;
|
|
}
|
|
|
|
static void ssh1_bpp_free(BinaryPacketProtocol *bpp)
|
|
{
|
|
struct ssh1_bpp_state *s = container_of(bpp, struct ssh1_bpp_state, bpp);
|
|
if (s->cipher)
|
|
ssh1_cipher_free(s->cipher);
|
|
if (s->compctx)
|
|
ssh_compressor_free(s->compctx);
|
|
if (s->decompctx)
|
|
ssh_decompressor_free(s->decompctx);
|
|
if (s->crcda_ctx)
|
|
crcda_free_context(s->crcda_ctx);
|
|
sfree(s->pktin);
|
|
sfree(s);
|
|
}
|
|
|
|
void ssh1_bpp_new_cipher(BinaryPacketProtocol *bpp,
|
|
const ssh1_cipheralg *cipher,
|
|
const void *session_key)
|
|
{
|
|
struct ssh1_bpp_state *s;
|
|
assert(bpp->vt == &ssh1_bpp_vtable);
|
|
s = container_of(bpp, struct ssh1_bpp_state, bpp);
|
|
|
|
assert(!s->cipher);
|
|
|
|
if (cipher) {
|
|
s->cipher = ssh1_cipher_new(cipher);
|
|
ssh1_cipher_sesskey(s->cipher, session_key);
|
|
|
|
assert(!s->crcda_ctx);
|
|
s->crcda_ctx = crcda_make_context();
|
|
|
|
bpp_logevent("Initialised %s encryption", cipher->text_name);
|
|
}
|
|
}
|
|
|
|
void ssh1_bpp_start_compression(BinaryPacketProtocol *bpp)
|
|
{
|
|
struct ssh1_bpp_state *s;
|
|
assert(bpp->vt == &ssh1_bpp_vtable);
|
|
s = container_of(bpp, struct ssh1_bpp_state, bpp);
|
|
|
|
assert(!s->compctx);
|
|
assert(!s->decompctx);
|
|
|
|
s->compctx = ssh_compressor_new(&ssh_zlib);
|
|
s->decompctx = ssh_decompressor_new(&ssh_zlib);
|
|
|
|
bpp_logevent("Started zlib (RFC1950) compression");
|
|
}
|
|
|
|
#define BPP_READ(ptr, len) do \
|
|
{ \
|
|
bool success; \
|
|
crMaybeWaitUntilV((success = bufchain_try_fetch_consume( \
|
|
s->bpp.in_raw, ptr, len)) || \
|
|
s->bpp.input_eof); \
|
|
if (!success) \
|
|
goto eof; \
|
|
} while (0)
|
|
|
|
static void ssh1_bpp_handle_input(BinaryPacketProtocol *bpp)
|
|
{
|
|
struct ssh1_bpp_state *s = container_of(bpp, struct ssh1_bpp_state, bpp);
|
|
|
|
crBegin(s->crState);
|
|
|
|
while (1) {
|
|
s->maxlen = 0;
|
|
s->length = 0;
|
|
|
|
{
|
|
unsigned char lenbuf[4];
|
|
BPP_READ(lenbuf, 4);
|
|
s->len = toint(GET_32BIT_MSB_FIRST(lenbuf));
|
|
}
|
|
|
|
if (s->len < 0 || s->len > 262144) { /* SSH1.5-mandated max size */
|
|
ssh_sw_abort(s->bpp.ssh,
|
|
"Extremely large packet length from remote suggests"
|
|
" data stream corruption");
|
|
crStopV;
|
|
}
|
|
|
|
s->pad = 8 - (s->len % 8);
|
|
s->biglen = s->len + s->pad;
|
|
s->length = s->len - 5;
|
|
|
|
/*
|
|
* Allocate the packet to return, now we know its length.
|
|
*/
|
|
s->pktin = snew_plus(PktIn, s->biglen);
|
|
s->pktin->qnode.prev = s->pktin->qnode.next = NULL;
|
|
s->pktin->qnode.on_free_queue = false;
|
|
s->pktin->type = 0;
|
|
|
|
s->maxlen = s->biglen;
|
|
s->data = snew_plus_get_aux(s->pktin);
|
|
|
|
BPP_READ(s->data, s->biglen);
|
|
|
|
if (s->cipher && detect_attack(s->crcda_ctx,
|
|
s->data, s->biglen, NULL)) {
|
|
ssh_sw_abort(s->bpp.ssh,
|
|
"Network attack (CRC compensation) detected!");
|
|
crStopV;
|
|
}
|
|
|
|
if (s->cipher)
|
|
ssh1_cipher_decrypt(s->cipher, s->data, s->biglen);
|
|
|
|
s->realcrc = crc32_ssh1(make_ptrlen(s->data, s->biglen - 4));
|
|
s->gotcrc = GET_32BIT(s->data + s->biglen - 4);
|
|
if (s->gotcrc != s->realcrc) {
|
|
ssh_sw_abort(s->bpp.ssh, "Incorrect CRC received on packet");
|
|
crStopV;
|
|
}
|
|
|
|
if (s->decompctx) {
|
|
unsigned char *decompblk;
|
|
int decomplen;
|
|
if (!ssh_decompressor_decompress(
|
|
s->decompctx, s->data + s->pad, s->length + 1,
|
|
&decompblk, &decomplen)) {
|
|
ssh_sw_abort(s->bpp.ssh,
|
|
"Zlib decompression encountered invalid data");
|
|
crStopV;
|
|
}
|
|
|
|
if (s->maxlen < s->pad + decomplen) {
|
|
PktIn *old_pktin = s->pktin;
|
|
|
|
s->maxlen = s->pad + decomplen;
|
|
s->pktin = snew_plus(PktIn, s->maxlen);
|
|
*s->pktin = *old_pktin; /* structure copy */
|
|
s->data = snew_plus_get_aux(s->pktin);
|
|
|
|
smemclr(old_pktin, s->biglen);
|
|
sfree(old_pktin);
|
|
}
|
|
|
|
memcpy(s->data + s->pad, decompblk, decomplen);
|
|
sfree(decompblk);
|
|
s->length = decomplen - 1;
|
|
}
|
|
|
|
/*
|
|
* Now we can find the bounds of the semantic content of the
|
|
* packet, and the initial type byte.
|
|
*/
|
|
s->data += s->pad;
|
|
s->pktin->type = *s->data++;
|
|
BinarySource_INIT(s->pktin, s->data, s->length);
|
|
|
|
if (s->bpp.logctx) {
|
|
logblank_t blanks[MAX_BLANKS];
|
|
int nblanks = ssh1_censor_packet(
|
|
s->bpp.pls, s->pktin->type, false,
|
|
make_ptrlen(s->data, s->length), blanks);
|
|
log_packet(s->bpp.logctx, PKT_INCOMING, s->pktin->type,
|
|
ssh1_pkt_type(s->pktin->type),
|
|
get_ptr(s->pktin), get_avail(s->pktin), nblanks, blanks,
|
|
NULL, 0, NULL);
|
|
}
|
|
|
|
pq_push(&s->bpp.in_pq, s->pktin);
|
|
|
|
{
|
|
int type = s->pktin->type;
|
|
s->pktin = NULL;
|
|
|
|
switch (type) {
|
|
case SSH1_SMSG_SUCCESS:
|
|
case SSH1_SMSG_FAILURE:
|
|
if (s->pending_compression_request) {
|
|
/*
|
|
* This is the response to
|
|
* SSH1_CMSG_REQUEST_COMPRESSION.
|
|
*/
|
|
if (type == SSH1_SMSG_SUCCESS) {
|
|
/*
|
|
* If the response was positive, start
|
|
* compression.
|
|
*/
|
|
ssh1_bpp_start_compression(&s->bpp);
|
|
}
|
|
|
|
/*
|
|
* Either way, cancel the pending flag, and
|
|
* schedule a run of our output side in case we
|
|
* had any packets queued up in the meantime.
|
|
*/
|
|
s->pending_compression_request = false;
|
|
queue_idempotent_callback(&s->bpp.ic_out_pq);
|
|
}
|
|
break;
|
|
}
|
|
}
|
|
}
|
|
|
|
eof:
|
|
if (!s->bpp.expect_close) {
|
|
ssh_remote_error(s->bpp.ssh,
|
|
"Remote side unexpectedly closed network connection");
|
|
} else {
|
|
ssh_remote_eof(s->bpp.ssh, "Remote side closed network connection");
|
|
}
|
|
return; /* avoid touching s now it's been freed */
|
|
|
|
crFinishV;
|
|
}
|
|
|
|
static PktOut *ssh1_bpp_new_pktout(int pkt_type)
|
|
{
|
|
PktOut *pkt = ssh_new_packet();
|
|
pkt->length = 4 + 8; /* space for length + max padding */
|
|
put_byte(pkt, pkt_type);
|
|
pkt->prefix = pkt->length;
|
|
pkt->type = pkt_type;
|
|
pkt->downstream_id = 0;
|
|
pkt->additional_log_text = NULL;
|
|
return pkt;
|
|
}
|
|
|
|
static void ssh1_bpp_format_packet(struct ssh1_bpp_state *s, PktOut *pkt)
|
|
{
|
|
int pad, biglen, i, pktoffs;
|
|
uint32_t crc;
|
|
int len;
|
|
|
|
if (s->bpp.logctx) {
|
|
ptrlen pktdata = make_ptrlen(pkt->data + pkt->prefix,
|
|
pkt->length - pkt->prefix);
|
|
logblank_t blanks[MAX_BLANKS];
|
|
int nblanks = ssh1_censor_packet(
|
|
s->bpp.pls, pkt->type, true, pktdata, blanks);
|
|
log_packet(s->bpp.logctx, PKT_OUTGOING, pkt->type,
|
|
ssh1_pkt_type(pkt->type),
|
|
pktdata.ptr, pktdata.len, nblanks, blanks,
|
|
NULL, 0, NULL);
|
|
}
|
|
|
|
if (s->compctx) {
|
|
unsigned char *compblk;
|
|
int complen;
|
|
ssh_compressor_compress(s->compctx, pkt->data + 12, pkt->length - 12,
|
|
&compblk, &complen, 0);
|
|
/* Replace the uncompressed packet data with the compressed
|
|
* version. */
|
|
pkt->length = 12;
|
|
put_data(pkt, compblk, complen);
|
|
sfree(compblk);
|
|
}
|
|
|
|
put_uint32(pkt, 0); /* space for CRC */
|
|
len = pkt->length - 4 - 8; /* len(type+data+CRC) */
|
|
pad = 8 - (len % 8);
|
|
pktoffs = 8 - pad;
|
|
biglen = len + pad; /* len(padding+type+data+CRC) */
|
|
|
|
for (i = pktoffs; i < 4+8; i++)
|
|
pkt->data[i] = random_byte();
|
|
crc = crc32_ssh1(
|
|
make_ptrlen(pkt->data + pktoffs + 4, biglen - 4)); /* all ex len */
|
|
PUT_32BIT(pkt->data + pktoffs + 4 + biglen - 4, crc);
|
|
PUT_32BIT(pkt->data + pktoffs, len);
|
|
|
|
if (s->cipher)
|
|
ssh1_cipher_encrypt(s->cipher, pkt->data + pktoffs + 4, biglen);
|
|
|
|
bufchain_add(s->bpp.out_raw, pkt->data + pktoffs,
|
|
biglen + 4); /* len(length+padding+type+data+CRC) */
|
|
}
|
|
|
|
static void ssh1_bpp_handle_output(BinaryPacketProtocol *bpp)
|
|
{
|
|
struct ssh1_bpp_state *s = container_of(bpp, struct ssh1_bpp_state, bpp);
|
|
PktOut *pkt;
|
|
|
|
if (s->pending_compression_request) {
|
|
/*
|
|
* Don't send any output packets while we're awaiting a
|
|
* response to SSH1_CMSG_REQUEST_COMPRESSION, because if they
|
|
* cross over in transit with the responding SSH1_CMSG_SUCCESS
|
|
* then the other end could decode them with the wrong
|
|
* compression settings.
|
|
*/
|
|
return;
|
|
}
|
|
|
|
while ((pkt = pq_pop(&s->bpp.out_pq)) != NULL) {
|
|
int type = pkt->type;
|
|
ssh1_bpp_format_packet(s, pkt);
|
|
ssh_free_pktout(pkt);
|
|
|
|
if (type == SSH1_CMSG_REQUEST_COMPRESSION) {
|
|
/*
|
|
* When we see the actual compression request go past, set
|
|
* the pending flag, and stop processing packets this
|
|
* time.
|
|
*/
|
|
s->pending_compression_request = true;
|
|
break;
|
|
}
|
|
}
|
|
}
|
|
|
|
static void ssh1_bpp_queue_disconnect(BinaryPacketProtocol *bpp,
|
|
const char *msg, int category)
|
|
{
|
|
PktOut *pkt = ssh_bpp_new_pktout(bpp, SSH1_MSG_DISCONNECT);
|
|
put_stringz(pkt, msg);
|
|
pq_push(&bpp->out_pq, pkt);
|
|
}
|