1
0
mirror of https://git.tartarus.org/simon/putty.git synced 2025-01-09 17:38:00 +00:00
putty-source/ssh/transport2.h
Simon Tatham dc875ca0dc Make rekeys work when KEXINIT filtering is enabled.
I only realised this bug while writing up the feature for the
wishlist:

It's one thing _at connection startup_ to delay sending your KEXINIT
until the server has sent its: the server is very likely to send it
anyway (unless it's attempting the same workaround against us), so
probably nothing goes wrong.

But if we want to initiate a rekey, we do that _by_ sending a KEXINIT.
In that situation we can't just wait until the server sends one,
because it has no idea it's supposed to be doing so!

Happily, in that situation, we already have a KEXINIT from the server,
left over from the previous key exchange. So we can filter against
that, and still have the intended effect of not spending KEXINIT space
on algorithms the server doesn't know about.
2022-09-10 10:15:27 +01:00

262 lines
8.9 KiB
C

/*
* Header connecting the pieces of the SSH-2 transport layer.
*/
#ifndef PUTTY_SSH2TRANSPORT_H
#define PUTTY_SSH2TRANSPORT_H
#ifndef NO_GSSAPI
#include "gssc.h"
#include "gss.h"
#define MIN_CTXT_LIFETIME 5 /* Avoid rekey with short lifetime (seconds) */
#define GSS_KEX_CAPABLE (1<<0) /* Can do GSS KEX */
#define GSS_CRED_UPDATED (1<<1) /* Cred updated since previous delegation */
#define GSS_CTXT_EXPIRES (1<<2) /* Context expires before next timer */
#define GSS_CTXT_MAYFAIL (1<<3) /* Context may expire during handshake */
#endif
#define DH_MIN_SIZE 1024
#define DH_MAX_SIZE 8192
struct kexinit_algorithm {
ptrlen name;
union {
struct {
const ssh_kex *kex;
bool warn;
} kex;
struct {
const ssh_keyalg *hostkey;
unsigned hkflags;
bool warn;
} hk;
struct {
const ssh_cipheralg *cipher;
bool warn;
} cipher;
struct {
const ssh2_macalg *mac;
bool etm;
} mac;
struct {
const ssh_compression_alg *comp;
bool delayed;
} comp;
} u;
};
struct kexinit_algorithm_list {
struct kexinit_algorithm *algs;
size_t nalgs, algsize;
};
#define HOSTKEY_ALGORITHMS(X) \
X(HK_ED25519, ssh_ecdsa_ed25519) \
X(HK_ED448, ssh_ecdsa_ed448) \
X(HK_ECDSA, ssh_ecdsa_nistp256) \
X(HK_ECDSA, ssh_ecdsa_nistp384) \
X(HK_ECDSA, ssh_ecdsa_nistp521) \
X(HK_DSA, ssh_dsa) \
X(HK_RSA, ssh_rsa_sha512) \
X(HK_RSA, ssh_rsa_sha256) \
X(HK_RSA, ssh_rsa) \
X(HK_ED25519, opensshcert_ssh_ecdsa_ed25519) \
/* OpenSSH defines no certified version of Ed448 */ \
X(HK_ECDSA, opensshcert_ssh_ecdsa_nistp256) \
X(HK_ECDSA, opensshcert_ssh_ecdsa_nistp384) \
X(HK_ECDSA, opensshcert_ssh_ecdsa_nistp521) \
X(HK_DSA, opensshcert_ssh_dsa) \
X(HK_RSA, opensshcert_ssh_rsa_sha512) \
X(HK_RSA, opensshcert_ssh_rsa_sha256) \
X(HK_RSA, opensshcert_ssh_rsa) \
/* end of list */
#define COUNT_HOSTKEY_ALGORITHM(type, alg) +1
#define N_HOSTKEY_ALGORITHMS (0 HOSTKEY_ALGORITHMS(COUNT_HOSTKEY_ALGORITHM))
struct ssh_signkey_with_user_pref_id {
const ssh_keyalg *alg;
int id;
};
extern const struct ssh_signkey_with_user_pref_id
ssh2_hostkey_algs[N_HOSTKEY_ALGORITHMS];
/*
* Enumeration of high-level classes of reason why we might need to do
* a repeat key exchange. A full detailed reason in human-readable
* string form for the Event Log is also provided, but this enum type
* is used to discriminate between classes of reason that the code
* needs to treat differently.
*
* RK_NONE == 0 is the value indicating that no rekey is currently
* needed at all. RK_INITIAL indicates that we haven't even done the
* _first_ key exchange yet. RK_SERVER indicates that we're rekeying
* because the server asked for it, not because we decided it
* ourselves. RK_NORMAL is the usual case. RK_GSS_UPDATE indicates
* that we're rekeying because we've just got new GSSAPI credentials
* (hence there's no point in doing a preliminary check for new GSS
* creds, because we already know the answer); RK_POST_USERAUTH
* indicates that _if_ we're going to need a post-userauth immediate
* rekey for any reason, this is the moment to do it.
*
* So RK_POST_USERAUTH only tells the transport layer to _consider_
* rekeying, not to definitely do it. Also, that one enum value is
* special in that the user-readable reason text is passed in to the
* transport layer as NULL, whereas fills in the reason text after it
* decides whether it needs a rekey at all. In the other cases,
* rekey_reason is passed in to the at the same time as rekey_class.
*/
typedef enum RekeyClass {
RK_NONE = 0,
RK_INITIAL,
RK_SERVER,
RK_NORMAL,
RK_POST_USERAUTH,
RK_GSS_UPDATE
} RekeyClass;
typedef struct transport_direction {
const ssh_cipheralg *cipher;
const ssh2_macalg *mac;
bool etm_mode;
const ssh_compression_alg *comp;
bool comp_delayed;
int mkkey_adjust;
} transport_direction;
struct ssh2_transport_state {
int crState, crStateKex;
PacketProtocolLayer *higher_layer;
PktInQueue pq_in_higher;
PktOutQueue pq_out_higher;
IdempotentCallback ic_pq_out_higher;
Conf *conf;
char *savedhost;
int savedport;
const char *rekey_reason;
enum RekeyClass rekey_class;
unsigned long max_data_size;
const ssh_kex *kex_alg;
const ssh_keyalg *hostkey_alg;
unsigned char session_id[MAX_HASH_LEN];
int session_id_len;
int dh_min_size, dh_max_size;
bool dh_got_size_bounds;
dh_ctx *dh_ctx;
ssh_hash *exhash;
struct DataTransferStats *stats;
const SshServerConfig *ssc;
char *client_greeting, *server_greeting;
bool kex_in_progress, kexinit_delayed;
unsigned long next_rekey, last_rekey;
const char *deferred_rekey_reason;
bool higher_layer_ok;
/*
* Fully qualified host name, which we need if doing GSSAPI.
*/
char *fullhostname;
/* shgss is outside the ifdef on purpose to keep APIs simple. If
* NO_GSSAPI is not defined, then it's just an opaque structure
* tag and the pointer will be NULL. */
struct ssh_connection_shared_gss_state *shgss;
#ifndef NO_GSSAPI
int gss_status;
time_t gss_cred_expiry; /* Re-delegate if newer */
unsigned long gss_ctxt_lifetime; /* Re-delegate when short */
#endif
ssh_transient_hostkey_cache *thc;
bool gss_kex_used;
tree234 *host_cas;
int nbits, pbits;
bool warn_kex, warn_hk, warn_cscipher, warn_sccipher;
mp_int *p, *g, *e, *f;
strbuf *ebuf, *fbuf;
strbuf *kex_shared_secret;
strbuf *outgoing_kexinit, *incoming_kexinit;
strbuf *client_kexinit, *server_kexinit; /* aliases to the above */
int kex_init_value, kex_reply_value;
transport_direction in, out, *cstrans, *sctrans;
ptrlen hostkeydata, sigdata;
strbuf *hostkeyblob; /* used in server to construct host key to
* send to client; in client to check in rekeys */
char *keystr;
ssh_key *hkey; /* actual host key */
unsigned hkflags; /* signing flags, used in server */
RSAKey *rsa_kex_key; /* for RSA kex */
bool rsa_kex_key_needs_freeing;
ecdh_key *ecdh_key; /* for ECDH kex */
unsigned char exchange_hash[MAX_HASH_LEN];
bool can_gssapi_keyex;
bool need_gss_transient_hostkey;
bool warned_about_no_gss_transient_hostkey;
bool got_session_id;
bool can_send_ext_info, post_newkeys_ext_info;
SeatPromptResult spr;
bool guessok;
bool ignorepkt;
struct kexinit_algorithm_list kexlists[NKEXLIST];
#ifndef NO_GSSAPI
Ssh_gss_buf gss_buf;
Ssh_gss_buf gss_rcvtok, gss_sndtok;
Ssh_gss_stat gss_stat;
Ssh_gss_buf mic;
bool init_token_sent;
bool complete_rcvd;
bool gss_delegate;
#endif
/* List of crypto primitives below the warning threshold that the
* user has already clicked OK to, so that we don't keep asking
* about them again during rekeys. This directly stores pointers
* to the algorithm vtables, compared by pointer value (which is
* not a determinism hazard, because we're only using it as a
* set). */
tree234 *weak_algorithms_consented_to;
/*
* List of host key algorithms for which we _don't_ have a stored
* host key. These are indices into the main hostkey_algs[] array
*/
int uncert_hostkeys[N_HOSTKEY_ALGORITHMS];
int n_uncert_hostkeys;
/*
* Indicate that the current rekey is intended to finish with a
* newly cross-certified host key. To double-check that we
* certified the right one, we set this to point to the host key
* algorithm we expect it to be.
*/
const ssh_keyalg *cross_certifying;
ssh_key *const *hostkeys;
int nhostkeys;
PacketProtocolLayer ppl;
};
/* Helpers shared between transport and kex */
PktIn *ssh2_transport_pop(struct ssh2_transport_state *s);
void ssh2_transport_dialog_callback(void *, SeatPromptResult);
/* Provided by transport for use in kex */
void ssh2transport_finalise_exhash(struct ssh2_transport_state *s);
/* Provided by kex for use in transport. Must set the 'aborted' flag
* if it throws a connection-terminating error, so that the caller
* won't have to check that by looking inside its state parameter
* which might already have been freed. */
void ssh2kex_coroutine(struct ssh2_transport_state *s, bool *aborted);
#endif /* PUTTY_SSH2TRANSPORT_H */