mirror of
https://git.tartarus.org/simon/putty.git
synced 2025-01-09 01:18:00 +00:00
0b00e4ce26
If the KEXINIT exchange results in a vulnerable cipher mode, we now give a warning, similar to the 'we selected a crypto primitive below the warning threshold' one. But there's nothing we can do about it at that point other than let the user abort the connection.
268 lines
9.1 KiB
C
268 lines
9.1 KiB
C
/*
|
|
* Header connecting the pieces of the SSH-2 transport layer.
|
|
*/
|
|
|
|
#ifndef PUTTY_SSH2TRANSPORT_H
|
|
#define PUTTY_SSH2TRANSPORT_H
|
|
|
|
#ifndef NO_GSSAPI
|
|
#include "gssc.h"
|
|
#include "gss.h"
|
|
#define MIN_CTXT_LIFETIME 5 /* Avoid rekey with short lifetime (seconds) */
|
|
#define GSS_KEX_CAPABLE (1<<0) /* Can do GSS KEX */
|
|
#define GSS_CRED_UPDATED (1<<1) /* Cred updated since previous delegation */
|
|
#define GSS_CTXT_EXPIRES (1<<2) /* Context expires before next timer */
|
|
#define GSS_CTXT_MAYFAIL (1<<3) /* Context may expire during handshake */
|
|
#endif
|
|
|
|
#define DH_MIN_SIZE 1024
|
|
#define DH_MAX_SIZE 8192
|
|
|
|
struct kexinit_algorithm {
|
|
ptrlen name;
|
|
union {
|
|
struct {
|
|
const ssh_kex *kex;
|
|
bool warn;
|
|
} kex;
|
|
struct {
|
|
const ssh_keyalg *hostkey;
|
|
unsigned hkflags;
|
|
bool warn;
|
|
} hk;
|
|
struct {
|
|
const ssh_cipheralg *cipher;
|
|
bool warn;
|
|
} cipher;
|
|
struct {
|
|
const ssh2_macalg *mac;
|
|
bool etm;
|
|
} mac;
|
|
struct {
|
|
const ssh_compression_alg *comp;
|
|
bool delayed;
|
|
} comp;
|
|
} u;
|
|
};
|
|
struct kexinit_algorithm_list {
|
|
struct kexinit_algorithm *algs;
|
|
size_t nalgs, algsize;
|
|
};
|
|
|
|
#define HOSTKEY_ALGORITHMS(X) \
|
|
X(HK_ED25519, ssh_ecdsa_ed25519) \
|
|
X(HK_ED448, ssh_ecdsa_ed448) \
|
|
X(HK_ECDSA, ssh_ecdsa_nistp256) \
|
|
X(HK_ECDSA, ssh_ecdsa_nistp384) \
|
|
X(HK_ECDSA, ssh_ecdsa_nistp521) \
|
|
X(HK_DSA, ssh_dsa) \
|
|
X(HK_RSA, ssh_rsa_sha512) \
|
|
X(HK_RSA, ssh_rsa_sha256) \
|
|
X(HK_RSA, ssh_rsa) \
|
|
X(HK_ED25519, opensshcert_ssh_ecdsa_ed25519) \
|
|
/* OpenSSH defines no certified version of Ed448 */ \
|
|
X(HK_ECDSA, opensshcert_ssh_ecdsa_nistp256) \
|
|
X(HK_ECDSA, opensshcert_ssh_ecdsa_nistp384) \
|
|
X(HK_ECDSA, opensshcert_ssh_ecdsa_nistp521) \
|
|
X(HK_DSA, opensshcert_ssh_dsa) \
|
|
X(HK_RSA, opensshcert_ssh_rsa_sha512) \
|
|
X(HK_RSA, opensshcert_ssh_rsa_sha256) \
|
|
X(HK_RSA, opensshcert_ssh_rsa) \
|
|
/* end of list */
|
|
#define COUNT_HOSTKEY_ALGORITHM(type, alg) +1
|
|
#define N_HOSTKEY_ALGORITHMS (0 HOSTKEY_ALGORITHMS(COUNT_HOSTKEY_ALGORITHM))
|
|
|
|
struct ssh_signkey_with_user_pref_id {
|
|
const ssh_keyalg *alg;
|
|
int id;
|
|
};
|
|
extern const struct ssh_signkey_with_user_pref_id
|
|
ssh2_hostkey_algs[N_HOSTKEY_ALGORITHMS];
|
|
|
|
/*
|
|
* Enumeration of high-level classes of reason why we might need to do
|
|
* a repeat key exchange. A full detailed reason in human-readable
|
|
* string form for the Event Log is also provided, but this enum type
|
|
* is used to discriminate between classes of reason that the code
|
|
* needs to treat differently.
|
|
*
|
|
* RK_NONE == 0 is the value indicating that no rekey is currently
|
|
* needed at all. RK_INITIAL indicates that we haven't even done the
|
|
* _first_ key exchange yet. RK_SERVER indicates that we're rekeying
|
|
* because the server asked for it, not because we decided it
|
|
* ourselves. RK_NORMAL is the usual case. RK_GSS_UPDATE indicates
|
|
* that we're rekeying because we've just got new GSSAPI credentials
|
|
* (hence there's no point in doing a preliminary check for new GSS
|
|
* creds, because we already know the answer); RK_POST_USERAUTH
|
|
* indicates that _if_ we're going to need a post-userauth immediate
|
|
* rekey for any reason, this is the moment to do it.
|
|
*
|
|
* So RK_POST_USERAUTH only tells the transport layer to _consider_
|
|
* rekeying, not to definitely do it. Also, that one enum value is
|
|
* special in that the user-readable reason text is passed in to the
|
|
* transport layer as NULL, whereas fills in the reason text after it
|
|
* decides whether it needs a rekey at all. In the other cases,
|
|
* rekey_reason is passed in to the at the same time as rekey_class.
|
|
*/
|
|
typedef enum RekeyClass {
|
|
RK_NONE = 0,
|
|
RK_INITIAL,
|
|
RK_SERVER,
|
|
RK_NORMAL,
|
|
RK_POST_USERAUTH,
|
|
RK_GSS_UPDATE
|
|
} RekeyClass;
|
|
|
|
typedef struct transport_direction {
|
|
const ssh_cipheralg *cipher;
|
|
const ssh2_macalg *mac;
|
|
bool etm_mode;
|
|
const ssh_compression_alg *comp;
|
|
bool comp_delayed;
|
|
int mkkey_adjust;
|
|
} transport_direction;
|
|
|
|
struct ssh2_transport_state {
|
|
int crState, crStateKex;
|
|
|
|
PacketProtocolLayer *higher_layer;
|
|
PktInQueue pq_in_higher;
|
|
PktOutQueue pq_out_higher;
|
|
IdempotentCallback ic_pq_out_higher;
|
|
|
|
Conf *conf;
|
|
char *savedhost;
|
|
int savedport;
|
|
const char *rekey_reason;
|
|
enum RekeyClass rekey_class;
|
|
|
|
unsigned long max_data_size;
|
|
|
|
const ssh_kex *kex_alg;
|
|
const ssh_keyalg *hostkey_alg;
|
|
unsigned char session_id[MAX_HASH_LEN];
|
|
int session_id_len;
|
|
int dh_min_size, dh_max_size;
|
|
bool dh_got_size_bounds;
|
|
dh_ctx *dh_ctx;
|
|
ssh_hash *exhash;
|
|
|
|
struct DataTransferStats *stats;
|
|
|
|
const SshServerConfig *ssc;
|
|
|
|
char *client_greeting, *server_greeting;
|
|
|
|
bool kex_in_progress, kexinit_delayed;
|
|
unsigned long next_rekey, last_rekey;
|
|
const char *deferred_rekey_reason;
|
|
bool higher_layer_ok;
|
|
|
|
/*
|
|
* Fully qualified host name, which we need if doing GSSAPI.
|
|
*/
|
|
char *fullhostname;
|
|
|
|
/* shgss is outside the ifdef on purpose to keep APIs simple. If
|
|
* NO_GSSAPI is not defined, then it's just an opaque structure
|
|
* tag and the pointer will be NULL. */
|
|
struct ssh_connection_shared_gss_state *shgss;
|
|
#ifndef NO_GSSAPI
|
|
int gss_status;
|
|
time_t gss_cred_expiry; /* Re-delegate if newer */
|
|
unsigned long gss_ctxt_lifetime; /* Re-delegate when short */
|
|
#endif
|
|
ssh_transient_hostkey_cache *thc;
|
|
|
|
bool gss_kex_used;
|
|
|
|
tree234 *host_cas;
|
|
|
|
int nbits, pbits;
|
|
bool warn_kex, warn_hk, warn_cscipher, warn_sccipher;
|
|
struct {
|
|
const char *csvuln, *scvuln;
|
|
WeakCryptoReason wcr;
|
|
} terrapin;
|
|
mp_int *p, *g, *e, *f;
|
|
strbuf *ebuf, *fbuf;
|
|
strbuf *kex_shared_secret;
|
|
strbuf *outgoing_kexinit, *incoming_kexinit;
|
|
strbuf *client_kexinit, *server_kexinit; /* aliases to the above */
|
|
int kex_init_value, kex_reply_value;
|
|
transport_direction in, out, *cstrans, *sctrans;
|
|
ptrlen hostkeydata, sigdata;
|
|
strbuf *hostkeyblob; /* used in server to construct host key to
|
|
* send to client; in client to check in rekeys */
|
|
char *keystr;
|
|
ssh_key *hkey; /* actual host key */
|
|
unsigned hkflags; /* signing flags, used in server */
|
|
RSAKey *rsa_kex_key; /* for RSA kex */
|
|
bool rsa_kex_key_needs_freeing;
|
|
ecdh_key *ecdh_key; /* for ECDH kex */
|
|
unsigned char exchange_hash[MAX_HASH_LEN];
|
|
bool can_gssapi_keyex;
|
|
bool need_gss_transient_hostkey;
|
|
bool warned_about_no_gss_transient_hostkey;
|
|
bool got_session_id;
|
|
bool can_send_ext_info, post_newkeys_ext_info;
|
|
bool strict_kex, enabled_outgoing_crypto, enabled_incoming_crypto;
|
|
bool seen_non_kexinit;
|
|
SeatPromptResult spr;
|
|
bool guessok;
|
|
bool ignorepkt;
|
|
struct kexinit_algorithm_list kexlists[NKEXLIST];
|
|
#ifndef NO_GSSAPI
|
|
Ssh_gss_buf gss_buf;
|
|
Ssh_gss_buf gss_rcvtok, gss_sndtok;
|
|
Ssh_gss_stat gss_stat;
|
|
Ssh_gss_buf mic;
|
|
bool init_token_sent;
|
|
bool complete_rcvd;
|
|
bool gss_delegate;
|
|
#endif
|
|
|
|
/* List of crypto primitives below the warning threshold that the
|
|
* user has already clicked OK to, so that we don't keep asking
|
|
* about them again during rekeys. This directly stores pointers
|
|
* to the algorithm vtables, compared by pointer value (which is
|
|
* not a determinism hazard, because we're only using it as a
|
|
* set). */
|
|
tree234 *weak_algorithms_consented_to;
|
|
|
|
/*
|
|
* List of host key algorithms for which we _don't_ have a stored
|
|
* host key. These are indices into the main hostkey_algs[] array
|
|
*/
|
|
int uncert_hostkeys[N_HOSTKEY_ALGORITHMS];
|
|
int n_uncert_hostkeys;
|
|
|
|
/*
|
|
* Indicate that the current rekey is intended to finish with a
|
|
* newly cross-certified host key. To double-check that we
|
|
* certified the right one, we set this to point to the host key
|
|
* algorithm we expect it to be.
|
|
*/
|
|
const ssh_keyalg *cross_certifying;
|
|
|
|
ssh_key *const *hostkeys;
|
|
int nhostkeys;
|
|
|
|
PacketProtocolLayer ppl;
|
|
};
|
|
|
|
/* Helpers shared between transport and kex */
|
|
PktIn *ssh2_transport_pop(struct ssh2_transport_state *s);
|
|
void ssh2_transport_dialog_callback(void *, SeatPromptResult);
|
|
|
|
/* Provided by transport for use in kex */
|
|
void ssh2transport_finalise_exhash(struct ssh2_transport_state *s);
|
|
|
|
/* Provided by kex for use in transport. Must set the 'aborted' flag
|
|
* if it throws a connection-terminating error, so that the caller
|
|
* won't have to check that by looking inside its state parameter
|
|
* which might already have been freed. */
|
|
void ssh2kex_coroutine(struct ssh2_transport_state *s, bool *aborted);
|
|
|
|
#endif /* PUTTY_SSH2TRANSPORT_H */
|