| blob | 56528ebf71da06894cd910a127f663e3ca55cfea |
1 #include <stdio.h>\r
2 #include <string.h>\r
3 \r
4 #include "puttymem.h"\r
5 #include "tree234.h"\r
6 #include "network.h"\r
7 #include "misc.h"\r
8 \r
9 struct ssh_channel;\r
10 \r
11 /*\r
12 * Buffer management constants. There are several of these for\r
13 * various different purposes:\r
14 *\r
15 * - SSH1_BUFFER_LIMIT is the amount of backlog that must build up\r
16 * on a local data stream before we throttle the whole SSH\r
17 * connection (in SSH-1 only). Throttling the whole connection is\r
18 * pretty drastic so we set this high in the hope it won't\r
19 * happen very often.\r
20 *\r
21 * - SSH_MAX_BACKLOG is the amount of backlog that must build up\r
22 * on the SSH connection itself before we defensively throttle\r
23 * _all_ local data streams. This is pretty drastic too (though\r
24 * thankfully unlikely in SSH-2 since the window mechanism should\r
25 * ensure that the server never has any need to throttle its end\r
26 * of the connection), so we set this high as well.\r
27 *\r
28 * - OUR_V2_WINSIZE is the default window size we present on SSH-2\r
29 * channels.\r
30 *\r
31 * - OUR_V2_BIGWIN is the window size we advertise for the only\r
32 * channel in a simple connection. It must be <= INT_MAX.\r
33 *\r
34 * - OUR_V2_MAXPKT is the official "maximum packet size" we send\r
35 * to the remote side. This actually has nothing to do with the\r
36 * size of the _packet_, but is instead a limit on the amount\r
37 * of data we're willing to receive in a single SSH2 channel\r
38 * data message.\r
39 *\r
40 * - OUR_V2_PACKETLIMIT is actually the maximum size of SSH\r
41 * _packet_ we're prepared to cope with. It must be a multiple\r
42 * of the cipher block size, and must be at least 35000.\r
43 */\r
44 \r
45 #define SSH1_BUFFER_LIMIT 32768\r
46 #define SSH_MAX_BACKLOG 32768\r
47 #define OUR_V2_WINSIZE 16384\r
48 #define OUR_V2_BIGWIN 0x7fffffff\r
49 #define OUR_V2_MAXPKT 0x4000UL\r
50 #define OUR_V2_PACKETLIMIT 0x9000UL\r
51 \r
52 typedef struct PacketQueueNode PacketQueueNode;\r
53 struct PacketQueueNode {\r
54 PacketQueueNode *next, *prev;\r
55 size_t formal_size; /* contribution to PacketQueueBase's total_size */\r
56 bool on_free_queue; /* is this packet scheduled for freeing? */\r
57 };\r
58 \r
59 typedef struct PktIn {\r
60 int type;\r
61 unsigned long sequence; /* SSH-2 incoming sequence number */\r
62 PacketQueueNode qnode; /* for linking this packet on to a queue */\r
63 BinarySource_IMPLEMENTATION;\r
64 } PktIn;\r
65 \r
66 typedef struct PktOut {\r
67 size_t prefix; /* bytes up to and including type field */\r
68 size_t length; /* total bytes, including prefix */\r
69 int type;\r
70 size_t minlen; /* SSH-2: ensure wire length is at least this */\r
71 unsigned char *data; /* allocated storage */\r
72 size_t maxlen; /* amount of storage allocated for `data' */\r
73 \r
74 /* Extra metadata used in SSH packet logging mode, allowing us to\r
75 * log in the packet header line that the packet came from a\r
76 * connection-sharing downstream and what if anything unusual was\r
77 * done to it. The additional_log_text field is expected to be a\r
78 * static string - it will not be freed. */\r
79 unsigned downstream_id;\r
80 const char *additional_log_text;\r
81 \r
82 PacketQueueNode qnode; /* for linking this packet on to a queue */\r
83 BinarySink_IMPLEMENTATION;\r
84 } PktOut;\r
85 \r
86 typedef struct PacketQueueBase {\r
87 PacketQueueNode end;\r
88 size_t total_size; /* sum of all formal_size fields on the queue */\r
89 struct IdempotentCallback *ic;\r
90 } PacketQueueBase;\r
91 \r
92 typedef struct PktInQueue {\r
93 PacketQueueBase pqb;\r
94 PktIn *(*after)(PacketQueueBase *, PacketQueueNode *prev, bool pop);\r
95 } PktInQueue;\r
96 \r
97 typedef struct PktOutQueue {\r
98 PacketQueueBase pqb;\r
99 PktOut *(*after)(PacketQueueBase *, PacketQueueNode *prev, bool pop);\r
100 } PktOutQueue;\r
101 \r
102 void pq_base_push(PacketQueueBase *pqb, PacketQueueNode *node);\r
103 void pq_base_push_front(PacketQueueBase *pqb, PacketQueueNode *node);\r
104 void pq_base_concatenate(PacketQueueBase *dest,\r
105 PacketQueueBase *q1, PacketQueueBase *q2);\r
106 \r
107 void pq_in_init(PktInQueue *pq);\r
108 void pq_out_init(PktOutQueue *pq);\r
109 void pq_in_clear(PktInQueue *pq);\r
110 void pq_out_clear(PktOutQueue *pq);\r
111 \r
112 #define pq_push(pq, pkt) \\r
113 TYPECHECK((pq)->after(&(pq)->pqb, NULL, false) == pkt, \\r
114 pq_base_push(&(pq)->pqb, &(pkt)->qnode))\r
115 #define pq_push_front(pq, pkt) \\r
116 TYPECHECK((pq)->after(&(pq)->pqb, NULL, false) == pkt, \\r
117 pq_base_push_front(&(pq)->pqb, &(pkt)->qnode))\r
118 #define pq_peek(pq) ((pq)->after(&(pq)->pqb, &(pq)->pqb.end, false))\r
119 #define pq_pop(pq) ((pq)->after(&(pq)->pqb, &(pq)->pqb.end, true))\r
120 #define pq_concatenate(dst, q1, q2) \\r
121 TYPECHECK((q1)->after(&(q1)->pqb, NULL, false) == \\r
122 (dst)->after(&(dst)->pqb, NULL, false) && \\r
123 (q2)->after(&(q2)->pqb, NULL, false) == \\r
124 (dst)->after(&(dst)->pqb, NULL, false), \\r
125 pq_base_concatenate(&(dst)->pqb, &(q1)->pqb, &(q2)->pqb))\r
126 \r
127 #define pq_first(pq) pq_peek(pq)\r
128 #define pq_next(pq, pkt) ((pq)->after(&(pq)->pqb, &(pkt)->qnode, false))\r
129 \r
130 /*\r
131 * Packet type contexts, so that ssh2_pkt_type can correctly decode\r
132 * the ambiguous type numbers back into the correct type strings.\r
133 */\r
134 typedef enum {\r
135 SSH2_PKTCTX_NOKEX,\r
136 SSH2_PKTCTX_DHGROUP,\r
137 SSH2_PKTCTX_DHGEX,\r
138 SSH2_PKTCTX_ECDHKEX,\r
139 SSH2_PKTCTX_GSSKEX,\r
140 SSH2_PKTCTX_RSAKEX\r
141 } Pkt_KCtx;\r
142 typedef enum {\r
143 SSH2_PKTCTX_NOAUTH,\r
144 SSH2_PKTCTX_PUBLICKEY,\r
145 SSH2_PKTCTX_PASSWORD,\r
146 SSH2_PKTCTX_GSSAPI,\r
147 SSH2_PKTCTX_KBDINTER\r
148 } Pkt_ACtx;\r
149 \r
150 typedef struct PacketLogSettings {\r
151 bool omit_passwords, omit_data;\r
152 Pkt_KCtx kctx;\r
153 Pkt_ACtx actx;\r
154 } PacketLogSettings;\r
155 \r
156 #define MAX_BLANKS 4 /* no packet needs more censored sections than this */\r
157 int ssh1_censor_packet(\r
158 const PacketLogSettings *pls, int type, bool sender_is_client,\r
159 ptrlen pkt, logblank_t *blanks);\r
160 int ssh2_censor_packet(\r
161 const PacketLogSettings *pls, int type, bool sender_is_client,\r
162 ptrlen pkt, logblank_t *blanks);\r
163 \r
164 PktOut *ssh_new_packet(void);\r
165 void ssh_free_pktout(PktOut *pkt);\r
166 \r
167 Socket *ssh_connection_sharing_init(\r
168 const char *host, int port, Conf *conf, LogContext *logctx,\r
169 Plug *sshplug, ssh_sharing_state **state);\r
170 void ssh_connshare_provide_connlayer(ssh_sharing_state *sharestate,\r
171 ConnectionLayer *cl);\r
172 bool ssh_share_test_for_upstream(const char *host, int port, Conf *conf);\r
173 void share_got_pkt_from_server(ssh_sharing_connstate *ctx, int type,\r
174 const void *pkt, int pktlen);\r
175 void share_activate(ssh_sharing_state *sharestate,\r
176 const char *server_verstring);\r
177 void sharestate_free(ssh_sharing_state *state);\r
178 int share_ndownstreams(ssh_sharing_state *state);\r
179 \r
180 void ssh_connshare_log(Ssh *ssh, int event, const char *logtext,\r
181 const char *ds_err, const char *us_err);\r
182 void share_setup_x11_channel(ssh_sharing_connstate *cs, share_channel *chan,\r
183 unsigned upstream_id, unsigned server_id,\r
184 unsigned server_currwin, unsigned server_maxpkt,\r
185 unsigned client_adjusted_window,\r
186 const char *peer_addr, int peer_port, int endian,\r
187 int protomajor, int protominor,\r
188 const void *initial_data, int initial_len);\r
189 \r
190 /* Per-application overrides for what roles we can take in connection\r
191 * sharing, regardless of user configuration (e.g. pscp will never be\r
192 * an upstream) */\r
193 extern const bool share_can_be_downstream;\r
194 extern const bool share_can_be_upstream;\r
195 \r
196 struct X11Display;\r
197 struct X11FakeAuth;\r
198 \r
199 /* Structure definition centralised here because the SSH-1 and SSH-2\r
200 * connection layers both use it. But the client module (portfwd.c)\r
201 * should not try to look inside here. */\r
202 struct ssh_rportfwd {\r
203 unsigned sport, dport;\r
204 char *shost, *dhost;\r
205 int addressfamily;\r
206 char *log_description; /* name of remote listening port, for logging */\r
207 ssh_sharing_connstate *share_ctx;\r
208 PortFwdRecord *pfr;\r
209 };\r
210 void free_rportfwd(struct ssh_rportfwd *rpf);\r
211 \r
212 typedef struct ConnectionLayerVtable ConnectionLayerVtable;\r
213 \r
214 struct ConnectionLayerVtable {\r
215 /* Allocate and free remote-to-local port forwardings, called by\r
216 * PortFwdManager or by connection sharing */\r
217 struct ssh_rportfwd *(*rportfwd_alloc)(\r
218 ConnectionLayer *cl,\r
219 const char *shost, int sport, const char *dhost, int dport,\r
220 int addressfamily, const char *log_description, PortFwdRecord *pfr,\r
221 ssh_sharing_connstate *share_ctx);\r
222 void (*rportfwd_remove)(ConnectionLayer *cl, struct ssh_rportfwd *rpf);\r
223 \r
224 /* Open a local-to-remote port forwarding channel, called by\r
225 * PortFwdManager */\r
226 SshChannel *(*lportfwd_open)(\r
227 ConnectionLayer *cl, const char *hostname, int port,\r
228 const char *description, const SocketPeerInfo *peerinfo,\r
229 Channel *chan);\r
230 \r
231 /* Initiate opening of a 'session'-type channel */\r
232 SshChannel *(*session_open)(ConnectionLayer *cl, Channel *chan);\r
233 \r
234 /* Open outgoing channels for X and agent forwarding. (Used in the\r
235 * SSH server.) */\r
236 SshChannel *(*serverside_x11_open)(ConnectionLayer *cl, Channel *chan,\r
237 const SocketPeerInfo *pi);\r
238 SshChannel *(*serverside_agent_open)(ConnectionLayer *cl, Channel *chan);\r
239 \r
240 /* Add an X11 display for ordinary X forwarding */\r
241 struct X11FakeAuth *(*add_x11_display)(\r
242 ConnectionLayer *cl, int authtype, struct X11Display *x11disp);\r
243 \r
244 /* Add and remove X11 displays for connection sharing downstreams */\r
245 struct X11FakeAuth *(*add_sharing_x11_display)(\r
246 ConnectionLayer *cl, int authtype, ssh_sharing_connstate *share_cs,\r
247 share_channel *share_chan);\r
248 void (*remove_sharing_x11_display)(\r
249 ConnectionLayer *cl, struct X11FakeAuth *auth);\r
250 \r
251 /* Pass through an outgoing SSH packet from a downstream */\r
252 void (*send_packet_from_downstream)(\r
253 ConnectionLayer *cl, unsigned id, int type,\r
254 const void *pkt, int pktlen, const char *additional_log_text);\r
255 \r
256 /* Allocate/free an upstream channel number associated with a\r
257 * sharing downstream */\r
258 unsigned (*alloc_sharing_channel)(ConnectionLayer *cl,\r
259 ssh_sharing_connstate *connstate);\r
260 void (*delete_sharing_channel)(ConnectionLayer *cl, unsigned localid);\r
261 \r
262 /* Indicate that a downstream has sent a global request with the\r
263 * want-reply flag, so that when a reply arrives it will be passed\r
264 * back to that downstrean */\r
265 void (*sharing_queue_global_request)(\r
266 ConnectionLayer *cl, ssh_sharing_connstate *connstate);\r
267 \r
268 /* Indicate that the last downstream has disconnected */\r
269 void (*sharing_no_more_downstreams)(ConnectionLayer *cl);\r
270 \r
271 /* Query whether the connection layer is doing agent forwarding */\r
272 bool (*agent_forwarding_permitted)(ConnectionLayer *cl);\r
273 \r
274 /* Set the size of the main terminal window (if any) */\r
275 void (*terminal_size)(ConnectionLayer *cl, int width, int height);\r
276 \r
277 /* Indicate that the backlog on standard output has cleared */\r
278 void (*stdout_unthrottle)(ConnectionLayer *cl, size_t bufsize);\r
279 \r
280 /* Query the size of the backlog on standard _input_ */\r
281 size_t (*stdin_backlog)(ConnectionLayer *cl);\r
282 \r
283 /* Tell the connection layer that the SSH connection itself has\r
284 * backed up, so it should tell all currently open channels to\r
285 * cease reading from their local input sources if they can. (Or\r
286 * tell it that that state of affairs has gone away again.) */\r
287 void (*throttle_all_channels)(ConnectionLayer *cl, bool throttled);\r
288 \r
289 /* Ask the connection layer about its current preference for\r
290 * line-discipline options. */\r
291 bool (*ldisc_option)(ConnectionLayer *cl, int option);\r
292 \r
293 /* Communicate _to_ the connection layer (from the main session\r
294 * channel) what its preference for line-discipline options is. */\r
295 void (*set_ldisc_option)(ConnectionLayer *cl, int option, bool value);\r
296 \r
297 /* Communicate to the connection layer whether X forwarding was\r
298 * successfully enabled (for purposes of knowing whether to accept\r
299 * subsequent channel-opens). */\r
300 void (*enable_x_fwd)(ConnectionLayer *cl);\r
301 \r
302 /* Communicate / query whether the main session channel currently\r
303 * wants user input. The set function is called by mainchan; the\r
304 * query function is called by the top-level ssh.c. */\r
305 void (*set_wants_user_input)(ConnectionLayer *cl, bool wanted);\r
306 bool (*get_wants_user_input)(ConnectionLayer *cl);\r
307 \r
308 /* Notify the connection layer that more data has been added to\r
309 * the user input queue. */\r
310 void (*got_user_input)(ConnectionLayer *cl);\r
311 };\r
312 \r
313 struct ConnectionLayer {\r
314 LogContext *logctx;\r
315 const struct ConnectionLayerVtable *vt;\r
316 };\r
317 \r
318 static inline struct ssh_rportfwd *ssh_rportfwd_alloc(\r
319 ConnectionLayer *cl, const char *sh, int sp, const char *dh, int dp,\r
320 int af, const char *log, PortFwdRecord *pfr, ssh_sharing_connstate *cs)\r
321 { return cl->vt->rportfwd_alloc(cl, sh, sp, dh, dp, af, log, pfr, cs); }\r
322 static inline void ssh_rportfwd_remove(\r
323 ConnectionLayer *cl, struct ssh_rportfwd *rpf)\r
324 { cl->vt->rportfwd_remove(cl, rpf); }\r
325 static inline SshChannel *ssh_lportfwd_open(\r
326 ConnectionLayer *cl, const char *host, int port,\r
327 const char *desc, const SocketPeerInfo *pi, Channel *chan)\r
328 { return cl->vt->lportfwd_open(cl, host, port, desc, pi, chan); }\r
329 static inline SshChannel *ssh_session_open(ConnectionLayer *cl, Channel *chan)\r
330 { return cl->vt->session_open(cl, chan); }\r
331 static inline SshChannel *ssh_serverside_x11_open(\r
332 ConnectionLayer *cl, Channel *chan, const SocketPeerInfo *pi)\r
333 { return cl->vt->serverside_x11_open(cl, chan, pi); }\r
334 static inline SshChannel *ssh_serverside_agent_open(\r
335 ConnectionLayer *cl, Channel *chan)\r
336 { return cl->vt->serverside_agent_open(cl, chan); }\r
337 static inline struct X11FakeAuth *ssh_add_x11_display(\r
338 ConnectionLayer *cl, int authtype, struct X11Display *x11disp)\r
339 { return cl->vt->add_x11_display(cl, authtype, x11disp); }\r
340 static inline struct X11FakeAuth *ssh_add_sharing_x11_display(\r
341 ConnectionLayer *cl, int authtype, ssh_sharing_connstate *share_cs,\r
342 share_channel *share_chan)\r
343 { return cl->vt->add_sharing_x11_display(cl, authtype, share_cs, share_chan); }\r
344 static inline void ssh_remove_sharing_x11_display(\r
345 ConnectionLayer *cl, struct X11FakeAuth *auth)\r
346 { cl->vt->remove_sharing_x11_display(cl, auth); }\r
347 static inline void ssh_send_packet_from_downstream(\r
348 ConnectionLayer *cl, unsigned id, int type,\r
349 const void *pkt, int len, const char *log)\r
350 { cl->vt->send_packet_from_downstream(cl, id, type, pkt, len, log); }\r
351 static inline unsigned ssh_alloc_sharing_channel(\r
352 ConnectionLayer *cl, ssh_sharing_connstate *connstate)\r
353 { return cl->vt->alloc_sharing_channel(cl, connstate); }\r
354 static inline void ssh_delete_sharing_channel(\r
355 ConnectionLayer *cl, unsigned localid)\r
356 { cl->vt->delete_sharing_channel(cl, localid); }\r
357 static inline void ssh_sharing_queue_global_request(\r
358 ConnectionLayer *cl, ssh_sharing_connstate *connstate)\r
359 { cl->vt->sharing_queue_global_request(cl, connstate); }\r
360 static inline void ssh_sharing_no_more_downstreams(ConnectionLayer *cl)\r
361 { cl->vt->sharing_no_more_downstreams(cl); }\r
362 static inline bool ssh_agent_forwarding_permitted(ConnectionLayer *cl)\r
363 { return cl->vt->agent_forwarding_permitted(cl); }\r
364 static inline void ssh_terminal_size(ConnectionLayer *cl, int w, int h)\r
365 { cl->vt->terminal_size(cl, w, h); }\r
366 static inline void ssh_stdout_unthrottle(ConnectionLayer *cl, size_t bufsize)\r
367 { cl->vt->stdout_unthrottle(cl, bufsize); }\r
368 static inline size_t ssh_stdin_backlog(ConnectionLayer *cl)\r
369 { return cl->vt->stdin_backlog(cl); }\r
370 static inline void ssh_throttle_all_channels(ConnectionLayer *cl, bool thr)\r
371 { cl->vt->throttle_all_channels(cl, thr); }\r
372 static inline bool ssh_ldisc_option(ConnectionLayer *cl, int option)\r
373 { return cl->vt->ldisc_option(cl, option); }\r
374 static inline void ssh_set_ldisc_option(ConnectionLayer *cl, int opt, bool val)\r
375 { cl->vt->set_ldisc_option(cl, opt, val); }\r
376 static inline void ssh_enable_x_fwd(ConnectionLayer *cl)\r
377 { cl->vt->enable_x_fwd(cl); }\r
378 static inline void ssh_set_wants_user_input(ConnectionLayer *cl, bool wanted)\r
379 { cl->vt->set_wants_user_input(cl, wanted); }\r
380 static inline bool ssh_get_wants_user_input(ConnectionLayer *cl)\r
381 { return cl->vt->get_wants_user_input(cl); }\r
382 static inline void ssh_got_user_input(ConnectionLayer *cl)\r
383 { cl->vt->got_user_input(cl); }\r
384 \r
385 /* Exports from portfwd.c */\r
386 PortFwdManager *portfwdmgr_new(ConnectionLayer *cl);\r
387 void portfwdmgr_free(PortFwdManager *mgr);\r
388 void portfwdmgr_config(PortFwdManager *mgr, Conf *conf);\r
389 void portfwdmgr_close(PortFwdManager *mgr, PortFwdRecord *pfr);\r
390 void portfwdmgr_close_all(PortFwdManager *mgr);\r
391 char *portfwdmgr_connect(PortFwdManager *mgr, Channel **chan_ret,\r
392 char *hostname, int port, SshChannel *c,\r
393 int addressfamily);\r
394 bool portfwdmgr_listen(PortFwdManager *mgr, const char *host, int port,\r
395 const char *keyhost, int keyport, Conf *conf);\r
396 bool portfwdmgr_unlisten(PortFwdManager *mgr, const char *host, int port);\r
397 Channel *portfwd_raw_new(ConnectionLayer *cl, Plug **plug, bool start_ready);\r
398 void portfwd_raw_free(Channel *pfchan);\r
399 void portfwd_raw_setup(Channel *pfchan, Socket *s, SshChannel *sc);\r
400 \r
401 Socket *platform_make_agent_socket(Plug *plug, const char *dirprefix,\r
402 char **error, char **name);\r
403 \r
404 LogContext *ssh_get_logctx(Ssh *ssh);\r
405 \r
406 /* Communications back to ssh.c from connection layers */\r
407 void ssh_throttle_conn(Ssh *ssh, int adjust);\r
408 void ssh_got_exitcode(Ssh *ssh, int status);\r
409 void ssh_ldisc_update(Ssh *ssh);\r
410 void ssh_check_sendok(Ssh *ssh);\r
411 void ssh_got_fallback_cmd(Ssh *ssh);\r
412 bool ssh_is_bare(Ssh *ssh);\r
413 \r
414 /* Communications back to ssh.c from the BPP */\r
415 void ssh_conn_processed_data(Ssh *ssh);\r
416 void ssh_sendbuffer_changed(Ssh *ssh);\r
417 void ssh_check_frozen(Ssh *ssh);\r
418 \r
419 /* Functions to abort the connection, for various reasons. */\r
420 void ssh_remote_error(Ssh *ssh, const char *fmt, ...) PRINTF_LIKE(2, 3);\r
421 void ssh_remote_eof(Ssh *ssh, const char *fmt, ...) PRINTF_LIKE(2, 3);\r
422 void ssh_proto_error(Ssh *ssh, const char *fmt, ...) PRINTF_LIKE(2, 3);\r
423 void ssh_sw_abort(Ssh *ssh, const char *fmt, ...) PRINTF_LIKE(2, 3);\r
424 void ssh_sw_abort_deferred(Ssh *ssh, const char *fmt, ...) PRINTF_LIKE(2, 3);\r
425 void ssh_user_close(Ssh *ssh, const char *fmt, ...) PRINTF_LIKE(2, 3);\r
426 void ssh_spr_close(Ssh *ssh, SeatPromptResult spr, const char *context);\r
427 \r
428 /* Bit positions in the SSH-1 cipher protocol word */\r
429 #define SSH1_CIPHER_IDEA 1\r
430 #define SSH1_CIPHER_DES 2\r
431 #define SSH1_CIPHER_3DES 3\r
432 #define SSH1_CIPHER_BLOWFISH 6\r
433 \r
434 /* The subset of those that we support, with names for selecting them\r
435 * on Uppity's command line */\r
436 #define SSH1_SUPPORTED_CIPHER_LIST(X) \\r
437 X(SSH1_CIPHER_3DES, "3des") \\r
438 X(SSH1_CIPHER_BLOWFISH, "blowfish") \\r
439 X(SSH1_CIPHER_DES, "des") \\r
440 /* end of list */\r
441 #define SSH1_CIPHER_LIST_MAKE_MASK(bitpos, name) | (1U << bitpos)\r
442 #define SSH1_SUPPORTED_CIPHER_MASK \\r
443 (0 SSH1_SUPPORTED_CIPHER_LIST(SSH1_CIPHER_LIST_MAKE_MASK))\r
444 \r
445 struct ssh_key {\r
446 const ssh_keyalg *vt;\r
447 };\r
448 \r
449 struct RSAKey {\r
450 int bits;\r
451 int bytes;\r
452 mp_int *modulus;\r
453 mp_int *exponent;\r
454 mp_int *private_exponent;\r
455 mp_int *p;\r
456 mp_int *q;\r
457 mp_int *iqmp;\r
458 char *comment;\r
459 ssh_key sshk;\r
460 };\r
461 \r
462 struct dsa_key {\r
463 mp_int *p, *q, *g, *y, *x;\r
464 ssh_key sshk;\r
465 };\r
466 \r
467 struct ec_curve;\r
468 \r
469 /* Weierstrass form curve */\r
470 struct ec_wcurve\r
471 {\r
472 WeierstrassCurve *wc;\r
473 WeierstrassPoint *G;\r
474 mp_int *G_order;\r
475 };\r
476 \r
477 /* Montgomery form curve */\r
478 struct ec_mcurve\r
479 {\r
480 MontgomeryCurve *mc;\r
481 MontgomeryPoint *G;\r
482 unsigned log2_cofactor;\r
483 };\r
484 \r
485 /* Edwards form curve */\r
486 struct ec_ecurve\r
487 {\r
488 EdwardsCurve *ec;\r
489 EdwardsPoint *G;\r
490 mp_int *G_order;\r
491 unsigned log2_cofactor;\r
492 };\r
493 \r
494 typedef enum EllipticCurveType {\r
495 EC_WEIERSTRASS, EC_MONTGOMERY, EC_EDWARDS\r
496 } EllipticCurveType;\r
497 \r
498 struct ec_curve {\r
499 EllipticCurveType type;\r
500 /* 'name' is the identifier of the curve when it has to appear in\r
501 * wire protocol encodings, as it does in e.g. the public key and\r
502 * signature formats for NIST curves. Curves which do not format\r
503 * their keys or signatures in this way just have name==NULL.\r
504 *\r
505 * 'textname' is non-NULL for all curves, and is a human-readable\r
506 * identification suitable for putting in log messages. */\r
507 const char *name, *textname;\r
508 size_t fieldBits, fieldBytes;\r
509 mp_int *p;\r
510 union {\r
511 struct ec_wcurve w;\r
512 struct ec_mcurve m;\r
513 struct ec_ecurve e;\r
514 };\r
515 };\r
516 \r
517 const ssh_keyalg *ec_alg_by_oid(int len, const void *oid,\r
518 const struct ec_curve **curve);\r
519 const unsigned char *ec_alg_oid(const ssh_keyalg *alg, int *oidlen);\r
520 extern const int ec_nist_curve_lengths[], n_ec_nist_curve_lengths;\r
521 extern const int ec_ed_curve_lengths[], n_ec_ed_curve_lengths;\r
522 bool ec_nist_alg_and_curve_by_bits(int bits,\r
523 const struct ec_curve **curve,\r
524 const ssh_keyalg **alg);\r
525 bool ec_ed_alg_and_curve_by_bits(int bits,\r
526 const struct ec_curve **curve,\r
527 const ssh_keyalg **alg);\r
528 \r
529 struct ecdsa_key {\r
530 const struct ec_curve *curve;\r
531 WeierstrassPoint *publicKey;\r
532 mp_int *privateKey;\r
533 ssh_key sshk;\r
534 };\r
535 struct eddsa_key {\r
536 const struct ec_curve *curve;\r
537 EdwardsPoint *publicKey;\r
538 mp_int *privateKey;\r
539 ssh_key sshk;\r
540 };\r
541 \r
542 WeierstrassPoint *ecdsa_public(mp_int *private_key, const ssh_keyalg *alg);\r
543 EdwardsPoint *eddsa_public(mp_int *private_key, const ssh_keyalg *alg);\r
544 \r
545 typedef enum KeyComponentType {\r
546 KCT_TEXT, KCT_BINARY, KCT_MPINT\r
547 } KeyComponentType;\r
548 typedef struct key_component {\r
549 char *name;\r
550 KeyComponentType type;\r
551 union {\r
552 strbuf *str; /* used for KCT_TEXT and KCT_BINARY */\r
553 mp_int *mp; /* used for KCT_MPINT */\r
554 };\r
555 } key_component;\r
556 typedef struct key_components {\r
557 size_t ncomponents, componentsize;\r
558 key_component *components;\r
559 } key_components;\r
560 key_components *key_components_new(void);\r
561 void key_components_add_text(key_components *kc,\r
562 const char *name, const char *value);\r
563 void key_components_add_text_pl(key_components *kc,\r
564 const char *name, ptrlen value);\r
565 void key_components_add_binary(key_components *kc,\r
566 const char *name, ptrlen value);\r
567 void key_components_add_mp(key_components *kc,\r
568 const char *name, mp_int *value);\r
569 void key_components_add_uint(key_components *kc,\r
570 const char *name, uintmax_t value);\r
571 void key_components_add_copy(key_components *kc,\r
572 const char *name, const key_component *value);\r
573 void key_components_free(key_components *kc);\r
574 \r
575 /*\r
576 * SSH-1 never quite decided which order to store the two components\r
577 * of an RSA key. During connection setup, the server sends its host\r
578 * and server keys with the exponent first; private key files store\r
579 * the modulus first. The agent protocol is even more confusing,\r
580 * because the client specifies a key to the server in one order and\r
581 * the server lists the keys it knows about in the other order!\r
582 */\r
583 typedef enum { RSA_SSH1_EXPONENT_FIRST, RSA_SSH1_MODULUS_FIRST } RsaSsh1Order;\r
584 \r
585 void BinarySource_get_rsa_ssh1_pub(\r
586 BinarySource *src, RSAKey *result, RsaSsh1Order order);\r
587 void BinarySource_get_rsa_ssh1_priv(\r
588 BinarySource *src, RSAKey *rsa);\r
589 RSAKey *BinarySource_get_rsa_ssh1_priv_agent(BinarySource *src);\r
590 bool rsa_ssh1_encrypt(unsigned char *data, int length, RSAKey *key);\r
591 mp_int *rsa_ssh1_decrypt(mp_int *input, RSAKey *key);\r
592 bool rsa_ssh1_decrypt_pkcs1(mp_int *input, RSAKey *key, strbuf *outbuf);\r
593 char *rsastr_fmt(RSAKey *key);\r
594 char *rsa_ssh1_fingerprint(RSAKey *key);\r
595 char **rsa_ssh1_fake_all_fingerprints(RSAKey *key);\r
596 bool rsa_verify(RSAKey *key);\r
597 void rsa_ssh1_public_blob(BinarySink *bs, RSAKey *key, RsaSsh1Order order);\r
598 int rsa_ssh1_public_blob_len(ptrlen data);\r
599 void rsa_ssh1_private_blob_agent(BinarySink *bs, RSAKey *key);\r
600 void duprsakey(RSAKey *dst, const RSAKey *src);\r
601 void freersapriv(RSAKey *key);\r
602 void freersakey(RSAKey *key);\r
603 key_components *rsa_components(RSAKey *key);\r
604 \r
605 uint32_t crc32_rfc1662(ptrlen data);\r
606 uint32_t crc32_ssh1(ptrlen data);\r
607 uint32_t crc32_update(uint32_t crc_input, ptrlen data);\r
608 \r
609 /* SSH CRC compensation attack detector */\r
610 struct crcda_ctx;\r
611 struct crcda_ctx *crcda_make_context(void);\r
612 void crcda_free_context(struct crcda_ctx *ctx);\r
613 bool detect_attack(struct crcda_ctx *ctx,\r
614 const unsigned char *buf, uint32_t len,\r
615 const unsigned char *IV);\r
616 \r
617 /*\r
618 * SSH2 RSA key exchange functions\r
619 */\r
620 struct ssh_rsa_kex_extra {\r
621 int minklen;\r
622 };\r
623 RSAKey *ssh_rsakex_newkey(ptrlen data);\r
624 void ssh_rsakex_freekey(RSAKey *key);\r
625 int ssh_rsakex_klen(RSAKey *key);\r
626 strbuf *ssh_rsakex_encrypt(\r
627 RSAKey *key, const ssh_hashalg *h, ptrlen plaintext);\r
628 mp_int *ssh_rsakex_decrypt(\r
629 RSAKey *key, const ssh_hashalg *h, ptrlen ciphertext);\r
630 \r
631 /*\r
632 * System for generating k in DSA and ECDSA.\r
633 */\r
634 struct RFC6979Result {\r
635 mp_int *k;\r
636 unsigned ok;\r
637 };\r
638 RFC6979 *rfc6979_new(const ssh_hashalg *hashalg, mp_int *q, mp_int *x);\r
639 void rfc6979_setup(RFC6979 *s, ptrlen message);\r
640 RFC6979Result rfc6979_attempt(RFC6979 *s);\r
641 void rfc6979_free(RFC6979 *s);\r
642 mp_int *rfc6979(const ssh_hashalg *hashalg, mp_int *modulus,\r
643 mp_int *private_key, ptrlen message);\r
644 \r
645 struct ssh_cipher {\r
646 const ssh_cipheralg *vt;\r
647 };\r
648 \r
649 struct ssh_cipheralg {\r
650 ssh_cipher *(*new)(const ssh_cipheralg *alg);\r
651 void (*free)(ssh_cipher *);\r
652 void (*setiv)(ssh_cipher *, const void *iv);\r
653 void (*setkey)(ssh_cipher *, const void *key);\r
654 void (*encrypt)(ssh_cipher *, void *blk, int len);\r
655 void (*decrypt)(ssh_cipher *, void *blk, int len);\r
656 /* Ignored unless SSH_CIPHER_SEPARATE_LENGTH flag set */\r
657 void (*encrypt_length)(ssh_cipher *, void *blk, int len,\r
658 unsigned long seq);\r
659 void (*decrypt_length)(ssh_cipher *, void *blk, int len,\r
660 unsigned long seq);\r
661 /* For ciphers that update their state per logical message\r
662 * (typically, per unit independently MACed) */\r
663 void (*next_message)(ssh_cipher *);\r
664 const char *ssh2_id;\r
665 int blksize;\r
666 /* real_keybits is the number of bits of entropy genuinely used by\r
667 * the cipher scheme; it's used for deciding how big a\r
668 * Diffie-Hellman group is needed to exchange a key for the\r
669 * cipher. */\r
670 int real_keybits;\r
671 /* padded_keybytes is the number of bytes of key data expected as\r
672 * input to the setkey function; it's used for deciding how much\r
673 * data needs to be generated from the post-kex generation of key\r
674 * material. In a sensible cipher which uses all its key bytes for\r
675 * real work, this will just be real_keybits/8, but in DES-type\r
676 * ciphers which ignore one bit in each byte, it'll be slightly\r
677 * different. */\r
678 int padded_keybytes;\r
679 unsigned int flags;\r
680 #define SSH_CIPHER_IS_CBC 1\r
681 #define SSH_CIPHER_SEPARATE_LENGTH 2\r
682 const char *text_name;\r
683 /* If set, this takes priority over other MAC. */\r
684 const ssh2_macalg *required_mac;\r
685 \r
686 /* Pointer to any extra data used by a particular implementation. */\r
687 const void *extra;\r
688 };\r
689 \r
690 static inline ssh_cipher *ssh_cipher_new(const ssh_cipheralg *alg)\r
691 { return alg->new(alg); }\r
692 static inline void ssh_cipher_free(ssh_cipher *c)\r
693 { c->vt->free(c); }\r
694 static inline void ssh_cipher_setiv(ssh_cipher *c, const void *iv)\r
695 { c->vt->setiv(c, iv); }\r
696 static inline void ssh_cipher_setkey(ssh_cipher *c, const void *key)\r
697 { c->vt->setkey(c, key); }\r
698 static inline void ssh_cipher_encrypt(ssh_cipher *c, void *blk, int len)\r
699 { c->vt->encrypt(c, blk, len); }\r
700 static inline void ssh_cipher_decrypt(ssh_cipher *c, void *blk, int len)\r
701 { c->vt->decrypt(c, blk, len); }\r
702 static inline void ssh_cipher_encrypt_length(\r
703 ssh_cipher *c, void *blk, int len, unsigned long seq)\r
704 { c->vt->encrypt_length(c, blk, len, seq); }\r
705 static inline void ssh_cipher_decrypt_length(\r
706 ssh_cipher *c, void *blk, int len, unsigned long seq)\r
707 { c->vt->decrypt_length(c, blk, len, seq); }\r
708 static inline void ssh_cipher_next_message(ssh_cipher *c)\r
709 { c->vt->next_message(c); }\r
710 static inline const struct ssh_cipheralg *ssh_cipher_alg(ssh_cipher *c)\r
711 { return c->vt; }\r
712 \r
713 void nullcipher_next_message(ssh_cipher *);\r
714 \r
715 struct ssh2_ciphers {\r
716 int nciphers;\r
717 const ssh_cipheralg *const *list;\r
718 };\r
719 \r
720 struct ssh2_mac {\r
721 const ssh2_macalg *vt;\r
722 BinarySink_DELEGATE_IMPLEMENTATION;\r
723 };\r
724 \r
725 struct ssh2_macalg {\r
726 /* Passes in the cipher context */\r
727 ssh2_mac *(*new)(const ssh2_macalg *alg, ssh_cipher *cipher);\r
728 void (*free)(ssh2_mac *);\r
729 void (*setkey)(ssh2_mac *, ptrlen key);\r
730 void (*start)(ssh2_mac *);\r
731 void (*genresult)(ssh2_mac *, unsigned char *);\r
732 void (*next_message)(ssh2_mac *);\r
733 const char *(*text_name)(ssh2_mac *);\r
734 const char *name, *etm_name;\r
735 int len, keylen;\r
736 \r
737 /* Pointer to any extra data used by a particular implementation. */\r
738 const void *extra;\r
739 };\r
740 \r
741 static inline ssh2_mac *ssh2_mac_new(\r
742 const ssh2_macalg *alg, ssh_cipher *cipher)\r
743 { return alg->new(alg, cipher); }\r
744 static inline void ssh2_mac_free(ssh2_mac *m)\r
745 { m->vt->free(m); }\r
746 static inline void ssh2_mac_setkey(ssh2_mac *m, ptrlen key)\r
747 { m->vt->setkey(m, key); }\r
748 static inline void ssh2_mac_start(ssh2_mac *m)\r
749 { m->vt->start(m); }\r
750 static inline void ssh2_mac_genresult(ssh2_mac *m, unsigned char *out)\r
751 { m->vt->genresult(m, out); }\r
752 static inline void ssh2_mac_next_message(ssh2_mac *m)\r
753 { m->vt->next_message(m); }\r
754 static inline const char *ssh2_mac_text_name(ssh2_mac *m)\r
755 { return m->vt->text_name(m); }\r
756 static inline const ssh2_macalg *ssh2_mac_alg(ssh2_mac *m)\r
757 { return m->vt; }\r
758 \r
759 /* Centralised 'methods' for ssh2_mac, defined in mac.c. These run\r
760 * the MAC in a specifically SSH-2 style, i.e. taking account of a\r
761 * packet sequence number as well as the data to be authenticated. */\r
762 bool ssh2_mac_verresult(ssh2_mac *, const void *);\r
763 void ssh2_mac_generate(ssh2_mac *, void *, int, unsigned long seq);\r
764 bool ssh2_mac_verify(ssh2_mac *, const void *, int, unsigned long seq);\r
765 \r
766 void nullmac_next_message(ssh2_mac *m);\r
767 \r
768 /* Use a MAC in its raw form, outside SSH-2 context, to MAC a given\r
769 * string with a given key in the most obvious way. */\r
770 void mac_simple(const ssh2_macalg *alg, ptrlen key, ptrlen data, void *output);\r
771 \r
772 /* Constructor that makes an HMAC object given just a MAC. This object\r
773 * will have empty 'name' and 'etm_name' fields, so it's not suitable\r
774 * for use in SSH. It's used as a subroutine in RFC 6979. */\r
775 ssh2_mac *hmac_new_from_hash(const ssh_hashalg *hash);\r
776 \r
777 struct ssh_hash {\r
778 const ssh_hashalg *vt;\r
779 BinarySink_DELEGATE_IMPLEMENTATION;\r
780 };\r
781 \r
782 struct ssh_hashalg {\r
783 ssh_hash *(*new)(const ssh_hashalg *alg);\r
784 void (*reset)(ssh_hash *);\r
785 void (*copyfrom)(ssh_hash *dest, ssh_hash *src);\r
786 void (*digest)(ssh_hash *, unsigned char *);\r
787 void (*free)(ssh_hash *);\r
788 size_t hlen; /* output length in bytes */\r
789 size_t blocklen; /* length of the hash's input block, or 0 for N/A */\r
790 const char *text_basename; /* the semantic name of the hash */\r
791 const char *annotation; /* extra info, e.g. which of multiple impls */\r
792 const char *text_name; /* both combined, e.g. "SHA-n (unaccelerated)" */\r
793 const void *extra; /* private to the hash implementation */\r
794 };\r
795 \r
796 static inline ssh_hash *ssh_hash_new(const ssh_hashalg *alg)\r
797 { ssh_hash *h = alg->new(alg); if (h) h->vt->reset(h); return h; }\r
798 static inline ssh_hash *ssh_hash_copy(ssh_hash *orig)\r
799 { ssh_hash *h = orig->vt->new(orig->vt); h->vt->copyfrom(h, orig); return h; }\r
800 static inline void ssh_hash_digest(ssh_hash *h, unsigned char *out)\r
801 { h->vt->digest(h, out); }\r
802 static inline void ssh_hash_free(ssh_hash *h)\r
803 { h->vt->free(h); }\r
804 static inline const ssh_hashalg *ssh_hash_alg(ssh_hash *h)\r
805 { return h->vt; }\r
806 \r
807 /* The reset and copyfrom vtable methods return void. But for call-site\r
808 * convenience, these wrappers return their input pointer. */\r
809 static inline ssh_hash *ssh_hash_reset(ssh_hash *h)\r
810 { h->vt->reset(h); return h; }\r
811 static inline ssh_hash *ssh_hash_copyfrom(ssh_hash *dest, ssh_hash *src)\r
812 { dest->vt->copyfrom(dest, src); return dest; }\r
813 \r
814 /* ssh_hash_final emits the digest _and_ frees the ssh_hash */\r
815 static inline void ssh_hash_final(ssh_hash *h, unsigned char *out)\r
816 { h->vt->digest(h, out); h->vt->free(h); }\r
817 \r
818 /* ssh_hash_digest_nondestructive generates a finalised hash from the\r
819 * given object without changing its state, so you can continue\r
820 * appending data to get a hash of an extended string. */\r
821 static inline void ssh_hash_digest_nondestructive(ssh_hash *h,\r
822 unsigned char *out)\r
823 { ssh_hash_final(ssh_hash_copy(h), out); }\r
824 \r
825 /* Handy macros for defining all those text-name fields at once */\r
826 #define HASHALG_NAMES_BARE(base) \\r
827 .text_basename = base, .annotation = NULL, .text_name = base\r
828 #define HASHALG_NAMES_ANNOTATED(base, ann) \\r
829 .text_basename = base, .annotation = ann, .text_name = base " (" ann ")"\r
830 \r
831 void hash_simple(const ssh_hashalg *alg, ptrlen data, void *output);\r
832 \r
833 struct ssh_kex {\r
834 const char *name, *groupname;\r
835 enum { KEXTYPE_DH, KEXTYPE_RSA, KEXTYPE_ECDH,\r
836 KEXTYPE_GSS, KEXTYPE_GSS_ECDH } main_type;\r
837 const ssh_hashalg *hash;\r
838 union { /* publicly visible data for each type */\r
839 const ecdh_keyalg *ecdh_vt; /* for KEXTYPE_ECDH, KEXTYPE_GSS_ECDH */\r
840 };\r
841 const void *extra; /* private to the kex methods */\r
842 };\r
843 \r
844 static inline bool kex_is_gss(const struct ssh_kex *kex)\r
845 {\r
846 return kex->main_type == KEXTYPE_GSS || kex->main_type == KEXTYPE_GSS_ECDH;\r
847 }\r
848 \r
849 struct ssh_kexes {\r
850 int nkexes;\r
851 const ssh_kex *const *list;\r
852 };\r
853 \r
854 /* Indices of the negotiation strings in the KEXINIT packet */\r
855 enum kexlist {\r
856 KEXLIST_KEX, KEXLIST_HOSTKEY, KEXLIST_CSCIPHER, KEXLIST_SCCIPHER,\r
857 KEXLIST_CSMAC, KEXLIST_SCMAC, KEXLIST_CSCOMP, KEXLIST_SCCOMP,\r
858 NKEXLIST\r
859 };\r
860 \r
861 struct ssh_keyalg {\r
862 /* Constructors that create an ssh_key */\r
863 ssh_key *(*new_pub) (const ssh_keyalg *self, ptrlen pub);\r
864 ssh_key *(*new_priv) (const ssh_keyalg *self, ptrlen pub, ptrlen priv);\r
865 ssh_key *(*new_priv_openssh) (const ssh_keyalg *self, BinarySource *);\r
866 \r
867 /* Methods that operate on an existing ssh_key */\r
868 void (*freekey) (ssh_key *key);\r
869 char *(*invalid) (ssh_key *key, unsigned flags);\r
870 void (*sign) (ssh_key *key, ptrlen data, unsigned flags, BinarySink *);\r
871 bool (*verify) (ssh_key *key, ptrlen sig, ptrlen data);\r
872 void (*public_blob)(ssh_key *key, BinarySink *);\r
873 void (*private_blob)(ssh_key *key, BinarySink *);\r
874 void (*openssh_blob) (ssh_key *key, BinarySink *);\r
875 bool (*has_private) (ssh_key *key);\r
876 char *(*cache_str) (ssh_key *key);\r
877 key_components *(*components) (ssh_key *key);\r
878 ssh_key *(*base_key) (ssh_key *key); /* does not confer ownership */\r
879 /* The following methods can be NULL if !is_certificate */\r
880 void (*ca_public_blob)(ssh_key *key, BinarySink *);\r
881 bool (*check_cert)(ssh_key *key, bool host, ptrlen principal,\r
882 uint64_t time, const ca_options *opts,\r
883 BinarySink *error);\r
884 void (*cert_id_string)(ssh_key *key, BinarySink *);\r
885 SeatDialogText *(*cert_info)(ssh_key *key);\r
886 \r
887 /* 'Class methods' that don't deal with an ssh_key at all */\r
888 int (*pubkey_bits) (const ssh_keyalg *self, ptrlen blob);\r
889 unsigned (*supported_flags) (const ssh_keyalg *self);\r
890 const char *(*alternate_ssh_id) (const ssh_keyalg *self, unsigned flags);\r
891 char *(*alg_desc)(const ssh_keyalg *self);\r
892 bool (*variable_size)(const ssh_keyalg *self);\r
893 /* The following methods can be NULL if !is_certificate */\r
894 const ssh_keyalg *(*related_alg)(const ssh_keyalg *self,\r
895 const ssh_keyalg *base);\r
896 \r
897 /* Constant data fields giving information about the key type */\r
898 const char *ssh_id; /* string identifier in the SSH protocol */\r
899 const char *cache_id; /* identifier used in PuTTY's host key cache */\r
900 const void *extra; /* private to the public key methods */\r
901 bool is_certificate; /* is this a certified key type? */\r
902 const ssh_keyalg *base_alg; /* if so, for what underlying key alg? */\r
903 };\r
904 \r
905 static inline ssh_key *ssh_key_new_pub(const ssh_keyalg *self, ptrlen pub)\r
906 { return self->new_pub(self, pub); }\r
907 static inline ssh_key *ssh_key_new_priv(\r
908 const ssh_keyalg *self, ptrlen pub, ptrlen priv)\r
909 { return self->new_priv(self, pub, priv); }\r
910 static inline ssh_key *ssh_key_new_priv_openssh(\r
911 const ssh_keyalg *self, BinarySource *src)\r
912 { return self->new_priv_openssh(self, src); }\r
913 static inline void ssh_key_free(ssh_key *key)\r
914 { key->vt->freekey(key); }\r
915 static inline char *ssh_key_invalid(ssh_key *key, unsigned flags)\r
916 { return key->vt->invalid(key, flags); }\r
917 static inline void ssh_key_sign(\r
918 ssh_key *key, ptrlen data, unsigned flags, BinarySink *bs)\r
919 { key->vt->sign(key, data, flags, bs); }\r
920 static inline bool ssh_key_verify(ssh_key *key, ptrlen sig, ptrlen data)\r
921 { return key->vt->verify(key, sig, data); }\r
922 static inline void ssh_key_public_blob(ssh_key *key, BinarySink *bs)\r
923 { key->vt->public_blob(key, bs); }\r
924 static inline void ssh_key_private_blob(ssh_key *key, BinarySink *bs)\r
925 { key->vt->private_blob(key, bs); }\r
926 static inline void ssh_key_openssh_blob(ssh_key *key, BinarySink *bs)\r
927 { key->vt->openssh_blob(key, bs); }\r
928 static inline bool ssh_key_has_private(ssh_key *key)\r
929 { return key->vt->has_private(key); }\r
930 static inline char *ssh_key_cache_str(ssh_key *key)\r
931 { return key->vt->cache_str(key); }\r
932 static inline key_components *ssh_key_components(ssh_key *key)\r
933 { return key->vt->components(key); }\r
934 static inline ssh_key *ssh_key_base_key(ssh_key *key)\r
935 { return key->vt->base_key(key); }\r
936 static inline void ssh_key_ca_public_blob(ssh_key *key, BinarySink *bs)\r
937 { key->vt->ca_public_blob(key, bs); }\r
938 static inline void ssh_key_cert_id_string(ssh_key *key, BinarySink *bs)\r
939 { key->vt->cert_id_string(key, bs); }\r
940 static inline SeatDialogText *ssh_key_cert_info(ssh_key *key)\r
941 { return key->vt->cert_info(key); }\r
942 static inline bool ssh_key_check_cert(\r
943 ssh_key *key, bool host, ptrlen principal, uint64_t time,\r
944 const ca_options *opts, BinarySink *error)\r
945 { return key->vt->check_cert(key, host, principal, time, opts, error); }\r
946 static inline int ssh_key_public_bits(const ssh_keyalg *self, ptrlen blob)\r
947 { return self->pubkey_bits(self, blob); }\r
948 static inline const ssh_keyalg *ssh_key_alg(ssh_key *key)\r
949 { return key->vt; }\r
950 static inline const char *ssh_key_ssh_id(ssh_key *key)\r
951 { return key->vt->ssh_id; }\r
952 static inline const char *ssh_key_cache_id(ssh_key *key)\r
953 { return key->vt->cache_id; }\r
954 static inline unsigned ssh_key_supported_flags(ssh_key *key)\r
955 { return key->vt->supported_flags(key->vt); }\r
956 static inline unsigned ssh_keyalg_supported_flags(const ssh_keyalg *self)\r
957 { return self->supported_flags(self); }\r
958 static inline const char *ssh_keyalg_alternate_ssh_id(\r
959 const ssh_keyalg *self, unsigned flags)\r
960 { return self->alternate_ssh_id(self, flags); }\r
961 static inline char *ssh_keyalg_desc(const ssh_keyalg *self)\r
962 { return self->alg_desc(self); }\r
963 static inline bool ssh_keyalg_variable_size(const ssh_keyalg *self)\r
964 { return self->variable_size(self); }\r
965 static inline const ssh_keyalg *ssh_keyalg_related_alg(\r
966 const ssh_keyalg *self, const ssh_keyalg *base)\r
967 { return self->related_alg(self, base); }\r
968 \r
969 /* Stub functions shared between multiple key types */\r
970 unsigned nullkey_supported_flags(const ssh_keyalg *self);\r
971 const char *nullkey_alternate_ssh_id(const ssh_keyalg *self, unsigned flags);\r
972 ssh_key *nullkey_base_key(ssh_key *key);\r
973 bool nullkey_variable_size_no(const ssh_keyalg *self);\r
974 bool nullkey_variable_size_yes(const ssh_keyalg *self);\r
975 \r
976 /* Utility functions implemented centrally */\r
977 ssh_key *ssh_key_clone(ssh_key *key);\r
978 \r
979 /*\r
980 * SSH2 ECDH key exchange vtable\r
981 */\r
982 struct ecdh_key {\r
983 const ecdh_keyalg *vt;\r
984 };\r
985 struct ecdh_keyalg {\r
986 /* Unusually, the 'new' method here doesn't directly take a vt\r
987 * pointer, because it will also need the containing ssh_kex\r
988 * structure for top-level parameters, and since that contains a\r
989 * vt pointer anyway, we might as well _only_ pass that. */\r
990 ecdh_key *(*new)(const ssh_kex *kex, bool is_server);\r
991 void (*free)(ecdh_key *key);\r
992 void (*getpublic)(ecdh_key *key, BinarySink *bs);\r
993 bool (*getkey)(ecdh_key *key, ptrlen remoteKey, BinarySink *bs);\r
994 char *(*description)(const ssh_kex *kex);\r
995 };\r
996 static inline ecdh_key *ecdh_key_new(const ssh_kex *kex, bool is_server)\r
997 { return kex->ecdh_vt->new(kex, is_server); }\r
998 static inline void ecdh_key_free(ecdh_key *key)\r
999 { key->vt->free(key); }\r
1000 static inline void ecdh_key_getpublic(ecdh_key *key, BinarySink *bs)\r
1001 { key->vt->getpublic(key, bs); }\r
1002 static inline bool ecdh_key_getkey(ecdh_key *key, ptrlen remoteKey,\r
1003 BinarySink *bs)\r
1004 { return key->vt->getkey(key, remoteKey, bs); }\r
1005 static inline char *ecdh_keyalg_description(const ssh_kex *kex)\r
1006 { return kex->ecdh_vt->description(kex); }\r
1007 \r
1008 /*\r
1009 * Suffix on GSSAPI SSH protocol identifiers that indicates Kerberos 5\r
1010 * as the mechanism.\r
1011 *\r
1012 * This suffix is the base64-encoded MD5 hash of the byte sequence\r
1013 * 06 09 2A 86 48 86 F7 12 01 02 02, which in turn is the ASN.1 DER\r
1014 * encoding of the object ID 1.2.840.113554.1.2.2 which designates\r
1015 * Kerberos v5.\r
1016 *\r
1017 * (The same encoded OID, minus the two-byte DER header, is defined in\r
1018 * ssh/pgssapi.c as GSS_MECH_KRB5.)\r
1019 */\r
1020 #define GSS_KRB5_OID_HASH "toWM5Slw5Ew8Mqkay+al2g=="\r
1021 \r
1022 /*\r
1023 * Enumeration of signature flags from draft-miller-ssh-agent-02\r
1024 */\r
1025 #define SSH_AGENT_RSA_SHA2_256 2\r
1026 #define SSH_AGENT_RSA_SHA2_512 4\r
1027 \r
1028 struct ssh_compressor {\r
1029 const ssh_compression_alg *vt;\r
1030 };\r
1031 struct ssh_decompressor {\r
1032 const ssh_compression_alg *vt;\r
1033 };\r
1034 \r
1035 struct ssh_compression_alg {\r
1036 const char *name;\r
1037 /* For zlib@openssh.com: if non-NULL, this name will be considered once\r
1038 * userauth has completed successfully. */\r
1039 const char *delayed_name;\r
1040 ssh_compressor *(*compress_new)(void);\r
1041 void (*compress_free)(ssh_compressor *);\r
1042 void (*compress)(ssh_compressor *, const unsigned char *block, int len,\r
1043 unsigned char **outblock, int *outlen,\r
1044 int minlen);\r
1045 ssh_decompressor *(*decompress_new)(void);\r
1046 void (*decompress_free)(ssh_decompressor *);\r
1047 bool (*decompress)(ssh_decompressor *, const unsigned char *block, int len,\r
1048 unsigned char **outblock, int *outlen);\r
1049 const char *text_name;\r
1050 };\r
1051 \r
1052 static inline ssh_compressor *ssh_compressor_new(\r
1053 const ssh_compression_alg *alg)\r
1054 { return alg->compress_new(); }\r
1055 static inline ssh_decompressor *ssh_decompressor_new(\r
1056 const ssh_compression_alg *alg)\r
1057 { return alg->decompress_new(); }\r
1058 static inline void ssh_compressor_free(ssh_compressor *c)\r
1059 { c->vt->compress_free(c); }\r
1060 static inline void ssh_decompressor_free(ssh_decompressor *d)\r
1061 { d->vt->decompress_free(d); }\r
1062 static inline void ssh_compressor_compress(\r
1063 ssh_compressor *c, const unsigned char *block, int len,\r
1064 unsigned char **outblock, int *outlen, int minlen)\r
1065 { c->vt->compress(c, block, len, outblock, outlen, minlen); }\r
1066 static inline bool ssh_decompressor_decompress(\r
1067 ssh_decompressor *d, const unsigned char *block, int len,\r
1068 unsigned char **outblock, int *outlen)\r
1069 { return d->vt->decompress(d, block, len, outblock, outlen); }\r
1070 static inline const ssh_compression_alg *ssh_compressor_alg(\r
1071 ssh_compressor *c)\r
1072 { return c->vt; }\r
1073 static inline const ssh_compression_alg *ssh_decompressor_alg(\r
1074 ssh_decompressor *d)\r
1075 { return d->vt; }\r
1076 \r
1077 struct ssh2_userkey {\r
1078 ssh_key *key; /* the key itself */\r
1079 char *comment; /* the key comment */\r
1080 };\r
1081 \r
1082 /* Argon2 password hashing function */\r
1083 typedef enum { Argon2d = 0, Argon2i = 1, Argon2id = 2 } Argon2Flavour;\r
1084 void argon2(Argon2Flavour, uint32_t mem, uint32_t passes,\r
1085 uint32_t parallel, uint32_t taglen,\r
1086 ptrlen P, ptrlen S, ptrlen K, ptrlen X, strbuf *out);\r
1087 void argon2_choose_passes(\r
1088 Argon2Flavour, uint32_t mem, uint32_t milliseconds, uint32_t *passes,\r
1089 uint32_t parallel, uint32_t taglen, ptrlen P, ptrlen S, ptrlen K, ptrlen X,\r
1090 strbuf *out);\r
1091 /* The H' hash defined in Argon2, exposed just for testcrypt */\r
1092 strbuf *argon2_long_hash(unsigned length, ptrlen data);\r
1093 \r
1094 /* The maximum length of any hash algorithm. (bytes) */\r
1095 #define MAX_HASH_LEN (114) /* longest is SHAKE256 with 114-byte output */\r
1096 \r
1097 extern const ssh_cipheralg ssh_3des_ssh1;\r
1098 extern const ssh_cipheralg ssh_blowfish_ssh1;\r
1099 extern const ssh_cipheralg ssh_3des_ssh2_ctr;\r
1100 extern const ssh_cipheralg ssh_3des_ssh2;\r
1101 extern const ssh_cipheralg ssh_des;\r
1102 extern const ssh_cipheralg ssh_des_sshcom_ssh2;\r
1103 extern const ssh_cipheralg ssh_aes256_sdctr;\r
1104 extern const ssh_cipheralg ssh_aes256_sdctr_ni;\r
1105 extern const ssh_cipheralg ssh_aes256_sdctr_neon;\r
1106 extern const ssh_cipheralg ssh_aes256_sdctr_sw;\r
1107 extern const ssh_cipheralg ssh_aes256_gcm;\r
1108 extern const ssh_cipheralg ssh_aes256_gcm_ni;\r
1109 extern const ssh_cipheralg ssh_aes256_gcm_neon;\r
1110 extern const ssh_cipheralg ssh_aes256_gcm_sw;\r
1111 extern const ssh_cipheralg ssh_aes256_cbc;\r
1112 extern const ssh_cipheralg ssh_aes256_cbc_ni;\r
1113 extern const ssh_cipheralg ssh_aes256_cbc_neon;\r
1114 extern const ssh_cipheralg ssh_aes256_cbc_sw;\r
1115 extern const ssh_cipheralg ssh_aes192_sdctr;\r
1116 extern const ssh_cipheralg ssh_aes192_sdctr_ni;\r
1117 extern const ssh_cipheralg ssh_aes192_sdctr_neon;\r
1118 extern const ssh_cipheralg ssh_aes192_sdctr_sw;\r
1119 extern const ssh_cipheralg ssh_aes192_gcm;\r
1120 extern const ssh_cipheralg ssh_aes192_gcm_ni;\r
1121 extern const ssh_cipheralg ssh_aes192_gcm_neon;\r
1122 extern const ssh_cipheralg ssh_aes192_gcm_sw;\r
1123 extern const ssh_cipheralg ssh_aes192_cbc;\r
1124 extern const ssh_cipheralg ssh_aes192_cbc_ni;\r
1125 extern const ssh_cipheralg ssh_aes192_cbc_neon;\r
1126 extern const ssh_cipheralg ssh_aes192_cbc_sw;\r
1127 extern const ssh_cipheralg ssh_aes128_sdctr;\r
1128 extern const ssh_cipheralg ssh_aes128_sdctr_ni;\r
1129 extern const ssh_cipheralg ssh_aes128_sdctr_neon;\r
1130 extern const ssh_cipheralg ssh_aes128_sdctr_sw;\r
1131 extern const ssh_cipheralg ssh_aes128_gcm;\r
1132 extern const ssh_cipheralg ssh_aes128_gcm_ni;\r
1133 extern const ssh_cipheralg ssh_aes128_gcm_neon;\r
1134 extern const ssh_cipheralg ssh_aes128_gcm_sw;\r
1135 extern const ssh_cipheralg ssh_aes128_cbc;\r
1136 extern const ssh_cipheralg ssh_aes128_cbc_ni;\r
1137 extern const ssh_cipheralg ssh_aes128_cbc_neon;\r
1138 extern const ssh_cipheralg ssh_aes128_cbc_sw;\r
1139 extern const ssh_cipheralg ssh_blowfish_ssh2_ctr;\r
1140 extern const ssh_cipheralg ssh_blowfish_ssh2;\r
1141 extern const ssh_cipheralg ssh_arcfour256_ssh2;\r
1142 extern const ssh_cipheralg ssh_arcfour128_ssh2;\r
1143 extern const ssh_cipheralg ssh2_chacha20_poly1305;\r
1144 extern const ssh2_ciphers ssh2_3des;\r
1145 extern const ssh2_ciphers ssh2_des;\r
1146 extern const ssh2_ciphers ssh2_aes;\r
1147 extern const ssh2_ciphers ssh2_blowfish;\r
1148 extern const ssh2_ciphers ssh2_arcfour;\r
1149 extern const ssh2_ciphers ssh2_ccp;\r
1150 extern const ssh2_ciphers ssh2_aesgcm;\r
1151 extern const ssh_hashalg ssh_md5;\r
1152 extern const ssh_hashalg ssh_sha1;\r
1153 extern const ssh_hashalg ssh_sha1_ni;\r
1154 extern const ssh_hashalg ssh_sha1_neon;\r
1155 extern const ssh_hashalg ssh_sha1_sw;\r
1156 extern const ssh_hashalg ssh_sha256;\r
1157 extern const ssh_hashalg ssh_sha256_ni;\r
1158 extern const ssh_hashalg ssh_sha256_neon;\r
1159 extern const ssh_hashalg ssh_sha256_sw;\r
1160 extern const ssh_hashalg ssh_sha384;\r
1161 extern const ssh_hashalg ssh_sha384_neon;\r
1162 extern const ssh_hashalg ssh_sha384_sw;\r
1163 extern const ssh_hashalg ssh_sha512;\r
1164 extern const ssh_hashalg ssh_sha512_neon;\r
1165 extern const ssh_hashalg ssh_sha512_sw;\r
1166 extern const ssh_hashalg ssh_sha3_224;\r
1167 extern const ssh_hashalg ssh_sha3_256;\r
1168 extern const ssh_hashalg ssh_sha3_384;\r
1169 extern const ssh_hashalg ssh_sha3_512;\r
1170 extern const ssh_hashalg ssh_shake256_114bytes;\r
1171 extern const ssh_hashalg ssh_blake2b;\r
1172 extern const ssh_kexes ssh_diffiehellman_group1;\r
1173 extern const ssh_kexes ssh_diffiehellman_group14;\r
1174 extern const ssh_kexes ssh_diffiehellman_group15;\r
1175 extern const ssh_kexes ssh_diffiehellman_group16;\r
1176 extern const ssh_kexes ssh_diffiehellman_group17;\r
1177 extern const ssh_kexes ssh_diffiehellman_group18;\r
1178 extern const ssh_kexes ssh_diffiehellman_gex;\r
1179 extern const ssh_kex ssh_diffiehellman_group1_sha1;\r
1180 extern const ssh_kex ssh_diffiehellman_group14_sha256;\r
1181 extern const ssh_kex ssh_diffiehellman_group14_sha1;\r
1182 extern const ssh_kex ssh_diffiehellman_group15_sha512;\r
1183 extern const ssh_kex ssh_diffiehellman_group16_sha512;\r
1184 extern const ssh_kex ssh_diffiehellman_group17_sha512;\r
1185 extern const ssh_kex ssh_diffiehellman_group18_sha512;\r
1186 extern const ssh_kexes ssh_gssk5_sha1_kex;\r
1187 extern const ssh_kexes ssh_gssk5_sha2_kex;\r
1188 extern const ssh_kexes ssh_gssk5_ecdh_kex;\r
1189 extern const ssh_kexes ssh_rsa_kex;\r
1190 extern const ssh_kex ssh_ec_kex_curve25519;\r
1191 extern const ssh_kex ssh_ec_kex_curve448;\r
1192 extern const ssh_kex ssh_ec_kex_nistp256;\r
1193 extern const ssh_kex ssh_ec_kex_nistp384;\r
1194 extern const ssh_kex ssh_ec_kex_nistp521;\r
1195 extern const ssh_kexes ssh_ecdh_kex;\r
1196 extern const ssh_kexes ssh_ntru_hybrid_kex;\r
1197 extern const ssh_keyalg ssh_dsa;\r
1198 extern const ssh_keyalg ssh_rsa;\r
1199 extern const ssh_keyalg ssh_rsa_sha256;\r
1200 extern const ssh_keyalg ssh_rsa_sha512;\r
1201 extern const ssh_keyalg ssh_ecdsa_ed25519;\r
1202 extern const ssh_keyalg ssh_ecdsa_ed448;\r
1203 extern const ssh_keyalg ssh_ecdsa_nistp256;\r
1204 extern const ssh_keyalg ssh_ecdsa_nistp384;\r
1205 extern const ssh_keyalg ssh_ecdsa_nistp521;\r
1206 extern const ssh_keyalg opensshcert_ssh_dsa;\r
1207 extern const ssh_keyalg opensshcert_ssh_rsa;\r
1208 extern const ssh_keyalg opensshcert_ssh_rsa_sha256;\r
1209 extern const ssh_keyalg opensshcert_ssh_rsa_sha512;\r
1210 extern const ssh_keyalg opensshcert_ssh_ecdsa_ed25519;\r
1211 extern const ssh_keyalg opensshcert_ssh_ecdsa_nistp256;\r
1212 extern const ssh_keyalg opensshcert_ssh_ecdsa_nistp384;\r
1213 extern const ssh_keyalg opensshcert_ssh_ecdsa_nistp521;\r
1214 extern const ssh2_macalg ssh_hmac_md5;\r
1215 extern const ssh2_macalg ssh_hmac_sha1;\r
1216 extern const ssh2_macalg ssh_hmac_sha1_buggy;\r
1217 extern const ssh2_macalg ssh_hmac_sha1_96;\r
1218 extern const ssh2_macalg ssh_hmac_sha1_96_buggy;\r
1219 extern const ssh2_macalg ssh_hmac_sha256;\r
1220 extern const ssh2_macalg ssh_hmac_sha384;\r
1221 extern const ssh2_macalg ssh_hmac_sha512;\r
1222 extern const ssh2_macalg ssh2_poly1305;\r
1223 extern const ssh2_macalg ssh2_aesgcm_mac;\r
1224 extern const ssh2_macalg ssh2_aesgcm_mac_sw;\r
1225 extern const ssh2_macalg ssh2_aesgcm_mac_ref_poly;\r
1226 extern const ssh2_macalg ssh2_aesgcm_mac_clmul;\r
1227 extern const ssh2_macalg ssh2_aesgcm_mac_neon;\r
1228 extern const ssh_compression_alg ssh_zlib;\r
1229 \r
1230 /* Special constructor: BLAKE2b can be instantiated with any hash\r
1231 * length up to 128 bytes */\r
1232 ssh_hash *blake2b_new_general(unsigned hashlen);\r
1233 \r
1234 /* Special test function for AES-GCM */\r
1235 void aesgcm_set_prefix_lengths(ssh2_mac *mac, size_t skip, size_t aad);\r
1236 \r
1237 /*\r
1238 * On some systems, you have to detect hardware crypto acceleration by\r
1239 * asking the local OS API rather than OS-agnostically asking the CPU\r
1240 * itself. If so, then this function should be implemented in each\r
1241 * platform subdirectory.\r
1242 */\r
1243 bool platform_aes_neon_available(void);\r
1244 bool platform_pmull_neon_available(void);\r
1245 bool platform_sha256_neon_available(void);\r
1246 bool platform_sha1_neon_available(void);\r
1247 bool platform_sha512_neon_available(void);\r
1248 \r
1249 /*\r
1250 * PuTTY version number formatted as an SSH version string.\r
1251 */\r
1252 extern const char sshver[];\r
1253 \r
1254 /*\r
1255 * Gross hack: pscp will try to start SFTP but fall back to scp1 if\r
1256 * that fails. This variable is the means by which pscp.c can reach\r
1257 * into the SSH code and find out which one it got.\r
1258 */\r
1259 extern bool ssh_fallback_cmd(Backend *backend);\r
1260 \r
1261 /*\r
1262 * The PRNG type, defined in prng.c. Visible data fields are\r
1263 * 'savesize', which suggests how many random bytes you should request\r
1264 * from a particular PRNG instance to write to putty.rnd, and a\r
1265 * BinarySink implementation which you can use to write seed data in\r
1266 * between calling prng_seed_{begin,finish}.\r
1267 */\r
1268 struct prng {\r
1269 size_t savesize;\r
1270 BinarySink_IMPLEMENTATION;\r
1271 /* (also there's a surrounding implementation struct in prng.c) */\r
1272 };\r
1273 prng *prng_new(const ssh_hashalg *hashalg);\r
1274 void prng_free(prng *p);\r
1275 void prng_seed_begin(prng *p);\r
1276 void prng_seed_finish(prng *p);\r
1277 void prng_read(prng *p, void *vout, size_t size);\r
1278 void prng_add_entropy(prng *p, unsigned source_id, ptrlen data);\r
1279 size_t prng_seed_bits(prng *p);\r
1280 \r
1281 /* This function must be implemented by the platform, and returns a\r
1282 * timer in milliseconds that the PRNG can use to know whether it's\r
1283 * been reseeded too recently to do it again.\r
1284 *\r
1285 * The PRNG system has its own special timing function not because its\r
1286 * timing needs are unusual in the real applications, but simply so\r
1287 * that testcrypt can mock it to keep the tests deterministic. */\r
1288 uint64_t prng_reseed_time_ms(void);\r
1289 \r
1290 void random_read(void *out, size_t size);\r
1291 \r
1292 /* Exports from x11fwd.c */\r
1293 enum {\r
1294 X11_TRANS_IPV4 = 0, X11_TRANS_IPV6 = 6, X11_TRANS_UNIX = 256\r
1295 };\r
1296 struct X11Display {\r
1297 /* Broken-down components of the display name itself */\r
1298 bool unixdomain;\r
1299 char *hostname;\r
1300 int displaynum;\r
1301 int screennum;\r
1302 /* OSX sometimes replaces all the above with a full Unix-socket pathname */\r
1303 char *unixsocketpath;\r
1304 \r
1305 /* PuTTY networking SockAddr to connect to the display, and associated\r
1306 * gubbins */\r
1307 SockAddr *addr;\r
1308 int port;\r
1309 char *realhost;\r
1310 \r
1311 /* Our local auth details for talking to the real X display. */\r
1312 int localauthproto;\r
1313 unsigned char *localauthdata;\r
1314 int localauthdatalen;\r
1315 };\r
1316 struct X11FakeAuth {\r
1317 /* Auth details we invented for a virtual display on the SSH server. */\r
1318 int proto;\r
1319 unsigned char *data;\r
1320 int datalen;\r
1321 char *protoname;\r
1322 char *datastring;\r
1323 \r
1324 /* The encrypted form of the first block, in XDM-AUTHORIZATION-1.\r
1325 * Used as part of the key when these structures are organised\r
1326 * into a tree. See x11_invent_fake_auth for explanation. */\r
1327 unsigned char *xa1_firstblock;\r
1328 \r
1329 /*\r
1330 * Used inside x11fwd.c to remember recently seen\r
1331 * XDM-AUTHORIZATION-1 strings, to avoid replay attacks.\r
1332 */\r
1333 tree234 *xdmseen;\r
1334 \r
1335 /*\r
1336 * What to do with an X connection matching this auth data.\r
1337 */\r
1338 struct X11Display *disp;\r
1339 ssh_sharing_connstate *share_cs;\r
1340 share_channel *share_chan;\r
1341 };\r
1342 int x11_authcmp(void *av, void *bv); /* for putting X11FakeAuth in a tree234 */\r
1343 /*\r
1344 * x11_setup_display() parses the display variable and fills in an\r
1345 * X11Display structure. Some remote auth details are invented;\r
1346 * the supplied authtype parameter configures the preferred\r
1347 * authorisation protocol to use at the remote end. The local auth\r
1348 * details are looked up by calling platform_get_x11_auth.\r
1349 *\r
1350 * If the returned pointer is NULL, then *error_msg will contain a\r
1351 * dynamically allocated error message string.\r
1352 */\r
1353 extern struct X11Display *x11_setup_display(const char *display, Conf *,\r
1354 char **error_msg);\r
1355 void x11_free_display(struct X11Display *disp);\r
1356 struct X11FakeAuth *x11_invent_fake_auth(tree234 *t, int authtype);\r
1357 void x11_free_fake_auth(struct X11FakeAuth *auth);\r
1358 Channel *x11_new_channel(tree234 *authtree, SshChannel *c,\r
1359 const char *peeraddr, int peerport,\r
1360 bool connection_sharing_possible);\r
1361 char *x11_display(const char *display);\r
1362 /* Platform-dependent X11 functions */\r
1363 extern void platform_get_x11_auth(struct X11Display *display, Conf *);\r
1364 /* examine a mostly-filled-in X11Display and fill in localauth* */\r
1365 extern const bool platform_uses_x11_unix_by_default;\r
1366 /* choose default X transport in the absence of a specified one */\r
1367 SockAddr *platform_get_x11_unix_address(const char *path, int displaynum);\r
1368 /* make up a SockAddr naming the address for displaynum */\r
1369 char *platform_get_x_display(void);\r
1370 /* allocated local X display string, if any */\r
1371 /* X11-related helper functions in utils */\r
1372 /*\r
1373 * This function does the job of platform_get_x11_auth, provided\r
1374 * it is told where to find a normally formatted .Xauthority file:\r
1375 * it opens that file, parses it to find an auth record which\r
1376 * matches the display details in "display", and fills in the\r
1377 * localauth fields.\r
1378 *\r
1379 * It is expected that most implementations of\r
1380 * platform_get_x11_auth() will work by finding their system's\r
1381 * .Xauthority file, adjusting the display details if necessary\r
1382 * for local oddities like Unix-domain socket transport, and\r
1383 * calling this function to do the rest of the work.\r
1384 */\r
1385 void x11_get_auth_from_authfile(struct X11Display *display,\r
1386 const char *authfilename);\r
1387 void x11_format_auth_for_authfile(\r
1388 BinarySink *bs, SockAddr *addr, int display_no,\r
1389 ptrlen authproto, ptrlen authdata);\r
1390 void *x11_make_greeting(int endian, int protomajor, int protominor,\r
1391 int auth_proto, const void *auth_data, int auth_len,\r
1392 const char *peer_ip, int peer_port,\r
1393 int *outlen);\r
1394 int x11_identify_auth_proto(ptrlen protoname);\r
1395 void *x11_dehexify(ptrlen hex, int *outlen);\r
1396 bool x11_parse_ip(const char *addr_string, unsigned long *ip);\r
1397 \r
1398 Channel *agentf_new(SshChannel *c);\r
1399 \r
1400 bool dh_is_gex(const ssh_kex *kex);\r
1401 dh_ctx *dh_setup_group(const ssh_kex *kex);\r
1402 dh_ctx *dh_setup_gex(mp_int *pval, mp_int *gval);\r
1403 int dh_modulus_bit_size(const dh_ctx *ctx);\r
1404 void dh_cleanup(dh_ctx *);\r
1405 mp_int *dh_create_e(dh_ctx *);\r
1406 const char *dh_validate_f(dh_ctx *, mp_int *f);\r
1407 mp_int *dh_find_K(dh_ctx *, mp_int *f);\r
1408 \r
1409 static inline bool is_base64_char(char c)\r
1410 {\r
1411 return ((c >= '0' && c <= '9') ||\r
1412 (c >= 'a' && c <= 'z') ||\r
1413 (c >= 'A' && c <= 'Z') ||\r
1414 c == '+' || c == '/' || c == '=');\r
1415 }\r
1416 \r
1417 extern int base64_lines(int datalen);\r
1418 \r
1419 /* ppk_load_* can return this as an error */\r
1420 extern ssh2_userkey ssh2_wrong_passphrase;\r
1421 #define SSH2_WRONG_PASSPHRASE (&ssh2_wrong_passphrase)\r
1422 \r
1423 bool ppk_encrypted_s(BinarySource *src, char **comment);\r
1424 bool ppk_encrypted_f(const Filename *filename, char **comment);\r
1425 bool rsa1_encrypted_s(BinarySource *src, char **comment);\r
1426 bool rsa1_encrypted_f(const Filename *filename, char **comment);\r
1427 \r
1428 ssh2_userkey *ppk_load_s(BinarySource *src, const char *passphrase,\r
1429 const char **errorstr);\r
1430 ssh2_userkey *ppk_load_f(const Filename *filename, const char *passphrase,\r
1431 const char **errorstr);\r
1432 int rsa1_load_s(BinarySource *src, RSAKey *key,\r
1433 const char *passphrase, const char **errorstr);\r
1434 int rsa1_load_f(const Filename *filename, RSAKey *key,\r
1435 const char *passphrase, const char **errorstr);\r
1436 \r
1437 typedef struct ppk_save_parameters {\r
1438 unsigned fmt_version; /* currently 2 or 3 */\r
1439 \r
1440 /*\r
1441 * Parameters for fmt_version == 3\r
1442 */\r
1443 Argon2Flavour argon2_flavour;\r
1444 uint32_t argon2_mem; /* in Kbyte */\r
1445 bool argon2_passes_auto;\r
1446 union {\r
1447 uint32_t argon2_passes; /* if auto == false */\r
1448 uint32_t argon2_milliseconds; /* if auto == true */\r
1449 };\r
1450 uint32_t argon2_parallelism;\r
1451 \r
1452 /* The ability to choose a specific salt is only intended for the\r
1453 * use of the automated test of PuTTYgen. It's a (mild) security\r
1454 * risk to do it with any passphrase you actually care about,\r
1455 * because it invalidates the entire point of having a salt in the\r
1456 * first place. */\r
1457 const uint8_t *salt;\r
1458 size_t saltlen;\r
1459 } ppk_save_parameters;\r
1460 extern const ppk_save_parameters ppk_save_default_parameters;\r
1461 \r
1462 strbuf *ppk_save_sb(ssh2_userkey *key, const char *passphrase,\r
1463 const ppk_save_parameters *params);\r
1464 bool ppk_save_f(const Filename *filename, ssh2_userkey *key,\r
1465 const char *passphrase, const ppk_save_parameters *params);\r
1466 strbuf *rsa1_save_sb(RSAKey *key, const char *passphrase);\r
1467 bool rsa1_save_f(const Filename *filename, RSAKey *key,\r
1468 const char *passphrase);\r
1469 \r
1470 bool ppk_loadpub_s(BinarySource *src, char **algorithm, BinarySink *bs,\r
1471 char **commentptr, const char **errorstr);\r
1472 bool ppk_loadpub_f(const Filename *filename, char **algorithm, BinarySink *bs,\r
1473 char **commentptr, const char **errorstr);\r
1474 int rsa1_loadpub_s(BinarySource *src, BinarySink *bs,\r
1475 char **commentptr, const char **errorstr);\r
1476 int rsa1_loadpub_f(const Filename *filename, BinarySink *bs,\r
1477 char **commentptr, const char **errorstr);\r
1478 \r
1479 extern const ssh_keyalg *const all_keyalgs[];\r
1480 extern const size_t n_keyalgs;\r
1481 const ssh_keyalg *find_pubkey_alg(const char *name);\r
1482 const ssh_keyalg *find_pubkey_alg_len(ptrlen name);\r
1483 \r
1484 ptrlen pubkey_blob_to_alg_name(ptrlen blob);\r
1485 const ssh_keyalg *pubkey_blob_to_alg(ptrlen blob);\r
1486 \r
1487 /* Convenient wrappers on the LoadedFile mechanism suitable for key files */\r
1488 LoadedFile *lf_load_keyfile(const Filename *filename, const char **errptr);\r
1489 LoadedFile *lf_load_keyfile_fp(FILE *fp, const char **errptr);\r
1490 \r
1491 enum {\r
1492 SSH_KEYTYPE_UNOPENABLE,\r
1493 SSH_KEYTYPE_UNKNOWN,\r
1494 SSH_KEYTYPE_SSH1, SSH_KEYTYPE_SSH2,\r
1495 /*\r
1496 * The OpenSSH key types deserve a little explanation. OpenSSH has\r
1497 * two physical formats for private key storage: an old PEM-based\r
1498 * one largely dictated by their use of OpenSSL and full of ASN.1,\r
1499 * and a new one using the same private key formats used over the\r
1500 * wire for talking to ssh-agent. The old format can only support\r
1501 * a subset of the key types, because it needs redesign for each\r
1502 * key type, and after a while they decided to move to the new\r
1503 * format so as not to have to do that.\r
1504 *\r
1505 * On input, key files are identified as either\r
1506 * SSH_KEYTYPE_OPENSSH_PEM or SSH_KEYTYPE_OPENSSH_NEW, describing\r
1507 * accurately which actual format the keys are stored in.\r
1508 *\r
1509 * On output, however, we default to following OpenSSH's own\r
1510 * policy of writing out PEM-style keys for maximum backwards\r
1511 * compatibility if the key type supports it, and otherwise\r
1512 * switching to the new format. So the formats you can select for\r
1513 * output are SSH_KEYTYPE_OPENSSH_NEW (forcing the new format for\r
1514 * any key type), and SSH_KEYTYPE_OPENSSH_AUTO to use the oldest\r
1515 * format supported by whatever key type you're writing out.\r
1516 *\r
1517 * So we have three type codes, but only two of them usable in any\r
1518 * given circumstance. An input key file will never be identified\r
1519 * as AUTO, only PEM or NEW; key export UIs should not be able to\r
1520 * select PEM, only AUTO or NEW.\r
1521 */\r
1522 SSH_KEYTYPE_OPENSSH_AUTO,\r
1523 SSH_KEYTYPE_OPENSSH_PEM,\r
1524 SSH_KEYTYPE_OPENSSH_NEW,\r
1525 SSH_KEYTYPE_SSHCOM,\r
1526 /*\r
1527 * Public-key-only formats, which we still want to be able to read\r
1528 * for various purposes.\r
1529 */\r
1530 SSH_KEYTYPE_SSH1_PUBLIC,\r
1531 SSH_KEYTYPE_SSH2_PUBLIC_RFC4716,\r
1532 SSH_KEYTYPE_SSH2_PUBLIC_OPENSSH\r
1533 };\r
1534 \r
1535 typedef enum {\r
1536 /* Default fingerprint types strip off a certificate to show you\r
1537 * the fingerprint of the underlying public key */\r
1538 SSH_FPTYPE_MD5,\r
1539 SSH_FPTYPE_SHA256,\r
1540 /* Non-default version of each fingerprint type which is 'raw',\r
1541 * giving you the true hash of the public key blob even if it\r
1542 * includes a certificate */\r
1543 SSH_FPTYPE_MD5_CERT,\r
1544 SSH_FPTYPE_SHA256_CERT,\r
1545 } FingerprintType;\r
1546 \r
1547 static inline bool ssh_fptype_is_cert(FingerprintType fptype)\r
1548 {\r
1549 return fptype >= SSH_FPTYPE_MD5_CERT;\r
1550 }\r
1551 static inline FingerprintType ssh_fptype_from_cert(FingerprintType fptype)\r
1552 {\r
1553 if (ssh_fptype_is_cert(fptype))\r
1554 fptype -= (SSH_FPTYPE_MD5_CERT - SSH_FPTYPE_MD5);\r
1555 return fptype;\r
1556 }\r
1557 static inline FingerprintType ssh_fptype_to_cert(FingerprintType fptype)\r
1558 {\r
1559 if (!ssh_fptype_is_cert(fptype))\r
1560 fptype += (SSH_FPTYPE_MD5_CERT - SSH_FPTYPE_MD5);\r
1561 return fptype;\r
1562 }\r
1563 \r
1564 #define SSH_N_FPTYPES (SSH_FPTYPE_SHA256_CERT + 1)\r
1565 #define SSH_FPTYPE_DEFAULT SSH_FPTYPE_SHA256\r
1566 \r
1567 FingerprintType ssh2_pick_fingerprint(char **fingerprints,\r
1568 FingerprintType preferred_type);\r
1569 FingerprintType ssh2_pick_default_fingerprint(char **fingerprints);\r
1570 \r
1571 char *ssh1_pubkey_str(RSAKey *ssh1key);\r
1572 void ssh1_write_pubkey(FILE *fp, RSAKey *ssh1key);\r
1573 char *ssh2_pubkey_openssh_str(ssh2_userkey *key);\r
1574 void ssh2_write_pubkey(FILE *fp, const char *comment,\r
1575 const void *v_pub_blob, int pub_len,\r
1576 int keytype);\r
1577 char *ssh2_fingerprint_blob(ptrlen, FingerprintType);\r
1578 char *ssh2_fingerprint(ssh_key *key, FingerprintType);\r
1579 char *ssh2_double_fingerprint_blob(ptrlen, FingerprintType);\r
1580 char *ssh2_double_fingerprint(ssh_key *key, FingerprintType);\r
1581 char **ssh2_all_fingerprints_for_blob(ptrlen);\r
1582 char **ssh2_all_fingerprints(ssh_key *key);\r
1583 void ssh2_free_all_fingerprints(char **);\r
1584 int key_type(const Filename *filename);\r
1585 int key_type_s(BinarySource *src);\r
1586 const char *key_type_to_str(int type);\r
1587 \r
1588 bool import_possible(int type);\r
1589 int import_target_type(int type);\r
1590 bool import_encrypted(const Filename *filename, int type, char **comment);\r
1591 bool import_encrypted_s(const Filename *filename, BinarySource *src,\r
1592 int type, char **comment);\r
1593 int import_ssh1(const Filename *filename, int type,\r
1594 RSAKey *key, char *passphrase, const char **errmsg_p);\r
1595 int import_ssh1_s(BinarySource *src, int type,\r
1596 RSAKey *key, char *passphrase, const char **errmsg_p);\r
1597 ssh2_userkey *import_ssh2(const Filename *filename, int type,\r
1598 char *passphrase, const char **errmsg_p);\r
1599 ssh2_userkey *import_ssh2_s(BinarySource *src, int type,\r
1600 char *passphrase, const char **errmsg_p);\r
1601 bool export_ssh1(const Filename *filename, int type,\r
1602 RSAKey *key, char *passphrase);\r
1603 bool export_ssh2(const Filename *filename, int type,\r
1604 ssh2_userkey *key, char *passphrase);\r
1605 \r
1606 void des3_decrypt_pubkey(const void *key, void *blk, int len);\r
1607 void des3_encrypt_pubkey(const void *key, void *blk, int len);\r
1608 void des3_decrypt_pubkey_ossh(const void *key, const void *iv,\r
1609 void *blk, int len);\r
1610 void des3_encrypt_pubkey_ossh(const void *key, const void *iv,\r
1611 void *blk, int len);\r
1612 void aes256_encrypt_pubkey(const void *key, const void *iv,\r
1613 void *blk, int len);\r
1614 void aes256_decrypt_pubkey(const void *key, const void *iv,\r
1615 void *blk, int len);\r
1616 \r
1617 void des_encrypt_xdmauth(const void *key, void *blk, int len);\r
1618 void des_decrypt_xdmauth(const void *key, void *blk, int len);\r
1619 \r
1620 void openssh_bcrypt(ptrlen passphrase, ptrlen salt,\r
1621 int rounds, unsigned char *out, int outbytes);\r
1622 \r
1623 /*\r
1624 * Connection-sharing API provided by platforms. This function must\r
1625 * either:\r
1626 * - return SHARE_NONE and do nothing\r
1627 * - return SHARE_DOWNSTREAM and set *sock to a Socket connected to\r
1628 * downplug\r
1629 * - return SHARE_UPSTREAM and set *sock to a Socket connected to\r
1630 * upplug.\r
1631 */\r
1632 enum { SHARE_NONE, SHARE_DOWNSTREAM, SHARE_UPSTREAM };\r
1633 int platform_ssh_share(const char *name, Conf *conf,\r
1634 Plug *downplug, Plug *upplug, Socket **sock,\r
1635 char **logtext, char **ds_err, char **us_err,\r
1636 bool can_upstream, bool can_downstream);\r
1637 void platform_ssh_share_cleanup(const char *name);\r
1638 \r
1639 /*\r
1640 * List macro defining the SSH-1 message type codes.\r
1641 */\r
1642 #define SSH1_MESSAGE_TYPES(X, y) \\r
1643 X(y, SSH1_MSG_DISCONNECT, 1) \\r
1644 X(y, SSH1_SMSG_PUBLIC_KEY, 2) \\r
1645 X(y, SSH1_CMSG_SESSION_KEY, 3) \\r
1646 X(y, SSH1_CMSG_USER, 4) \\r
1647 X(y, SSH1_CMSG_AUTH_RSA, 6) \\r
1648 X(y, SSH1_SMSG_AUTH_RSA_CHALLENGE, 7) \\r
1649 X(y, SSH1_CMSG_AUTH_RSA_RESPONSE, 8) \\r
1650 X(y, SSH1_CMSG_AUTH_PASSWORD, 9) \\r
1651 X(y, SSH1_CMSG_REQUEST_PTY, 10) \\r
1652 X(y, SSH1_CMSG_WINDOW_SIZE, 11) \\r
1653 X(y, SSH1_CMSG_EXEC_SHELL, 12) \\r
1654 X(y, SSH1_CMSG_EXEC_CMD, 13) \\r
1655 X(y, SSH1_SMSG_SUCCESS, 14) \\r
1656 X(y, SSH1_SMSG_FAILURE, 15) \\r
1657 X(y, SSH1_CMSG_STDIN_DATA, 16) \\r
1658 X(y, SSH1_SMSG_STDOUT_DATA, 17) \\r
1659 X(y, SSH1_SMSG_STDERR_DATA, 18) \\r
1660 X(y, SSH1_CMSG_EOF, 19) \\r
1661 X(y, SSH1_SMSG_EXIT_STATUS, 20) \\r
1662 X(y, SSH1_MSG_CHANNEL_OPEN_CONFIRMATION, 21) \\r
1663 X(y, SSH1_MSG_CHANNEL_OPEN_FAILURE, 22) \\r
1664 X(y, SSH1_MSG_CHANNEL_DATA, 23) \\r
1665 X(y, SSH1_MSG_CHANNEL_CLOSE, 24) \\r
1666 X(y, SSH1_MSG_CHANNEL_CLOSE_CONFIRMATION, 25) \\r
1667 X(y, SSH1_SMSG_X11_OPEN, 27) \\r
1668 X(y, SSH1_CMSG_PORT_FORWARD_REQUEST, 28) \\r
1669 X(y, SSH1_MSG_PORT_OPEN, 29) \\r
1670 X(y, SSH1_CMSG_AGENT_REQUEST_FORWARDING, 30) \\r
1671 X(y, SSH1_SMSG_AGENT_OPEN, 31) \\r
1672 X(y, SSH1_MSG_IGNORE, 32) \\r
1673 X(y, SSH1_CMSG_EXIT_CONFIRMATION, 33) \\r
1674 X(y, SSH1_CMSG_X11_REQUEST_FORWARDING, 34) \\r
1675 X(y, SSH1_CMSG_AUTH_RHOSTS_RSA, 35) \\r
1676 X(y, SSH1_MSG_DEBUG, 36) \\r
1677 X(y, SSH1_CMSG_REQUEST_COMPRESSION, 37) \\r
1678 X(y, SSH1_CMSG_AUTH_TIS, 39) \\r
1679 X(y, SSH1_SMSG_AUTH_TIS_CHALLENGE, 40) \\r
1680 X(y, SSH1_CMSG_AUTH_TIS_RESPONSE, 41) \\r
1681 X(y, SSH1_CMSG_AUTH_CCARD, 70) \\r
1682 X(y, SSH1_SMSG_AUTH_CCARD_CHALLENGE, 71) \\r
1683 X(y, SSH1_CMSG_AUTH_CCARD_RESPONSE, 72) \\r
1684 /* end of list */\r
1685 \r
1686 #define SSH1_AUTH_RHOSTS 1 /* 0x1 */\r
1687 #define SSH1_AUTH_RSA 2 /* 0x2 */\r
1688 #define SSH1_AUTH_PASSWORD 3 /* 0x3 */\r
1689 #define SSH1_AUTH_RHOSTS_RSA 4 /* 0x4 */\r
1690 #define SSH1_AUTH_TIS 5 /* 0x5 */\r
1691 #define SSH1_AUTH_CCARD 16 /* 0x10 */\r
1692 \r
1693 #define SSH1_PROTOFLAG_SCREEN_NUMBER 1 /* 0x1 */\r
1694 /* Mask for protoflags we will echo back to server if seen */\r
1695 #define SSH1_PROTOFLAGS_SUPPORTED 0 /* 0x1 */\r
1696 \r
1697 /*\r
1698 * List macro defining SSH-2 message type codes. Some of these depend\r
1699 * on particular contexts (i.e. a previously negotiated kex or auth\r
1700 * method)\r
1701 */\r
1702 #define SSH2_MESSAGE_TYPES(X, K, A, y) \\r
1703 X(y, SSH2_MSG_DISCONNECT, 1) \\r
1704 X(y, SSH2_MSG_IGNORE, 2) \\r
1705 X(y, SSH2_MSG_UNIMPLEMENTED, 3) \\r
1706 X(y, SSH2_MSG_DEBUG, 4) \\r
1707 X(y, SSH2_MSG_SERVICE_REQUEST, 5) \\r
1708 X(y, SSH2_MSG_SERVICE_ACCEPT, 6) \\r
1709 X(y, SSH2_MSG_EXT_INFO, 7) \\r
1710 X(y, SSH2_MSG_KEXINIT, 20) \\r
1711 X(y, SSH2_MSG_NEWKEYS, 21) \\r
1712 K(y, SSH2_MSG_KEXDH_INIT, 30, SSH2_PKTCTX_DHGROUP) \\r
1713 K(y, SSH2_MSG_KEXDH_REPLY, 31, SSH2_PKTCTX_DHGROUP) \\r
1714 K(y, SSH2_MSG_KEX_DH_GEX_REQUEST_OLD, 30, SSH2_PKTCTX_DHGEX) \\r
1715 K(y, SSH2_MSG_KEX_DH_GEX_REQUEST, 34, SSH2_PKTCTX_DHGEX) \\r
1716 K(y, SSH2_MSG_KEX_DH_GEX_GROUP, 31, SSH2_PKTCTX_DHGEX) \\r
1717 K(y, SSH2_MSG_KEX_DH_GEX_INIT, 32, SSH2_PKTCTX_DHGEX) \\r
1718 K(y, SSH2_MSG_KEX_DH_GEX_REPLY, 33, SSH2_PKTCTX_DHGEX) \\r
1719 K(y, SSH2_MSG_KEXGSS_INIT, 30, SSH2_PKTCTX_GSSKEX) \\r
1720 K(y, SSH2_MSG_KEXGSS_CONTINUE, 31, SSH2_PKTCTX_GSSKEX) \\r
1721 K(y, SSH2_MSG_KEXGSS_COMPLETE, 32, SSH2_PKTCTX_GSSKEX) \\r
1722 K(y, SSH2_MSG_KEXGSS_HOSTKEY, 33, SSH2_PKTCTX_GSSKEX) \\r
1723 K(y, SSH2_MSG_KEXGSS_ERROR, 34, SSH2_PKTCTX_GSSKEX) \\r
1724 K(y, SSH2_MSG_KEXGSS_GROUPREQ, 40, SSH2_PKTCTX_GSSKEX) \\r
1725 K(y, SSH2_MSG_KEXGSS_GROUP, 41, SSH2_PKTCTX_GSSKEX) \\r
1726 K(y, SSH2_MSG_KEXRSA_PUBKEY, 30, SSH2_PKTCTX_RSAKEX) \\r
1727 K(y, SSH2_MSG_KEXRSA_SECRET, 31, SSH2_PKTCTX_RSAKEX) \\r
1728 K(y, SSH2_MSG_KEXRSA_DONE, 32, SSH2_PKTCTX_RSAKEX) \\r
1729 K(y, SSH2_MSG_KEX_ECDH_INIT, 30, SSH2_PKTCTX_ECDHKEX) \\r
1730 K(y, SSH2_MSG_KEX_ECDH_REPLY, 31, SSH2_PKTCTX_ECDHKEX) \\r
1731 X(y, SSH2_MSG_USERAUTH_REQUEST, 50) \\r
1732 X(y, SSH2_MSG_USERAUTH_FAILURE, 51) \\r
1733 X(y, SSH2_MSG_USERAUTH_SUCCESS, 52) \\r
1734 X(y, SSH2_MSG_USERAUTH_BANNER, 53) \\r
1735 A(y, SSH2_MSG_USERAUTH_PK_OK, 60, SSH2_PKTCTX_PUBLICKEY) \\r
1736 A(y, SSH2_MSG_USERAUTH_PASSWD_CHANGEREQ, 60, SSH2_PKTCTX_PASSWORD) \\r
1737 A(y, SSH2_MSG_USERAUTH_INFO_REQUEST, 60, SSH2_PKTCTX_KBDINTER) \\r
1738 A(y, SSH2_MSG_USERAUTH_INFO_RESPONSE, 61, SSH2_PKTCTX_KBDINTER) \\r
1739 A(y, SSH2_MSG_USERAUTH_GSSAPI_RESPONSE, 60, SSH2_PKTCTX_GSSAPI) \\r
1740 A(y, SSH2_MSG_USERAUTH_GSSAPI_TOKEN, 61, SSH2_PKTCTX_GSSAPI) \\r
1741 A(y, SSH2_MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE, 63, SSH2_PKTCTX_GSSAPI) \\r
1742 A(y, SSH2_MSG_USERAUTH_GSSAPI_ERROR, 64, SSH2_PKTCTX_GSSAPI) \\r
1743 A(y, SSH2_MSG_USERAUTH_GSSAPI_ERRTOK, 65, SSH2_PKTCTX_GSSAPI) \\r
1744 A(y, SSH2_MSG_USERAUTH_GSSAPI_MIC, 66, SSH2_PKTCTX_GSSAPI) \\r
1745 X(y, SSH2_MSG_GLOBAL_REQUEST, 80) \\r
1746 X(y, SSH2_MSG_REQUEST_SUCCESS, 81) \\r
1747 X(y, SSH2_MSG_REQUEST_FAILURE, 82) \\r
1748 X(y, SSH2_MSG_CHANNEL_OPEN, 90) \\r
1749 X(y, SSH2_MSG_CHANNEL_OPEN_CONFIRMATION, 91) \\r
1750 X(y, SSH2_MSG_CHANNEL_OPEN_FAILURE, 92) \\r
1751 X(y, SSH2_MSG_CHANNEL_WINDOW_ADJUST, 93) \\r
1752 X(y, SSH2_MSG_CHANNEL_DATA, 94) \\r
1753 X(y, SSH2_MSG_CHANNEL_EXTENDED_DATA, 95) \\r
1754 X(y, SSH2_MSG_CHANNEL_EOF, 96) \\r
1755 X(y, SSH2_MSG_CHANNEL_CLOSE, 97) \\r
1756 X(y, SSH2_MSG_CHANNEL_REQUEST, 98) \\r
1757 X(y, SSH2_MSG_CHANNEL_SUCCESS, 99) \\r
1758 X(y, SSH2_MSG_CHANNEL_FAILURE, 100) \\r
1759 /* end of list */\r
1760 \r
1761 #define DEF_ENUM_UNIVERSAL(y, name, value) name = value,\r
1762 #define DEF_ENUM_CONTEXTUAL(y, name, value, context) name = value,\r
1763 enum {\r
1764 SSH1_MESSAGE_TYPES(DEF_ENUM_UNIVERSAL, y)\r
1765 SSH2_MESSAGE_TYPES(DEF_ENUM_UNIVERSAL,\r
1766 DEF_ENUM_CONTEXTUAL, DEF_ENUM_CONTEXTUAL, y)\r
1767 /* Virtual packet type, for packets too short to even have a type */\r
1768 SSH_MSG_NO_TYPE_CODE = 256\r
1769 };\r
1770 #undef DEF_ENUM_UNIVERSAL\r
1771 #undef DEF_ENUM_CONTEXTUAL\r
1772 \r
1773 /*\r
1774 * SSH-1 agent messages.\r
1775 */\r
1776 #define SSH1_AGENTC_REQUEST_RSA_IDENTITIES 1\r
1777 #define SSH1_AGENT_RSA_IDENTITIES_ANSWER 2\r
1778 #define SSH1_AGENTC_RSA_CHALLENGE 3\r
1779 #define SSH1_AGENT_RSA_RESPONSE 4\r
1780 #define SSH1_AGENTC_ADD_RSA_IDENTITY 7\r
1781 #define SSH1_AGENTC_REMOVE_RSA_IDENTITY 8\r
1782 #define SSH1_AGENTC_REMOVE_ALL_RSA_IDENTITIES 9 /* openssh private? */\r
1783 \r
1784 /*\r
1785 * Messages common to SSH-1 and OpenSSH's SSH-2.\r
1786 */\r
1787 #define SSH_AGENT_FAILURE 5\r
1788 #define SSH_AGENT_SUCCESS 6\r
1789 \r
1790 /*\r
1791 * OpenSSH's SSH-2 agent messages.\r
1792 */\r
1793 #define SSH2_AGENTC_REQUEST_IDENTITIES 11\r
1794 #define SSH2_AGENT_IDENTITIES_ANSWER 12\r
1795 #define SSH2_AGENTC_SIGN_REQUEST 13\r
1796 #define SSH2_AGENT_SIGN_RESPONSE 14\r
1797 #define SSH2_AGENTC_ADD_IDENTITY 17\r
1798 #define SSH2_AGENTC_REMOVE_IDENTITY 18\r
1799 #define SSH2_AGENTC_REMOVE_ALL_IDENTITIES 19\r
1800 #define SSH2_AGENTC_EXTENSION 27\r
1801 #define SSH_AGENT_EXTENSION_FAILURE 28\r
1802 \r
1803 /*\r
1804 * Assorted other SSH-related enumerations.\r
1805 */\r
1806 #define SSH2_DISCONNECT_HOST_NOT_ALLOWED_TO_CONNECT 1 /* 0x1 */\r
1807 #define SSH2_DISCONNECT_PROTOCOL_ERROR 2 /* 0x2 */\r
1808 #define SSH2_DISCONNECT_KEY_EXCHANGE_FAILED 3 /* 0x3 */\r
1809 #define SSH2_DISCONNECT_HOST_AUTHENTICATION_FAILED 4 /* 0x4 */\r
1810 #define SSH2_DISCONNECT_MAC_ERROR 5 /* 0x5 */\r
1811 #define SSH2_DISCONNECT_COMPRESSION_ERROR 6 /* 0x6 */\r
1812 #define SSH2_DISCONNECT_SERVICE_NOT_AVAILABLE 7 /* 0x7 */\r
1813 #define SSH2_DISCONNECT_PROTOCOL_VERSION_NOT_SUPPORTED 8 /* 0x8 */\r
1814 #define SSH2_DISCONNECT_HOST_KEY_NOT_VERIFIABLE 9 /* 0x9 */\r
1815 #define SSH2_DISCONNECT_CONNECTION_LOST 10 /* 0xa */\r
1816 #define SSH2_DISCONNECT_BY_APPLICATION 11 /* 0xb */\r
1817 #define SSH2_DISCONNECT_TOO_MANY_CONNECTIONS 12 /* 0xc */\r
1818 #define SSH2_DISCONNECT_AUTH_CANCELLED_BY_USER 13 /* 0xd */\r
1819 #define SSH2_DISCONNECT_NO_MORE_AUTH_METHODS_AVAILABLE 14 /* 0xe */\r
1820 #define SSH2_DISCONNECT_ILLEGAL_USER_NAME 15 /* 0xf */\r
1821 \r
1822 #define SSH2_OPEN_ADMINISTRATIVELY_PROHIBITED 1 /* 0x1 */\r
1823 #define SSH2_OPEN_CONNECT_FAILED 2 /* 0x2 */\r
1824 #define SSH2_OPEN_UNKNOWN_CHANNEL_TYPE 3 /* 0x3 */\r
1825 #define SSH2_OPEN_RESOURCE_SHORTAGE 4 /* 0x4 */\r
1826 \r
1827 #define SSH2_EXTENDED_DATA_STDERR 1 /* 0x1 */\r
1828 \r
1829 enum {\r
1830 /* TTY modes with opcodes defined consistently in the SSH specs. */\r
1831 #define TTYMODE_CHAR(name, val, index) SSH_TTYMODE_##name = val,\r
1832 #define TTYMODE_FLAG(name, val, field, mask) SSH_TTYMODE_##name = val,\r
1833 #include "ssh/ttymode-list.h"\r
1834 #undef TTYMODE_CHAR\r
1835 #undef TTYMODE_FLAG\r
1836 \r
1837 /* Modes encoded differently between SSH-1 and SSH-2, for which we\r
1838 * make up our own dummy opcodes to avoid confusion. */\r
1839 TTYMODE_dummy = 255,\r
1840 TTYMODE_ISPEED, TTYMODE_OSPEED,\r
1841 \r
1842 /* Limiting value that we can use as an array bound below */\r
1843 TTYMODE_LIMIT,\r
1844 \r
1845 /* The real opcodes for terminal speeds. */\r
1846 TTYMODE_ISPEED_SSH1 = 192,\r
1847 TTYMODE_OSPEED_SSH1 = 193,\r
1848 TTYMODE_ISPEED_SSH2 = 128,\r
1849 TTYMODE_OSPEED_SSH2 = 129,\r
1850 \r
1851 /* And the opcode that ends a list. */\r
1852 TTYMODE_END_OF_LIST = 0\r
1853 };\r
1854 \r
1855 struct ssh_ttymodes {\r
1856 /* A boolean per mode, indicating whether it's set. */\r
1857 bool have_mode[TTYMODE_LIMIT];\r
1858 \r
1859 /* The actual value for each mode. */\r
1860 unsigned mode_val[TTYMODE_LIMIT];\r
1861 };\r
1862 \r
1863 struct ssh_ttymodes get_ttymodes_from_conf(Seat *seat, Conf *conf);\r
1864 struct ssh_ttymodes read_ttymodes_from_packet(\r
1865 BinarySource *bs, int ssh_version);\r
1866 void write_ttymodes_to_packet(BinarySink *bs, int ssh_version,\r
1867 struct ssh_ttymodes modes);\r
1868 \r
1869 const char *ssh1_pkt_type(int type);\r
1870 const char *ssh2_pkt_type(Pkt_KCtx pkt_kctx, Pkt_ACtx pkt_actx, int type);\r
1871 bool ssh2_pkt_type_code_valid(unsigned type);\r
1872 \r
1873 /*\r
1874 * Need this to warn about support for the original SSH-2 keyfile\r
1875 * format.\r
1876 */\r
1877 void old_keyfile_warning(void);\r
1878 \r
1879 /*\r
1880 * Flags indicating implementation bugs that we know how to mitigate\r
1881 * if we think the other end has them.\r
1882 */\r
1883 #define SSH_IMPL_BUG_LIST(X) \\r
1884 X(BUG_CHOKES_ON_SSH1_IGNORE) \\r
1885 X(BUG_SSH2_HMAC) \\r
1886 X(BUG_NEEDS_SSH1_PLAIN_PASSWORD) \\r
1887 X(BUG_CHOKES_ON_RSA) \\r
1888 X(BUG_SSH2_RSA_PADDING) \\r
1889 X(BUG_SSH2_DERIVEKEY) \\r
1890 X(BUG_SSH2_REKEY) \\r
1891 X(BUG_SSH2_PK_SESSIONID) \\r
1892 X(BUG_SSH2_MAXPKT) \\r
1893 X(BUG_CHOKES_ON_SSH2_IGNORE) \\r
1894 X(BUG_CHOKES_ON_WINADJ) \\r
1895 X(BUG_SENDS_LATE_REQUEST_REPLY) \\r
1896 X(BUG_SSH2_OLDGEX) \\r
1897 X(BUG_REQUIRES_FILTERED_KEXINIT) \\r
1898 X(BUG_RSA_SHA2_CERT_USERAUTH) \\r
1899 /* end of list */\r
1900 #define TMP_DECLARE_LOG2_ENUM(thing) log2_##thing,\r
1901 enum { SSH_IMPL_BUG_LIST(TMP_DECLARE_LOG2_ENUM) };\r
1902 #undef TMP_DECLARE_LOG2_ENUM\r
1903 #define TMP_DECLARE_REAL_ENUM(thing) thing = 1 << log2_##thing,\r
1904 enum { SSH_IMPL_BUG_LIST(TMP_DECLARE_REAL_ENUM) };\r
1905 #undef TMP_DECLARE_REAL_ENUM\r
1906 \r
1907 /* Shared system for allocating local SSH channel ids. Expects to be\r
1908 * passed a tree full of structs that have a field called 'localid' of\r
1909 * type unsigned, and will check that! */\r
1910 unsigned alloc_channel_id_general(tree234 *channels, size_t localid_offset);\r
1911 #define alloc_channel_id(tree, type) \\r
1912 TYPECHECK(&((type *)0)->localid == (unsigned *)0, \\r
1913 alloc_channel_id_general(tree, offsetof(type, localid)))\r
1914 \r
1915 void add_to_commasep(strbuf *buf, const char *data);\r
1916 void add_to_commasep_pl(strbuf *buf, ptrlen data);\r
1917 bool get_commasep_word(ptrlen *list, ptrlen *word);\r
1918 \r
1919 /* Reasons why something warned by confirm_weak_crypto_primitive might\r
1920 * be considered weak */\r
1921 typedef enum WeakCryptoReason {\r
1922 WCR_BELOW_THRESHOLD, /* user has told us to consider it weak */\r
1923 WCR_TERRAPIN, /* known vulnerability CVE-2023-48795 */\r
1924 WCR_TERRAPIN_AVOIDABLE, /* same, but demoting ChaCha20 can avoid it */\r
1925 } WeakCryptoReason;\r
1926 \r
1927 SeatPromptResult verify_ssh_host_key(\r
1928 InteractionReadySeat iseat, Conf *conf, const char *host, int port,\r
1929 ssh_key *key, const char *keytype, char *keystr, const char *keydisp,\r
1930 char **fingerprints, int ca_count,\r
1931 void (*callback)(void *ctx, SeatPromptResult result), void *ctx);\r
1932 SeatPromptResult confirm_weak_crypto_primitive(\r
1933 InteractionReadySeat iseat, const char *algtype, const char *algname,\r
1934 void (*callback)(void *ctx, SeatPromptResult result), void *ctx,\r
1935 WeakCryptoReason wcr);\r
1936 SeatPromptResult confirm_weak_cached_hostkey(\r
1937 InteractionReadySeat iseat, const char *algname, const char **betteralgs,\r
1938 void (*callback)(void *ctx, SeatPromptResult result), void *ctx);\r
1939 \r
1940 typedef struct ssh_transient_hostkey_cache ssh_transient_hostkey_cache;\r
1941 ssh_transient_hostkey_cache *ssh_transient_hostkey_cache_new(void);\r
1942 void ssh_transient_hostkey_cache_free(ssh_transient_hostkey_cache *thc);\r
1943 void ssh_transient_hostkey_cache_add(\r
1944 ssh_transient_hostkey_cache *thc, ssh_key *key);\r
1945 bool ssh_transient_hostkey_cache_verify(\r
1946 ssh_transient_hostkey_cache *thc, ssh_key *key);\r
1947 bool ssh_transient_hostkey_cache_has(\r
1948 ssh_transient_hostkey_cache *thc, const ssh_keyalg *alg);\r
1949 bool ssh_transient_hostkey_cache_non_empty(ssh_transient_hostkey_cache *thc);\r
1950 \r
1951 /*\r
1952 * Protocol definitions for authentication helper plugins\r
1953 */\r
1954 \r
1955 #define AUTHPLUGIN_MSG_NAMES(X) \\r
1956 X(PLUGIN_INIT, 1) \\r
1957 X(PLUGIN_INIT_RESPONSE, 2) \\r
1958 X(PLUGIN_PROTOCOL, 3) \\r
1959 X(PLUGIN_PROTOCOL_ACCEPT, 4) \\r
1960 X(PLUGIN_PROTOCOL_REJECT, 5) \\r
1961 X(PLUGIN_AUTH_SUCCESS, 6) \\r
1962 X(PLUGIN_AUTH_FAILURE, 7) \\r
1963 X(PLUGIN_INIT_FAILURE, 8) \\r
1964 X(PLUGIN_KI_SERVER_REQUEST, 20) \\r
1965 X(PLUGIN_KI_SERVER_RESPONSE, 21) \\r
1966 X(PLUGIN_KI_USER_REQUEST, 22) \\r
1967 X(PLUGIN_KI_USER_RESPONSE, 23) \\r
1968 /* end of list */\r
1969 \r
1970 #define PLUGIN_PROTOCOL_MAX_VERSION 2 /* the highest version we speak */\r
1971 \r
1972 enum {\r
1973 #define ENUMDECL(name, value) name = value,\r
1974 AUTHPLUGIN_MSG_NAMES(ENUMDECL)\r
1975 #undef ENUMDECL\r
1976 \r
1977 /* Error codes internal to this implementation, indicating failure\r
1978 * to receive a meaningful packet at all */\r
1979 PLUGIN_NOTYPE = 256, /* packet too short to have a type */\r
1980 PLUGIN_EOF = 257 /* EOF from auth plugin */\r
1981 };\r