4 #include "puttymem.h"
\r
12 * Buffer management constants. There are several of these for
\r
13 * various different purposes:
\r
15 * - SSH1_BUFFER_LIMIT is the amount of backlog that must build up
\r
16 * on a local data stream before we throttle the whole SSH
\r
17 * connection (in SSH-1 only). Throttling the whole connection is
\r
18 * pretty drastic so we set this high in the hope it won't
\r
19 * happen very often.
\r
21 * - SSH_MAX_BACKLOG is the amount of backlog that must build up
\r
22 * on the SSH connection itself before we defensively throttle
\r
23 * _all_ local data streams. This is pretty drastic too (though
\r
24 * thankfully unlikely in SSH-2 since the window mechanism should
\r
25 * ensure that the server never has any need to throttle its end
\r
26 * of the connection), so we set this high as well.
\r
28 * - OUR_V2_WINSIZE is the default window size we present on SSH-2
\r
31 * - OUR_V2_BIGWIN is the window size we advertise for the only
\r
32 * channel in a simple connection. It must be <= INT_MAX.
\r
34 * - OUR_V2_MAXPKT is the official "maximum packet size" we send
\r
35 * to the remote side. This actually has nothing to do with the
\r
36 * size of the _packet_, but is instead a limit on the amount
\r
37 * of data we're willing to receive in a single SSH2 channel
\r
40 * - OUR_V2_PACKETLIMIT is actually the maximum size of SSH
\r
41 * _packet_ we're prepared to cope with. It must be a multiple
\r
42 * of the cipher block size, and must be at least 35000.
\r
45 #define SSH1_BUFFER_LIMIT 32768
\r
46 #define SSH_MAX_BACKLOG 32768
\r
47 #define OUR_V2_WINSIZE 16384
\r
48 #define OUR_V2_BIGWIN 0x7fffffff
\r
49 #define OUR_V2_MAXPKT 0x4000UL
\r
50 #define OUR_V2_PACKETLIMIT 0x9000UL
\r
52 typedef struct PacketQueueNode PacketQueueNode;
\r
53 struct PacketQueueNode {
\r
54 PacketQueueNode *next, *prev;
\r
55 size_t formal_size; /* contribution to PacketQueueBase's total_size */
\r
56 bool on_free_queue; /* is this packet scheduled for freeing? */
\r
59 typedef struct PktIn {
\r
61 unsigned long sequence; /* SSH-2 incoming sequence number */
\r
62 PacketQueueNode qnode; /* for linking this packet on to a queue */
\r
63 BinarySource_IMPLEMENTATION;
\r
66 typedef struct PktOut {
\r
67 size_t prefix; /* bytes up to and including type field */
\r
68 size_t length; /* total bytes, including prefix */
\r
70 size_t minlen; /* SSH-2: ensure wire length is at least this */
\r
71 unsigned char *data; /* allocated storage */
\r
72 size_t maxlen; /* amount of storage allocated for `data' */
\r
74 /* Extra metadata used in SSH packet logging mode, allowing us to
\r
75 * log in the packet header line that the packet came from a
\r
76 * connection-sharing downstream and what if anything unusual was
\r
77 * done to it. The additional_log_text field is expected to be a
\r
78 * static string - it will not be freed. */
\r
79 unsigned downstream_id;
\r
80 const char *additional_log_text;
\r
82 PacketQueueNode qnode; /* for linking this packet on to a queue */
\r
83 BinarySink_IMPLEMENTATION;
\r
86 typedef struct PacketQueueBase {
\r
87 PacketQueueNode end;
\r
88 size_t total_size; /* sum of all formal_size fields on the queue */
\r
89 struct IdempotentCallback *ic;
\r
92 typedef struct PktInQueue {
\r
93 PacketQueueBase pqb;
\r
94 PktIn *(*after)(PacketQueueBase *, PacketQueueNode *prev, bool pop);
\r
97 typedef struct PktOutQueue {
\r
98 PacketQueueBase pqb;
\r
99 PktOut *(*after)(PacketQueueBase *, PacketQueueNode *prev, bool pop);
\r
102 void pq_base_push(PacketQueueBase *pqb, PacketQueueNode *node);
\r
103 void pq_base_push_front(PacketQueueBase *pqb, PacketQueueNode *node);
\r
104 void pq_base_concatenate(PacketQueueBase *dest,
\r
105 PacketQueueBase *q1, PacketQueueBase *q2);
\r
107 void pq_in_init(PktInQueue *pq);
\r
108 void pq_out_init(PktOutQueue *pq);
\r
109 void pq_in_clear(PktInQueue *pq);
\r
110 void pq_out_clear(PktOutQueue *pq);
\r
112 #define pq_push(pq, pkt) \
\r
113 TYPECHECK((pq)->after(&(pq)->pqb, NULL, false) == pkt, \
\r
114 pq_base_push(&(pq)->pqb, &(pkt)->qnode))
\r
115 #define pq_push_front(pq, pkt) \
\r
116 TYPECHECK((pq)->after(&(pq)->pqb, NULL, false) == pkt, \
\r
117 pq_base_push_front(&(pq)->pqb, &(pkt)->qnode))
\r
118 #define pq_peek(pq) ((pq)->after(&(pq)->pqb, &(pq)->pqb.end, false))
\r
119 #define pq_pop(pq) ((pq)->after(&(pq)->pqb, &(pq)->pqb.end, true))
\r
120 #define pq_concatenate(dst, q1, q2) \
\r
121 TYPECHECK((q1)->after(&(q1)->pqb, NULL, false) == \
\r
122 (dst)->after(&(dst)->pqb, NULL, false) && \
\r
123 (q2)->after(&(q2)->pqb, NULL, false) == \
\r
124 (dst)->after(&(dst)->pqb, NULL, false), \
\r
125 pq_base_concatenate(&(dst)->pqb, &(q1)->pqb, &(q2)->pqb))
\r
127 #define pq_first(pq) pq_peek(pq)
\r
128 #define pq_next(pq, pkt) ((pq)->after(&(pq)->pqb, &(pkt)->qnode, false))
\r
131 * Packet type contexts, so that ssh2_pkt_type can correctly decode
\r
132 * the ambiguous type numbers back into the correct type strings.
\r
136 SSH2_PKTCTX_DHGROUP,
\r
138 SSH2_PKTCTX_ECDHKEX,
\r
139 SSH2_PKTCTX_GSSKEX,
\r
143 SSH2_PKTCTX_NOAUTH,
\r
144 SSH2_PKTCTX_PUBLICKEY,
\r
145 SSH2_PKTCTX_PASSWORD,
\r
146 SSH2_PKTCTX_GSSAPI,
\r
147 SSH2_PKTCTX_KBDINTER
\r
150 typedef struct PacketLogSettings {
\r
151 bool omit_passwords, omit_data;
\r
154 } PacketLogSettings;
\r
156 #define MAX_BLANKS 4 /* no packet needs more censored sections than this */
\r
157 int ssh1_censor_packet(
\r
158 const PacketLogSettings *pls, int type, bool sender_is_client,
\r
159 ptrlen pkt, logblank_t *blanks);
\r
160 int ssh2_censor_packet(
\r
161 const PacketLogSettings *pls, int type, bool sender_is_client,
\r
162 ptrlen pkt, logblank_t *blanks);
\r
164 PktOut *ssh_new_packet(void);
\r
165 void ssh_free_pktout(PktOut *pkt);
\r
167 Socket *ssh_connection_sharing_init(
\r
168 const char *host, int port, Conf *conf, LogContext *logctx,
\r
169 Plug *sshplug, ssh_sharing_state **state);
\r
170 void ssh_connshare_provide_connlayer(ssh_sharing_state *sharestate,
\r
171 ConnectionLayer *cl);
\r
172 bool ssh_share_test_for_upstream(const char *host, int port, Conf *conf);
\r
173 void share_got_pkt_from_server(ssh_sharing_connstate *ctx, int type,
\r
174 const void *pkt, int pktlen);
\r
175 void share_activate(ssh_sharing_state *sharestate,
\r
176 const char *server_verstring);
\r
177 void sharestate_free(ssh_sharing_state *state);
\r
178 int share_ndownstreams(ssh_sharing_state *state);
\r
180 void ssh_connshare_log(Ssh *ssh, int event, const char *logtext,
\r
181 const char *ds_err, const char *us_err);
\r
182 void share_setup_x11_channel(ssh_sharing_connstate *cs, share_channel *chan,
\r
183 unsigned upstream_id, unsigned server_id,
\r
184 unsigned server_currwin, unsigned server_maxpkt,
\r
185 unsigned client_adjusted_window,
\r
186 const char *peer_addr, int peer_port, int endian,
\r
187 int protomajor, int protominor,
\r
188 const void *initial_data, int initial_len);
\r
190 /* Per-application overrides for what roles we can take in connection
\r
191 * sharing, regardless of user configuration (e.g. pscp will never be
\r
193 extern const bool share_can_be_downstream;
\r
194 extern const bool share_can_be_upstream;
\r
197 struct X11FakeAuth;
\r
199 /* Structure definition centralised here because the SSH-1 and SSH-2
\r
200 * connection layers both use it. But the client module (portfwd.c)
\r
201 * should not try to look inside here. */
\r
202 struct ssh_rportfwd {
\r
203 unsigned sport, dport;
\r
204 char *shost, *dhost;
\r
206 char *log_description; /* name of remote listening port, for logging */
\r
207 ssh_sharing_connstate *share_ctx;
\r
208 PortFwdRecord *pfr;
\r
210 void free_rportfwd(struct ssh_rportfwd *rpf);
\r
212 typedef struct ConnectionLayerVtable ConnectionLayerVtable;
\r
214 struct ConnectionLayerVtable {
\r
215 /* Allocate and free remote-to-local port forwardings, called by
\r
216 * PortFwdManager or by connection sharing */
\r
217 struct ssh_rportfwd *(*rportfwd_alloc)(
\r
218 ConnectionLayer *cl,
\r
219 const char *shost, int sport, const char *dhost, int dport,
\r
220 int addressfamily, const char *log_description, PortFwdRecord *pfr,
\r
221 ssh_sharing_connstate *share_ctx);
\r
222 void (*rportfwd_remove)(ConnectionLayer *cl, struct ssh_rportfwd *rpf);
\r
224 /* Open a local-to-remote port forwarding channel, called by
\r
225 * PortFwdManager */
\r
226 SshChannel *(*lportfwd_open)(
\r
227 ConnectionLayer *cl, const char *hostname, int port,
\r
228 const char *description, const SocketPeerInfo *peerinfo,
\r
231 /* Initiate opening of a 'session'-type channel */
\r
232 SshChannel *(*session_open)(ConnectionLayer *cl, Channel *chan);
\r
234 /* Open outgoing channels for X and agent forwarding. (Used in the
\r
236 SshChannel *(*serverside_x11_open)(ConnectionLayer *cl, Channel *chan,
\r
237 const SocketPeerInfo *pi);
\r
238 SshChannel *(*serverside_agent_open)(ConnectionLayer *cl, Channel *chan);
\r
240 /* Add an X11 display for ordinary X forwarding */
\r
241 struct X11FakeAuth *(*add_x11_display)(
\r
242 ConnectionLayer *cl, int authtype, struct X11Display *x11disp);
\r
244 /* Add and remove X11 displays for connection sharing downstreams */
\r
245 struct X11FakeAuth *(*add_sharing_x11_display)(
\r
246 ConnectionLayer *cl, int authtype, ssh_sharing_connstate *share_cs,
\r
247 share_channel *share_chan);
\r
248 void (*remove_sharing_x11_display)(
\r
249 ConnectionLayer *cl, struct X11FakeAuth *auth);
\r
251 /* Pass through an outgoing SSH packet from a downstream */
\r
252 void (*send_packet_from_downstream)(
\r
253 ConnectionLayer *cl, unsigned id, int type,
\r
254 const void *pkt, int pktlen, const char *additional_log_text);
\r
256 /* Allocate/free an upstream channel number associated with a
\r
257 * sharing downstream */
\r
258 unsigned (*alloc_sharing_channel)(ConnectionLayer *cl,
\r
259 ssh_sharing_connstate *connstate);
\r
260 void (*delete_sharing_channel)(ConnectionLayer *cl, unsigned localid);
\r
262 /* Indicate that a downstream has sent a global request with the
\r
263 * want-reply flag, so that when a reply arrives it will be passed
\r
264 * back to that downstrean */
\r
265 void (*sharing_queue_global_request)(
\r
266 ConnectionLayer *cl, ssh_sharing_connstate *connstate);
\r
268 /* Indicate that the last downstream has disconnected */
\r
269 void (*sharing_no_more_downstreams)(ConnectionLayer *cl);
\r
271 /* Query whether the connection layer is doing agent forwarding */
\r
272 bool (*agent_forwarding_permitted)(ConnectionLayer *cl);
\r
274 /* Set the size of the main terminal window (if any) */
\r
275 void (*terminal_size)(ConnectionLayer *cl, int width, int height);
\r
277 /* Indicate that the backlog on standard output has cleared */
\r
278 void (*stdout_unthrottle)(ConnectionLayer *cl, size_t bufsize);
\r
280 /* Query the size of the backlog on standard _input_ */
\r
281 size_t (*stdin_backlog)(ConnectionLayer *cl);
\r
283 /* Tell the connection layer that the SSH connection itself has
\r
284 * backed up, so it should tell all currently open channels to
\r
285 * cease reading from their local input sources if they can. (Or
\r
286 * tell it that that state of affairs has gone away again.) */
\r
287 void (*throttle_all_channels)(ConnectionLayer *cl, bool throttled);
\r
289 /* Ask the connection layer about its current preference for
\r
290 * line-discipline options. */
\r
291 bool (*ldisc_option)(ConnectionLayer *cl, int option);
\r
293 /* Communicate _to_ the connection layer (from the main session
\r
294 * channel) what its preference for line-discipline options is. */
\r
295 void (*set_ldisc_option)(ConnectionLayer *cl, int option, bool value);
\r
297 /* Communicate to the connection layer whether X forwarding was
\r
298 * successfully enabled (for purposes of knowing whether to accept
\r
299 * subsequent channel-opens). */
\r
300 void (*enable_x_fwd)(ConnectionLayer *cl);
\r
302 /* Communicate / query whether the main session channel currently
\r
303 * wants user input. The set function is called by mainchan; the
\r
304 * query function is called by the top-level ssh.c. */
\r
305 void (*set_wants_user_input)(ConnectionLayer *cl, bool wanted);
\r
306 bool (*get_wants_user_input)(ConnectionLayer *cl);
\r
308 /* Notify the connection layer that more data has been added to
\r
309 * the user input queue. */
\r
310 void (*got_user_input)(ConnectionLayer *cl);
\r
313 struct ConnectionLayer {
\r
314 LogContext *logctx;
\r
315 const struct ConnectionLayerVtable *vt;
\r
318 static inline struct ssh_rportfwd *ssh_rportfwd_alloc(
\r
319 ConnectionLayer *cl, const char *sh, int sp, const char *dh, int dp,
\r
320 int af, const char *log, PortFwdRecord *pfr, ssh_sharing_connstate *cs)
\r
321 { return cl->vt->rportfwd_alloc(cl, sh, sp, dh, dp, af, log, pfr, cs); }
\r
322 static inline void ssh_rportfwd_remove(
\r
323 ConnectionLayer *cl, struct ssh_rportfwd *rpf)
\r
324 { cl->vt->rportfwd_remove(cl, rpf); }
\r
325 static inline SshChannel *ssh_lportfwd_open(
\r
326 ConnectionLayer *cl, const char *host, int port,
\r
327 const char *desc, const SocketPeerInfo *pi, Channel *chan)
\r
328 { return cl->vt->lportfwd_open(cl, host, port, desc, pi, chan); }
\r
329 static inline SshChannel *ssh_session_open(ConnectionLayer *cl, Channel *chan)
\r
330 { return cl->vt->session_open(cl, chan); }
\r
331 static inline SshChannel *ssh_serverside_x11_open(
\r
332 ConnectionLayer *cl, Channel *chan, const SocketPeerInfo *pi)
\r
333 { return cl->vt->serverside_x11_open(cl, chan, pi); }
\r
334 static inline SshChannel *ssh_serverside_agent_open(
\r
335 ConnectionLayer *cl, Channel *chan)
\r
336 { return cl->vt->serverside_agent_open(cl, chan); }
\r
337 static inline struct X11FakeAuth *ssh_add_x11_display(
\r
338 ConnectionLayer *cl, int authtype, struct X11Display *x11disp)
\r
339 { return cl->vt->add_x11_display(cl, authtype, x11disp); }
\r
340 static inline struct X11FakeAuth *ssh_add_sharing_x11_display(
\r
341 ConnectionLayer *cl, int authtype, ssh_sharing_connstate *share_cs,
\r
342 share_channel *share_chan)
\r
343 { return cl->vt->add_sharing_x11_display(cl, authtype, share_cs, share_chan); }
\r
344 static inline void ssh_remove_sharing_x11_display(
\r
345 ConnectionLayer *cl, struct X11FakeAuth *auth)
\r
346 { cl->vt->remove_sharing_x11_display(cl, auth); }
\r
347 static inline void ssh_send_packet_from_downstream(
\r
348 ConnectionLayer *cl, unsigned id, int type,
\r
349 const void *pkt, int len, const char *log)
\r
350 { cl->vt->send_packet_from_downstream(cl, id, type, pkt, len, log); }
\r
351 static inline unsigned ssh_alloc_sharing_channel(
\r
352 ConnectionLayer *cl, ssh_sharing_connstate *connstate)
\r
353 { return cl->vt->alloc_sharing_channel(cl, connstate); }
\r
354 static inline void ssh_delete_sharing_channel(
\r
355 ConnectionLayer *cl, unsigned localid)
\r
356 { cl->vt->delete_sharing_channel(cl, localid); }
\r
357 static inline void ssh_sharing_queue_global_request(
\r
358 ConnectionLayer *cl, ssh_sharing_connstate *connstate)
\r
359 { cl->vt->sharing_queue_global_request(cl, connstate); }
\r
360 static inline void ssh_sharing_no_more_downstreams(ConnectionLayer *cl)
\r
361 { cl->vt->sharing_no_more_downstreams(cl); }
\r
362 static inline bool ssh_agent_forwarding_permitted(ConnectionLayer *cl)
\r
363 { return cl->vt->agent_forwarding_permitted(cl); }
\r
364 static inline void ssh_terminal_size(ConnectionLayer *cl, int w, int h)
\r
365 { cl->vt->terminal_size(cl, w, h); }
\r
366 static inline void ssh_stdout_unthrottle(ConnectionLayer *cl, size_t bufsize)
\r
367 { cl->vt->stdout_unthrottle(cl, bufsize); }
\r
368 static inline size_t ssh_stdin_backlog(ConnectionLayer *cl)
\r
369 { return cl->vt->stdin_backlog(cl); }
\r
370 static inline void ssh_throttle_all_channels(ConnectionLayer *cl, bool thr)
\r
371 { cl->vt->throttle_all_channels(cl, thr); }
\r
372 static inline bool ssh_ldisc_option(ConnectionLayer *cl, int option)
\r
373 { return cl->vt->ldisc_option(cl, option); }
\r
374 static inline void ssh_set_ldisc_option(ConnectionLayer *cl, int opt, bool val)
\r
375 { cl->vt->set_ldisc_option(cl, opt, val); }
\r
376 static inline void ssh_enable_x_fwd(ConnectionLayer *cl)
\r
377 { cl->vt->enable_x_fwd(cl); }
\r
378 static inline void ssh_set_wants_user_input(ConnectionLayer *cl, bool wanted)
\r
379 { cl->vt->set_wants_user_input(cl, wanted); }
\r
380 static inline bool ssh_get_wants_user_input(ConnectionLayer *cl)
\r
381 { return cl->vt->get_wants_user_input(cl); }
\r
382 static inline void ssh_got_user_input(ConnectionLayer *cl)
\r
383 { cl->vt->got_user_input(cl); }
\r
385 /* Exports from portfwd.c */
\r
386 PortFwdManager *portfwdmgr_new(ConnectionLayer *cl);
\r
387 void portfwdmgr_free(PortFwdManager *mgr);
\r
388 void portfwdmgr_config(PortFwdManager *mgr, Conf *conf);
\r
389 void portfwdmgr_close(PortFwdManager *mgr, PortFwdRecord *pfr);
\r
390 void portfwdmgr_close_all(PortFwdManager *mgr);
\r
391 char *portfwdmgr_connect(PortFwdManager *mgr, Channel **chan_ret,
\r
392 char *hostname, int port, SshChannel *c,
\r
393 int addressfamily);
\r
394 bool portfwdmgr_listen(PortFwdManager *mgr, const char *host, int port,
\r
395 const char *keyhost, int keyport, Conf *conf);
\r
396 bool portfwdmgr_unlisten(PortFwdManager *mgr, const char *host, int port);
\r
397 Channel *portfwd_raw_new(ConnectionLayer *cl, Plug **plug, bool start_ready);
\r
398 void portfwd_raw_free(Channel *pfchan);
\r
399 void portfwd_raw_setup(Channel *pfchan, Socket *s, SshChannel *sc);
\r
401 Socket *platform_make_agent_socket(Plug *plug, const char *dirprefix,
\r
402 char **error, char **name);
\r
404 LogContext *ssh_get_logctx(Ssh *ssh);
\r
406 /* Communications back to ssh.c from connection layers */
\r
407 void ssh_throttle_conn(Ssh *ssh, int adjust);
\r
408 void ssh_got_exitcode(Ssh *ssh, int status);
\r
409 void ssh_ldisc_update(Ssh *ssh);
\r
410 void ssh_check_sendok(Ssh *ssh);
\r
411 void ssh_got_fallback_cmd(Ssh *ssh);
\r
412 bool ssh_is_bare(Ssh *ssh);
\r
414 /* Communications back to ssh.c from the BPP */
\r
415 void ssh_conn_processed_data(Ssh *ssh);
\r
416 void ssh_sendbuffer_changed(Ssh *ssh);
\r
417 void ssh_check_frozen(Ssh *ssh);
\r
419 /* Functions to abort the connection, for various reasons. */
\r
420 void ssh_remote_error(Ssh *ssh, const char *fmt, ...) PRINTF_LIKE(2, 3);
\r
421 void ssh_remote_eof(Ssh *ssh, const char *fmt, ...) PRINTF_LIKE(2, 3);
\r
422 void ssh_proto_error(Ssh *ssh, const char *fmt, ...) PRINTF_LIKE(2, 3);
\r
423 void ssh_sw_abort(Ssh *ssh, const char *fmt, ...) PRINTF_LIKE(2, 3);
\r
424 void ssh_sw_abort_deferred(Ssh *ssh, const char *fmt, ...) PRINTF_LIKE(2, 3);
\r
425 void ssh_user_close(Ssh *ssh, const char *fmt, ...) PRINTF_LIKE(2, 3);
\r
426 void ssh_spr_close(Ssh *ssh, SeatPromptResult spr, const char *context);
\r
428 /* Bit positions in the SSH-1 cipher protocol word */
\r
429 #define SSH1_CIPHER_IDEA 1
\r
430 #define SSH1_CIPHER_DES 2
\r
431 #define SSH1_CIPHER_3DES 3
\r
432 #define SSH1_CIPHER_BLOWFISH 6
\r
434 /* The subset of those that we support, with names for selecting them
\r
435 * on Uppity's command line */
\r
436 #define SSH1_SUPPORTED_CIPHER_LIST(X) \
\r
437 X(SSH1_CIPHER_3DES, "3des") \
\r
438 X(SSH1_CIPHER_BLOWFISH, "blowfish") \
\r
439 X(SSH1_CIPHER_DES, "des") \
\r
441 #define SSH1_CIPHER_LIST_MAKE_MASK(bitpos, name) | (1U << bitpos)
\r
442 #define SSH1_SUPPORTED_CIPHER_MASK \
\r
443 (0 SSH1_SUPPORTED_CIPHER_LIST(SSH1_CIPHER_LIST_MAKE_MASK))
\r
446 const ssh_keyalg *vt;
\r
454 mp_int *private_exponent;
\r
463 mp_int *p, *q, *g, *y, *x;
\r
469 /* Weierstrass form curve */
\r
472 WeierstrassCurve *wc;
\r
473 WeierstrassPoint *G;
\r
477 /* Montgomery form curve */
\r
480 MontgomeryCurve *mc;
\r
481 MontgomeryPoint *G;
\r
482 unsigned log2_cofactor;
\r
485 /* Edwards form curve */
\r
491 unsigned log2_cofactor;
\r
494 typedef enum EllipticCurveType {
\r
495 EC_WEIERSTRASS, EC_MONTGOMERY, EC_EDWARDS
\r
496 } EllipticCurveType;
\r
499 EllipticCurveType type;
\r
500 /* 'name' is the identifier of the curve when it has to appear in
\r
501 * wire protocol encodings, as it does in e.g. the public key and
\r
502 * signature formats for NIST curves. Curves which do not format
\r
503 * their keys or signatures in this way just have name==NULL.
\r
505 * 'textname' is non-NULL for all curves, and is a human-readable
\r
506 * identification suitable for putting in log messages. */
\r
507 const char *name, *textname;
\r
508 size_t fieldBits, fieldBytes;
\r
511 struct ec_wcurve w;
\r
512 struct ec_mcurve m;
\r
513 struct ec_ecurve e;
\r
517 const ssh_keyalg *ec_alg_by_oid(int len, const void *oid,
\r
518 const struct ec_curve **curve);
\r
519 const unsigned char *ec_alg_oid(const ssh_keyalg *alg, int *oidlen);
\r
520 extern const int ec_nist_curve_lengths[], n_ec_nist_curve_lengths;
\r
521 extern const int ec_ed_curve_lengths[], n_ec_ed_curve_lengths;
\r
522 bool ec_nist_alg_and_curve_by_bits(int bits,
\r
523 const struct ec_curve **curve,
\r
524 const ssh_keyalg **alg);
\r
525 bool ec_ed_alg_and_curve_by_bits(int bits,
\r
526 const struct ec_curve **curve,
\r
527 const ssh_keyalg **alg);
\r
530 const struct ec_curve *curve;
\r
531 WeierstrassPoint *publicKey;
\r
532 mp_int *privateKey;
\r
536 const struct ec_curve *curve;
\r
537 EdwardsPoint *publicKey;
\r
538 mp_int *privateKey;
\r
542 WeierstrassPoint *ecdsa_public(mp_int *private_key, const ssh_keyalg *alg);
\r
543 EdwardsPoint *eddsa_public(mp_int *private_key, const ssh_keyalg *alg);
\r
545 typedef enum KeyComponentType {
\r
546 KCT_TEXT, KCT_BINARY, KCT_MPINT
\r
547 } KeyComponentType;
\r
548 typedef struct key_component {
\r
550 KeyComponentType type;
\r
552 strbuf *str; /* used for KCT_TEXT and KCT_BINARY */
\r
553 mp_int *mp; /* used for KCT_MPINT */
\r
556 typedef struct key_components {
\r
557 size_t ncomponents, componentsize;
\r
558 key_component *components;
\r
560 key_components *key_components_new(void);
\r
561 void key_components_add_text(key_components *kc,
\r
562 const char *name, const char *value);
\r
563 void key_components_add_text_pl(key_components *kc,
\r
564 const char *name, ptrlen value);
\r
565 void key_components_add_binary(key_components *kc,
\r
566 const char *name, ptrlen value);
\r
567 void key_components_add_mp(key_components *kc,
\r
568 const char *name, mp_int *value);
\r
569 void key_components_add_uint(key_components *kc,
\r
570 const char *name, uintmax_t value);
\r
571 void key_components_add_copy(key_components *kc,
\r
572 const char *name, const key_component *value);
\r
573 void key_components_free(key_components *kc);
\r
576 * SSH-1 never quite decided which order to store the two components
\r
577 * of an RSA key. During connection setup, the server sends its host
\r
578 * and server keys with the exponent first; private key files store
\r
579 * the modulus first. The agent protocol is even more confusing,
\r
580 * because the client specifies a key to the server in one order and
\r
581 * the server lists the keys it knows about in the other order!
\r
583 typedef enum { RSA_SSH1_EXPONENT_FIRST, RSA_SSH1_MODULUS_FIRST } RsaSsh1Order;
\r
585 void BinarySource_get_rsa_ssh1_pub(
\r
586 BinarySource *src, RSAKey *result, RsaSsh1Order order);
\r
587 void BinarySource_get_rsa_ssh1_priv(
\r
588 BinarySource *src, RSAKey *rsa);
\r
589 RSAKey *BinarySource_get_rsa_ssh1_priv_agent(BinarySource *src);
\r
590 bool rsa_ssh1_encrypt(unsigned char *data, int length, RSAKey *key);
\r
591 mp_int *rsa_ssh1_decrypt(mp_int *input, RSAKey *key);
\r
592 bool rsa_ssh1_decrypt_pkcs1(mp_int *input, RSAKey *key, strbuf *outbuf);
\r
593 char *rsastr_fmt(RSAKey *key);
\r
594 char *rsa_ssh1_fingerprint(RSAKey *key);
\r
595 char **rsa_ssh1_fake_all_fingerprints(RSAKey *key);
\r
596 bool rsa_verify(RSAKey *key);
\r
597 void rsa_ssh1_public_blob(BinarySink *bs, RSAKey *key, RsaSsh1Order order);
\r
598 int rsa_ssh1_public_blob_len(ptrlen data);
\r
599 void rsa_ssh1_private_blob_agent(BinarySink *bs, RSAKey *key);
\r
600 void duprsakey(RSAKey *dst, const RSAKey *src);
\r
601 void freersapriv(RSAKey *key);
\r
602 void freersakey(RSAKey *key);
\r
603 key_components *rsa_components(RSAKey *key);
\r
605 uint32_t crc32_rfc1662(ptrlen data);
\r
606 uint32_t crc32_ssh1(ptrlen data);
\r
607 uint32_t crc32_update(uint32_t crc_input, ptrlen data);
\r
609 /* SSH CRC compensation attack detector */
\r
611 struct crcda_ctx *crcda_make_context(void);
\r
612 void crcda_free_context(struct crcda_ctx *ctx);
\r
613 bool detect_attack(struct crcda_ctx *ctx,
\r
614 const unsigned char *buf, uint32_t len,
\r
615 const unsigned char *IV);
\r
618 * SSH2 RSA key exchange functions
\r
620 struct ssh_rsa_kex_extra {
\r
623 RSAKey *ssh_rsakex_newkey(ptrlen data);
\r
624 void ssh_rsakex_freekey(RSAKey *key);
\r
625 int ssh_rsakex_klen(RSAKey *key);
\r
626 strbuf *ssh_rsakex_encrypt(
\r
627 RSAKey *key, const ssh_hashalg *h, ptrlen plaintext);
\r
628 mp_int *ssh_rsakex_decrypt(
\r
629 RSAKey *key, const ssh_hashalg *h, ptrlen ciphertext);
\r
632 * System for generating k in DSA and ECDSA.
\r
634 struct RFC6979Result {
\r
638 RFC6979 *rfc6979_new(const ssh_hashalg *hashalg, mp_int *q, mp_int *x);
\r
639 void rfc6979_setup(RFC6979 *s, ptrlen message);
\r
640 RFC6979Result rfc6979_attempt(RFC6979 *s);
\r
641 void rfc6979_free(RFC6979 *s);
\r
642 mp_int *rfc6979(const ssh_hashalg *hashalg, mp_int *modulus,
\r
643 mp_int *private_key, ptrlen message);
\r
645 struct ssh_cipher {
\r
646 const ssh_cipheralg *vt;
\r
649 struct ssh_cipheralg {
\r
650 ssh_cipher *(*new)(const ssh_cipheralg *alg);
\r
651 void (*free)(ssh_cipher *);
\r
652 void (*setiv)(ssh_cipher *, const void *iv);
\r
653 void (*setkey)(ssh_cipher *, const void *key);
\r
654 void (*encrypt)(ssh_cipher *, void *blk, int len);
\r
655 void (*decrypt)(ssh_cipher *, void *blk, int len);
\r
656 /* Ignored unless SSH_CIPHER_SEPARATE_LENGTH flag set */
\r
657 void (*encrypt_length)(ssh_cipher *, void *blk, int len,
\r
658 unsigned long seq);
\r
659 void (*decrypt_length)(ssh_cipher *, void *blk, int len,
\r
660 unsigned long seq);
\r
661 /* For ciphers that update their state per logical message
\r
662 * (typically, per unit independently MACed) */
\r
663 void (*next_message)(ssh_cipher *);
\r
664 const char *ssh2_id;
\r
666 /* real_keybits is the number of bits of entropy genuinely used by
\r
667 * the cipher scheme; it's used for deciding how big a
\r
668 * Diffie-Hellman group is needed to exchange a key for the
\r
671 /* padded_keybytes is the number of bytes of key data expected as
\r
672 * input to the setkey function; it's used for deciding how much
\r
673 * data needs to be generated from the post-kex generation of key
\r
674 * material. In a sensible cipher which uses all its key bytes for
\r
675 * real work, this will just be real_keybits/8, but in DES-type
\r
676 * ciphers which ignore one bit in each byte, it'll be slightly
\r
678 int padded_keybytes;
\r
679 unsigned int flags;
\r
680 #define SSH_CIPHER_IS_CBC 1
\r
681 #define SSH_CIPHER_SEPARATE_LENGTH 2
\r
682 const char *text_name;
\r
683 /* If set, this takes priority over other MAC. */
\r
684 const ssh2_macalg *required_mac;
\r
686 /* Pointer to any extra data used by a particular implementation. */
\r
690 static inline ssh_cipher *ssh_cipher_new(const ssh_cipheralg *alg)
\r
691 { return alg->new(alg); }
\r
692 static inline void ssh_cipher_free(ssh_cipher *c)
\r
693 { c->vt->free(c); }
\r
694 static inline void ssh_cipher_setiv(ssh_cipher *c, const void *iv)
\r
695 { c->vt->setiv(c, iv); }
\r
696 static inline void ssh_cipher_setkey(ssh_cipher *c, const void *key)
\r
697 { c->vt->setkey(c, key); }
\r
698 static inline void ssh_cipher_encrypt(ssh_cipher *c, void *blk, int len)
\r
699 { c->vt->encrypt(c, blk, len); }
\r
700 static inline void ssh_cipher_decrypt(ssh_cipher *c, void *blk, int len)
\r
701 { c->vt->decrypt(c, blk, len); }
\r
702 static inline void ssh_cipher_encrypt_length(
\r
703 ssh_cipher *c, void *blk, int len, unsigned long seq)
\r
704 { c->vt->encrypt_length(c, blk, len, seq); }
\r
705 static inline void ssh_cipher_decrypt_length(
\r
706 ssh_cipher *c, void *blk, int len, unsigned long seq)
\r
707 { c->vt->decrypt_length(c, blk, len, seq); }
\r
708 static inline void ssh_cipher_next_message(ssh_cipher *c)
\r
709 { c->vt->next_message(c); }
\r
710 static inline const struct ssh_cipheralg *ssh_cipher_alg(ssh_cipher *c)
\r
713 void nullcipher_next_message(ssh_cipher *);
\r
715 struct ssh2_ciphers {
\r
717 const ssh_cipheralg *const *list;
\r
721 const ssh2_macalg *vt;
\r
722 BinarySink_DELEGATE_IMPLEMENTATION;
\r
725 struct ssh2_macalg {
\r
726 /* Passes in the cipher context */
\r
727 ssh2_mac *(*new)(const ssh2_macalg *alg, ssh_cipher *cipher);
\r
728 void (*free)(ssh2_mac *);
\r
729 void (*setkey)(ssh2_mac *, ptrlen key);
\r
730 void (*start)(ssh2_mac *);
\r
731 void (*genresult)(ssh2_mac *, unsigned char *);
\r
732 void (*next_message)(ssh2_mac *);
\r
733 const char *(*text_name)(ssh2_mac *);
\r
734 const char *name, *etm_name;
\r
737 /* Pointer to any extra data used by a particular implementation. */
\r
741 static inline ssh2_mac *ssh2_mac_new(
\r
742 const ssh2_macalg *alg, ssh_cipher *cipher)
\r
743 { return alg->new(alg, cipher); }
\r
744 static inline void ssh2_mac_free(ssh2_mac *m)
\r
745 { m->vt->free(m); }
\r
746 static inline void ssh2_mac_setkey(ssh2_mac *m, ptrlen key)
\r
747 { m->vt->setkey(m, key); }
\r
748 static inline void ssh2_mac_start(ssh2_mac *m)
\r
749 { m->vt->start(m); }
\r
750 static inline void ssh2_mac_genresult(ssh2_mac *m, unsigned char *out)
\r
751 { m->vt->genresult(m, out); }
\r
752 static inline void ssh2_mac_next_message(ssh2_mac *m)
\r
753 { m->vt->next_message(m); }
\r
754 static inline const char *ssh2_mac_text_name(ssh2_mac *m)
\r
755 { return m->vt->text_name(m); }
\r
756 static inline const ssh2_macalg *ssh2_mac_alg(ssh2_mac *m)
\r
759 /* Centralised 'methods' for ssh2_mac, defined in mac.c. These run
\r
760 * the MAC in a specifically SSH-2 style, i.e. taking account of a
\r
761 * packet sequence number as well as the data to be authenticated. */
\r
762 bool ssh2_mac_verresult(ssh2_mac *, const void *);
\r
763 void ssh2_mac_generate(ssh2_mac *, void *, int, unsigned long seq);
\r
764 bool ssh2_mac_verify(ssh2_mac *, const void *, int, unsigned long seq);
\r
766 void nullmac_next_message(ssh2_mac *m);
\r
768 /* Use a MAC in its raw form, outside SSH-2 context, to MAC a given
\r
769 * string with a given key in the most obvious way. */
\r
770 void mac_simple(const ssh2_macalg *alg, ptrlen key, ptrlen data, void *output);
\r
772 /* Constructor that makes an HMAC object given just a MAC. This object
\r
773 * will have empty 'name' and 'etm_name' fields, so it's not suitable
\r
774 * for use in SSH. It's used as a subroutine in RFC 6979. */
\r
775 ssh2_mac *hmac_new_from_hash(const ssh_hashalg *hash);
\r
778 const ssh_hashalg *vt;
\r
779 BinarySink_DELEGATE_IMPLEMENTATION;
\r
782 struct ssh_hashalg {
\r
783 ssh_hash *(*new)(const ssh_hashalg *alg);
\r
784 void (*reset)(ssh_hash *);
\r
785 void (*copyfrom)(ssh_hash *dest, ssh_hash *src);
\r
786 void (*digest)(ssh_hash *, unsigned char *);
\r
787 void (*free)(ssh_hash *);
\r
788 size_t hlen; /* output length in bytes */
\r
789 size_t blocklen; /* length of the hash's input block, or 0 for N/A */
\r
790 const char *text_basename; /* the semantic name of the hash */
\r
791 const char *annotation; /* extra info, e.g. which of multiple impls */
\r
792 const char *text_name; /* both combined, e.g. "SHA-n (unaccelerated)" */
\r
793 const void *extra; /* private to the hash implementation */
\r
796 static inline ssh_hash *ssh_hash_new(const ssh_hashalg *alg)
\r
797 { ssh_hash *h = alg->new(alg); if (h) h->vt->reset(h); return h; }
\r
798 static inline ssh_hash *ssh_hash_copy(ssh_hash *orig)
\r
799 { ssh_hash *h = orig->vt->new(orig->vt); h->vt->copyfrom(h, orig); return h; }
\r
800 static inline void ssh_hash_digest(ssh_hash *h, unsigned char *out)
\r
801 { h->vt->digest(h, out); }
\r
802 static inline void ssh_hash_free(ssh_hash *h)
\r
803 { h->vt->free(h); }
\r
804 static inline const ssh_hashalg *ssh_hash_alg(ssh_hash *h)
\r
807 /* The reset and copyfrom vtable methods return void. But for call-site
\r
808 * convenience, these wrappers return their input pointer. */
\r
809 static inline ssh_hash *ssh_hash_reset(ssh_hash *h)
\r
810 { h->vt->reset(h); return h; }
\r
811 static inline ssh_hash *ssh_hash_copyfrom(ssh_hash *dest, ssh_hash *src)
\r
812 { dest->vt->copyfrom(dest, src); return dest; }
\r
814 /* ssh_hash_final emits the digest _and_ frees the ssh_hash */
\r
815 static inline void ssh_hash_final(ssh_hash *h, unsigned char *out)
\r
816 { h->vt->digest(h, out); h->vt->free(h); }
\r
818 /* ssh_hash_digest_nondestructive generates a finalised hash from the
\r
819 * given object without changing its state, so you can continue
\r
820 * appending data to get a hash of an extended string. */
\r
821 static inline void ssh_hash_digest_nondestructive(ssh_hash *h,
\r
822 unsigned char *out)
\r
823 { ssh_hash_final(ssh_hash_copy(h), out); }
\r
825 /* Handy macros for defining all those text-name fields at once */
\r
826 #define HASHALG_NAMES_BARE(base) \
\r
827 .text_basename = base, .annotation = NULL, .text_name = base
\r
828 #define HASHALG_NAMES_ANNOTATED(base, ann) \
\r
829 .text_basename = base, .annotation = ann, .text_name = base " (" ann ")"
\r
831 void hash_simple(const ssh_hashalg *alg, ptrlen data, void *output);
\r
834 const char *name, *groupname;
\r
835 enum { KEXTYPE_DH, KEXTYPE_RSA, KEXTYPE_ECDH,
\r
836 KEXTYPE_GSS, KEXTYPE_GSS_ECDH } main_type;
\r
837 const ssh_hashalg *hash;
\r
838 union { /* publicly visible data for each type */
\r
839 const ecdh_keyalg *ecdh_vt; /* for KEXTYPE_ECDH, KEXTYPE_GSS_ECDH */
\r
841 const void *extra; /* private to the kex methods */
\r
844 static inline bool kex_is_gss(const struct ssh_kex *kex)
\r
846 return kex->main_type == KEXTYPE_GSS || kex->main_type == KEXTYPE_GSS_ECDH;
\r
851 const ssh_kex *const *list;
\r
854 /* Indices of the negotiation strings in the KEXINIT packet */
\r
856 KEXLIST_KEX, KEXLIST_HOSTKEY, KEXLIST_CSCIPHER, KEXLIST_SCCIPHER,
\r
857 KEXLIST_CSMAC, KEXLIST_SCMAC, KEXLIST_CSCOMP, KEXLIST_SCCOMP,
\r
861 struct ssh_keyalg {
\r
862 /* Constructors that create an ssh_key */
\r
863 ssh_key *(*new_pub) (const ssh_keyalg *self, ptrlen pub);
\r
864 ssh_key *(*new_priv) (const ssh_keyalg *self, ptrlen pub, ptrlen priv);
\r
865 ssh_key *(*new_priv_openssh) (const ssh_keyalg *self, BinarySource *);
\r
867 /* Methods that operate on an existing ssh_key */
\r
868 void (*freekey) (ssh_key *key);
\r
869 char *(*invalid) (ssh_key *key, unsigned flags);
\r
870 void (*sign) (ssh_key *key, ptrlen data, unsigned flags, BinarySink *);
\r
871 bool (*verify) (ssh_key *key, ptrlen sig, ptrlen data);
\r
872 void (*public_blob)(ssh_key *key, BinarySink *);
\r
873 void (*private_blob)(ssh_key *key, BinarySink *);
\r
874 void (*openssh_blob) (ssh_key *key, BinarySink *);
\r
875 bool (*has_private) (ssh_key *key);
\r
876 char *(*cache_str) (ssh_key *key);
\r
877 key_components *(*components) (ssh_key *key);
\r
878 ssh_key *(*base_key) (ssh_key *key); /* does not confer ownership */
\r
879 /* The following methods can be NULL if !is_certificate */
\r
880 void (*ca_public_blob)(ssh_key *key, BinarySink *);
\r
881 bool (*check_cert)(ssh_key *key, bool host, ptrlen principal,
\r
882 uint64_t time, const ca_options *opts,
\r
883 BinarySink *error);
\r
884 void (*cert_id_string)(ssh_key *key, BinarySink *);
\r
885 SeatDialogText *(*cert_info)(ssh_key *key);
\r
887 /* 'Class methods' that don't deal with an ssh_key at all */
\r
888 int (*pubkey_bits) (const ssh_keyalg *self, ptrlen blob);
\r
889 unsigned (*supported_flags) (const ssh_keyalg *self);
\r
890 const char *(*alternate_ssh_id) (const ssh_keyalg *self, unsigned flags);
\r
891 char *(*alg_desc)(const ssh_keyalg *self);
\r
892 bool (*variable_size)(const ssh_keyalg *self);
\r
893 /* The following methods can be NULL if !is_certificate */
\r
894 const ssh_keyalg *(*related_alg)(const ssh_keyalg *self,
\r
895 const ssh_keyalg *base);
\r
897 /* Constant data fields giving information about the key type */
\r
898 const char *ssh_id; /* string identifier in the SSH protocol */
\r
899 const char *cache_id; /* identifier used in PuTTY's host key cache */
\r
900 const void *extra; /* private to the public key methods */
\r
901 bool is_certificate; /* is this a certified key type? */
\r
902 const ssh_keyalg *base_alg; /* if so, for what underlying key alg? */
\r
905 static inline ssh_key *ssh_key_new_pub(const ssh_keyalg *self, ptrlen pub)
\r
906 { return self->new_pub(self, pub); }
\r
907 static inline ssh_key *ssh_key_new_priv(
\r
908 const ssh_keyalg *self, ptrlen pub, ptrlen priv)
\r
909 { return self->new_priv(self, pub, priv); }
\r
910 static inline ssh_key *ssh_key_new_priv_openssh(
\r
911 const ssh_keyalg *self, BinarySource *src)
\r
912 { return self->new_priv_openssh(self, src); }
\r
913 static inline void ssh_key_free(ssh_key *key)
\r
914 { key->vt->freekey(key); }
\r
915 static inline char *ssh_key_invalid(ssh_key *key, unsigned flags)
\r
916 { return key->vt->invalid(key, flags); }
\r
917 static inline void ssh_key_sign(
\r
918 ssh_key *key, ptrlen data, unsigned flags, BinarySink *bs)
\r
919 { key->vt->sign(key, data, flags, bs); }
\r
920 static inline bool ssh_key_verify(ssh_key *key, ptrlen sig, ptrlen data)
\r
921 { return key->vt->verify(key, sig, data); }
\r
922 static inline void ssh_key_public_blob(ssh_key *key, BinarySink *bs)
\r
923 { key->vt->public_blob(key, bs); }
\r
924 static inline void ssh_key_private_blob(ssh_key *key, BinarySink *bs)
\r
925 { key->vt->private_blob(key, bs); }
\r
926 static inline void ssh_key_openssh_blob(ssh_key *key, BinarySink *bs)
\r
927 { key->vt->openssh_blob(key, bs); }
\r
928 static inline bool ssh_key_has_private(ssh_key *key)
\r
929 { return key->vt->has_private(key); }
\r
930 static inline char *ssh_key_cache_str(ssh_key *key)
\r
931 { return key->vt->cache_str(key); }
\r
932 static inline key_components *ssh_key_components(ssh_key *key)
\r
933 { return key->vt->components(key); }
\r
934 static inline ssh_key *ssh_key_base_key(ssh_key *key)
\r
935 { return key->vt->base_key(key); }
\r
936 static inline void ssh_key_ca_public_blob(ssh_key *key, BinarySink *bs)
\r
937 { key->vt->ca_public_blob(key, bs); }
\r
938 static inline void ssh_key_cert_id_string(ssh_key *key, BinarySink *bs)
\r
939 { key->vt->cert_id_string(key, bs); }
\r
940 static inline SeatDialogText *ssh_key_cert_info(ssh_key *key)
\r
941 { return key->vt->cert_info(key); }
\r
942 static inline bool ssh_key_check_cert(
\r
943 ssh_key *key, bool host, ptrlen principal, uint64_t time,
\r
944 const ca_options *opts, BinarySink *error)
\r
945 { return key->vt->check_cert(key, host, principal, time, opts, error); }
\r
946 static inline int ssh_key_public_bits(const ssh_keyalg *self, ptrlen blob)
\r
947 { return self->pubkey_bits(self, blob); }
\r
948 static inline const ssh_keyalg *ssh_key_alg(ssh_key *key)
\r
949 { return key->vt; }
\r
950 static inline const char *ssh_key_ssh_id(ssh_key *key)
\r
951 { return key->vt->ssh_id; }
\r
952 static inline const char *ssh_key_cache_id(ssh_key *key)
\r
953 { return key->vt->cache_id; }
\r
954 static inline unsigned ssh_key_supported_flags(ssh_key *key)
\r
955 { return key->vt->supported_flags(key->vt); }
\r
956 static inline unsigned ssh_keyalg_supported_flags(const ssh_keyalg *self)
\r
957 { return self->supported_flags(self); }
\r
958 static inline const char *ssh_keyalg_alternate_ssh_id(
\r
959 const ssh_keyalg *self, unsigned flags)
\r
960 { return self->alternate_ssh_id(self, flags); }
\r
961 static inline char *ssh_keyalg_desc(const ssh_keyalg *self)
\r
962 { return self->alg_desc(self); }
\r
963 static inline bool ssh_keyalg_variable_size(const ssh_keyalg *self)
\r
964 { return self->variable_size(self); }
\r
965 static inline const ssh_keyalg *ssh_keyalg_related_alg(
\r
966 const ssh_keyalg *self, const ssh_keyalg *base)
\r
967 { return self->related_alg(self, base); }
\r
969 /* Stub functions shared between multiple key types */
\r
970 unsigned nullkey_supported_flags(const ssh_keyalg *self);
\r
971 const char *nullkey_alternate_ssh_id(const ssh_keyalg *self, unsigned flags);
\r
972 ssh_key *nullkey_base_key(ssh_key *key);
\r
973 bool nullkey_variable_size_no(const ssh_keyalg *self);
\r
974 bool nullkey_variable_size_yes(const ssh_keyalg *self);
\r
976 /* Utility functions implemented centrally */
\r
977 ssh_key *ssh_key_clone(ssh_key *key);
\r
980 * SSH2 ECDH key exchange vtable
\r
983 const ecdh_keyalg *vt;
\r
985 struct ecdh_keyalg {
\r
986 /* Unusually, the 'new' method here doesn't directly take a vt
\r
987 * pointer, because it will also need the containing ssh_kex
\r
988 * structure for top-level parameters, and since that contains a
\r
989 * vt pointer anyway, we might as well _only_ pass that. */
\r
990 ecdh_key *(*new)(const ssh_kex *kex, bool is_server);
\r
991 void (*free)(ecdh_key *key);
\r
992 void (*getpublic)(ecdh_key *key, BinarySink *bs);
\r
993 bool (*getkey)(ecdh_key *key, ptrlen remoteKey, BinarySink *bs);
\r
994 char *(*description)(const ssh_kex *kex);
\r
996 static inline ecdh_key *ecdh_key_new(const ssh_kex *kex, bool is_server)
\r
997 { return kex->ecdh_vt->new(kex, is_server); }
\r
998 static inline void ecdh_key_free(ecdh_key *key)
\r
999 { key->vt->free(key); }
\r
1000 static inline void ecdh_key_getpublic(ecdh_key *key, BinarySink *bs)
\r
1001 { key->vt->getpublic(key, bs); }
\r
1002 static inline bool ecdh_key_getkey(ecdh_key *key, ptrlen remoteKey,
\r
1004 { return key->vt->getkey(key, remoteKey, bs); }
\r
1005 static inline char *ecdh_keyalg_description(const ssh_kex *kex)
\r
1006 { return kex->ecdh_vt->description(kex); }
\r
1009 * Suffix on GSSAPI SSH protocol identifiers that indicates Kerberos 5
\r
1010 * as the mechanism.
\r
1012 * This suffix is the base64-encoded MD5 hash of the byte sequence
\r
1013 * 06 09 2A 86 48 86 F7 12 01 02 02, which in turn is the ASN.1 DER
\r
1014 * encoding of the object ID 1.2.840.113554.1.2.2 which designates
\r
1017 * (The same encoded OID, minus the two-byte DER header, is defined in
\r
1018 * ssh/pgssapi.c as GSS_MECH_KRB5.)
\r
1020 #define GSS_KRB5_OID_HASH "toWM5Slw5Ew8Mqkay+al2g=="
\r
1023 * Enumeration of signature flags from draft-miller-ssh-agent-02
\r
1025 #define SSH_AGENT_RSA_SHA2_256 2
\r
1026 #define SSH_AGENT_RSA_SHA2_512 4
\r
1028 struct ssh_compressor {
\r
1029 const ssh_compression_alg *vt;
\r
1031 struct ssh_decompressor {
\r
1032 const ssh_compression_alg *vt;
\r
1035 struct ssh_compression_alg {
\r
1037 /* For zlib@openssh.com: if non-NULL, this name will be considered once
\r
1038 * userauth has completed successfully. */
\r
1039 const char *delayed_name;
\r
1040 ssh_compressor *(*compress_new)(void);
\r
1041 void (*compress_free)(ssh_compressor *);
\r
1042 void (*compress)(ssh_compressor *, const unsigned char *block, int len,
\r
1043 unsigned char **outblock, int *outlen,
\r
1045 ssh_decompressor *(*decompress_new)(void);
\r
1046 void (*decompress_free)(ssh_decompressor *);
\r
1047 bool (*decompress)(ssh_decompressor *, const unsigned char *block, int len,
\r
1048 unsigned char **outblock, int *outlen);
\r
1049 const char *text_name;
\r
1052 static inline ssh_compressor *ssh_compressor_new(
\r
1053 const ssh_compression_alg *alg)
\r
1054 { return alg->compress_new(); }
\r
1055 static inline ssh_decompressor *ssh_decompressor_new(
\r
1056 const ssh_compression_alg *alg)
\r
1057 { return alg->decompress_new(); }
\r
1058 static inline void ssh_compressor_free(ssh_compressor *c)
\r
1059 { c->vt->compress_free(c); }
\r
1060 static inline void ssh_decompressor_free(ssh_decompressor *d)
\r
1061 { d->vt->decompress_free(d); }
\r
1062 static inline void ssh_compressor_compress(
\r
1063 ssh_compressor *c, const unsigned char *block, int len,
\r
1064 unsigned char **outblock, int *outlen, int minlen)
\r
1065 { c->vt->compress(c, block, len, outblock, outlen, minlen); }
\r
1066 static inline bool ssh_decompressor_decompress(
\r
1067 ssh_decompressor *d, const unsigned char *block, int len,
\r
1068 unsigned char **outblock, int *outlen)
\r
1069 { return d->vt->decompress(d, block, len, outblock, outlen); }
\r
1070 static inline const ssh_compression_alg *ssh_compressor_alg(
\r
1071 ssh_compressor *c)
\r
1073 static inline const ssh_compression_alg *ssh_decompressor_alg(
\r
1074 ssh_decompressor *d)
\r
1077 struct ssh2_userkey {
\r
1078 ssh_key *key; /* the key itself */
\r
1079 char *comment; /* the key comment */
\r
1082 /* Argon2 password hashing function */
\r
1083 typedef enum { Argon2d = 0, Argon2i = 1, Argon2id = 2 } Argon2Flavour;
\r
1084 void argon2(Argon2Flavour, uint32_t mem, uint32_t passes,
\r
1085 uint32_t parallel, uint32_t taglen,
\r
1086 ptrlen P, ptrlen S, ptrlen K, ptrlen X, strbuf *out);
\r
1087 void argon2_choose_passes(
\r
1088 Argon2Flavour, uint32_t mem, uint32_t milliseconds, uint32_t *passes,
\r
1089 uint32_t parallel, uint32_t taglen, ptrlen P, ptrlen S, ptrlen K, ptrlen X,
\r
1091 /* The H' hash defined in Argon2, exposed just for testcrypt */
\r
1092 strbuf *argon2_long_hash(unsigned length, ptrlen data);
\r
1094 /* The maximum length of any hash algorithm. (bytes) */
\r
1095 #define MAX_HASH_LEN (114) /* longest is SHAKE256 with 114-byte output */
\r
1097 extern const ssh_cipheralg ssh_3des_ssh1;
\r
1098 extern const ssh_cipheralg ssh_blowfish_ssh1;
\r
1099 extern const ssh_cipheralg ssh_3des_ssh2_ctr;
\r
1100 extern const ssh_cipheralg ssh_3des_ssh2;
\r
1101 extern const ssh_cipheralg ssh_des;
\r
1102 extern const ssh_cipheralg ssh_des_sshcom_ssh2;
\r
1103 extern const ssh_cipheralg ssh_aes256_sdctr;
\r
1104 extern const ssh_cipheralg ssh_aes256_sdctr_ni;
\r
1105 extern const ssh_cipheralg ssh_aes256_sdctr_neon;
\r
1106 extern const ssh_cipheralg ssh_aes256_sdctr_sw;
\r
1107 extern const ssh_cipheralg ssh_aes256_gcm;
\r
1108 extern const ssh_cipheralg ssh_aes256_gcm_ni;
\r
1109 extern const ssh_cipheralg ssh_aes256_gcm_neon;
\r
1110 extern const ssh_cipheralg ssh_aes256_gcm_sw;
\r
1111 extern const ssh_cipheralg ssh_aes256_cbc;
\r
1112 extern const ssh_cipheralg ssh_aes256_cbc_ni;
\r
1113 extern const ssh_cipheralg ssh_aes256_cbc_neon;
\r
1114 extern const ssh_cipheralg ssh_aes256_cbc_sw;
\r
1115 extern const ssh_cipheralg ssh_aes192_sdctr;
\r
1116 extern const ssh_cipheralg ssh_aes192_sdctr_ni;
\r
1117 extern const ssh_cipheralg ssh_aes192_sdctr_neon;
\r
1118 extern const ssh_cipheralg ssh_aes192_sdctr_sw;
\r
1119 extern const ssh_cipheralg ssh_aes192_gcm;
\r
1120 extern const ssh_cipheralg ssh_aes192_gcm_ni;
\r
1121 extern const ssh_cipheralg ssh_aes192_gcm_neon;
\r
1122 extern const ssh_cipheralg ssh_aes192_gcm_sw;
\r
1123 extern const ssh_cipheralg ssh_aes192_cbc;
\r
1124 extern const ssh_cipheralg ssh_aes192_cbc_ni;
\r
1125 extern const ssh_cipheralg ssh_aes192_cbc_neon;
\r
1126 extern const ssh_cipheralg ssh_aes192_cbc_sw;
\r
1127 extern const ssh_cipheralg ssh_aes128_sdctr;
\r
1128 extern const ssh_cipheralg ssh_aes128_sdctr_ni;
\r
1129 extern const ssh_cipheralg ssh_aes128_sdctr_neon;
\r
1130 extern const ssh_cipheralg ssh_aes128_sdctr_sw;
\r
1131 extern const ssh_cipheralg ssh_aes128_gcm;
\r
1132 extern const ssh_cipheralg ssh_aes128_gcm_ni;
\r
1133 extern const ssh_cipheralg ssh_aes128_gcm_neon;
\r
1134 extern const ssh_cipheralg ssh_aes128_gcm_sw;
\r
1135 extern const ssh_cipheralg ssh_aes128_cbc;
\r
1136 extern const ssh_cipheralg ssh_aes128_cbc_ni;
\r
1137 extern const ssh_cipheralg ssh_aes128_cbc_neon;
\r
1138 extern const ssh_cipheralg ssh_aes128_cbc_sw;
\r
1139 extern const ssh_cipheralg ssh_blowfish_ssh2_ctr;
\r
1140 extern const ssh_cipheralg ssh_blowfish_ssh2;
\r
1141 extern const ssh_cipheralg ssh_arcfour256_ssh2;
\r
1142 extern const ssh_cipheralg ssh_arcfour128_ssh2;
\r
1143 extern const ssh_cipheralg ssh2_chacha20_poly1305;
\r
1144 extern const ssh2_ciphers ssh2_3des;
\r
1145 extern const ssh2_ciphers ssh2_des;
\r
1146 extern const ssh2_ciphers ssh2_aes;
\r
1147 extern const ssh2_ciphers ssh2_blowfish;
\r
1148 extern const ssh2_ciphers ssh2_arcfour;
\r
1149 extern const ssh2_ciphers ssh2_ccp;
\r
1150 extern const ssh2_ciphers ssh2_aesgcm;
\r
1151 extern const ssh_hashalg ssh_md5;
\r
1152 extern const ssh_hashalg ssh_sha1;
\r
1153 extern const ssh_hashalg ssh_sha1_ni;
\r
1154 extern const ssh_hashalg ssh_sha1_neon;
\r
1155 extern const ssh_hashalg ssh_sha1_sw;
\r
1156 extern const ssh_hashalg ssh_sha256;
\r
1157 extern const ssh_hashalg ssh_sha256_ni;
\r
1158 extern const ssh_hashalg ssh_sha256_neon;
\r
1159 extern const ssh_hashalg ssh_sha256_sw;
\r
1160 extern const ssh_hashalg ssh_sha384;
\r
1161 extern const ssh_hashalg ssh_sha384_neon;
\r
1162 extern const ssh_hashalg ssh_sha384_sw;
\r
1163 extern const ssh_hashalg ssh_sha512;
\r
1164 extern const ssh_hashalg ssh_sha512_neon;
\r
1165 extern const ssh_hashalg ssh_sha512_sw;
\r
1166 extern const ssh_hashalg ssh_sha3_224;
\r
1167 extern const ssh_hashalg ssh_sha3_256;
\r
1168 extern const ssh_hashalg ssh_sha3_384;
\r
1169 extern const ssh_hashalg ssh_sha3_512;
\r
1170 extern const ssh_hashalg ssh_shake256_114bytes;
\r
1171 extern const ssh_hashalg ssh_blake2b;
\r
1172 extern const ssh_kexes ssh_diffiehellman_group1;
\r
1173 extern const ssh_kexes ssh_diffiehellman_group14;
\r
1174 extern const ssh_kexes ssh_diffiehellman_group15;
\r
1175 extern const ssh_kexes ssh_diffiehellman_group16;
\r
1176 extern const ssh_kexes ssh_diffiehellman_group17;
\r
1177 extern const ssh_kexes ssh_diffiehellman_group18;
\r
1178 extern const ssh_kexes ssh_diffiehellman_gex;
\r
1179 extern const ssh_kex ssh_diffiehellman_group1_sha1;
\r
1180 extern const ssh_kex ssh_diffiehellman_group14_sha256;
\r
1181 extern const ssh_kex ssh_diffiehellman_group14_sha1;
\r
1182 extern const ssh_kex ssh_diffiehellman_group15_sha512;
\r
1183 extern const ssh_kex ssh_diffiehellman_group16_sha512;
\r
1184 extern const ssh_kex ssh_diffiehellman_group17_sha512;
\r
1185 extern const ssh_kex ssh_diffiehellman_group18_sha512;
\r
1186 extern const ssh_kexes ssh_gssk5_sha1_kex;
\r
1187 extern const ssh_kexes ssh_gssk5_sha2_kex;
\r
1188 extern const ssh_kexes ssh_gssk5_ecdh_kex;
\r
1189 extern const ssh_kexes ssh_rsa_kex;
\r
1190 extern const ssh_kex ssh_ec_kex_curve25519;
\r
1191 extern const ssh_kex ssh_ec_kex_curve448;
\r
1192 extern const ssh_kex ssh_ec_kex_nistp256;
\r
1193 extern const ssh_kex ssh_ec_kex_nistp384;
\r
1194 extern const ssh_kex ssh_ec_kex_nistp521;
\r
1195 extern const ssh_kexes ssh_ecdh_kex;
\r
1196 extern const ssh_kexes ssh_ntru_hybrid_kex;
\r
1197 extern const ssh_keyalg ssh_dsa;
\r
1198 extern const ssh_keyalg ssh_rsa;
\r
1199 extern const ssh_keyalg ssh_rsa_sha256;
\r
1200 extern const ssh_keyalg ssh_rsa_sha512;
\r
1201 extern const ssh_keyalg ssh_ecdsa_ed25519;
\r
1202 extern const ssh_keyalg ssh_ecdsa_ed448;
\r
1203 extern const ssh_keyalg ssh_ecdsa_nistp256;
\r
1204 extern const ssh_keyalg ssh_ecdsa_nistp384;
\r
1205 extern const ssh_keyalg ssh_ecdsa_nistp521;
\r
1206 extern const ssh_keyalg opensshcert_ssh_dsa;
\r
1207 extern const ssh_keyalg opensshcert_ssh_rsa;
\r
1208 extern const ssh_keyalg opensshcert_ssh_rsa_sha256;
\r
1209 extern const ssh_keyalg opensshcert_ssh_rsa_sha512;
\r
1210 extern const ssh_keyalg opensshcert_ssh_ecdsa_ed25519;
\r
1211 extern const ssh_keyalg opensshcert_ssh_ecdsa_nistp256;
\r
1212 extern const ssh_keyalg opensshcert_ssh_ecdsa_nistp384;
\r
1213 extern const ssh_keyalg opensshcert_ssh_ecdsa_nistp521;
\r
1214 extern const ssh2_macalg ssh_hmac_md5;
\r
1215 extern const ssh2_macalg ssh_hmac_sha1;
\r
1216 extern const ssh2_macalg ssh_hmac_sha1_buggy;
\r
1217 extern const ssh2_macalg ssh_hmac_sha1_96;
\r
1218 extern const ssh2_macalg ssh_hmac_sha1_96_buggy;
\r
1219 extern const ssh2_macalg ssh_hmac_sha256;
\r
1220 extern const ssh2_macalg ssh_hmac_sha384;
\r
1221 extern const ssh2_macalg ssh_hmac_sha512;
\r
1222 extern const ssh2_macalg ssh2_poly1305;
\r
1223 extern const ssh2_macalg ssh2_aesgcm_mac;
\r
1224 extern const ssh2_macalg ssh2_aesgcm_mac_sw;
\r
1225 extern const ssh2_macalg ssh2_aesgcm_mac_ref_poly;
\r
1226 extern const ssh2_macalg ssh2_aesgcm_mac_clmul;
\r
1227 extern const ssh2_macalg ssh2_aesgcm_mac_neon;
\r
1228 extern const ssh_compression_alg ssh_zlib;
\r
1230 /* Special constructor: BLAKE2b can be instantiated with any hash
\r
1231 * length up to 128 bytes */
\r
1232 ssh_hash *blake2b_new_general(unsigned hashlen);
\r
1234 /* Special test function for AES-GCM */
\r
1235 void aesgcm_set_prefix_lengths(ssh2_mac *mac, size_t skip, size_t aad);
\r
1238 * On some systems, you have to detect hardware crypto acceleration by
\r
1239 * asking the local OS API rather than OS-agnostically asking the CPU
\r
1240 * itself. If so, then this function should be implemented in each
\r
1241 * platform subdirectory.
\r
1243 bool platform_aes_neon_available(void);
\r
1244 bool platform_pmull_neon_available(void);
\r
1245 bool platform_sha256_neon_available(void);
\r
1246 bool platform_sha1_neon_available(void);
\r
1247 bool platform_sha512_neon_available(void);
\r
1250 * PuTTY version number formatted as an SSH version string.
\r
1252 extern const char sshver[];
\r
1255 * Gross hack: pscp will try to start SFTP but fall back to scp1 if
\r
1256 * that fails. This variable is the means by which pscp.c can reach
\r
1257 * into the SSH code and find out which one it got.
\r
1259 extern bool ssh_fallback_cmd(Backend *backend);
\r
1262 * The PRNG type, defined in prng.c. Visible data fields are
\r
1263 * 'savesize', which suggests how many random bytes you should request
\r
1264 * from a particular PRNG instance to write to putty.rnd, and a
\r
1265 * BinarySink implementation which you can use to write seed data in
\r
1266 * between calling prng_seed_{begin,finish}.
\r
1270 BinarySink_IMPLEMENTATION;
\r
1271 /* (also there's a surrounding implementation struct in prng.c) */
\r
1273 prng *prng_new(const ssh_hashalg *hashalg);
\r
1274 void prng_free(prng *p);
\r
1275 void prng_seed_begin(prng *p);
\r
1276 void prng_seed_finish(prng *p);
\r
1277 void prng_read(prng *p, void *vout, size_t size);
\r
1278 void prng_add_entropy(prng *p, unsigned source_id, ptrlen data);
\r
1279 size_t prng_seed_bits(prng *p);
\r
1281 /* This function must be implemented by the platform, and returns a
\r
1282 * timer in milliseconds that the PRNG can use to know whether it's
\r
1283 * been reseeded too recently to do it again.
\r
1285 * The PRNG system has its own special timing function not because its
\r
1286 * timing needs are unusual in the real applications, but simply so
\r
1287 * that testcrypt can mock it to keep the tests deterministic. */
\r
1288 uint64_t prng_reseed_time_ms(void);
\r
1290 void random_read(void *out, size_t size);
\r
1292 /* Exports from x11fwd.c */
\r
1294 X11_TRANS_IPV4 = 0, X11_TRANS_IPV6 = 6, X11_TRANS_UNIX = 256
\r
1296 struct X11Display {
\r
1297 /* Broken-down components of the display name itself */
\r
1302 /* OSX sometimes replaces all the above with a full Unix-socket pathname */
\r
1303 char *unixsocketpath;
\r
1305 /* PuTTY networking SockAddr to connect to the display, and associated
\r
1311 /* Our local auth details for talking to the real X display. */
\r
1312 int localauthproto;
\r
1313 unsigned char *localauthdata;
\r
1314 int localauthdatalen;
\r
1316 struct X11FakeAuth {
\r
1317 /* Auth details we invented for a virtual display on the SSH server. */
\r
1319 unsigned char *data;
\r
1324 /* The encrypted form of the first block, in XDM-AUTHORIZATION-1.
\r
1325 * Used as part of the key when these structures are organised
\r
1326 * into a tree. See x11_invent_fake_auth for explanation. */
\r
1327 unsigned char *xa1_firstblock;
\r
1330 * Used inside x11fwd.c to remember recently seen
\r
1331 * XDM-AUTHORIZATION-1 strings, to avoid replay attacks.
\r
1336 * What to do with an X connection matching this auth data.
\r
1338 struct X11Display *disp;
\r
1339 ssh_sharing_connstate *share_cs;
\r
1340 share_channel *share_chan;
\r
1342 int x11_authcmp(void *av, void *bv); /* for putting X11FakeAuth in a tree234 */
\r
1344 * x11_setup_display() parses the display variable and fills in an
\r
1345 * X11Display structure. Some remote auth details are invented;
\r
1346 * the supplied authtype parameter configures the preferred
\r
1347 * authorisation protocol to use at the remote end. The local auth
\r
1348 * details are looked up by calling platform_get_x11_auth.
\r
1350 * If the returned pointer is NULL, then *error_msg will contain a
\r
1351 * dynamically allocated error message string.
\r
1353 extern struct X11Display *x11_setup_display(const char *display, Conf *,
\r
1354 char **error_msg);
\r
1355 void x11_free_display(struct X11Display *disp);
\r
1356 struct X11FakeAuth *x11_invent_fake_auth(tree234 *t, int authtype);
\r
1357 void x11_free_fake_auth(struct X11FakeAuth *auth);
\r
1358 Channel *x11_new_channel(tree234 *authtree, SshChannel *c,
\r
1359 const char *peeraddr, int peerport,
\r
1360 bool connection_sharing_possible);
\r
1361 char *x11_display(const char *display);
\r
1362 /* Platform-dependent X11 functions */
\r
1363 extern void platform_get_x11_auth(struct X11Display *display, Conf *);
\r
1364 /* examine a mostly-filled-in X11Display and fill in localauth* */
\r
1365 extern const bool platform_uses_x11_unix_by_default;
\r
1366 /* choose default X transport in the absence of a specified one */
\r
1367 SockAddr *platform_get_x11_unix_address(const char *path, int displaynum);
\r
1368 /* make up a SockAddr naming the address for displaynum */
\r
1369 char *platform_get_x_display(void);
\r
1370 /* allocated local X display string, if any */
\r
1371 /* X11-related helper functions in utils */
\r
1373 * This function does the job of platform_get_x11_auth, provided
\r
1374 * it is told where to find a normally formatted .Xauthority file:
\r
1375 * it opens that file, parses it to find an auth record which
\r
1376 * matches the display details in "display", and fills in the
\r
1377 * localauth fields.
\r
1379 * It is expected that most implementations of
\r
1380 * platform_get_x11_auth() will work by finding their system's
\r
1381 * .Xauthority file, adjusting the display details if necessary
\r
1382 * for local oddities like Unix-domain socket transport, and
\r
1383 * calling this function to do the rest of the work.
\r
1385 void x11_get_auth_from_authfile(struct X11Display *display,
\r
1386 const char *authfilename);
\r
1387 void x11_format_auth_for_authfile(
\r
1388 BinarySink *bs, SockAddr *addr, int display_no,
\r
1389 ptrlen authproto, ptrlen authdata);
\r
1390 void *x11_make_greeting(int endian, int protomajor, int protominor,
\r
1391 int auth_proto, const void *auth_data, int auth_len,
\r
1392 const char *peer_ip, int peer_port,
\r
1394 int x11_identify_auth_proto(ptrlen protoname);
\r
1395 void *x11_dehexify(ptrlen hex, int *outlen);
\r
1396 bool x11_parse_ip(const char *addr_string, unsigned long *ip);
\r
1398 Channel *agentf_new(SshChannel *c);
\r
1400 bool dh_is_gex(const ssh_kex *kex);
\r
1401 dh_ctx *dh_setup_group(const ssh_kex *kex);
\r
1402 dh_ctx *dh_setup_gex(mp_int *pval, mp_int *gval);
\r
1403 int dh_modulus_bit_size(const dh_ctx *ctx);
\r
1404 void dh_cleanup(dh_ctx *);
\r
1405 mp_int *dh_create_e(dh_ctx *);
\r
1406 const char *dh_validate_f(dh_ctx *, mp_int *f);
\r
1407 mp_int *dh_find_K(dh_ctx *, mp_int *f);
\r
1409 static inline bool is_base64_char(char c)
\r
1411 return ((c >= '0' && c <= '9') ||
\r
1412 (c >= 'a' && c <= 'z') ||
\r
1413 (c >= 'A' && c <= 'Z') ||
\r
1414 c == '+' || c == '/' || c == '=');
\r
1417 extern int base64_lines(int datalen);
\r
1419 /* ppk_load_* can return this as an error */
\r
1420 extern ssh2_userkey ssh2_wrong_passphrase;
\r
1421 #define SSH2_WRONG_PASSPHRASE (&ssh2_wrong_passphrase)
\r
1423 bool ppk_encrypted_s(BinarySource *src, char **comment);
\r
1424 bool ppk_encrypted_f(const Filename *filename, char **comment);
\r
1425 bool rsa1_encrypted_s(BinarySource *src, char **comment);
\r
1426 bool rsa1_encrypted_f(const Filename *filename, char **comment);
\r
1428 ssh2_userkey *ppk_load_s(BinarySource *src, const char *passphrase,
\r
1429 const char **errorstr);
\r
1430 ssh2_userkey *ppk_load_f(const Filename *filename, const char *passphrase,
\r
1431 const char **errorstr);
\r
1432 int rsa1_load_s(BinarySource *src, RSAKey *key,
\r
1433 const char *passphrase, const char **errorstr);
\r
1434 int rsa1_load_f(const Filename *filename, RSAKey *key,
\r
1435 const char *passphrase, const char **errorstr);
\r
1437 typedef struct ppk_save_parameters {
\r
1438 unsigned fmt_version; /* currently 2 or 3 */
\r
1441 * Parameters for fmt_version == 3
\r
1443 Argon2Flavour argon2_flavour;
\r
1444 uint32_t argon2_mem; /* in Kbyte */
\r
1445 bool argon2_passes_auto;
\r
1447 uint32_t argon2_passes; /* if auto == false */
\r
1448 uint32_t argon2_milliseconds; /* if auto == true */
\r
1450 uint32_t argon2_parallelism;
\r
1452 /* The ability to choose a specific salt is only intended for the
\r
1453 * use of the automated test of PuTTYgen. It's a (mild) security
\r
1454 * risk to do it with any passphrase you actually care about,
\r
1455 * because it invalidates the entire point of having a salt in the
\r
1457 const uint8_t *salt;
\r
1459 } ppk_save_parameters;
\r
1460 extern const ppk_save_parameters ppk_save_default_parameters;
\r
1462 strbuf *ppk_save_sb(ssh2_userkey *key, const char *passphrase,
\r
1463 const ppk_save_parameters *params);
\r
1464 bool ppk_save_f(const Filename *filename, ssh2_userkey *key,
\r
1465 const char *passphrase, const ppk_save_parameters *params);
\r
1466 strbuf *rsa1_save_sb(RSAKey *key, const char *passphrase);
\r
1467 bool rsa1_save_f(const Filename *filename, RSAKey *key,
\r
1468 const char *passphrase);
\r
1470 bool ppk_loadpub_s(BinarySource *src, char **algorithm, BinarySink *bs,
\r
1471 char **commentptr, const char **errorstr);
\r
1472 bool ppk_loadpub_f(const Filename *filename, char **algorithm, BinarySink *bs,
\r
1473 char **commentptr, const char **errorstr);
\r
1474 int rsa1_loadpub_s(BinarySource *src, BinarySink *bs,
\r
1475 char **commentptr, const char **errorstr);
\r
1476 int rsa1_loadpub_f(const Filename *filename, BinarySink *bs,
\r
1477 char **commentptr, const char **errorstr);
\r
1479 extern const ssh_keyalg *const all_keyalgs[];
\r
1480 extern const size_t n_keyalgs;
\r
1481 const ssh_keyalg *find_pubkey_alg(const char *name);
\r
1482 const ssh_keyalg *find_pubkey_alg_len(ptrlen name);
\r
1484 ptrlen pubkey_blob_to_alg_name(ptrlen blob);
\r
1485 const ssh_keyalg *pubkey_blob_to_alg(ptrlen blob);
\r
1487 /* Convenient wrappers on the LoadedFile mechanism suitable for key files */
\r
1488 LoadedFile *lf_load_keyfile(const Filename *filename, const char **errptr);
\r
1489 LoadedFile *lf_load_keyfile_fp(FILE *fp, const char **errptr);
\r
1492 SSH_KEYTYPE_UNOPENABLE,
\r
1493 SSH_KEYTYPE_UNKNOWN,
\r
1494 SSH_KEYTYPE_SSH1, SSH_KEYTYPE_SSH2,
\r
1496 * The OpenSSH key types deserve a little explanation. OpenSSH has
\r
1497 * two physical formats for private key storage: an old PEM-based
\r
1498 * one largely dictated by their use of OpenSSL and full of ASN.1,
\r
1499 * and a new one using the same private key formats used over the
\r
1500 * wire for talking to ssh-agent. The old format can only support
\r
1501 * a subset of the key types, because it needs redesign for each
\r
1502 * key type, and after a while they decided to move to the new
\r
1503 * format so as not to have to do that.
\r
1505 * On input, key files are identified as either
\r
1506 * SSH_KEYTYPE_OPENSSH_PEM or SSH_KEYTYPE_OPENSSH_NEW, describing
\r
1507 * accurately which actual format the keys are stored in.
\r
1509 * On output, however, we default to following OpenSSH's own
\r
1510 * policy of writing out PEM-style keys for maximum backwards
\r
1511 * compatibility if the key type supports it, and otherwise
\r
1512 * switching to the new format. So the formats you can select for
\r
1513 * output are SSH_KEYTYPE_OPENSSH_NEW (forcing the new format for
\r
1514 * any key type), and SSH_KEYTYPE_OPENSSH_AUTO to use the oldest
\r
1515 * format supported by whatever key type you're writing out.
\r
1517 * So we have three type codes, but only two of them usable in any
\r
1518 * given circumstance. An input key file will never be identified
\r
1519 * as AUTO, only PEM or NEW; key export UIs should not be able to
\r
1520 * select PEM, only AUTO or NEW.
\r
1522 SSH_KEYTYPE_OPENSSH_AUTO,
\r
1523 SSH_KEYTYPE_OPENSSH_PEM,
\r
1524 SSH_KEYTYPE_OPENSSH_NEW,
\r
1525 SSH_KEYTYPE_SSHCOM,
\r
1527 * Public-key-only formats, which we still want to be able to read
\r
1528 * for various purposes.
\r
1530 SSH_KEYTYPE_SSH1_PUBLIC,
\r
1531 SSH_KEYTYPE_SSH2_PUBLIC_RFC4716,
\r
1532 SSH_KEYTYPE_SSH2_PUBLIC_OPENSSH
\r
1536 /* Default fingerprint types strip off a certificate to show you
\r
1537 * the fingerprint of the underlying public key */
\r
1539 SSH_FPTYPE_SHA256,
\r
1540 /* Non-default version of each fingerprint type which is 'raw',
\r
1541 * giving you the true hash of the public key blob even if it
\r
1542 * includes a certificate */
\r
1543 SSH_FPTYPE_MD5_CERT,
\r
1544 SSH_FPTYPE_SHA256_CERT,
\r
1545 } FingerprintType;
\r
1547 static inline bool ssh_fptype_is_cert(FingerprintType fptype)
\r
1549 return fptype >= SSH_FPTYPE_MD5_CERT;
\r
1551 static inline FingerprintType ssh_fptype_from_cert(FingerprintType fptype)
\r
1553 if (ssh_fptype_is_cert(fptype))
\r
1554 fptype -= (SSH_FPTYPE_MD5_CERT - SSH_FPTYPE_MD5);
\r
1557 static inline FingerprintType ssh_fptype_to_cert(FingerprintType fptype)
\r
1559 if (!ssh_fptype_is_cert(fptype))
\r
1560 fptype += (SSH_FPTYPE_MD5_CERT - SSH_FPTYPE_MD5);
\r
1564 #define SSH_N_FPTYPES (SSH_FPTYPE_SHA256_CERT + 1)
\r
1565 #define SSH_FPTYPE_DEFAULT SSH_FPTYPE_SHA256
\r
1567 FingerprintType ssh2_pick_fingerprint(char **fingerprints,
\r
1568 FingerprintType preferred_type);
\r
1569 FingerprintType ssh2_pick_default_fingerprint(char **fingerprints);
\r
1571 char *ssh1_pubkey_str(RSAKey *ssh1key);
\r
1572 void ssh1_write_pubkey(FILE *fp, RSAKey *ssh1key);
\r
1573 char *ssh2_pubkey_openssh_str(ssh2_userkey *key);
\r
1574 void ssh2_write_pubkey(FILE *fp, const char *comment,
\r
1575 const void *v_pub_blob, int pub_len,
\r
1577 char *ssh2_fingerprint_blob(ptrlen, FingerprintType);
\r
1578 char *ssh2_fingerprint(ssh_key *key, FingerprintType);
\r
1579 char *ssh2_double_fingerprint_blob(ptrlen, FingerprintType);
\r
1580 char *ssh2_double_fingerprint(ssh_key *key, FingerprintType);
\r
1581 char **ssh2_all_fingerprints_for_blob(ptrlen);
\r
1582 char **ssh2_all_fingerprints(ssh_key *key);
\r
1583 void ssh2_free_all_fingerprints(char **);
\r
1584 int key_type(const Filename *filename);
\r
1585 int key_type_s(BinarySource *src);
\r
1586 const char *key_type_to_str(int type);
\r
1588 bool import_possible(int type);
\r
1589 int import_target_type(int type);
\r
1590 bool import_encrypted(const Filename *filename, int type, char **comment);
\r
1591 bool import_encrypted_s(const Filename *filename, BinarySource *src,
\r
1592 int type, char **comment);
\r
1593 int import_ssh1(const Filename *filename, int type,
\r
1594 RSAKey *key, char *passphrase, const char **errmsg_p);
\r
1595 int import_ssh1_s(BinarySource *src, int type,
\r
1596 RSAKey *key, char *passphrase, const char **errmsg_p);
\r
1597 ssh2_userkey *import_ssh2(const Filename *filename, int type,
\r
1598 char *passphrase, const char **errmsg_p);
\r
1599 ssh2_userkey *import_ssh2_s(BinarySource *src, int type,
\r
1600 char *passphrase, const char **errmsg_p);
\r
1601 bool export_ssh1(const Filename *filename, int type,
\r
1602 RSAKey *key, char *passphrase);
\r
1603 bool export_ssh2(const Filename *filename, int type,
\r
1604 ssh2_userkey *key, char *passphrase);
\r
1606 void des3_decrypt_pubkey(const void *key, void *blk, int len);
\r
1607 void des3_encrypt_pubkey(const void *key, void *blk, int len);
\r
1608 void des3_decrypt_pubkey_ossh(const void *key, const void *iv,
\r
1609 void *blk, int len);
\r
1610 void des3_encrypt_pubkey_ossh(const void *key, const void *iv,
\r
1611 void *blk, int len);
\r
1612 void aes256_encrypt_pubkey(const void *key, const void *iv,
\r
1613 void *blk, int len);
\r
1614 void aes256_decrypt_pubkey(const void *key, const void *iv,
\r
1615 void *blk, int len);
\r
1617 void des_encrypt_xdmauth(const void *key, void *blk, int len);
\r
1618 void des_decrypt_xdmauth(const void *key, void *blk, int len);
\r
1620 void openssh_bcrypt(ptrlen passphrase, ptrlen salt,
\r
1621 int rounds, unsigned char *out, int outbytes);
\r
1624 * Connection-sharing API provided by platforms. This function must
\r
1626 * - return SHARE_NONE and do nothing
\r
1627 * - return SHARE_DOWNSTREAM and set *sock to a Socket connected to
\r
1629 * - return SHARE_UPSTREAM and set *sock to a Socket connected to
\r
1632 enum { SHARE_NONE, SHARE_DOWNSTREAM, SHARE_UPSTREAM };
\r
1633 int platform_ssh_share(const char *name, Conf *conf,
\r
1634 Plug *downplug, Plug *upplug, Socket **sock,
\r
1635 char **logtext, char **ds_err, char **us_err,
\r
1636 bool can_upstream, bool can_downstream);
\r
1637 void platform_ssh_share_cleanup(const char *name);
\r
1640 * List macro defining the SSH-1 message type codes.
\r
1642 #define SSH1_MESSAGE_TYPES(X, y) \
\r
1643 X(y, SSH1_MSG_DISCONNECT, 1) \
\r
1644 X(y, SSH1_SMSG_PUBLIC_KEY, 2) \
\r
1645 X(y, SSH1_CMSG_SESSION_KEY, 3) \
\r
1646 X(y, SSH1_CMSG_USER, 4) \
\r
1647 X(y, SSH1_CMSG_AUTH_RSA, 6) \
\r
1648 X(y, SSH1_SMSG_AUTH_RSA_CHALLENGE, 7) \
\r
1649 X(y, SSH1_CMSG_AUTH_RSA_RESPONSE, 8) \
\r
1650 X(y, SSH1_CMSG_AUTH_PASSWORD, 9) \
\r
1651 X(y, SSH1_CMSG_REQUEST_PTY, 10) \
\r
1652 X(y, SSH1_CMSG_WINDOW_SIZE, 11) \
\r
1653 X(y, SSH1_CMSG_EXEC_SHELL, 12) \
\r
1654 X(y, SSH1_CMSG_EXEC_CMD, 13) \
\r
1655 X(y, SSH1_SMSG_SUCCESS, 14) \
\r
1656 X(y, SSH1_SMSG_FAILURE, 15) \
\r
1657 X(y, SSH1_CMSG_STDIN_DATA, 16) \
\r
1658 X(y, SSH1_SMSG_STDOUT_DATA, 17) \
\r
1659 X(y, SSH1_SMSG_STDERR_DATA, 18) \
\r
1660 X(y, SSH1_CMSG_EOF, 19) \
\r
1661 X(y, SSH1_SMSG_EXIT_STATUS, 20) \
\r
1662 X(y, SSH1_MSG_CHANNEL_OPEN_CONFIRMATION, 21) \
\r
1663 X(y, SSH1_MSG_CHANNEL_OPEN_FAILURE, 22) \
\r
1664 X(y, SSH1_MSG_CHANNEL_DATA, 23) \
\r
1665 X(y, SSH1_MSG_CHANNEL_CLOSE, 24) \
\r
1666 X(y, SSH1_MSG_CHANNEL_CLOSE_CONFIRMATION, 25) \
\r
1667 X(y, SSH1_SMSG_X11_OPEN, 27) \
\r
1668 X(y, SSH1_CMSG_PORT_FORWARD_REQUEST, 28) \
\r
1669 X(y, SSH1_MSG_PORT_OPEN, 29) \
\r
1670 X(y, SSH1_CMSG_AGENT_REQUEST_FORWARDING, 30) \
\r
1671 X(y, SSH1_SMSG_AGENT_OPEN, 31) \
\r
1672 X(y, SSH1_MSG_IGNORE, 32) \
\r
1673 X(y, SSH1_CMSG_EXIT_CONFIRMATION, 33) \
\r
1674 X(y, SSH1_CMSG_X11_REQUEST_FORWARDING, 34) \
\r
1675 X(y, SSH1_CMSG_AUTH_RHOSTS_RSA, 35) \
\r
1676 X(y, SSH1_MSG_DEBUG, 36) \
\r
1677 X(y, SSH1_CMSG_REQUEST_COMPRESSION, 37) \
\r
1678 X(y, SSH1_CMSG_AUTH_TIS, 39) \
\r
1679 X(y, SSH1_SMSG_AUTH_TIS_CHALLENGE, 40) \
\r
1680 X(y, SSH1_CMSG_AUTH_TIS_RESPONSE, 41) \
\r
1681 X(y, SSH1_CMSG_AUTH_CCARD, 70) \
\r
1682 X(y, SSH1_SMSG_AUTH_CCARD_CHALLENGE, 71) \
\r
1683 X(y, SSH1_CMSG_AUTH_CCARD_RESPONSE, 72) \
\r
1686 #define SSH1_AUTH_RHOSTS 1 /* 0x1 */
\r
1687 #define SSH1_AUTH_RSA 2 /* 0x2 */
\r
1688 #define SSH1_AUTH_PASSWORD 3 /* 0x3 */
\r
1689 #define SSH1_AUTH_RHOSTS_RSA 4 /* 0x4 */
\r
1690 #define SSH1_AUTH_TIS 5 /* 0x5 */
\r
1691 #define SSH1_AUTH_CCARD 16 /* 0x10 */
\r
1693 #define SSH1_PROTOFLAG_SCREEN_NUMBER 1 /* 0x1 */
\r
1694 /* Mask for protoflags we will echo back to server if seen */
\r
1695 #define SSH1_PROTOFLAGS_SUPPORTED 0 /* 0x1 */
\r
1698 * List macro defining SSH-2 message type codes. Some of these depend
\r
1699 * on particular contexts (i.e. a previously negotiated kex or auth
\r
1702 #define SSH2_MESSAGE_TYPES(X, K, A, y) \
\r
1703 X(y, SSH2_MSG_DISCONNECT, 1) \
\r
1704 X(y, SSH2_MSG_IGNORE, 2) \
\r
1705 X(y, SSH2_MSG_UNIMPLEMENTED, 3) \
\r
1706 X(y, SSH2_MSG_DEBUG, 4) \
\r
1707 X(y, SSH2_MSG_SERVICE_REQUEST, 5) \
\r
1708 X(y, SSH2_MSG_SERVICE_ACCEPT, 6) \
\r
1709 X(y, SSH2_MSG_EXT_INFO, 7) \
\r
1710 X(y, SSH2_MSG_KEXINIT, 20) \
\r
1711 X(y, SSH2_MSG_NEWKEYS, 21) \
\r
1712 K(y, SSH2_MSG_KEXDH_INIT, 30, SSH2_PKTCTX_DHGROUP) \
\r
1713 K(y, SSH2_MSG_KEXDH_REPLY, 31, SSH2_PKTCTX_DHGROUP) \
\r
1714 K(y, SSH2_MSG_KEX_DH_GEX_REQUEST_OLD, 30, SSH2_PKTCTX_DHGEX) \
\r
1715 K(y, SSH2_MSG_KEX_DH_GEX_REQUEST, 34, SSH2_PKTCTX_DHGEX) \
\r
1716 K(y, SSH2_MSG_KEX_DH_GEX_GROUP, 31, SSH2_PKTCTX_DHGEX) \
\r
1717 K(y, SSH2_MSG_KEX_DH_GEX_INIT, 32, SSH2_PKTCTX_DHGEX) \
\r
1718 K(y, SSH2_MSG_KEX_DH_GEX_REPLY, 33, SSH2_PKTCTX_DHGEX) \
\r
1719 K(y, SSH2_MSG_KEXGSS_INIT, 30, SSH2_PKTCTX_GSSKEX) \
\r
1720 K(y, SSH2_MSG_KEXGSS_CONTINUE, 31, SSH2_PKTCTX_GSSKEX) \
\r
1721 K(y, SSH2_MSG_KEXGSS_COMPLETE, 32, SSH2_PKTCTX_GSSKEX) \
\r
1722 K(y, SSH2_MSG_KEXGSS_HOSTKEY, 33, SSH2_PKTCTX_GSSKEX) \
\r
1723 K(y, SSH2_MSG_KEXGSS_ERROR, 34, SSH2_PKTCTX_GSSKEX) \
\r
1724 K(y, SSH2_MSG_KEXGSS_GROUPREQ, 40, SSH2_PKTCTX_GSSKEX) \
\r
1725 K(y, SSH2_MSG_KEXGSS_GROUP, 41, SSH2_PKTCTX_GSSKEX) \
\r
1726 K(y, SSH2_MSG_KEXRSA_PUBKEY, 30, SSH2_PKTCTX_RSAKEX) \
\r
1727 K(y, SSH2_MSG_KEXRSA_SECRET, 31, SSH2_PKTCTX_RSAKEX) \
\r
1728 K(y, SSH2_MSG_KEXRSA_DONE, 32, SSH2_PKTCTX_RSAKEX) \
\r
1729 K(y, SSH2_MSG_KEX_ECDH_INIT, 30, SSH2_PKTCTX_ECDHKEX) \
\r
1730 K(y, SSH2_MSG_KEX_ECDH_REPLY, 31, SSH2_PKTCTX_ECDHKEX) \
\r
1731 X(y, SSH2_MSG_USERAUTH_REQUEST, 50) \
\r
1732 X(y, SSH2_MSG_USERAUTH_FAILURE, 51) \
\r
1733 X(y, SSH2_MSG_USERAUTH_SUCCESS, 52) \
\r
1734 X(y, SSH2_MSG_USERAUTH_BANNER, 53) \
\r
1735 A(y, SSH2_MSG_USERAUTH_PK_OK, 60, SSH2_PKTCTX_PUBLICKEY) \
\r
1736 A(y, SSH2_MSG_USERAUTH_PASSWD_CHANGEREQ, 60, SSH2_PKTCTX_PASSWORD) \
\r
1737 A(y, SSH2_MSG_USERAUTH_INFO_REQUEST, 60, SSH2_PKTCTX_KBDINTER) \
\r
1738 A(y, SSH2_MSG_USERAUTH_INFO_RESPONSE, 61, SSH2_PKTCTX_KBDINTER) \
\r
1739 A(y, SSH2_MSG_USERAUTH_GSSAPI_RESPONSE, 60, SSH2_PKTCTX_GSSAPI) \
\r
1740 A(y, SSH2_MSG_USERAUTH_GSSAPI_TOKEN, 61, SSH2_PKTCTX_GSSAPI) \
\r
1741 A(y, SSH2_MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE, 63, SSH2_PKTCTX_GSSAPI) \
\r
1742 A(y, SSH2_MSG_USERAUTH_GSSAPI_ERROR, 64, SSH2_PKTCTX_GSSAPI) \
\r
1743 A(y, SSH2_MSG_USERAUTH_GSSAPI_ERRTOK, 65, SSH2_PKTCTX_GSSAPI) \
\r
1744 A(y, SSH2_MSG_USERAUTH_GSSAPI_MIC, 66, SSH2_PKTCTX_GSSAPI) \
\r
1745 X(y, SSH2_MSG_GLOBAL_REQUEST, 80) \
\r
1746 X(y, SSH2_MSG_REQUEST_SUCCESS, 81) \
\r
1747 X(y, SSH2_MSG_REQUEST_FAILURE, 82) \
\r
1748 X(y, SSH2_MSG_CHANNEL_OPEN, 90) \
\r
1749 X(y, SSH2_MSG_CHANNEL_OPEN_CONFIRMATION, 91) \
\r
1750 X(y, SSH2_MSG_CHANNEL_OPEN_FAILURE, 92) \
\r
1751 X(y, SSH2_MSG_CHANNEL_WINDOW_ADJUST, 93) \
\r
1752 X(y, SSH2_MSG_CHANNEL_DATA, 94) \
\r
1753 X(y, SSH2_MSG_CHANNEL_EXTENDED_DATA, 95) \
\r
1754 X(y, SSH2_MSG_CHANNEL_EOF, 96) \
\r
1755 X(y, SSH2_MSG_CHANNEL_CLOSE, 97) \
\r
1756 X(y, SSH2_MSG_CHANNEL_REQUEST, 98) \
\r
1757 X(y, SSH2_MSG_CHANNEL_SUCCESS, 99) \
\r
1758 X(y, SSH2_MSG_CHANNEL_FAILURE, 100) \
\r
1761 #define DEF_ENUM_UNIVERSAL(y, name, value) name = value,
\r
1762 #define DEF_ENUM_CONTEXTUAL(y, name, value, context) name = value,
\r
1764 SSH1_MESSAGE_TYPES(DEF_ENUM_UNIVERSAL, y)
\r
1765 SSH2_MESSAGE_TYPES(DEF_ENUM_UNIVERSAL,
\r
1766 DEF_ENUM_CONTEXTUAL, DEF_ENUM_CONTEXTUAL, y)
\r
1767 /* Virtual packet type, for packets too short to even have a type */
\r
1768 SSH_MSG_NO_TYPE_CODE = 256
\r
1770 #undef DEF_ENUM_UNIVERSAL
\r
1771 #undef DEF_ENUM_CONTEXTUAL
\r
1774 * SSH-1 agent messages.
\r
1776 #define SSH1_AGENTC_REQUEST_RSA_IDENTITIES 1
\r
1777 #define SSH1_AGENT_RSA_IDENTITIES_ANSWER 2
\r
1778 #define SSH1_AGENTC_RSA_CHALLENGE 3
\r
1779 #define SSH1_AGENT_RSA_RESPONSE 4
\r
1780 #define SSH1_AGENTC_ADD_RSA_IDENTITY 7
\r
1781 #define SSH1_AGENTC_REMOVE_RSA_IDENTITY 8
\r
1782 #define SSH1_AGENTC_REMOVE_ALL_RSA_IDENTITIES 9 /* openssh private? */
\r
1785 * Messages common to SSH-1 and OpenSSH's SSH-2.
\r
1787 #define SSH_AGENT_FAILURE 5
\r
1788 #define SSH_AGENT_SUCCESS 6
\r
1791 * OpenSSH's SSH-2 agent messages.
\r
1793 #define SSH2_AGENTC_REQUEST_IDENTITIES 11
\r
1794 #define SSH2_AGENT_IDENTITIES_ANSWER 12
\r
1795 #define SSH2_AGENTC_SIGN_REQUEST 13
\r
1796 #define SSH2_AGENT_SIGN_RESPONSE 14
\r
1797 #define SSH2_AGENTC_ADD_IDENTITY 17
\r
1798 #define SSH2_AGENTC_REMOVE_IDENTITY 18
\r
1799 #define SSH2_AGENTC_REMOVE_ALL_IDENTITIES 19
\r
1800 #define SSH2_AGENTC_EXTENSION 27
\r
1801 #define SSH_AGENT_EXTENSION_FAILURE 28
\r
1804 * Assorted other SSH-related enumerations.
\r
1806 #define SSH2_DISCONNECT_HOST_NOT_ALLOWED_TO_CONNECT 1 /* 0x1 */
\r
1807 #define SSH2_DISCONNECT_PROTOCOL_ERROR 2 /* 0x2 */
\r
1808 #define SSH2_DISCONNECT_KEY_EXCHANGE_FAILED 3 /* 0x3 */
\r
1809 #define SSH2_DISCONNECT_HOST_AUTHENTICATION_FAILED 4 /* 0x4 */
\r
1810 #define SSH2_DISCONNECT_MAC_ERROR 5 /* 0x5 */
\r
1811 #define SSH2_DISCONNECT_COMPRESSION_ERROR 6 /* 0x6 */
\r
1812 #define SSH2_DISCONNECT_SERVICE_NOT_AVAILABLE 7 /* 0x7 */
\r
1813 #define SSH2_DISCONNECT_PROTOCOL_VERSION_NOT_SUPPORTED 8 /* 0x8 */
\r
1814 #define SSH2_DISCONNECT_HOST_KEY_NOT_VERIFIABLE 9 /* 0x9 */
\r
1815 #define SSH2_DISCONNECT_CONNECTION_LOST 10 /* 0xa */
\r
1816 #define SSH2_DISCONNECT_BY_APPLICATION 11 /* 0xb */
\r
1817 #define SSH2_DISCONNECT_TOO_MANY_CONNECTIONS 12 /* 0xc */
\r
1818 #define SSH2_DISCONNECT_AUTH_CANCELLED_BY_USER 13 /* 0xd */
\r
1819 #define SSH2_DISCONNECT_NO_MORE_AUTH_METHODS_AVAILABLE 14 /* 0xe */
\r
1820 #define SSH2_DISCONNECT_ILLEGAL_USER_NAME 15 /* 0xf */
\r
1822 #define SSH2_OPEN_ADMINISTRATIVELY_PROHIBITED 1 /* 0x1 */
\r
1823 #define SSH2_OPEN_CONNECT_FAILED 2 /* 0x2 */
\r
1824 #define SSH2_OPEN_UNKNOWN_CHANNEL_TYPE 3 /* 0x3 */
\r
1825 #define SSH2_OPEN_RESOURCE_SHORTAGE 4 /* 0x4 */
\r
1827 #define SSH2_EXTENDED_DATA_STDERR 1 /* 0x1 */
\r
1830 /* TTY modes with opcodes defined consistently in the SSH specs. */
\r
1831 #define TTYMODE_CHAR(name, val, index) SSH_TTYMODE_##name = val,
\r
1832 #define TTYMODE_FLAG(name, val, field, mask) SSH_TTYMODE_##name = val,
\r
1833 #include "ssh/ttymode-list.h"
\r
1834 #undef TTYMODE_CHAR
\r
1835 #undef TTYMODE_FLAG
\r
1837 /* Modes encoded differently between SSH-1 and SSH-2, for which we
\r
1838 * make up our own dummy opcodes to avoid confusion. */
\r
1839 TTYMODE_dummy = 255,
\r
1840 TTYMODE_ISPEED, TTYMODE_OSPEED,
\r
1842 /* Limiting value that we can use as an array bound below */
\r
1845 /* The real opcodes for terminal speeds. */
\r
1846 TTYMODE_ISPEED_SSH1 = 192,
\r
1847 TTYMODE_OSPEED_SSH1 = 193,
\r
1848 TTYMODE_ISPEED_SSH2 = 128,
\r
1849 TTYMODE_OSPEED_SSH2 = 129,
\r
1851 /* And the opcode that ends a list. */
\r
1852 TTYMODE_END_OF_LIST = 0
\r
1855 struct ssh_ttymodes {
\r
1856 /* A boolean per mode, indicating whether it's set. */
\r
1857 bool have_mode[TTYMODE_LIMIT];
\r
1859 /* The actual value for each mode. */
\r
1860 unsigned mode_val[TTYMODE_LIMIT];
\r
1863 struct ssh_ttymodes get_ttymodes_from_conf(Seat *seat, Conf *conf);
\r
1864 struct ssh_ttymodes read_ttymodes_from_packet(
\r
1865 BinarySource *bs, int ssh_version);
\r
1866 void write_ttymodes_to_packet(BinarySink *bs, int ssh_version,
\r
1867 struct ssh_ttymodes modes);
\r
1869 const char *ssh1_pkt_type(int type);
\r
1870 const char *ssh2_pkt_type(Pkt_KCtx pkt_kctx, Pkt_ACtx pkt_actx, int type);
\r
1871 bool ssh2_pkt_type_code_valid(unsigned type);
\r
1874 * Need this to warn about support for the original SSH-2 keyfile
\r
1877 void old_keyfile_warning(void);
\r
1880 * Flags indicating implementation bugs that we know how to mitigate
\r
1881 * if we think the other end has them.
\r
1883 #define SSH_IMPL_BUG_LIST(X) \
\r
1884 X(BUG_CHOKES_ON_SSH1_IGNORE) \
\r
1885 X(BUG_SSH2_HMAC) \
\r
1886 X(BUG_NEEDS_SSH1_PLAIN_PASSWORD) \
\r
1887 X(BUG_CHOKES_ON_RSA) \
\r
1888 X(BUG_SSH2_RSA_PADDING) \
\r
1889 X(BUG_SSH2_DERIVEKEY) \
\r
1890 X(BUG_SSH2_REKEY) \
\r
1891 X(BUG_SSH2_PK_SESSIONID) \
\r
1892 X(BUG_SSH2_MAXPKT) \
\r
1893 X(BUG_CHOKES_ON_SSH2_IGNORE) \
\r
1894 X(BUG_CHOKES_ON_WINADJ) \
\r
1895 X(BUG_SENDS_LATE_REQUEST_REPLY) \
\r
1896 X(BUG_SSH2_OLDGEX) \
\r
1897 X(BUG_REQUIRES_FILTERED_KEXINIT) \
\r
1898 X(BUG_RSA_SHA2_CERT_USERAUTH) \
\r
1900 #define TMP_DECLARE_LOG2_ENUM(thing) log2_##thing,
\r
1901 enum { SSH_IMPL_BUG_LIST(TMP_DECLARE_LOG2_ENUM) };
\r
1902 #undef TMP_DECLARE_LOG2_ENUM
\r
1903 #define TMP_DECLARE_REAL_ENUM(thing) thing = 1 << log2_##thing,
\r
1904 enum { SSH_IMPL_BUG_LIST(TMP_DECLARE_REAL_ENUM) };
\r
1905 #undef TMP_DECLARE_REAL_ENUM
\r
1907 /* Shared system for allocating local SSH channel ids. Expects to be
\r
1908 * passed a tree full of structs that have a field called 'localid' of
\r
1909 * type unsigned, and will check that! */
\r
1910 unsigned alloc_channel_id_general(tree234 *channels, size_t localid_offset);
\r
1911 #define alloc_channel_id(tree, type) \
\r
1912 TYPECHECK(&((type *)0)->localid == (unsigned *)0, \
\r
1913 alloc_channel_id_general(tree, offsetof(type, localid)))
\r
1915 void add_to_commasep(strbuf *buf, const char *data);
\r
1916 void add_to_commasep_pl(strbuf *buf, ptrlen data);
\r
1917 bool get_commasep_word(ptrlen *list, ptrlen *word);
\r
1919 /* Reasons why something warned by confirm_weak_crypto_primitive might
\r
1920 * be considered weak */
\r
1921 typedef enum WeakCryptoReason {
\r
1922 WCR_BELOW_THRESHOLD, /* user has told us to consider it weak */
\r
1923 WCR_TERRAPIN, /* known vulnerability CVE-2023-48795 */
\r
1924 WCR_TERRAPIN_AVOIDABLE, /* same, but demoting ChaCha20 can avoid it */
\r
1925 } WeakCryptoReason;
\r
1927 SeatPromptResult verify_ssh_host_key(
\r
1928 InteractionReadySeat iseat, Conf *conf, const char *host, int port,
\r
1929 ssh_key *key, const char *keytype, char *keystr, const char *keydisp,
\r
1930 char **fingerprints, int ca_count,
\r
1931 void (*callback)(void *ctx, SeatPromptResult result), void *ctx);
\r
1932 SeatPromptResult confirm_weak_crypto_primitive(
\r
1933 InteractionReadySeat iseat, const char *algtype, const char *algname,
\r
1934 void (*callback)(void *ctx, SeatPromptResult result), void *ctx,
\r
1935 WeakCryptoReason wcr);
\r
1936 SeatPromptResult confirm_weak_cached_hostkey(
\r
1937 InteractionReadySeat iseat, const char *algname, const char **betteralgs,
\r
1938 void (*callback)(void *ctx, SeatPromptResult result), void *ctx);
\r
1940 typedef struct ssh_transient_hostkey_cache ssh_transient_hostkey_cache;
\r
1941 ssh_transient_hostkey_cache *ssh_transient_hostkey_cache_new(void);
\r
1942 void ssh_transient_hostkey_cache_free(ssh_transient_hostkey_cache *thc);
\r
1943 void ssh_transient_hostkey_cache_add(
\r
1944 ssh_transient_hostkey_cache *thc, ssh_key *key);
\r
1945 bool ssh_transient_hostkey_cache_verify(
\r
1946 ssh_transient_hostkey_cache *thc, ssh_key *key);
\r
1947 bool ssh_transient_hostkey_cache_has(
\r
1948 ssh_transient_hostkey_cache *thc, const ssh_keyalg *alg);
\r
1949 bool ssh_transient_hostkey_cache_non_empty(ssh_transient_hostkey_cache *thc);
\r
1952 * Protocol definitions for authentication helper plugins
\r
1955 #define AUTHPLUGIN_MSG_NAMES(X) \
\r
1956 X(PLUGIN_INIT, 1) \
\r
1957 X(PLUGIN_INIT_RESPONSE, 2) \
\r
1958 X(PLUGIN_PROTOCOL, 3) \
\r
1959 X(PLUGIN_PROTOCOL_ACCEPT, 4) \
\r
1960 X(PLUGIN_PROTOCOL_REJECT, 5) \
\r
1961 X(PLUGIN_AUTH_SUCCESS, 6) \
\r
1962 X(PLUGIN_AUTH_FAILURE, 7) \
\r
1963 X(PLUGIN_INIT_FAILURE, 8) \
\r
1964 X(PLUGIN_KI_SERVER_REQUEST, 20) \
\r
1965 X(PLUGIN_KI_SERVER_RESPONSE, 21) \
\r
1966 X(PLUGIN_KI_USER_REQUEST, 22) \
\r
1967 X(PLUGIN_KI_USER_RESPONSE, 23) \
\r
1970 #define PLUGIN_PROTOCOL_MAX_VERSION 2 /* the highest version we speak */
\r
1973 #define ENUMDECL(name, value) name = value,
\r
1974 AUTHPLUGIN_MSG_NAMES(ENUMDECL)
\r
1977 /* Error codes internal to this implementation, indicating failure
\r
1978 * to receive a meaningful packet at all */
\r
1979 PLUGIN_NOTYPE = 256, /* packet too short to have a type */
\r
1980 PLUGIN_EOF = 257 /* EOF from auth plugin */
\r