4 #include "puttymem.h"
\r
12 * Buffer management constants. There are several of these for
\r
13 * various different purposes:
\r
15 * - SSH1_BUFFER_LIMIT is the amount of backlog that must build up
\r
16 * on a local data stream before we throttle the whole SSH
\r
17 * connection (in SSH-1 only). Throttling the whole connection is
\r
18 * pretty drastic so we set this high in the hope it won't
\r
19 * happen very often.
\r
21 * - SSH_MAX_BACKLOG is the amount of backlog that must build up
\r
22 * on the SSH connection itself before we defensively throttle
\r
23 * _all_ local data streams. This is pretty drastic too (though
\r
24 * thankfully unlikely in SSH-2 since the window mechanism should
\r
25 * ensure that the server never has any need to throttle its end
\r
26 * of the connection), so we set this high as well.
\r
28 * - OUR_V2_WINSIZE is the default window size we present on SSH-2
\r
31 * - OUR_V2_BIGWIN is the window size we advertise for the only
\r
32 * channel in a simple connection. It must be <= INT_MAX.
\r
34 * - OUR_V2_MAXPKT is the official "maximum packet size" we send
\r
35 * to the remote side. This actually has nothing to do with the
\r
36 * size of the _packet_, but is instead a limit on the amount
\r
37 * of data we're willing to receive in a single SSH2 channel
\r
40 * - OUR_V2_PACKETLIMIT is actually the maximum size of SSH
\r
41 * _packet_ we're prepared to cope with. It must be a multiple
\r
42 * of the cipher block size, and must be at least 35000.
\r
45 #define SSH1_BUFFER_LIMIT 32768
\r
46 #define SSH_MAX_BACKLOG 32768
\r
47 #define OUR_V2_WINSIZE 16384
\r
48 #define OUR_V2_BIGWIN 0x7fffffff
\r
49 #define OUR_V2_MAXPKT 0x4000UL
\r
50 #define OUR_V2_PACKETLIMIT 0x9000UL
\r
52 typedef struct PacketQueueNode PacketQueueNode;
\r
53 struct PacketQueueNode {
\r
54 PacketQueueNode *next, *prev;
\r
55 size_t formal_size; /* contribution to PacketQueueBase's total_size */
\r
56 bool on_free_queue; /* is this packet scheduled for freeing? */
\r
59 typedef struct PktIn {
\r
61 unsigned long sequence; /* SSH-2 incoming sequence number */
\r
62 PacketQueueNode qnode; /* for linking this packet on to a queue */
\r
63 BinarySource_IMPLEMENTATION;
\r
66 typedef struct PktOut {
\r
67 size_t prefix; /* bytes up to and including type field */
\r
68 size_t length; /* total bytes, including prefix */
\r
70 size_t minlen; /* SSH-2: ensure wire length is at least this */
\r
71 unsigned char *data; /* allocated storage */
\r
72 size_t maxlen; /* amount of storage allocated for `data' */
\r
74 /* Extra metadata used in SSH packet logging mode, allowing us to
\r
75 * log in the packet header line that the packet came from a
\r
76 * connection-sharing downstream and what if anything unusual was
\r
77 * done to it. The additional_log_text field is expected to be a
\r
78 * static string - it will not be freed. */
\r
79 unsigned downstream_id;
\r
80 const char *additional_log_text;
\r
82 PacketQueueNode qnode; /* for linking this packet on to a queue */
\r
83 BinarySink_IMPLEMENTATION;
\r
86 typedef struct PacketQueueBase {
\r
87 PacketQueueNode end;
\r
88 size_t total_size; /* sum of all formal_size fields on the queue */
\r
89 struct IdempotentCallback *ic;
\r
92 typedef struct PktInQueue {
\r
93 PacketQueueBase pqb;
\r
94 PktIn *(*after)(PacketQueueBase *, PacketQueueNode *prev, bool pop);
\r
97 typedef struct PktOutQueue {
\r
98 PacketQueueBase pqb;
\r
99 PktOut *(*after)(PacketQueueBase *, PacketQueueNode *prev, bool pop);
\r
102 void pq_base_push(PacketQueueBase *pqb, PacketQueueNode *node);
\r
103 void pq_base_push_front(PacketQueueBase *pqb, PacketQueueNode *node);
\r
104 void pq_base_concatenate(PacketQueueBase *dest,
\r
105 PacketQueueBase *q1, PacketQueueBase *q2);
\r
107 void pq_in_init(PktInQueue *pq);
\r
108 void pq_out_init(PktOutQueue *pq);
\r
109 void pq_in_clear(PktInQueue *pq);
\r
110 void pq_out_clear(PktOutQueue *pq);
\r
112 #define pq_push(pq, pkt) \
\r
113 TYPECHECK((pq)->after(&(pq)->pqb, NULL, false) == pkt, \
\r
114 pq_base_push(&(pq)->pqb, &(pkt)->qnode))
\r
115 #define pq_push_front(pq, pkt) \
\r
116 TYPECHECK((pq)->after(&(pq)->pqb, NULL, false) == pkt, \
\r
117 pq_base_push_front(&(pq)->pqb, &(pkt)->qnode))
\r
118 #define pq_peek(pq) ((pq)->after(&(pq)->pqb, &(pq)->pqb.end, false))
\r
119 #define pq_pop(pq) ((pq)->after(&(pq)->pqb, &(pq)->pqb.end, true))
\r
120 #define pq_concatenate(dst, q1, q2) \
\r
121 TYPECHECK((q1)->after(&(q1)->pqb, NULL, false) == \
\r
122 (dst)->after(&(dst)->pqb, NULL, false) && \
\r
123 (q2)->after(&(q2)->pqb, NULL, false) == \
\r
124 (dst)->after(&(dst)->pqb, NULL, false), \
\r
125 pq_base_concatenate(&(dst)->pqb, &(q1)->pqb, &(q2)->pqb))
\r
127 #define pq_first(pq) pq_peek(pq)
\r
128 #define pq_next(pq, pkt) ((pq)->after(&(pq)->pqb, &(pkt)->qnode, false))
\r
131 * Packet type contexts, so that ssh2_pkt_type can correctly decode
\r
132 * the ambiguous type numbers back into the correct type strings.
\r
136 SSH2_PKTCTX_DHGROUP,
\r
138 SSH2_PKTCTX_ECDHKEX,
\r
139 SSH2_PKTCTX_GSSKEX,
\r
143 SSH2_PKTCTX_NOAUTH,
\r
144 SSH2_PKTCTX_PUBLICKEY,
\r
145 SSH2_PKTCTX_PASSWORD,
\r
146 SSH2_PKTCTX_GSSAPI,
\r
147 SSH2_PKTCTX_KBDINTER
\r
150 typedef struct PacketLogSettings {
\r
151 bool omit_passwords, omit_data;
\r
154 } PacketLogSettings;
\r
156 #define MAX_BLANKS 4 /* no packet needs more censored sections than this */
\r
157 int ssh1_censor_packet(
\r
158 const PacketLogSettings *pls, int type, bool sender_is_client,
\r
159 ptrlen pkt, logblank_t *blanks);
\r
160 int ssh2_censor_packet(
\r
161 const PacketLogSettings *pls, int type, bool sender_is_client,
\r
162 ptrlen pkt, logblank_t *blanks);
\r
164 PktOut *ssh_new_packet(void);
\r
165 void ssh_free_pktout(PktOut *pkt);
\r
167 Socket *ssh_connection_sharing_init(
\r
168 const char *host, int port, Conf *conf, LogContext *logctx,
\r
169 Plug *sshplug, ssh_sharing_state **state);
\r
170 void ssh_connshare_provide_connlayer(ssh_sharing_state *sharestate,
\r
171 ConnectionLayer *cl);
\r
172 bool ssh_share_test_for_upstream(const char *host, int port, Conf *conf);
\r
173 void share_got_pkt_from_server(ssh_sharing_connstate *ctx, int type,
\r
174 const void *pkt, int pktlen);
\r
175 void share_activate(ssh_sharing_state *sharestate,
\r
176 const char *server_verstring);
\r
177 void sharestate_free(ssh_sharing_state *state);
\r
178 int share_ndownstreams(ssh_sharing_state *state);
\r
180 void ssh_connshare_log(Ssh *ssh, int event, const char *logtext,
\r
181 const char *ds_err, const char *us_err);
\r
182 void share_setup_x11_channel(ssh_sharing_connstate *cs, share_channel *chan,
\r
183 unsigned upstream_id, unsigned server_id,
\r
184 unsigned server_currwin, unsigned server_maxpkt,
\r
185 unsigned client_adjusted_window,
\r
186 const char *peer_addr, int peer_port, int endian,
\r
187 int protomajor, int protominor,
\r
188 const void *initial_data, int initial_len);
\r
190 /* Per-application overrides for what roles we can take in connection
\r
191 * sharing, regardless of user configuration (e.g. pscp will never be
\r
193 extern const bool share_can_be_downstream;
\r
194 extern const bool share_can_be_upstream;
\r
197 struct X11FakeAuth;
\r
199 /* Structure definition centralised here because the SSH-1 and SSH-2
\r
200 * connection layers both use it. But the client module (portfwd.c)
\r
201 * should not try to look inside here. */
\r
202 struct ssh_rportfwd {
\r
203 unsigned sport, dport;
\r
204 char *shost, *dhost;
\r
206 char *log_description; /* name of remote listening port, for logging */
\r
207 ssh_sharing_connstate *share_ctx;
\r
208 PortFwdRecord *pfr;
\r
210 void free_rportfwd(struct ssh_rportfwd *rpf);
\r
212 typedef struct ConnectionLayerVtable ConnectionLayerVtable;
\r
214 struct ConnectionLayerVtable {
\r
215 /* Allocate and free remote-to-local port forwardings, called by
\r
216 * PortFwdManager or by connection sharing */
\r
217 struct ssh_rportfwd *(*rportfwd_alloc)(
\r
218 ConnectionLayer *cl,
\r
219 const char *shost, int sport, const char *dhost, int dport,
\r
220 int addressfamily, const char *log_description, PortFwdRecord *pfr,
\r
221 ssh_sharing_connstate *share_ctx);
\r
222 void (*rportfwd_remove)(ConnectionLayer *cl, struct ssh_rportfwd *rpf);
\r
224 /* Open a local-to-remote port forwarding channel, called by
\r
225 * PortFwdManager */
\r
226 SshChannel *(*lportfwd_open)(
\r
227 ConnectionLayer *cl, const char *hostname, int port,
\r
228 const char *description, const SocketPeerInfo *peerinfo,
\r
231 /* Initiate opening of a 'session'-type channel */
\r
232 SshChannel *(*session_open)(ConnectionLayer *cl, Channel *chan);
\r
234 /* Open outgoing channels for X and agent forwarding. (Used in the
\r
236 SshChannel *(*serverside_x11_open)(ConnectionLayer *cl, Channel *chan,
\r
237 const SocketPeerInfo *pi);
\r
238 SshChannel *(*serverside_agent_open)(ConnectionLayer *cl, Channel *chan);
\r
240 /* Add an X11 display for ordinary X forwarding */
\r
241 struct X11FakeAuth *(*add_x11_display)(
\r
242 ConnectionLayer *cl, int authtype, struct X11Display *x11disp);
\r
244 /* Add and remove X11 displays for connection sharing downstreams */
\r
245 struct X11FakeAuth *(*add_sharing_x11_display)(
\r
246 ConnectionLayer *cl, int authtype, ssh_sharing_connstate *share_cs,
\r
247 share_channel *share_chan);
\r
248 void (*remove_sharing_x11_display)(
\r
249 ConnectionLayer *cl, struct X11FakeAuth *auth);
\r
251 /* Pass through an outgoing SSH packet from a downstream */
\r
252 void (*send_packet_from_downstream)(
\r
253 ConnectionLayer *cl, unsigned id, int type,
\r
254 const void *pkt, int pktlen, const char *additional_log_text);
\r
256 /* Allocate/free an upstream channel number associated with a
\r
257 * sharing downstream */
\r
258 unsigned (*alloc_sharing_channel)(ConnectionLayer *cl,
\r
259 ssh_sharing_connstate *connstate);
\r
260 void (*delete_sharing_channel)(ConnectionLayer *cl, unsigned localid);
\r
262 /* Indicate that a downstream has sent a global request with the
\r
263 * want-reply flag, so that when a reply arrives it will be passed
\r
264 * back to that downstrean */
\r
265 void (*sharing_queue_global_request)(
\r
266 ConnectionLayer *cl, ssh_sharing_connstate *connstate);
\r
268 /* Indicate that the last downstream has disconnected */
\r
269 void (*sharing_no_more_downstreams)(ConnectionLayer *cl);
\r
271 /* Query whether the connection layer is doing agent forwarding */
\r
272 bool (*agent_forwarding_permitted)(ConnectionLayer *cl);
\r
274 /* Set the size of the main terminal window (if any) */
\r
275 void (*terminal_size)(ConnectionLayer *cl, int width, int height);
\r
277 /* Indicate that the backlog on standard output has cleared */
\r
278 void (*stdout_unthrottle)(ConnectionLayer *cl, size_t bufsize);
\r
280 /* Query the size of the backlog on standard _input_ */
\r
281 size_t (*stdin_backlog)(ConnectionLayer *cl);
\r
283 /* Tell the connection layer that the SSH connection itself has
\r
284 * backed up, so it should tell all currently open channels to
\r
285 * cease reading from their local input sources if they can. (Or
\r
286 * tell it that that state of affairs has gone away again.) */
\r
287 void (*throttle_all_channels)(ConnectionLayer *cl, bool throttled);
\r
289 /* Ask the connection layer about its current preference for
\r
290 * line-discipline options. */
\r
291 bool (*ldisc_option)(ConnectionLayer *cl, int option);
\r
293 /* Communicate _to_ the connection layer (from the main session
\r
294 * channel) what its preference for line-discipline options is. */
\r
295 void (*set_ldisc_option)(ConnectionLayer *cl, int option, bool value);
\r
297 /* Communicate to the connection layer whether X forwarding was
\r
298 * successfully enabled (for purposes of knowing whether to accept
\r
299 * subsequent channel-opens). */
\r
300 void (*enable_x_fwd)(ConnectionLayer *cl);
\r
302 /* Communicate to the connection layer whether the main session
\r
303 * channel currently wants user input. */
\r
304 void (*set_wants_user_input)(ConnectionLayer *cl, bool wanted);
\r
307 struct ConnectionLayer {
\r
308 LogContext *logctx;
\r
309 const struct ConnectionLayerVtable *vt;
\r
312 static inline struct ssh_rportfwd *ssh_rportfwd_alloc(
\r
313 ConnectionLayer *cl, const char *sh, int sp, const char *dh, int dp,
\r
314 int af, const char *log, PortFwdRecord *pfr, ssh_sharing_connstate *cs)
\r
315 { return cl->vt->rportfwd_alloc(cl, sh, sp, dh, dp, af, log, pfr, cs); }
\r
316 static inline void ssh_rportfwd_remove(
\r
317 ConnectionLayer *cl, struct ssh_rportfwd *rpf)
\r
318 { cl->vt->rportfwd_remove(cl, rpf); }
\r
319 static inline SshChannel *ssh_lportfwd_open(
\r
320 ConnectionLayer *cl, const char *host, int port,
\r
321 const char *desc, const SocketPeerInfo *pi, Channel *chan)
\r
322 { return cl->vt->lportfwd_open(cl, host, port, desc, pi, chan); }
\r
323 static inline SshChannel *ssh_session_open(ConnectionLayer *cl, Channel *chan)
\r
324 { return cl->vt->session_open(cl, chan); }
\r
325 static inline SshChannel *ssh_serverside_x11_open(
\r
326 ConnectionLayer *cl, Channel *chan, const SocketPeerInfo *pi)
\r
327 { return cl->vt->serverside_x11_open(cl, chan, pi); }
\r
328 static inline SshChannel *ssh_serverside_agent_open(
\r
329 ConnectionLayer *cl, Channel *chan)
\r
330 { return cl->vt->serverside_agent_open(cl, chan); }
\r
331 static inline struct X11FakeAuth *ssh_add_x11_display(
\r
332 ConnectionLayer *cl, int authtype, struct X11Display *x11disp)
\r
333 { return cl->vt->add_x11_display(cl, authtype, x11disp); }
\r
334 static inline struct X11FakeAuth *ssh_add_sharing_x11_display(
\r
335 ConnectionLayer *cl, int authtype, ssh_sharing_connstate *share_cs,
\r
336 share_channel *share_chan)
\r
337 { return cl->vt->add_sharing_x11_display(cl, authtype, share_cs, share_chan); }
\r
338 static inline void ssh_remove_sharing_x11_display(
\r
339 ConnectionLayer *cl, struct X11FakeAuth *auth)
\r
340 { cl->vt->remove_sharing_x11_display(cl, auth); }
\r
341 static inline void ssh_send_packet_from_downstream(
\r
342 ConnectionLayer *cl, unsigned id, int type,
\r
343 const void *pkt, int len, const char *log)
\r
344 { cl->vt->send_packet_from_downstream(cl, id, type, pkt, len, log); }
\r
345 static inline unsigned ssh_alloc_sharing_channel(
\r
346 ConnectionLayer *cl, ssh_sharing_connstate *connstate)
\r
347 { return cl->vt->alloc_sharing_channel(cl, connstate); }
\r
348 static inline void ssh_delete_sharing_channel(
\r
349 ConnectionLayer *cl, unsigned localid)
\r
350 { cl->vt->delete_sharing_channel(cl, localid); }
\r
351 static inline void ssh_sharing_queue_global_request(
\r
352 ConnectionLayer *cl, ssh_sharing_connstate *connstate)
\r
353 { cl->vt->sharing_queue_global_request(cl, connstate); }
\r
354 static inline void ssh_sharing_no_more_downstreams(ConnectionLayer *cl)
\r
355 { cl->vt->sharing_no_more_downstreams(cl); }
\r
356 static inline bool ssh_agent_forwarding_permitted(ConnectionLayer *cl)
\r
357 { return cl->vt->agent_forwarding_permitted(cl); }
\r
358 static inline void ssh_terminal_size(ConnectionLayer *cl, int w, int h)
\r
359 { cl->vt->terminal_size(cl, w, h); }
\r
360 static inline void ssh_stdout_unthrottle(ConnectionLayer *cl, size_t bufsize)
\r
361 { cl->vt->stdout_unthrottle(cl, bufsize); }
\r
362 static inline size_t ssh_stdin_backlog(ConnectionLayer *cl)
\r
363 { return cl->vt->stdin_backlog(cl); }
\r
364 static inline void ssh_throttle_all_channels(ConnectionLayer *cl, bool thr)
\r
365 { cl->vt->throttle_all_channels(cl, thr); }
\r
366 static inline bool ssh_ldisc_option(ConnectionLayer *cl, int option)
\r
367 { return cl->vt->ldisc_option(cl, option); }
\r
368 static inline void ssh_set_ldisc_option(ConnectionLayer *cl, int opt, bool val)
\r
369 { cl->vt->set_ldisc_option(cl, opt, val); }
\r
370 static inline void ssh_enable_x_fwd(ConnectionLayer *cl)
\r
371 { cl->vt->enable_x_fwd(cl); }
\r
372 static inline void ssh_set_wants_user_input(ConnectionLayer *cl, bool wanted)
\r
373 { cl->vt->set_wants_user_input(cl, wanted); }
\r
375 /* Exports from portfwd.c */
\r
376 PortFwdManager *portfwdmgr_new(ConnectionLayer *cl);
\r
377 void portfwdmgr_free(PortFwdManager *mgr);
\r
378 void portfwdmgr_config(PortFwdManager *mgr, Conf *conf);
\r
379 void portfwdmgr_close(PortFwdManager *mgr, PortFwdRecord *pfr);
\r
380 void portfwdmgr_close_all(PortFwdManager *mgr);
\r
381 char *portfwdmgr_connect(PortFwdManager *mgr, Channel **chan_ret,
\r
382 char *hostname, int port, SshChannel *c,
\r
383 int addressfamily);
\r
384 bool portfwdmgr_listen(PortFwdManager *mgr, const char *host, int port,
\r
385 const char *keyhost, int keyport, Conf *conf);
\r
386 bool portfwdmgr_unlisten(PortFwdManager *mgr, const char *host, int port);
\r
387 Channel *portfwd_raw_new(ConnectionLayer *cl, Plug **plug, bool start_ready);
\r
388 void portfwd_raw_free(Channel *pfchan);
\r
389 void portfwd_raw_setup(Channel *pfchan, Socket *s, SshChannel *sc);
\r
391 Socket *platform_make_agent_socket(Plug *plug, const char *dirprefix,
\r
392 char **error, char **name);
\r
394 LogContext *ssh_get_logctx(Ssh *ssh);
\r
396 /* Communications back to ssh.c from connection layers */
\r
397 void ssh_throttle_conn(Ssh *ssh, int adjust);
\r
398 void ssh_got_exitcode(Ssh *ssh, int status);
\r
399 void ssh_ldisc_update(Ssh *ssh);
\r
400 void ssh_got_fallback_cmd(Ssh *ssh);
\r
401 bool ssh_is_bare(Ssh *ssh);
\r
403 /* Communications back to ssh.c from the BPP */
\r
404 void ssh_conn_processed_data(Ssh *ssh);
\r
405 void ssh_check_frozen(Ssh *ssh);
\r
407 /* Functions to abort the connection, for various reasons. */
\r
408 void ssh_remote_error(Ssh *ssh, const char *fmt, ...) PRINTF_LIKE(2, 3);
\r
409 void ssh_remote_eof(Ssh *ssh, const char *fmt, ...) PRINTF_LIKE(2, 3);
\r
410 void ssh_proto_error(Ssh *ssh, const char *fmt, ...) PRINTF_LIKE(2, 3);
\r
411 void ssh_sw_abort(Ssh *ssh, const char *fmt, ...) PRINTF_LIKE(2, 3);
\r
412 void ssh_sw_abort_deferred(Ssh *ssh, const char *fmt, ...) PRINTF_LIKE(2, 3);
\r
413 void ssh_user_close(Ssh *ssh, const char *fmt, ...) PRINTF_LIKE(2, 3);
\r
415 /* Bit positions in the SSH-1 cipher protocol word */
\r
416 #define SSH1_CIPHER_IDEA 1
\r
417 #define SSH1_CIPHER_DES 2
\r
418 #define SSH1_CIPHER_3DES 3
\r
419 #define SSH1_CIPHER_BLOWFISH 6
\r
421 /* The subset of those that we support, with names for selecting them
\r
422 * on Uppity's command line */
\r
423 #define SSH1_SUPPORTED_CIPHER_LIST(X) \
\r
424 X(SSH1_CIPHER_3DES, "3des") \
\r
425 X(SSH1_CIPHER_BLOWFISH, "blowfish") \
\r
426 X(SSH1_CIPHER_DES, "des") \
\r
428 #define SSH1_CIPHER_LIST_MAKE_MASK(bitpos, name) | (1U << bitpos)
\r
429 #define SSH1_SUPPORTED_CIPHER_MASK \
\r
430 (0 SSH1_SUPPORTED_CIPHER_LIST(SSH1_CIPHER_LIST_MAKE_MASK))
\r
433 const ssh_keyalg *vt;
\r
441 mp_int *private_exponent;
\r
450 mp_int *p, *q, *g, *y, *x;
\r
456 /* Weierstrass form curve */
\r
459 WeierstrassCurve *wc;
\r
460 WeierstrassPoint *G;
\r
464 /* Montgomery form curve */
\r
467 MontgomeryCurve *mc;
\r
468 MontgomeryPoint *G;
\r
469 unsigned log2_cofactor;
\r
472 /* Edwards form curve */
\r
478 unsigned log2_cofactor;
\r
481 typedef enum EllipticCurveType {
\r
482 EC_WEIERSTRASS, EC_MONTGOMERY, EC_EDWARDS
\r
483 } EllipticCurveType;
\r
486 EllipticCurveType type;
\r
487 /* 'name' is the identifier of the curve when it has to appear in
\r
488 * wire protocol encodings, as it does in e.g. the public key and
\r
489 * signature formats for NIST curves. Curves which do not format
\r
490 * their keys or signatures in this way just have name==NULL.
\r
492 * 'textname' is non-NULL for all curves, and is a human-readable
\r
493 * identification suitable for putting in log messages. */
\r
494 const char *name, *textname;
\r
495 size_t fieldBits, fieldBytes;
\r
498 struct ec_wcurve w;
\r
499 struct ec_mcurve m;
\r
500 struct ec_ecurve e;
\r
504 const ssh_keyalg *ec_alg_by_oid(int len, const void *oid,
\r
505 const struct ec_curve **curve);
\r
506 const unsigned char *ec_alg_oid(const ssh_keyalg *alg, int *oidlen);
\r
507 extern const int ec_nist_curve_lengths[], n_ec_nist_curve_lengths;
\r
508 extern const int ec_ed_curve_lengths[], n_ec_ed_curve_lengths;
\r
509 bool ec_nist_alg_and_curve_by_bits(int bits,
\r
510 const struct ec_curve **curve,
\r
511 const ssh_keyalg **alg);
\r
512 bool ec_ed_alg_and_curve_by_bits(int bits,
\r
513 const struct ec_curve **curve,
\r
514 const ssh_keyalg **alg);
\r
517 const struct ec_curve *curve;
\r
518 WeierstrassPoint *publicKey;
\r
519 mp_int *privateKey;
\r
523 const struct ec_curve *curve;
\r
524 EdwardsPoint *publicKey;
\r
525 mp_int *privateKey;
\r
529 WeierstrassPoint *ecdsa_public(mp_int *private_key, const ssh_keyalg *alg);
\r
530 EdwardsPoint *eddsa_public(mp_int *private_key, const ssh_keyalg *alg);
\r
532 typedef struct key_components {
\r
533 size_t ncomponents, componentsize;
\r
543 key_components *key_components_new(void);
\r
544 void key_components_add_text(key_components *kc,
\r
545 const char *name, const char *value);
\r
546 void key_components_add_mp(key_components *kc,
\r
547 const char *name, mp_int *value);
\r
548 void key_components_free(key_components *kc);
\r
551 * SSH-1 never quite decided which order to store the two components
\r
552 * of an RSA key. During connection setup, the server sends its host
\r
553 * and server keys with the exponent first; private key files store
\r
554 * the modulus first. The agent protocol is even more confusing,
\r
555 * because the client specifies a key to the server in one order and
\r
556 * the server lists the keys it knows about in the other order!
\r
558 typedef enum { RSA_SSH1_EXPONENT_FIRST, RSA_SSH1_MODULUS_FIRST } RsaSsh1Order;
\r
560 void BinarySource_get_rsa_ssh1_pub(
\r
561 BinarySource *src, RSAKey *result, RsaSsh1Order order);
\r
562 void BinarySource_get_rsa_ssh1_priv(
\r
563 BinarySource *src, RSAKey *rsa);
\r
564 RSAKey *BinarySource_get_rsa_ssh1_priv_agent(BinarySource *src);
\r
565 bool rsa_ssh1_encrypt(unsigned char *data, int length, RSAKey *key);
\r
566 mp_int *rsa_ssh1_decrypt(mp_int *input, RSAKey *key);
\r
567 bool rsa_ssh1_decrypt_pkcs1(mp_int *input, RSAKey *key, strbuf *outbuf);
\r
568 char *rsastr_fmt(RSAKey *key);
\r
569 char *rsa_ssh1_fingerprint(RSAKey *key);
\r
570 char **rsa_ssh1_fake_all_fingerprints(RSAKey *key);
\r
571 bool rsa_verify(RSAKey *key);
\r
572 void rsa_ssh1_public_blob(BinarySink *bs, RSAKey *key, RsaSsh1Order order);
\r
573 int rsa_ssh1_public_blob_len(ptrlen data);
\r
574 void rsa_ssh1_private_blob_agent(BinarySink *bs, RSAKey *key);
\r
575 void freersapriv(RSAKey *key);
\r
576 void freersakey(RSAKey *key);
\r
577 key_components *rsa_components(RSAKey *key);
\r
579 uint32_t crc32_rfc1662(ptrlen data);
\r
580 uint32_t crc32_ssh1(ptrlen data);
\r
581 uint32_t crc32_update(uint32_t crc_input, ptrlen data);
\r
583 /* SSH CRC compensation attack detector */
\r
585 struct crcda_ctx *crcda_make_context(void);
\r
586 void crcda_free_context(struct crcda_ctx *ctx);
\r
587 bool detect_attack(struct crcda_ctx *ctx,
\r
588 const unsigned char *buf, uint32_t len,
\r
589 const unsigned char *IV);
\r
592 * SSH2 RSA key exchange functions
\r
594 struct ssh_rsa_kex_extra {
\r
597 RSAKey *ssh_rsakex_newkey(ptrlen data);
\r
598 void ssh_rsakex_freekey(RSAKey *key);
\r
599 int ssh_rsakex_klen(RSAKey *key);
\r
600 strbuf *ssh_rsakex_encrypt(
\r
601 RSAKey *key, const ssh_hashalg *h, ptrlen plaintext);
\r
602 mp_int *ssh_rsakex_decrypt(
\r
603 RSAKey *key, const ssh_hashalg *h, ptrlen ciphertext);
\r
606 * SSH2 ECDH key exchange functions
\r
608 const char *ssh_ecdhkex_curve_textname(const ssh_kex *kex);
\r
609 ecdh_key *ssh_ecdhkex_newkey(const ssh_kex *kex);
\r
610 void ssh_ecdhkex_freekey(ecdh_key *key);
\r
611 void ssh_ecdhkex_getpublic(ecdh_key *key, BinarySink *bs);
\r
612 mp_int *ssh_ecdhkex_getkey(ecdh_key *key, ptrlen remoteKey);
\r
615 * Helper function for k generation in DSA, reused in ECDSA
\r
617 mp_int *dss_gen_k(const char *id_string,
\r
618 mp_int *modulus, mp_int *private_key,
\r
619 unsigned char *digest, int digest_len);
\r
621 struct ssh_cipher {
\r
622 const ssh_cipheralg *vt;
\r
625 struct ssh_cipheralg {
\r
626 ssh_cipher *(*new)(const ssh_cipheralg *alg);
\r
627 void (*free)(ssh_cipher *);
\r
628 void (*setiv)(ssh_cipher *, const void *iv);
\r
629 void (*setkey)(ssh_cipher *, const void *key);
\r
630 void (*encrypt)(ssh_cipher *, void *blk, int len);
\r
631 void (*decrypt)(ssh_cipher *, void *blk, int len);
\r
632 /* Ignored unless SSH_CIPHER_SEPARATE_LENGTH flag set */
\r
633 void (*encrypt_length)(ssh_cipher *, void *blk, int len,
\r
634 unsigned long seq);
\r
635 void (*decrypt_length)(ssh_cipher *, void *blk, int len,
\r
636 unsigned long seq);
\r
637 const char *ssh2_id;
\r
639 /* real_keybits is the number of bits of entropy genuinely used by
\r
640 * the cipher scheme; it's used for deciding how big a
\r
641 * Diffie-Hellman group is needed to exchange a key for the
\r
644 /* padded_keybytes is the number of bytes of key data expected as
\r
645 * input to the setkey function; it's used for deciding how much
\r
646 * data needs to be generated from the post-kex generation of key
\r
647 * material. In a sensible cipher which uses all its key bytes for
\r
648 * real work, this will just be real_keybits/8, but in DES-type
\r
649 * ciphers which ignore one bit in each byte, it'll be slightly
\r
651 int padded_keybytes;
\r
652 unsigned int flags;
\r
653 #define SSH_CIPHER_IS_CBC 1
\r
654 #define SSH_CIPHER_SEPARATE_LENGTH 2
\r
655 const char *text_name;
\r
656 /* If set, this takes priority over other MAC. */
\r
657 const ssh2_macalg *required_mac;
\r
659 /* Pointer to any extra data used by a particular implementation. */
\r
663 static inline ssh_cipher *ssh_cipher_new(const ssh_cipheralg *alg)
\r
664 { return alg->new(alg); }
\r
665 static inline void ssh_cipher_free(ssh_cipher *c)
\r
666 { c->vt->free(c); }
\r
667 static inline void ssh_cipher_setiv(ssh_cipher *c, const void *iv)
\r
668 { c->vt->setiv(c, iv); }
\r
669 static inline void ssh_cipher_setkey(ssh_cipher *c, const void *key)
\r
670 { c->vt->setkey(c, key); }
\r
671 static inline void ssh_cipher_encrypt(ssh_cipher *c, void *blk, int len)
\r
672 { c->vt->encrypt(c, blk, len); }
\r
673 static inline void ssh_cipher_decrypt(ssh_cipher *c, void *blk, int len)
\r
674 { c->vt->decrypt(c, blk, len); }
\r
675 static inline void ssh_cipher_encrypt_length(
\r
676 ssh_cipher *c, void *blk, int len, unsigned long seq)
\r
677 { c->vt->encrypt_length(c, blk, len, seq); }
\r
678 static inline void ssh_cipher_decrypt_length(
\r
679 ssh_cipher *c, void *blk, int len, unsigned long seq)
\r
680 { c->vt->decrypt_length(c, blk, len, seq); }
\r
681 static inline const struct ssh_cipheralg *ssh_cipher_alg(ssh_cipher *c)
\r
684 struct ssh2_ciphers {
\r
686 const ssh_cipheralg *const *list;
\r
690 const ssh2_macalg *vt;
\r
691 BinarySink_DELEGATE_IMPLEMENTATION;
\r
694 struct ssh2_macalg {
\r
695 /* Passes in the cipher context */
\r
696 ssh2_mac *(*new)(const ssh2_macalg *alg, ssh_cipher *cipher);
\r
697 void (*free)(ssh2_mac *);
\r
698 void (*setkey)(ssh2_mac *, ptrlen key);
\r
699 void (*start)(ssh2_mac *);
\r
700 void (*genresult)(ssh2_mac *, unsigned char *);
\r
701 const char *(*text_name)(ssh2_mac *);
\r
702 const char *name, *etm_name;
\r
705 /* Pointer to any extra data used by a particular implementation. */
\r
709 static inline ssh2_mac *ssh2_mac_new(
\r
710 const ssh2_macalg *alg, ssh_cipher *cipher)
\r
711 { return alg->new(alg, cipher); }
\r
712 static inline void ssh2_mac_free(ssh2_mac *m)
\r
713 { m->vt->free(m); }
\r
714 static inline void ssh2_mac_setkey(ssh2_mac *m, ptrlen key)
\r
715 { m->vt->setkey(m, key); }
\r
716 static inline void ssh2_mac_start(ssh2_mac *m)
\r
717 { m->vt->start(m); }
\r
718 static inline void ssh2_mac_genresult(ssh2_mac *m, unsigned char *out)
\r
719 { m->vt->genresult(m, out); }
\r
720 static inline const char *ssh2_mac_text_name(ssh2_mac *m)
\r
721 { return m->vt->text_name(m); }
\r
722 static inline const ssh2_macalg *ssh2_mac_alg(ssh2_mac *m)
\r
725 /* Centralised 'methods' for ssh2_mac, defined in sshmac.c. These run
\r
726 * the MAC in a specifically SSH-2 style, i.e. taking account of a
\r
727 * packet sequence number as well as the data to be authenticated. */
\r
728 bool ssh2_mac_verresult(ssh2_mac *, const void *);
\r
729 void ssh2_mac_generate(ssh2_mac *, void *, int, unsigned long seq);
\r
730 bool ssh2_mac_verify(ssh2_mac *, const void *, int, unsigned long seq);
\r
732 /* Use a MAC in its raw form, outside SSH-2 context, to MAC a given
\r
733 * string with a given key in the most obvious way. */
\r
734 void mac_simple(const ssh2_macalg *alg, ptrlen key, ptrlen data, void *output);
\r
737 const ssh_hashalg *vt;
\r
738 BinarySink_DELEGATE_IMPLEMENTATION;
\r
741 struct ssh_hashalg {
\r
742 ssh_hash *(*new)(const ssh_hashalg *alg);
\r
743 void (*reset)(ssh_hash *);
\r
744 void (*copyfrom)(ssh_hash *dest, ssh_hash *src);
\r
745 void (*digest)(ssh_hash *, unsigned char *);
\r
746 void (*free)(ssh_hash *);
\r
747 size_t hlen; /* output length in bytes */
\r
748 size_t blocklen; /* length of the hash's input block, or 0 for N/A */
\r
749 const char *text_basename; /* the semantic name of the hash */
\r
750 const char *annotation; /* extra info, e.g. which of multiple impls */
\r
751 const char *text_name; /* both combined, e.g. "SHA-n (unaccelerated)" */
\r
752 const void *extra; /* private to the hash implementation */
\r
755 static inline ssh_hash *ssh_hash_new(const ssh_hashalg *alg)
\r
756 { ssh_hash *h = alg->new(alg); if (h) h->vt->reset(h); return h; }
\r
757 static inline ssh_hash *ssh_hash_copy(ssh_hash *orig)
\r
758 { ssh_hash *h = orig->vt->new(orig->vt); h->vt->copyfrom(h, orig); return h; }
\r
759 static inline void ssh_hash_digest(ssh_hash *h, unsigned char *out)
\r
760 { h->vt->digest(h, out); }
\r
761 static inline void ssh_hash_free(ssh_hash *h)
\r
762 { h->vt->free(h); }
\r
763 static inline const ssh_hashalg *ssh_hash_alg(ssh_hash *h)
\r
766 /* The reset and copyfrom vtable methods return void. But for call-site
\r
767 * convenience, these wrappers return their input pointer. */
\r
768 static inline ssh_hash *ssh_hash_reset(ssh_hash *h)
\r
769 { h->vt->reset(h); return h; }
\r
770 static inline ssh_hash *ssh_hash_copyfrom(ssh_hash *dest, ssh_hash *src)
\r
771 { dest->vt->copyfrom(dest, src); return dest; }
\r
773 /* ssh_hash_final emits the digest _and_ frees the ssh_hash */
\r
774 static inline void ssh_hash_final(ssh_hash *h, unsigned char *out)
\r
775 { h->vt->digest(h, out); h->vt->free(h); }
\r
777 /* ssh_hash_digest_nondestructive generates a finalised hash from the
\r
778 * given object without changing its state, so you can continue
\r
779 * appending data to get a hash of an extended string. */
\r
780 static inline void ssh_hash_digest_nondestructive(ssh_hash *h,
\r
781 unsigned char *out)
\r
782 { ssh_hash_final(ssh_hash_copy(h), out); }
\r
784 /* Handy macros for defining all those text-name fields at once */
\r
785 #define HASHALG_NAMES_BARE(base) \
\r
786 .text_basename = base, .annotation = NULL, .text_name = base
\r
787 #define HASHALG_NAMES_ANNOTATED(base, ann) \
\r
788 .text_basename = base, .annotation = ann, .text_name = base " (" ann ")"
\r
790 void hash_simple(const ssh_hashalg *alg, ptrlen data, void *output);
\r
793 const char *name, *groupname;
\r
794 enum { KEXTYPE_DH, KEXTYPE_RSA, KEXTYPE_ECDH, KEXTYPE_GSS } main_type;
\r
795 const ssh_hashalg *hash;
\r
796 const void *extra; /* private to the kex methods */
\r
801 const ssh_kex *const *list;
\r
804 /* Indices of the negotiation strings in the KEXINIT packet */
\r
806 KEXLIST_KEX, KEXLIST_HOSTKEY, KEXLIST_CSCIPHER, KEXLIST_SCCIPHER,
\r
807 KEXLIST_CSMAC, KEXLIST_SCMAC, KEXLIST_CSCOMP, KEXLIST_SCCOMP,
\r
811 struct ssh_keyalg {
\r
812 /* Constructors that create an ssh_key */
\r
813 ssh_key *(*new_pub) (const ssh_keyalg *self, ptrlen pub);
\r
814 ssh_key *(*new_priv) (const ssh_keyalg *self, ptrlen pub, ptrlen priv);
\r
815 ssh_key *(*new_priv_openssh) (const ssh_keyalg *self, BinarySource *);
\r
817 /* Methods that operate on an existing ssh_key */
\r
818 void (*freekey) (ssh_key *key);
\r
819 char *(*invalid) (ssh_key *key, unsigned flags);
\r
820 void (*sign) (ssh_key *key, ptrlen data, unsigned flags, BinarySink *);
\r
821 bool (*verify) (ssh_key *key, ptrlen sig, ptrlen data);
\r
822 void (*public_blob)(ssh_key *key, BinarySink *);
\r
823 void (*private_blob)(ssh_key *key, BinarySink *);
\r
824 void (*openssh_blob) (ssh_key *key, BinarySink *);
\r
825 char *(*cache_str) (ssh_key *key);
\r
826 key_components *(*components) (ssh_key *key);
\r
828 /* 'Class methods' that don't deal with an ssh_key at all */
\r
829 int (*pubkey_bits) (const ssh_keyalg *self, ptrlen blob);
\r
831 /* Constant data fields giving information about the key type */
\r
832 const char *ssh_id; /* string identifier in the SSH protocol */
\r
833 const char *cache_id; /* identifier used in PuTTY's host key cache */
\r
834 const void *extra; /* private to the public key methods */
\r
835 const unsigned supported_flags; /* signature-type flags we understand */
\r
838 static inline ssh_key *ssh_key_new_pub(const ssh_keyalg *self, ptrlen pub)
\r
839 { return self->new_pub(self, pub); }
\r
840 static inline ssh_key *ssh_key_new_priv(
\r
841 const ssh_keyalg *self, ptrlen pub, ptrlen priv)
\r
842 { return self->new_priv(self, pub, priv); }
\r
843 static inline ssh_key *ssh_key_new_priv_openssh(
\r
844 const ssh_keyalg *self, BinarySource *src)
\r
845 { return self->new_priv_openssh(self, src); }
\r
846 static inline void ssh_key_free(ssh_key *key)
\r
847 { key->vt->freekey(key); }
\r
848 static inline char *ssh_key_invalid(ssh_key *key, unsigned flags)
\r
849 { return key->vt->invalid(key, flags); }
\r
850 static inline void ssh_key_sign(
\r
851 ssh_key *key, ptrlen data, unsigned flags, BinarySink *bs)
\r
852 { key->vt->sign(key, data, flags, bs); }
\r
853 static inline bool ssh_key_verify(ssh_key *key, ptrlen sig, ptrlen data)
\r
854 { return key->vt->verify(key, sig, data); }
\r
855 static inline void ssh_key_public_blob(ssh_key *key, BinarySink *bs)
\r
856 { key->vt->public_blob(key, bs); }
\r
857 static inline void ssh_key_private_blob(ssh_key *key, BinarySink *bs)
\r
858 { key->vt->private_blob(key, bs); }
\r
859 static inline void ssh_key_openssh_blob(ssh_key *key, BinarySink *bs)
\r
860 { key->vt->openssh_blob(key, bs); }
\r
861 static inline char *ssh_key_cache_str(ssh_key *key)
\r
862 { return key->vt->cache_str(key); }
\r
863 static inline key_components *ssh_key_components(ssh_key *key)
\r
864 { return key->vt->components(key); }
\r
865 static inline int ssh_key_public_bits(const ssh_keyalg *self, ptrlen blob)
\r
866 { return self->pubkey_bits(self, blob); }
\r
867 static inline const ssh_keyalg *ssh_key_alg(ssh_key *key)
\r
868 { return key->vt; }
\r
869 static inline const char *ssh_key_ssh_id(ssh_key *key)
\r
870 { return key->vt->ssh_id; }
\r
871 static inline const char *ssh_key_cache_id(ssh_key *key)
\r
872 { return key->vt->cache_id; }
\r
875 * Enumeration of signature flags from draft-miller-ssh-agent-02
\r
877 #define SSH_AGENT_RSA_SHA2_256 2
\r
878 #define SSH_AGENT_RSA_SHA2_512 4
\r
880 struct ssh_compressor {
\r
881 const ssh_compression_alg *vt;
\r
883 struct ssh_decompressor {
\r
884 const ssh_compression_alg *vt;
\r
887 struct ssh_compression_alg {
\r
889 /* For zlib@openssh.com: if non-NULL, this name will be considered once
\r
890 * userauth has completed successfully. */
\r
891 const char *delayed_name;
\r
892 ssh_compressor *(*compress_new)(void);
\r
893 void (*compress_free)(ssh_compressor *);
\r
894 void (*compress)(ssh_compressor *, const unsigned char *block, int len,
\r
895 unsigned char **outblock, int *outlen,
\r
897 ssh_decompressor *(*decompress_new)(void);
\r
898 void (*decompress_free)(ssh_decompressor *);
\r
899 bool (*decompress)(ssh_decompressor *, const unsigned char *block, int len,
\r
900 unsigned char **outblock, int *outlen);
\r
901 const char *text_name;
\r
904 static inline ssh_compressor *ssh_compressor_new(
\r
905 const ssh_compression_alg *alg)
\r
906 { return alg->compress_new(); }
\r
907 static inline ssh_decompressor *ssh_decompressor_new(
\r
908 const ssh_compression_alg *alg)
\r
909 { return alg->decompress_new(); }
\r
910 static inline void ssh_compressor_free(ssh_compressor *c)
\r
911 { c->vt->compress_free(c); }
\r
912 static inline void ssh_decompressor_free(ssh_decompressor *d)
\r
913 { d->vt->decompress_free(d); }
\r
914 static inline void ssh_compressor_compress(
\r
915 ssh_compressor *c, const unsigned char *block, int len,
\r
916 unsigned char **outblock, int *outlen, int minlen)
\r
917 { c->vt->compress(c, block, len, outblock, outlen, minlen); }
\r
918 static inline bool ssh_decompressor_decompress(
\r
919 ssh_decompressor *d, const unsigned char *block, int len,
\r
920 unsigned char **outblock, int *outlen)
\r
921 { return d->vt->decompress(d, block, len, outblock, outlen); }
\r
922 static inline const ssh_compression_alg *ssh_compressor_alg(
\r
925 static inline const ssh_compression_alg *ssh_decompressor_alg(
\r
926 ssh_decompressor *d)
\r
929 struct ssh2_userkey {
\r
930 ssh_key *key; /* the key itself */
\r
931 char *comment; /* the key comment */
\r
934 /* Argon2 password hashing function */
\r
935 typedef enum { Argon2d = 0, Argon2i = 1, Argon2id = 2 } Argon2Flavour;
\r
936 void argon2(Argon2Flavour, uint32_t mem, uint32_t passes,
\r
937 uint32_t parallel, uint32_t taglen,
\r
938 ptrlen P, ptrlen S, ptrlen K, ptrlen X, strbuf *out);
\r
939 void argon2_choose_passes(
\r
940 Argon2Flavour, uint32_t mem, uint32_t milliseconds, uint32_t *passes,
\r
941 uint32_t parallel, uint32_t taglen, ptrlen P, ptrlen S, ptrlen K, ptrlen X,
\r
943 /* The H' hash defined in Argon2, exposed just for testcrypt */
\r
944 strbuf *argon2_long_hash(unsigned length, ptrlen data);
\r
946 /* The maximum length of any hash algorithm. (bytes) */
\r
947 #define MAX_HASH_LEN (114) /* longest is SHAKE256 with 114-byte output */
\r
949 extern const ssh_cipheralg ssh_3des_ssh1;
\r
950 extern const ssh_cipheralg ssh_blowfish_ssh1;
\r
951 extern const ssh_cipheralg ssh_3des_ssh2_ctr;
\r
952 extern const ssh_cipheralg ssh_3des_ssh2;
\r
953 extern const ssh_cipheralg ssh_des;
\r
954 extern const ssh_cipheralg ssh_des_sshcom_ssh2;
\r
955 extern const ssh_cipheralg ssh_aes256_sdctr;
\r
956 extern const ssh_cipheralg ssh_aes256_sdctr_hw;
\r
957 extern const ssh_cipheralg ssh_aes256_sdctr_sw;
\r
958 extern const ssh_cipheralg ssh_aes256_cbc;
\r
959 extern const ssh_cipheralg ssh_aes256_cbc_hw;
\r
960 extern const ssh_cipheralg ssh_aes256_cbc_sw;
\r
961 extern const ssh_cipheralg ssh_aes192_sdctr;
\r
962 extern const ssh_cipheralg ssh_aes192_sdctr_hw;
\r
963 extern const ssh_cipheralg ssh_aes192_sdctr_sw;
\r
964 extern const ssh_cipheralg ssh_aes192_cbc;
\r
965 extern const ssh_cipheralg ssh_aes192_cbc_hw;
\r
966 extern const ssh_cipheralg ssh_aes192_cbc_sw;
\r
967 extern const ssh_cipheralg ssh_aes128_sdctr;
\r
968 extern const ssh_cipheralg ssh_aes128_sdctr_hw;
\r
969 extern const ssh_cipheralg ssh_aes128_sdctr_sw;
\r
970 extern const ssh_cipheralg ssh_aes128_cbc;
\r
971 extern const ssh_cipheralg ssh_aes128_cbc_hw;
\r
972 extern const ssh_cipheralg ssh_aes128_cbc_sw;
\r
973 extern const ssh_cipheralg ssh_blowfish_ssh2_ctr;
\r
974 extern const ssh_cipheralg ssh_blowfish_ssh2;
\r
975 extern const ssh_cipheralg ssh_arcfour256_ssh2;
\r
976 extern const ssh_cipheralg ssh_arcfour128_ssh2;
\r
977 extern const ssh_cipheralg ssh2_chacha20_poly1305;
\r
978 extern const ssh2_ciphers ssh2_3des;
\r
979 extern const ssh2_ciphers ssh2_des;
\r
980 extern const ssh2_ciphers ssh2_aes;
\r
981 extern const ssh2_ciphers ssh2_blowfish;
\r
982 extern const ssh2_ciphers ssh2_arcfour;
\r
983 extern const ssh2_ciphers ssh2_ccp;
\r
984 extern const ssh_hashalg ssh_md5;
\r
985 extern const ssh_hashalg ssh_sha1;
\r
986 extern const ssh_hashalg ssh_sha1_hw;
\r
987 extern const ssh_hashalg ssh_sha1_sw;
\r
988 extern const ssh_hashalg ssh_sha256;
\r
989 extern const ssh_hashalg ssh_sha256_hw;
\r
990 extern const ssh_hashalg ssh_sha256_sw;
\r
991 extern const ssh_hashalg ssh_sha384;
\r
992 extern const ssh_hashalg ssh_sha384_hw;
\r
993 extern const ssh_hashalg ssh_sha384_sw;
\r
994 extern const ssh_hashalg ssh_sha512;
\r
995 extern const ssh_hashalg ssh_sha512_hw;
\r
996 extern const ssh_hashalg ssh_sha512_sw;
\r
997 extern const ssh_hashalg ssh_sha3_224;
\r
998 extern const ssh_hashalg ssh_sha3_256;
\r
999 extern const ssh_hashalg ssh_sha3_384;
\r
1000 extern const ssh_hashalg ssh_sha3_512;
\r
1001 extern const ssh_hashalg ssh_shake256_114bytes;
\r
1002 extern const ssh_hashalg ssh_blake2b;
\r
1003 extern const ssh_kexes ssh_diffiehellman_group1;
\r
1004 extern const ssh_kexes ssh_diffiehellman_group14;
\r
1005 extern const ssh_kexes ssh_diffiehellman_gex;
\r
1006 extern const ssh_kexes ssh_gssk5_sha1_kex;
\r
1007 extern const ssh_kexes ssh_rsa_kex;
\r
1008 extern const ssh_kex ssh_ec_kex_curve25519;
\r
1009 extern const ssh_kex ssh_ec_kex_curve448;
\r
1010 extern const ssh_kex ssh_ec_kex_nistp256;
\r
1011 extern const ssh_kex ssh_ec_kex_nistp384;
\r
1012 extern const ssh_kex ssh_ec_kex_nistp521;
\r
1013 extern const ssh_kexes ssh_ecdh_kex;
\r
1014 extern const ssh_keyalg ssh_dss;
\r
1015 extern const ssh_keyalg ssh_rsa;
\r
1016 extern const ssh_keyalg ssh_rsa_sha256;
\r
1017 extern const ssh_keyalg ssh_rsa_sha512;
\r
1018 extern const ssh_keyalg ssh_ecdsa_ed25519;
\r
1019 extern const ssh_keyalg ssh_ecdsa_ed448;
\r
1020 extern const ssh_keyalg ssh_ecdsa_nistp256;
\r
1021 extern const ssh_keyalg ssh_ecdsa_nistp384;
\r
1022 extern const ssh_keyalg ssh_ecdsa_nistp521;
\r
1023 extern const ssh2_macalg ssh_hmac_md5;
\r
1024 extern const ssh2_macalg ssh_hmac_sha1;
\r
1025 extern const ssh2_macalg ssh_hmac_sha1_buggy;
\r
1026 extern const ssh2_macalg ssh_hmac_sha1_96;
\r
1027 extern const ssh2_macalg ssh_hmac_sha1_96_buggy;
\r
1028 extern const ssh2_macalg ssh_hmac_sha256;
\r
1029 extern const ssh2_macalg ssh2_poly1305;
\r
1030 extern const ssh_compression_alg ssh_zlib;
\r
1032 /* Special constructor: BLAKE2b can be instantiated with any hash
\r
1033 * length up to 128 bytes */
\r
1034 ssh_hash *blake2b_new_general(unsigned hashlen);
\r
1037 * On some systems, you have to detect hardware crypto acceleration by
\r
1038 * asking the local OS API rather than OS-agnostically asking the CPU
\r
1039 * itself. If so, then this function should be implemented in each
\r
1040 * platform subdirectory.
\r
1042 bool platform_aes_hw_available(void);
\r
1043 bool platform_sha256_hw_available(void);
\r
1044 bool platform_sha1_hw_available(void);
\r
1045 bool platform_sha512_hw_available(void);
\r
1048 * PuTTY version number formatted as an SSH version string.
\r
1050 extern const char sshver[];
\r
1053 * Gross hack: pscp will try to start SFTP but fall back to scp1 if
\r
1054 * that fails. This variable is the means by which scp.c can reach
\r
1055 * into the SSH code and find out which one it got.
\r
1057 extern bool ssh_fallback_cmd(Backend *backend);
\r
1060 * The PRNG type, defined in sshprng.c. Visible data fields are
\r
1061 * 'savesize', which suggests how many random bytes you should request
\r
1062 * from a particular PRNG instance to write to putty.rnd, and a
\r
1063 * BinarySink implementation which you can use to write seed data in
\r
1064 * between calling prng_seed_{begin,finish}.
\r
1068 BinarySink_IMPLEMENTATION;
\r
1069 /* (also there's a surrounding implementation struct in sshprng.c) */
\r
1071 prng *prng_new(const ssh_hashalg *hashalg);
\r
1072 void prng_free(prng *p);
\r
1073 void prng_seed_begin(prng *p);
\r
1074 void prng_seed_finish(prng *p);
\r
1075 void prng_read(prng *p, void *vout, size_t size);
\r
1076 void prng_add_entropy(prng *p, unsigned source_id, ptrlen data);
\r
1077 size_t prng_seed_bits(prng *p);
\r
1079 /* This function must be implemented by the platform, and returns a
\r
1080 * timer in milliseconds that the PRNG can use to know whether it's
\r
1081 * been reseeded too recently to do it again.
\r
1083 * The PRNG system has its own special timing function not because its
\r
1084 * timing needs are unusual in the real applications, but simply so
\r
1085 * that testcrypt can mock it to keep the tests deterministic. */
\r
1086 uint64_t prng_reseed_time_ms(void);
\r
1088 void random_read(void *out, size_t size);
\r
1090 /* Exports from x11fwd.c */
\r
1092 X11_TRANS_IPV4 = 0, X11_TRANS_IPV6 = 6, X11_TRANS_UNIX = 256
\r
1094 struct X11Display {
\r
1095 /* Broken-down components of the display name itself */
\r
1100 /* OSX sometimes replaces all the above with a full Unix-socket pathname */
\r
1101 char *unixsocketpath;
\r
1103 /* PuTTY networking SockAddr to connect to the display, and associated
\r
1109 /* Our local auth details for talking to the real X display. */
\r
1110 int localauthproto;
\r
1111 unsigned char *localauthdata;
\r
1112 int localauthdatalen;
\r
1114 struct X11FakeAuth {
\r
1115 /* Auth details we invented for a virtual display on the SSH server. */
\r
1117 unsigned char *data;
\r
1122 /* The encrypted form of the first block, in XDM-AUTHORIZATION-1.
\r
1123 * Used as part of the key when these structures are organised
\r
1124 * into a tree. See x11_invent_fake_auth for explanation. */
\r
1125 unsigned char *xa1_firstblock;
\r
1128 * Used inside x11fwd.c to remember recently seen
\r
1129 * XDM-AUTHORIZATION-1 strings, to avoid replay attacks.
\r
1134 * What to do with an X connection matching this auth data.
\r
1136 struct X11Display *disp;
\r
1137 ssh_sharing_connstate *share_cs;
\r
1138 share_channel *share_chan;
\r
1140 void *x11_make_greeting(int endian, int protomajor, int protominor,
\r
1141 int auth_proto, const void *auth_data, int auth_len,
\r
1142 const char *peer_ip, int peer_port,
\r
1144 int x11_authcmp(void *av, void *bv); /* for putting X11FakeAuth in a tree234 */
\r
1146 * x11_setup_display() parses the display variable and fills in an
\r
1147 * X11Display structure. Some remote auth details are invented;
\r
1148 * the supplied authtype parameter configures the preferred
\r
1149 * authorisation protocol to use at the remote end. The local auth
\r
1150 * details are looked up by calling platform_get_x11_auth.
\r
1152 * If the returned pointer is NULL, then *error_msg will contain a
\r
1153 * dynamically allocated error message string.
\r
1155 extern struct X11Display *x11_setup_display(const char *display, Conf *,
\r
1156 char **error_msg);
\r
1157 void x11_free_display(struct X11Display *disp);
\r
1158 struct X11FakeAuth *x11_invent_fake_auth(tree234 *t, int authtype);
\r
1159 void x11_free_fake_auth(struct X11FakeAuth *auth);
\r
1160 Channel *x11_new_channel(tree234 *authtree, SshChannel *c,
\r
1161 const char *peeraddr, int peerport,
\r
1162 bool connection_sharing_possible);
\r
1163 char *x11_display(const char *display);
\r
1164 /* Platform-dependent X11 functions */
\r
1165 extern void platform_get_x11_auth(struct X11Display *display, Conf *);
\r
1166 /* examine a mostly-filled-in X11Display and fill in localauth* */
\r
1167 extern const bool platform_uses_x11_unix_by_default;
\r
1168 /* choose default X transport in the absence of a specified one */
\r
1169 SockAddr *platform_get_x11_unix_address(const char *path, int displaynum);
\r
1170 /* make up a SockAddr naming the address for displaynum */
\r
1171 char *platform_get_x_display(void);
\r
1172 /* allocated local X display string, if any */
\r
1173 /* Callbacks in x11.c usable _by_ platform X11 functions */
\r
1175 * This function does the job of platform_get_x11_auth, provided
\r
1176 * it is told where to find a normally formatted .Xauthority file:
\r
1177 * it opens that file, parses it to find an auth record which
\r
1178 * matches the display details in "display", and fills in the
\r
1179 * localauth fields.
\r
1181 * It is expected that most implementations of
\r
1182 * platform_get_x11_auth() will work by finding their system's
\r
1183 * .Xauthority file, adjusting the display details if necessary
\r
1184 * for local oddities like Unix-domain socket transport, and
\r
1185 * calling this function to do the rest of the work.
\r
1187 void x11_get_auth_from_authfile(struct X11Display *display,
\r
1188 const char *authfilename);
\r
1189 void x11_format_auth_for_authfile(
\r
1190 BinarySink *bs, SockAddr *addr, int display_no,
\r
1191 ptrlen authproto, ptrlen authdata);
\r
1192 int x11_identify_auth_proto(ptrlen protoname);
\r
1193 void *x11_dehexify(ptrlen hex, int *outlen);
\r
1195 Channel *agentf_new(SshChannel *c);
\r
1197 bool dh_is_gex(const ssh_kex *kex);
\r
1198 dh_ctx *dh_setup_group(const ssh_kex *kex);
\r
1199 dh_ctx *dh_setup_gex(mp_int *pval, mp_int *gval);
\r
1200 int dh_modulus_bit_size(const dh_ctx *ctx);
\r
1201 void dh_cleanup(dh_ctx *);
\r
1202 mp_int *dh_create_e(dh_ctx *, int nbits);
\r
1203 const char *dh_validate_f(dh_ctx *, mp_int *f);
\r
1204 mp_int *dh_find_K(dh_ctx *, mp_int *f);
\r
1206 static inline bool is_base64_char(char c)
\r
1208 return ((c >= '0' && c <= '9') ||
\r
1209 (c >= 'a' && c <= 'z') ||
\r
1210 (c >= 'A' && c <= 'Z') ||
\r
1211 c == '+' || c == '/' || c == '=');
\r
1214 extern int base64_decode_atom(const char *atom, unsigned char *out);
\r
1215 extern int base64_lines(int datalen);
\r
1216 extern void base64_encode_atom(const unsigned char *data, int n, char *out);
\r
1217 extern void base64_encode(FILE *fp, const unsigned char *data, int datalen,
\r
1220 /* ppk_load_* can return this as an error */
\r
1221 extern ssh2_userkey ssh2_wrong_passphrase;
\r
1222 #define SSH2_WRONG_PASSPHRASE (&ssh2_wrong_passphrase)
\r
1224 bool ppk_encrypted_s(BinarySource *src, char **comment);
\r
1225 bool ppk_encrypted_f(const Filename *filename, char **comment);
\r
1226 bool rsa1_encrypted_s(BinarySource *src, char **comment);
\r
1227 bool rsa1_encrypted_f(const Filename *filename, char **comment);
\r
1229 ssh2_userkey *ppk_load_s(BinarySource *src, const char *passphrase,
\r
1230 const char **errorstr);
\r
1231 ssh2_userkey *ppk_load_f(const Filename *filename, const char *passphrase,
\r
1232 const char **errorstr);
\r
1233 int rsa1_load_s(BinarySource *src, RSAKey *key,
\r
1234 const char *passphrase, const char **errorstr);
\r
1235 int rsa1_load_f(const Filename *filename, RSAKey *key,
\r
1236 const char *passphrase, const char **errorstr);
\r
1238 typedef struct ppk_save_parameters {
\r
1239 unsigned fmt_version; /* currently 2 or 3 */
\r
1242 * Parameters for fmt_version == 3
\r
1244 Argon2Flavour argon2_flavour;
\r
1245 uint32_t argon2_mem; /* in Kbyte */
\r
1246 bool argon2_passes_auto;
\r
1248 uint32_t argon2_passes; /* if auto == false */
\r
1249 uint32_t argon2_milliseconds; /* if auto == true */
\r
1251 uint32_t argon2_parallelism;
\r
1253 /* The ability to choose a specific salt is only intended for the
\r
1254 * use of the automated test of PuTTYgen. It's a (mild) security
\r
1255 * risk to do it with any passphrase you actually care about,
\r
1256 * because it invalidates the entire point of having a salt in the
\r
1258 const uint8_t *salt;
\r
1260 } ppk_save_parameters;
\r
1261 extern const ppk_save_parameters ppk_save_default_parameters;
\r
1263 strbuf *ppk_save_sb(ssh2_userkey *key, const char *passphrase,
\r
1264 const ppk_save_parameters *params);
\r
1265 bool ppk_save_f(const Filename *filename, ssh2_userkey *key,
\r
1266 const char *passphrase, const ppk_save_parameters *params);
\r
1267 strbuf *rsa1_save_sb(RSAKey *key, const char *passphrase);
\r
1268 bool rsa1_save_f(const Filename *filename, RSAKey *key,
\r
1269 const char *passphrase);
\r
1271 bool ppk_loadpub_s(BinarySource *src, char **algorithm, BinarySink *bs,
\r
1272 char **commentptr, const char **errorstr);
\r
1273 bool ppk_loadpub_f(const Filename *filename, char **algorithm, BinarySink *bs,
\r
1274 char **commentptr, const char **errorstr);
\r
1275 int rsa1_loadpub_s(BinarySource *src, BinarySink *bs,
\r
1276 char **commentptr, const char **errorstr);
\r
1277 int rsa1_loadpub_f(const Filename *filename, BinarySink *bs,
\r
1278 char **commentptr, const char **errorstr);
\r
1280 extern const ssh_keyalg *const all_keyalgs[];
\r
1281 extern const size_t n_keyalgs;
\r
1282 const ssh_keyalg *find_pubkey_alg(const char *name);
\r
1283 const ssh_keyalg *find_pubkey_alg_len(ptrlen name);
\r
1285 /* Convenient wrappers on the LoadedFile mechanism suitable for key files */
\r
1286 LoadedFile *lf_load_keyfile(const Filename *filename, const char **errptr);
\r
1287 LoadedFile *lf_load_keyfile_fp(FILE *fp, const char **errptr);
\r
1290 SSH_KEYTYPE_UNOPENABLE,
\r
1291 SSH_KEYTYPE_UNKNOWN,
\r
1292 SSH_KEYTYPE_SSH1, SSH_KEYTYPE_SSH2,
\r
1294 * The OpenSSH key types deserve a little explanation. OpenSSH has
\r
1295 * two physical formats for private key storage: an old PEM-based
\r
1296 * one largely dictated by their use of OpenSSL and full of ASN.1,
\r
1297 * and a new one using the same private key formats used over the
\r
1298 * wire for talking to ssh-agent. The old format can only support
\r
1299 * a subset of the key types, because it needs redesign for each
\r
1300 * key type, and after a while they decided to move to the new
\r
1301 * format so as not to have to do that.
\r
1303 * On input, key files are identified as either
\r
1304 * SSH_KEYTYPE_OPENSSH_PEM or SSH_KEYTYPE_OPENSSH_NEW, describing
\r
1305 * accurately which actual format the keys are stored in.
\r
1307 * On output, however, we default to following OpenSSH's own
\r
1308 * policy of writing out PEM-style keys for maximum backwards
\r
1309 * compatibility if the key type supports it, and otherwise
\r
1310 * switching to the new format. So the formats you can select for
\r
1311 * output are SSH_KEYTYPE_OPENSSH_NEW (forcing the new format for
\r
1312 * any key type), and SSH_KEYTYPE_OPENSSH_AUTO to use the oldest
\r
1313 * format supported by whatever key type you're writing out.
\r
1315 * So we have three type codes, but only two of them usable in any
\r
1316 * given circumstance. An input key file will never be identified
\r
1317 * as AUTO, only PEM or NEW; key export UIs should not be able to
\r
1318 * select PEM, only AUTO or NEW.
\r
1320 SSH_KEYTYPE_OPENSSH_AUTO,
\r
1321 SSH_KEYTYPE_OPENSSH_PEM,
\r
1322 SSH_KEYTYPE_OPENSSH_NEW,
\r
1323 SSH_KEYTYPE_SSHCOM,
\r
1325 * Public-key-only formats, which we still want to be able to read
\r
1326 * for various purposes.
\r
1328 SSH_KEYTYPE_SSH1_PUBLIC,
\r
1329 SSH_KEYTYPE_SSH2_PUBLIC_RFC4716,
\r
1330 SSH_KEYTYPE_SSH2_PUBLIC_OPENSSH
\r
1335 SSH_FPTYPE_SHA256,
\r
1336 } FingerprintType;
\r
1338 #define SSH_FPTYPE_DEFAULT SSH_FPTYPE_SHA256
\r
1339 #define SSH_N_FPTYPES (SSH_FPTYPE_SHA256 + 1)
\r
1341 FingerprintType ssh2_pick_fingerprint(char **fingerprints,
\r
1342 FingerprintType preferred_type);
\r
1343 FingerprintType ssh2_pick_default_fingerprint(char **fingerprints);
\r
1345 char *ssh1_pubkey_str(RSAKey *ssh1key);
\r
1346 void ssh1_write_pubkey(FILE *fp, RSAKey *ssh1key);
\r
1347 char *ssh2_pubkey_openssh_str(ssh2_userkey *key);
\r
1348 void ssh2_write_pubkey(FILE *fp, const char *comment,
\r
1349 const void *v_pub_blob, int pub_len,
\r
1351 char *ssh2_fingerprint_blob(ptrlen, FingerprintType);
\r
1352 char *ssh2_fingerprint(ssh_key *key, FingerprintType);
\r
1353 char **ssh2_all_fingerprints_for_blob(ptrlen);
\r
1354 char **ssh2_all_fingerprints(ssh_key *key);
\r
1355 void ssh2_free_all_fingerprints(char **);
\r
1356 int key_type(const Filename *filename);
\r
1357 int key_type_s(BinarySource *src);
\r
1358 const char *key_type_to_str(int type);
\r
1360 bool import_possible(int type);
\r
1361 int import_target_type(int type);
\r
1362 bool import_encrypted(const Filename *filename, int type, char **comment);
\r
1363 bool import_encrypted_s(const Filename *filename, BinarySource *src,
\r
1364 int type, char **comment);
\r
1365 int import_ssh1(const Filename *filename, int type,
\r
1366 RSAKey *key, char *passphrase, const char **errmsg_p);
\r
1367 int import_ssh1_s(BinarySource *src, int type,
\r
1368 RSAKey *key, char *passphrase, const char **errmsg_p);
\r
1369 ssh2_userkey *import_ssh2(const Filename *filename, int type,
\r
1370 char *passphrase, const char **errmsg_p);
\r
1371 ssh2_userkey *import_ssh2_s(BinarySource *src, int type,
\r
1372 char *passphrase, const char **errmsg_p);
\r
1373 bool export_ssh1(const Filename *filename, int type,
\r
1374 RSAKey *key, char *passphrase);
\r
1375 bool export_ssh2(const Filename *filename, int type,
\r
1376 ssh2_userkey *key, char *passphrase);
\r
1378 void des3_decrypt_pubkey(const void *key, void *blk, int len);
\r
1379 void des3_encrypt_pubkey(const void *key, void *blk, int len);
\r
1380 void des3_decrypt_pubkey_ossh(const void *key, const void *iv,
\r
1381 void *blk, int len);
\r
1382 void des3_encrypt_pubkey_ossh(const void *key, const void *iv,
\r
1383 void *blk, int len);
\r
1384 void aes256_encrypt_pubkey(const void *key, const void *iv,
\r
1385 void *blk, int len);
\r
1386 void aes256_decrypt_pubkey(const void *key, const void *iv,
\r
1387 void *blk, int len);
\r
1389 void des_encrypt_xdmauth(const void *key, void *blk, int len);
\r
1390 void des_decrypt_xdmauth(const void *key, void *blk, int len);
\r
1392 void openssh_bcrypt(const char *passphrase,
\r
1393 const unsigned char *salt, int saltbytes,
\r
1394 int rounds, unsigned char *out, int outbytes);
\r
1397 * Connection-sharing API provided by platforms. This function must
\r
1399 * - return SHARE_NONE and do nothing
\r
1400 * - return SHARE_DOWNSTREAM and set *sock to a Socket connected to
\r
1402 * - return SHARE_UPSTREAM and set *sock to a Socket connected to
\r
1405 enum { SHARE_NONE, SHARE_DOWNSTREAM, SHARE_UPSTREAM };
\r
1406 int platform_ssh_share(const char *name, Conf *conf,
\r
1407 Plug *downplug, Plug *upplug, Socket **sock,
\r
1408 char **logtext, char **ds_err, char **us_err,
\r
1409 bool can_upstream, bool can_downstream);
\r
1410 void platform_ssh_share_cleanup(const char *name);
\r
1413 * List macro defining the SSH-1 message type codes.
\r
1415 #define SSH1_MESSAGE_TYPES(X, y) \
\r
1416 X(y, SSH1_MSG_DISCONNECT, 1) \
\r
1417 X(y, SSH1_SMSG_PUBLIC_KEY, 2) \
\r
1418 X(y, SSH1_CMSG_SESSION_KEY, 3) \
\r
1419 X(y, SSH1_CMSG_USER, 4) \
\r
1420 X(y, SSH1_CMSG_AUTH_RSA, 6) \
\r
1421 X(y, SSH1_SMSG_AUTH_RSA_CHALLENGE, 7) \
\r
1422 X(y, SSH1_CMSG_AUTH_RSA_RESPONSE, 8) \
\r
1423 X(y, SSH1_CMSG_AUTH_PASSWORD, 9) \
\r
1424 X(y, SSH1_CMSG_REQUEST_PTY, 10) \
\r
1425 X(y, SSH1_CMSG_WINDOW_SIZE, 11) \
\r
1426 X(y, SSH1_CMSG_EXEC_SHELL, 12) \
\r
1427 X(y, SSH1_CMSG_EXEC_CMD, 13) \
\r
1428 X(y, SSH1_SMSG_SUCCESS, 14) \
\r
1429 X(y, SSH1_SMSG_FAILURE, 15) \
\r
1430 X(y, SSH1_CMSG_STDIN_DATA, 16) \
\r
1431 X(y, SSH1_SMSG_STDOUT_DATA, 17) \
\r
1432 X(y, SSH1_SMSG_STDERR_DATA, 18) \
\r
1433 X(y, SSH1_CMSG_EOF, 19) \
\r
1434 X(y, SSH1_SMSG_EXIT_STATUS, 20) \
\r
1435 X(y, SSH1_MSG_CHANNEL_OPEN_CONFIRMATION, 21) \
\r
1436 X(y, SSH1_MSG_CHANNEL_OPEN_FAILURE, 22) \
\r
1437 X(y, SSH1_MSG_CHANNEL_DATA, 23) \
\r
1438 X(y, SSH1_MSG_CHANNEL_CLOSE, 24) \
\r
1439 X(y, SSH1_MSG_CHANNEL_CLOSE_CONFIRMATION, 25) \
\r
1440 X(y, SSH1_SMSG_X11_OPEN, 27) \
\r
1441 X(y, SSH1_CMSG_PORT_FORWARD_REQUEST, 28) \
\r
1442 X(y, SSH1_MSG_PORT_OPEN, 29) \
\r
1443 X(y, SSH1_CMSG_AGENT_REQUEST_FORWARDING, 30) \
\r
1444 X(y, SSH1_SMSG_AGENT_OPEN, 31) \
\r
1445 X(y, SSH1_MSG_IGNORE, 32) \
\r
1446 X(y, SSH1_CMSG_EXIT_CONFIRMATION, 33) \
\r
1447 X(y, SSH1_CMSG_X11_REQUEST_FORWARDING, 34) \
\r
1448 X(y, SSH1_CMSG_AUTH_RHOSTS_RSA, 35) \
\r
1449 X(y, SSH1_MSG_DEBUG, 36) \
\r
1450 X(y, SSH1_CMSG_REQUEST_COMPRESSION, 37) \
\r
1451 X(y, SSH1_CMSG_AUTH_TIS, 39) \
\r
1452 X(y, SSH1_SMSG_AUTH_TIS_CHALLENGE, 40) \
\r
1453 X(y, SSH1_CMSG_AUTH_TIS_RESPONSE, 41) \
\r
1454 X(y, SSH1_CMSG_AUTH_CCARD, 70) \
\r
1455 X(y, SSH1_SMSG_AUTH_CCARD_CHALLENGE, 71) \
\r
1456 X(y, SSH1_CMSG_AUTH_CCARD_RESPONSE, 72) \
\r
1459 #define SSH1_AUTH_RHOSTS 1 /* 0x1 */
\r
1460 #define SSH1_AUTH_RSA 2 /* 0x2 */
\r
1461 #define SSH1_AUTH_PASSWORD 3 /* 0x3 */
\r
1462 #define SSH1_AUTH_RHOSTS_RSA 4 /* 0x4 */
\r
1463 #define SSH1_AUTH_TIS 5 /* 0x5 */
\r
1464 #define SSH1_AUTH_CCARD 16 /* 0x10 */
\r
1466 #define SSH1_PROTOFLAG_SCREEN_NUMBER 1 /* 0x1 */
\r
1467 /* Mask for protoflags we will echo back to server if seen */
\r
1468 #define SSH1_PROTOFLAGS_SUPPORTED 0 /* 0x1 */
\r
1471 * List macro defining SSH-2 message type codes. Some of these depend
\r
1472 * on particular contexts (i.e. a previously negotiated kex or auth
\r
1475 #define SSH2_MESSAGE_TYPES(X, K, A, y) \
\r
1476 X(y, SSH2_MSG_DISCONNECT, 1) \
\r
1477 X(y, SSH2_MSG_IGNORE, 2) \
\r
1478 X(y, SSH2_MSG_UNIMPLEMENTED, 3) \
\r
1479 X(y, SSH2_MSG_DEBUG, 4) \
\r
1480 X(y, SSH2_MSG_SERVICE_REQUEST, 5) \
\r
1481 X(y, SSH2_MSG_SERVICE_ACCEPT, 6) \
\r
1482 X(y, SSH2_MSG_EXT_INFO, 7) \
\r
1483 X(y, SSH2_MSG_KEXINIT, 20) \
\r
1484 X(y, SSH2_MSG_NEWKEYS, 21) \
\r
1485 K(y, SSH2_MSG_KEXDH_INIT, 30, SSH2_PKTCTX_DHGROUP) \
\r
1486 K(y, SSH2_MSG_KEXDH_REPLY, 31, SSH2_PKTCTX_DHGROUP) \
\r
1487 K(y, SSH2_MSG_KEX_DH_GEX_REQUEST_OLD, 30, SSH2_PKTCTX_DHGEX) \
\r
1488 K(y, SSH2_MSG_KEX_DH_GEX_REQUEST, 34, SSH2_PKTCTX_DHGEX) \
\r
1489 K(y, SSH2_MSG_KEX_DH_GEX_GROUP, 31, SSH2_PKTCTX_DHGEX) \
\r
1490 K(y, SSH2_MSG_KEX_DH_GEX_INIT, 32, SSH2_PKTCTX_DHGEX) \
\r
1491 K(y, SSH2_MSG_KEX_DH_GEX_REPLY, 33, SSH2_PKTCTX_DHGEX) \
\r
1492 K(y, SSH2_MSG_KEXGSS_INIT, 30, SSH2_PKTCTX_GSSKEX) \
\r
1493 K(y, SSH2_MSG_KEXGSS_CONTINUE, 31, SSH2_PKTCTX_GSSKEX) \
\r
1494 K(y, SSH2_MSG_KEXGSS_COMPLETE, 32, SSH2_PKTCTX_GSSKEX) \
\r
1495 K(y, SSH2_MSG_KEXGSS_HOSTKEY, 33, SSH2_PKTCTX_GSSKEX) \
\r
1496 K(y, SSH2_MSG_KEXGSS_ERROR, 34, SSH2_PKTCTX_GSSKEX) \
\r
1497 K(y, SSH2_MSG_KEXGSS_GROUPREQ, 40, SSH2_PKTCTX_GSSKEX) \
\r
1498 K(y, SSH2_MSG_KEXGSS_GROUP, 41, SSH2_PKTCTX_GSSKEX) \
\r
1499 K(y, SSH2_MSG_KEXRSA_PUBKEY, 30, SSH2_PKTCTX_RSAKEX) \
\r
1500 K(y, SSH2_MSG_KEXRSA_SECRET, 31, SSH2_PKTCTX_RSAKEX) \
\r
1501 K(y, SSH2_MSG_KEXRSA_DONE, 32, SSH2_PKTCTX_RSAKEX) \
\r
1502 K(y, SSH2_MSG_KEX_ECDH_INIT, 30, SSH2_PKTCTX_ECDHKEX) \
\r
1503 K(y, SSH2_MSG_KEX_ECDH_REPLY, 31, SSH2_PKTCTX_ECDHKEX) \
\r
1504 X(y, SSH2_MSG_USERAUTH_REQUEST, 50) \
\r
1505 X(y, SSH2_MSG_USERAUTH_FAILURE, 51) \
\r
1506 X(y, SSH2_MSG_USERAUTH_SUCCESS, 52) \
\r
1507 X(y, SSH2_MSG_USERAUTH_BANNER, 53) \
\r
1508 A(y, SSH2_MSG_USERAUTH_PK_OK, 60, SSH2_PKTCTX_PUBLICKEY) \
\r
1509 A(y, SSH2_MSG_USERAUTH_PASSWD_CHANGEREQ, 60, SSH2_PKTCTX_PASSWORD) \
\r
1510 A(y, SSH2_MSG_USERAUTH_INFO_REQUEST, 60, SSH2_PKTCTX_KBDINTER) \
\r
1511 A(y, SSH2_MSG_USERAUTH_INFO_RESPONSE, 61, SSH2_PKTCTX_KBDINTER) \
\r
1512 A(y, SSH2_MSG_USERAUTH_GSSAPI_RESPONSE, 60, SSH2_PKTCTX_GSSAPI) \
\r
1513 A(y, SSH2_MSG_USERAUTH_GSSAPI_TOKEN, 61, SSH2_PKTCTX_GSSAPI) \
\r
1514 A(y, SSH2_MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE, 63, SSH2_PKTCTX_GSSAPI) \
\r
1515 A(y, SSH2_MSG_USERAUTH_GSSAPI_ERROR, 64, SSH2_PKTCTX_GSSAPI) \
\r
1516 A(y, SSH2_MSG_USERAUTH_GSSAPI_ERRTOK, 65, SSH2_PKTCTX_GSSAPI) \
\r
1517 A(y, SSH2_MSG_USERAUTH_GSSAPI_MIC, 66, SSH2_PKTCTX_GSSAPI) \
\r
1518 X(y, SSH2_MSG_GLOBAL_REQUEST, 80) \
\r
1519 X(y, SSH2_MSG_REQUEST_SUCCESS, 81) \
\r
1520 X(y, SSH2_MSG_REQUEST_FAILURE, 82) \
\r
1521 X(y, SSH2_MSG_CHANNEL_OPEN, 90) \
\r
1522 X(y, SSH2_MSG_CHANNEL_OPEN_CONFIRMATION, 91) \
\r
1523 X(y, SSH2_MSG_CHANNEL_OPEN_FAILURE, 92) \
\r
1524 X(y, SSH2_MSG_CHANNEL_WINDOW_ADJUST, 93) \
\r
1525 X(y, SSH2_MSG_CHANNEL_DATA, 94) \
\r
1526 X(y, SSH2_MSG_CHANNEL_EXTENDED_DATA, 95) \
\r
1527 X(y, SSH2_MSG_CHANNEL_EOF, 96) \
\r
1528 X(y, SSH2_MSG_CHANNEL_CLOSE, 97) \
\r
1529 X(y, SSH2_MSG_CHANNEL_REQUEST, 98) \
\r
1530 X(y, SSH2_MSG_CHANNEL_SUCCESS, 99) \
\r
1531 X(y, SSH2_MSG_CHANNEL_FAILURE, 100) \
\r
1534 #define DEF_ENUM_UNIVERSAL(y, name, value) name = value,
\r
1535 #define DEF_ENUM_CONTEXTUAL(y, name, value, context) name = value,
\r
1537 SSH1_MESSAGE_TYPES(DEF_ENUM_UNIVERSAL, y)
\r
1538 SSH2_MESSAGE_TYPES(DEF_ENUM_UNIVERSAL,
\r
1539 DEF_ENUM_CONTEXTUAL, DEF_ENUM_CONTEXTUAL, y)
\r
1540 /* Virtual packet type, for packets too short to even have a type */
\r
1541 SSH_MSG_NO_TYPE_CODE = 256
\r
1543 #undef DEF_ENUM_UNIVERSAL
\r
1544 #undef DEF_ENUM_CONTEXTUAL
\r
1547 * SSH-1 agent messages.
\r
1549 #define SSH1_AGENTC_REQUEST_RSA_IDENTITIES 1
\r
1550 #define SSH1_AGENT_RSA_IDENTITIES_ANSWER 2
\r
1551 #define SSH1_AGENTC_RSA_CHALLENGE 3
\r
1552 #define SSH1_AGENT_RSA_RESPONSE 4
\r
1553 #define SSH1_AGENTC_ADD_RSA_IDENTITY 7
\r
1554 #define SSH1_AGENTC_REMOVE_RSA_IDENTITY 8
\r
1555 #define SSH1_AGENTC_REMOVE_ALL_RSA_IDENTITIES 9 /* openssh private? */
\r
1558 * Messages common to SSH-1 and OpenSSH's SSH-2.
\r
1560 #define SSH_AGENT_FAILURE 5
\r
1561 #define SSH_AGENT_SUCCESS 6
\r
1564 * OpenSSH's SSH-2 agent messages.
\r
1566 #define SSH2_AGENTC_REQUEST_IDENTITIES 11
\r
1567 #define SSH2_AGENT_IDENTITIES_ANSWER 12
\r
1568 #define SSH2_AGENTC_SIGN_REQUEST 13
\r
1569 #define SSH2_AGENT_SIGN_RESPONSE 14
\r
1570 #define SSH2_AGENTC_ADD_IDENTITY 17
\r
1571 #define SSH2_AGENTC_REMOVE_IDENTITY 18
\r
1572 #define SSH2_AGENTC_REMOVE_ALL_IDENTITIES 19
\r
1573 #define SSH2_AGENTC_EXTENSION 27
\r
1574 #define SSH_AGENT_EXTENSION_FAILURE 28
\r
1577 * Assorted other SSH-related enumerations.
\r
1579 #define SSH2_DISCONNECT_HOST_NOT_ALLOWED_TO_CONNECT 1 /* 0x1 */
\r
1580 #define SSH2_DISCONNECT_PROTOCOL_ERROR 2 /* 0x2 */
\r
1581 #define SSH2_DISCONNECT_KEY_EXCHANGE_FAILED 3 /* 0x3 */
\r
1582 #define SSH2_DISCONNECT_HOST_AUTHENTICATION_FAILED 4 /* 0x4 */
\r
1583 #define SSH2_DISCONNECT_MAC_ERROR 5 /* 0x5 */
\r
1584 #define SSH2_DISCONNECT_COMPRESSION_ERROR 6 /* 0x6 */
\r
1585 #define SSH2_DISCONNECT_SERVICE_NOT_AVAILABLE 7 /* 0x7 */
\r
1586 #define SSH2_DISCONNECT_PROTOCOL_VERSION_NOT_SUPPORTED 8 /* 0x8 */
\r
1587 #define SSH2_DISCONNECT_HOST_KEY_NOT_VERIFIABLE 9 /* 0x9 */
\r
1588 #define SSH2_DISCONNECT_CONNECTION_LOST 10 /* 0xa */
\r
1589 #define SSH2_DISCONNECT_BY_APPLICATION 11 /* 0xb */
\r
1590 #define SSH2_DISCONNECT_TOO_MANY_CONNECTIONS 12 /* 0xc */
\r
1591 #define SSH2_DISCONNECT_AUTH_CANCELLED_BY_USER 13 /* 0xd */
\r
1592 #define SSH2_DISCONNECT_NO_MORE_AUTH_METHODS_AVAILABLE 14 /* 0xe */
\r
1593 #define SSH2_DISCONNECT_ILLEGAL_USER_NAME 15 /* 0xf */
\r
1595 #define SSH2_OPEN_ADMINISTRATIVELY_PROHIBITED 1 /* 0x1 */
\r
1596 #define SSH2_OPEN_CONNECT_FAILED 2 /* 0x2 */
\r
1597 #define SSH2_OPEN_UNKNOWN_CHANNEL_TYPE 3 /* 0x3 */
\r
1598 #define SSH2_OPEN_RESOURCE_SHORTAGE 4 /* 0x4 */
\r
1600 #define SSH2_EXTENDED_DATA_STDERR 1 /* 0x1 */
\r
1603 /* TTY modes with opcodes defined consistently in the SSH specs. */
\r
1604 #define TTYMODE_CHAR(name, val, index) SSH_TTYMODE_##name = val,
\r
1605 #define TTYMODE_FLAG(name, val, field, mask) SSH_TTYMODE_##name = val,
\r
1606 #include "sshttymodes.h"
\r
1607 #undef TTYMODE_CHAR
\r
1608 #undef TTYMODE_FLAG
\r
1610 /* Modes encoded differently between SSH-1 and SSH-2, for which we
\r
1611 * make up our own dummy opcodes to avoid confusion. */
\r
1612 TTYMODE_dummy = 255,
\r
1613 TTYMODE_ISPEED, TTYMODE_OSPEED,
\r
1615 /* Limiting value that we can use as an array bound below */
\r
1618 /* The real opcodes for terminal speeds. */
\r
1619 TTYMODE_ISPEED_SSH1 = 192,
\r
1620 TTYMODE_OSPEED_SSH1 = 193,
\r
1621 TTYMODE_ISPEED_SSH2 = 128,
\r
1622 TTYMODE_OSPEED_SSH2 = 129,
\r
1624 /* And the opcode that ends a list. */
\r
1625 TTYMODE_END_OF_LIST = 0
\r
1628 struct ssh_ttymodes {
\r
1629 /* A boolean per mode, indicating whether it's set. */
\r
1630 bool have_mode[TTYMODE_LIMIT];
\r
1632 /* The actual value for each mode. */
\r
1633 unsigned mode_val[TTYMODE_LIMIT];
\r
1636 struct ssh_ttymodes get_ttymodes_from_conf(Seat *seat, Conf *conf);
\r
1637 struct ssh_ttymodes read_ttymodes_from_packet(
\r
1638 BinarySource *bs, int ssh_version);
\r
1639 void write_ttymodes_to_packet(BinarySink *bs, int ssh_version,
\r
1640 struct ssh_ttymodes modes);
\r
1642 const char *ssh1_pkt_type(int type);
\r
1643 const char *ssh2_pkt_type(Pkt_KCtx pkt_kctx, Pkt_ACtx pkt_actx, int type);
\r
1644 bool ssh2_pkt_type_code_valid(unsigned type);
\r
1647 * Need this to warn about support for the original SSH-2 keyfile
\r
1650 void old_keyfile_warning(void);
\r
1653 * Flags indicating implementation bugs that we know how to mitigate
\r
1654 * if we think the other end has them.
\r
1656 #define SSH_IMPL_BUG_LIST(X) \
\r
1657 X(BUG_CHOKES_ON_SSH1_IGNORE) \
\r
1658 X(BUG_SSH2_HMAC) \
\r
1659 X(BUG_NEEDS_SSH1_PLAIN_PASSWORD) \
\r
1660 X(BUG_CHOKES_ON_RSA) \
\r
1661 X(BUG_SSH2_RSA_PADDING) \
\r
1662 X(BUG_SSH2_DERIVEKEY) \
\r
1663 X(BUG_SSH2_REKEY) \
\r
1664 X(BUG_SSH2_PK_SESSIONID) \
\r
1665 X(BUG_SSH2_MAXPKT) \
\r
1666 X(BUG_CHOKES_ON_SSH2_IGNORE) \
\r
1667 X(BUG_CHOKES_ON_WINADJ) \
\r
1668 X(BUG_SENDS_LATE_REQUEST_REPLY) \
\r
1669 X(BUG_SSH2_OLDGEX) \
\r
1671 #define TMP_DECLARE_LOG2_ENUM(thing) log2_##thing,
\r
1672 enum { SSH_IMPL_BUG_LIST(TMP_DECLARE_LOG2_ENUM) };
\r
1673 #undef TMP_DECLARE_LOG2_ENUM
\r
1674 #define TMP_DECLARE_REAL_ENUM(thing) thing = 1 << log2_##thing,
\r
1675 enum { SSH_IMPL_BUG_LIST(TMP_DECLARE_REAL_ENUM) };
\r
1676 #undef TMP_DECLARE_REAL_ENUM
\r
1678 /* Shared system for allocating local SSH channel ids. Expects to be
\r
1679 * passed a tree full of structs that have a field called 'localid' of
\r
1680 * type unsigned, and will check that! */
\r
1681 unsigned alloc_channel_id_general(tree234 *channels, size_t localid_offset);
\r
1682 #define alloc_channel_id(tree, type) \
\r
1683 TYPECHECK(&((type *)0)->localid == (unsigned *)0, \
\r
1684 alloc_channel_id_general(tree, offsetof(type, localid)))
\r
1686 void add_to_commasep(strbuf *buf, const char *data);
\r
1687 bool get_commasep_word(ptrlen *list, ptrlen *word);
\r
1689 int verify_ssh_manual_host_key(Conf *conf, char **fingerprints, ssh_key *key);
\r
1691 typedef struct ssh_transient_hostkey_cache ssh_transient_hostkey_cache;
\r
1692 ssh_transient_hostkey_cache *ssh_transient_hostkey_cache_new(void);
\r
1693 void ssh_transient_hostkey_cache_free(ssh_transient_hostkey_cache *thc);
\r
1694 void ssh_transient_hostkey_cache_add(
\r
1695 ssh_transient_hostkey_cache *thc, ssh_key *key);
\r
1696 bool ssh_transient_hostkey_cache_verify(
\r
1697 ssh_transient_hostkey_cache *thc, ssh_key *key);
\r
1698 bool ssh_transient_hostkey_cache_has(
\r
1699 ssh_transient_hostkey_cache *thc, const ssh_keyalg *alg);
\r
1700 bool ssh_transient_hostkey_cache_non_empty(ssh_transient_hostkey_cache *thc);
\r