| blob | d365bafdb0e11e07fb88cda92b385faa585788fe |
1 #include <stdio.h>\r
2 #include <string.h>\r
3 \r
4 #include "puttymem.h"\r
5 #include "tree234.h"\r
6 #include "network.h"\r
7 #include "misc.h"\r
8 \r
9 struct ssh_channel;\r
10 \r
11 /*\r
12 * Buffer management constants. There are several of these for\r
13 * various different purposes:\r
14 *\r
15 * - SSH1_BUFFER_LIMIT is the amount of backlog that must build up\r
16 * on a local data stream before we throttle the whole SSH\r
17 * connection (in SSH-1 only). Throttling the whole connection is\r
18 * pretty drastic so we set this high in the hope it won't\r
19 * happen very often.\r
20 *\r
21 * - SSH_MAX_BACKLOG is the amount of backlog that must build up\r
22 * on the SSH connection itself before we defensively throttle\r
23 * _all_ local data streams. This is pretty drastic too (though\r
24 * thankfully unlikely in SSH-2 since the window mechanism should\r
25 * ensure that the server never has any need to throttle its end\r
26 * of the connection), so we set this high as well.\r
27 *\r
28 * - OUR_V2_WINSIZE is the default window size we present on SSH-2\r
29 * channels.\r
30 *\r
31 * - OUR_V2_BIGWIN is the window size we advertise for the only\r
32 * channel in a simple connection. It must be <= INT_MAX.\r
33 *\r
34 * - OUR_V2_MAXPKT is the official "maximum packet size" we send\r
35 * to the remote side. This actually has nothing to do with the\r
36 * size of the _packet_, but is instead a limit on the amount\r
37 * of data we're willing to receive in a single SSH2 channel\r
38 * data message.\r
39 *\r
40 * - OUR_V2_PACKETLIMIT is actually the maximum size of SSH\r
41 * _packet_ we're prepared to cope with. It must be a multiple\r
42 * of the cipher block size, and must be at least 35000.\r
43 */\r
44 \r
45 #define SSH1_BUFFER_LIMIT 32768\r
46 #define SSH_MAX_BACKLOG 32768\r
47 #define OUR_V2_WINSIZE 16384\r
48 #define OUR_V2_BIGWIN 0x7fffffff\r
49 #define OUR_V2_MAXPKT 0x4000UL\r
50 #define OUR_V2_PACKETLIMIT 0x9000UL\r
51 \r
52 typedef struct PacketQueueNode PacketQueueNode;\r
53 struct PacketQueueNode {\r
54 PacketQueueNode *next, *prev;\r
55 size_t formal_size; /* contribution to PacketQueueBase's total_size */\r
56 bool on_free_queue; /* is this packet scheduled for freeing? */\r
57 };\r
58 \r
59 typedef struct PktIn {\r
60 int type;\r
61 unsigned long sequence; /* SSH-2 incoming sequence number */\r
62 PacketQueueNode qnode; /* for linking this packet on to a queue */\r
63 BinarySource_IMPLEMENTATION;\r
64 } PktIn;\r
65 \r
66 typedef struct PktOut {\r
67 size_t prefix; /* bytes up to and including type field */\r
68 size_t length; /* total bytes, including prefix */\r
69 int type;\r
70 size_t minlen; /* SSH-2: ensure wire length is at least this */\r
71 unsigned char *data; /* allocated storage */\r
72 size_t maxlen; /* amount of storage allocated for `data' */\r
73 \r
74 /* Extra metadata used in SSH packet logging mode, allowing us to\r
75 * log in the packet header line that the packet came from a\r
76 * connection-sharing downstream and what if anything unusual was\r
77 * done to it. The additional_log_text field is expected to be a\r
78 * static string - it will not be freed. */\r
79 unsigned downstream_id;\r
80 const char *additional_log_text;\r
81 \r
82 PacketQueueNode qnode; /* for linking this packet on to a queue */\r
83 BinarySink_IMPLEMENTATION;\r
84 } PktOut;\r
85 \r
86 typedef struct PacketQueueBase {\r
87 PacketQueueNode end;\r
88 size_t total_size; /* sum of all formal_size fields on the queue */\r
89 struct IdempotentCallback *ic;\r
90 } PacketQueueBase;\r
91 \r
92 typedef struct PktInQueue {\r
93 PacketQueueBase pqb;\r
94 PktIn *(*after)(PacketQueueBase *, PacketQueueNode *prev, bool pop);\r
95 } PktInQueue;\r
96 \r
97 typedef struct PktOutQueue {\r
98 PacketQueueBase pqb;\r
99 PktOut *(*after)(PacketQueueBase *, PacketQueueNode *prev, bool pop);\r
100 } PktOutQueue;\r
101 \r
102 void pq_base_push(PacketQueueBase *pqb, PacketQueueNode *node);\r
103 void pq_base_push_front(PacketQueueBase *pqb, PacketQueueNode *node);\r
104 void pq_base_concatenate(PacketQueueBase *dest,\r
105 PacketQueueBase *q1, PacketQueueBase *q2);\r
106 \r
107 void pq_in_init(PktInQueue *pq);\r
108 void pq_out_init(PktOutQueue *pq);\r
109 void pq_in_clear(PktInQueue *pq);\r
110 void pq_out_clear(PktOutQueue *pq);\r
111 \r
112 #define pq_push(pq, pkt) \\r
113 TYPECHECK((pq)->after(&(pq)->pqb, NULL, false) == pkt, \\r
114 pq_base_push(&(pq)->pqb, &(pkt)->qnode))\r
115 #define pq_push_front(pq, pkt) \\r
116 TYPECHECK((pq)->after(&(pq)->pqb, NULL, false) == pkt, \\r
117 pq_base_push_front(&(pq)->pqb, &(pkt)->qnode))\r
118 #define pq_peek(pq) ((pq)->after(&(pq)->pqb, &(pq)->pqb.end, false))\r
119 #define pq_pop(pq) ((pq)->after(&(pq)->pqb, &(pq)->pqb.end, true))\r
120 #define pq_concatenate(dst, q1, q2) \\r
121 TYPECHECK((q1)->after(&(q1)->pqb, NULL, false) == \\r
122 (dst)->after(&(dst)->pqb, NULL, false) && \\r
123 (q2)->after(&(q2)->pqb, NULL, false) == \\r
124 (dst)->after(&(dst)->pqb, NULL, false), \\r
125 pq_base_concatenate(&(dst)->pqb, &(q1)->pqb, &(q2)->pqb))\r
126 \r
127 #define pq_first(pq) pq_peek(pq)\r
128 #define pq_next(pq, pkt) ((pq)->after(&(pq)->pqb, &(pkt)->qnode, false))\r
129 \r
130 /*\r
131 * Packet type contexts, so that ssh2_pkt_type can correctly decode\r
132 * the ambiguous type numbers back into the correct type strings.\r
133 */\r
134 typedef enum {\r
135 SSH2_PKTCTX_NOKEX,\r
136 SSH2_PKTCTX_DHGROUP,\r
137 SSH2_PKTCTX_DHGEX,\r
138 SSH2_PKTCTX_ECDHKEX,\r
139 SSH2_PKTCTX_GSSKEX,\r
140 SSH2_PKTCTX_RSAKEX\r
141 } Pkt_KCtx;\r
142 typedef enum {\r
143 SSH2_PKTCTX_NOAUTH,\r
144 SSH2_PKTCTX_PUBLICKEY,\r
145 SSH2_PKTCTX_PASSWORD,\r
146 SSH2_PKTCTX_GSSAPI,\r
147 SSH2_PKTCTX_KBDINTER\r
148 } Pkt_ACtx;\r
149 \r
150 typedef struct PacketLogSettings {\r
151 bool omit_passwords, omit_data;\r
152 Pkt_KCtx kctx;\r
153 Pkt_ACtx actx;\r
154 } PacketLogSettings;\r
155 \r
156 #define MAX_BLANKS 4 /* no packet needs more censored sections than this */\r
157 int ssh1_censor_packet(\r
158 const PacketLogSettings *pls, int type, bool sender_is_client,\r
159 ptrlen pkt, logblank_t *blanks);\r
160 int ssh2_censor_packet(\r
161 const PacketLogSettings *pls, int type, bool sender_is_client,\r
162 ptrlen pkt, logblank_t *blanks);\r
163 \r
164 PktOut *ssh_new_packet(void);\r
165 void ssh_free_pktout(PktOut *pkt);\r
166 \r
167 Socket *ssh_connection_sharing_init(\r
168 const char *host, int port, Conf *conf, LogContext *logctx,\r
169 Plug *sshplug, ssh_sharing_state **state);\r
170 void ssh_connshare_provide_connlayer(ssh_sharing_state *sharestate,\r
171 ConnectionLayer *cl);\r
172 bool ssh_share_test_for_upstream(const char *host, int port, Conf *conf);\r
173 void share_got_pkt_from_server(ssh_sharing_connstate *ctx, int type,\r
174 const void *pkt, int pktlen);\r
175 void share_activate(ssh_sharing_state *sharestate,\r
176 const char *server_verstring);\r
177 void sharestate_free(ssh_sharing_state *state);\r
178 int share_ndownstreams(ssh_sharing_state *state);\r
179 \r
180 void ssh_connshare_log(Ssh *ssh, int event, const char *logtext,\r
181 const char *ds_err, const char *us_err);\r
182 void share_setup_x11_channel(ssh_sharing_connstate *cs, share_channel *chan,\r
183 unsigned upstream_id, unsigned server_id,\r
184 unsigned server_currwin, unsigned server_maxpkt,\r
185 unsigned client_adjusted_window,\r
186 const char *peer_addr, int peer_port, int endian,\r
187 int protomajor, int protominor,\r
188 const void *initial_data, int initial_len);\r
189 \r
190 /* Per-application overrides for what roles we can take in connection\r
191 * sharing, regardless of user configuration (e.g. pscp will never be\r
192 * an upstream) */\r
193 extern const bool share_can_be_downstream;\r
194 extern const bool share_can_be_upstream;\r
195 \r
196 struct X11Display;\r
197 struct X11FakeAuth;\r
198 \r
199 /* Structure definition centralised here because the SSH-1 and SSH-2\r
200 * connection layers both use it. But the client module (portfwd.c)\r
201 * should not try to look inside here. */\r
202 struct ssh_rportfwd {\r
203 unsigned sport, dport;\r
204 char *shost, *dhost;\r
205 int addressfamily;\r
206 char *log_description; /* name of remote listening port, for logging */\r
207 ssh_sharing_connstate *share_ctx;\r
208 PortFwdRecord *pfr;\r
209 };\r
210 void free_rportfwd(struct ssh_rportfwd *rpf);\r
211 \r
212 typedef struct ConnectionLayerVtable ConnectionLayerVtable;\r
213 \r
214 struct ConnectionLayerVtable {\r
215 /* Allocate and free remote-to-local port forwardings, called by\r
216 * PortFwdManager or by connection sharing */\r
217 struct ssh_rportfwd *(*rportfwd_alloc)(\r
218 ConnectionLayer *cl,\r
219 const char *shost, int sport, const char *dhost, int dport,\r
220 int addressfamily, const char *log_description, PortFwdRecord *pfr,\r
221 ssh_sharing_connstate *share_ctx);\r
222 void (*rportfwd_remove)(ConnectionLayer *cl, struct ssh_rportfwd *rpf);\r
223 \r
224 /* Open a local-to-remote port forwarding channel, called by\r
225 * PortFwdManager */\r
226 SshChannel *(*lportfwd_open)(\r
227 ConnectionLayer *cl, const char *hostname, int port,\r
228 const char *description, const SocketPeerInfo *peerinfo,\r
229 Channel *chan);\r
230 \r
231 /* Initiate opening of a 'session'-type channel */\r
232 SshChannel *(*session_open)(ConnectionLayer *cl, Channel *chan);\r
233 \r
234 /* Open outgoing channels for X and agent forwarding. (Used in the\r
235 * SSH server.) */\r
236 SshChannel *(*serverside_x11_open)(ConnectionLayer *cl, Channel *chan,\r
237 const SocketPeerInfo *pi);\r
238 SshChannel *(*serverside_agent_open)(ConnectionLayer *cl, Channel *chan);\r
239 \r
240 /* Add an X11 display for ordinary X forwarding */\r
241 struct X11FakeAuth *(*add_x11_display)(\r
242 ConnectionLayer *cl, int authtype, struct X11Display *x11disp);\r
243 \r
244 /* Add and remove X11 displays for connection sharing downstreams */\r
245 struct X11FakeAuth *(*add_sharing_x11_display)(\r
246 ConnectionLayer *cl, int authtype, ssh_sharing_connstate *share_cs,\r
247 share_channel *share_chan);\r
248 void (*remove_sharing_x11_display)(\r
249 ConnectionLayer *cl, struct X11FakeAuth *auth);\r
250 \r
251 /* Pass through an outgoing SSH packet from a downstream */\r
252 void (*send_packet_from_downstream)(\r
253 ConnectionLayer *cl, unsigned id, int type,\r
254 const void *pkt, int pktlen, const char *additional_log_text);\r
255 \r
256 /* Allocate/free an upstream channel number associated with a\r
257 * sharing downstream */\r
258 unsigned (*alloc_sharing_channel)(ConnectionLayer *cl,\r
259 ssh_sharing_connstate *connstate);\r
260 void (*delete_sharing_channel)(ConnectionLayer *cl, unsigned localid);\r
261 \r
262 /* Indicate that a downstream has sent a global request with the\r
263 * want-reply flag, so that when a reply arrives it will be passed\r
264 * back to that downstrean */\r
265 void (*sharing_queue_global_request)(\r
266 ConnectionLayer *cl, ssh_sharing_connstate *connstate);\r
267 \r
268 /* Indicate that the last downstream has disconnected */\r
269 void (*sharing_no_more_downstreams)(ConnectionLayer *cl);\r
270 \r
271 /* Query whether the connection layer is doing agent forwarding */\r
272 bool (*agent_forwarding_permitted)(ConnectionLayer *cl);\r
273 \r
274 /* Set the size of the main terminal window (if any) */\r
275 void (*terminal_size)(ConnectionLayer *cl, int width, int height);\r
276 \r
277 /* Indicate that the backlog on standard output has cleared */\r
278 void (*stdout_unthrottle)(ConnectionLayer *cl, size_t bufsize);\r
279 \r
280 /* Query the size of the backlog on standard _input_ */\r
281 size_t (*stdin_backlog)(ConnectionLayer *cl);\r
282 \r
283 /* Tell the connection layer that the SSH connection itself has\r
284 * backed up, so it should tell all currently open channels to\r
285 * cease reading from their local input sources if they can. (Or\r
286 * tell it that that state of affairs has gone away again.) */\r
287 void (*throttle_all_channels)(ConnectionLayer *cl, bool throttled);\r
288 \r
289 /* Ask the connection layer about its current preference for\r
290 * line-discipline options. */\r
291 bool (*ldisc_option)(ConnectionLayer *cl, int option);\r
292 \r
293 /* Communicate _to_ the connection layer (from the main session\r
294 * channel) what its preference for line-discipline options is. */\r
295 void (*set_ldisc_option)(ConnectionLayer *cl, int option, bool value);\r
296 \r
297 /* Communicate to the connection layer whether X forwarding was\r
298 * successfully enabled (for purposes of knowing whether to accept\r
299 * subsequent channel-opens). */\r
300 void (*enable_x_fwd)(ConnectionLayer *cl);\r
301 \r
302 /* Communicate / query whether the main session channel currently\r
303 * wants user input. The set function is called by mainchan; the\r
304 * query function is called by the top-level ssh.c. */\r
305 void (*set_wants_user_input)(ConnectionLayer *cl, bool wanted);\r
306 bool (*get_wants_user_input)(ConnectionLayer *cl);\r
307 \r
308 /* Notify the connection layer that more data has been added to\r
309 * the user input queue. */\r
310 void (*got_user_input)(ConnectionLayer *cl);\r
311 };\r
312 \r
313 struct ConnectionLayer {\r
314 LogContext *logctx;\r
315 const struct ConnectionLayerVtable *vt;\r
316 };\r
317 \r
318 static inline struct ssh_rportfwd *ssh_rportfwd_alloc(\r
319 ConnectionLayer *cl, const char *sh, int sp, const char *dh, int dp,\r
320 int af, const char *log, PortFwdRecord *pfr, ssh_sharing_connstate *cs)\r
321 { return cl->vt->rportfwd_alloc(cl, sh, sp, dh, dp, af, log, pfr, cs); }\r
322 static inline void ssh_rportfwd_remove(\r
323 ConnectionLayer *cl, struct ssh_rportfwd *rpf)\r
324 { cl->vt->rportfwd_remove(cl, rpf); }\r
325 static inline SshChannel *ssh_lportfwd_open(\r
326 ConnectionLayer *cl, const char *host, int port,\r
327 const char *desc, const SocketPeerInfo *pi, Channel *chan)\r
328 { return cl->vt->lportfwd_open(cl, host, port, desc, pi, chan); }\r
329 static inline SshChannel *ssh_session_open(ConnectionLayer *cl, Channel *chan)\r
330 { return cl->vt->session_open(cl, chan); }\r
331 static inline SshChannel *ssh_serverside_x11_open(\r
332 ConnectionLayer *cl, Channel *chan, const SocketPeerInfo *pi)\r
333 { return cl->vt->serverside_x11_open(cl, chan, pi); }\r
334 static inline SshChannel *ssh_serverside_agent_open(\r
335 ConnectionLayer *cl, Channel *chan)\r
336 { return cl->vt->serverside_agent_open(cl, chan); }\r
337 static inline struct X11FakeAuth *ssh_add_x11_display(\r
338 ConnectionLayer *cl, int authtype, struct X11Display *x11disp)\r
339 { return cl->vt->add_x11_display(cl, authtype, x11disp); }\r
340 static inline struct X11FakeAuth *ssh_add_sharing_x11_display(\r
341 ConnectionLayer *cl, int authtype, ssh_sharing_connstate *share_cs,\r
342 share_channel *share_chan)\r
343 { return cl->vt->add_sharing_x11_display(cl, authtype, share_cs, share_chan); }\r
344 static inline void ssh_remove_sharing_x11_display(\r
345 ConnectionLayer *cl, struct X11FakeAuth *auth)\r
346 { cl->vt->remove_sharing_x11_display(cl, auth); }\r
347 static inline void ssh_send_packet_from_downstream(\r
348 ConnectionLayer *cl, unsigned id, int type,\r
349 const void *pkt, int len, const char *log)\r
350 { cl->vt->send_packet_from_downstream(cl, id, type, pkt, len, log); }\r
351 static inline unsigned ssh_alloc_sharing_channel(\r
352 ConnectionLayer *cl, ssh_sharing_connstate *connstate)\r
353 { return cl->vt->alloc_sharing_channel(cl, connstate); }\r
354 static inline void ssh_delete_sharing_channel(\r
355 ConnectionLayer *cl, unsigned localid)\r
356 { cl->vt->delete_sharing_channel(cl, localid); }\r
357 static inline void ssh_sharing_queue_global_request(\r
358 ConnectionLayer *cl, ssh_sharing_connstate *connstate)\r
359 { cl->vt->sharing_queue_global_request(cl, connstate); }\r
360 static inline void ssh_sharing_no_more_downstreams(ConnectionLayer *cl)\r
361 { cl->vt->sharing_no_more_downstreams(cl); }\r
362 static inline bool ssh_agent_forwarding_permitted(ConnectionLayer *cl)\r
363 { return cl->vt->agent_forwarding_permitted(cl); }\r
364 static inline void ssh_terminal_size(ConnectionLayer *cl, int w, int h)\r
365 { cl->vt->terminal_size(cl, w, h); }\r
366 static inline void ssh_stdout_unthrottle(ConnectionLayer *cl, size_t bufsize)\r
367 { cl->vt->stdout_unthrottle(cl, bufsize); }\r
368 static inline size_t ssh_stdin_backlog(ConnectionLayer *cl)\r
369 { return cl->vt->stdin_backlog(cl); }\r
370 static inline void ssh_throttle_all_channels(ConnectionLayer *cl, bool thr)\r
371 { cl->vt->throttle_all_channels(cl, thr); }\r
372 static inline bool ssh_ldisc_option(ConnectionLayer *cl, int option)\r
373 { return cl->vt->ldisc_option(cl, option); }\r
374 static inline void ssh_set_ldisc_option(ConnectionLayer *cl, int opt, bool val)\r
375 { cl->vt->set_ldisc_option(cl, opt, val); }\r
376 static inline void ssh_enable_x_fwd(ConnectionLayer *cl)\r
377 { cl->vt->enable_x_fwd(cl); }\r
378 static inline void ssh_set_wants_user_input(ConnectionLayer *cl, bool wanted)\r
379 { cl->vt->set_wants_user_input(cl, wanted); }\r
380 static inline bool ssh_get_wants_user_input(ConnectionLayer *cl)\r
381 { return cl->vt->get_wants_user_input(cl); }\r
382 static inline void ssh_got_user_input(ConnectionLayer *cl)\r
383 { cl->vt->got_user_input(cl); }\r
384 \r
385 /* Exports from portfwd.c */\r
386 PortFwdManager *portfwdmgr_new(ConnectionLayer *cl);\r
387 void portfwdmgr_free(PortFwdManager *mgr);\r
388 void portfwdmgr_config(PortFwdManager *mgr, Conf *conf);\r
389 void portfwdmgr_close(PortFwdManager *mgr, PortFwdRecord *pfr);\r
390 void portfwdmgr_close_all(PortFwdManager *mgr);\r
391 char *portfwdmgr_connect(PortFwdManager *mgr, Channel **chan_ret,\r
392 char *hostname, int port, SshChannel *c,\r
393 int addressfamily);\r
394 bool portfwdmgr_listen(PortFwdManager *mgr, const char *host, int port,\r
395 const char *keyhost, int keyport, Conf *conf);\r
396 bool portfwdmgr_unlisten(PortFwdManager *mgr, const char *host, int port);\r
397 Channel *portfwd_raw_new(ConnectionLayer *cl, Plug **plug, bool start_ready);\r
398 void portfwd_raw_free(Channel *pfchan);\r
399 void portfwd_raw_setup(Channel *pfchan, Socket *s, SshChannel *sc);\r
400 \r
401 Socket *platform_make_agent_socket(Plug *plug, const char *dirprefix,\r
402 char **error, char **name);\r
403 \r
404 LogContext *ssh_get_logctx(Ssh *ssh);\r
405 \r
406 /* Communications back to ssh.c from connection layers */\r
407 void ssh_throttle_conn(Ssh *ssh, int adjust);\r
408 void ssh_got_exitcode(Ssh *ssh, int status);\r
409 void ssh_ldisc_update(Ssh *ssh);\r
410 void ssh_check_sendok(Ssh *ssh);\r
411 void ssh_got_fallback_cmd(Ssh *ssh);\r
412 bool ssh_is_bare(Ssh *ssh);\r
413 \r
414 /* Communications back to ssh.c from the BPP */\r
415 void ssh_conn_processed_data(Ssh *ssh);\r
416 void ssh_sendbuffer_changed(Ssh *ssh);\r
417 void ssh_check_frozen(Ssh *ssh);\r
418 \r
419 /* Functions to abort the connection, for various reasons. */\r
420 void ssh_remote_error(Ssh *ssh, const char *fmt, ...) PRINTF_LIKE(2, 3);\r
421 void ssh_remote_eof(Ssh *ssh, const char *fmt, ...) PRINTF_LIKE(2, 3);\r
422 void ssh_proto_error(Ssh *ssh, const char *fmt, ...) PRINTF_LIKE(2, 3);\r
423 void ssh_sw_abort(Ssh *ssh, const char *fmt, ...) PRINTF_LIKE(2, 3);\r
424 void ssh_sw_abort_deferred(Ssh *ssh, const char *fmt, ...) PRINTF_LIKE(2, 3);\r
425 void ssh_user_close(Ssh *ssh, const char *fmt, ...) PRINTF_LIKE(2, 3);\r
426 void ssh_spr_close(Ssh *ssh, SeatPromptResult spr, const char *context);\r
427 \r
428 /* Bit positions in the SSH-1 cipher protocol word */\r
429 #define SSH1_CIPHER_IDEA 1\r
430 #define SSH1_CIPHER_DES 2\r
431 #define SSH1_CIPHER_3DES 3\r
432 #define SSH1_CIPHER_BLOWFISH 6\r
433 \r
434 /* The subset of those that we support, with names for selecting them\r
435 * on Uppity's command line */\r
436 #define SSH1_SUPPORTED_CIPHER_LIST(X) \\r
437 X(SSH1_CIPHER_3DES, "3des") \\r
438 X(SSH1_CIPHER_BLOWFISH, "blowfish") \\r
439 X(SSH1_CIPHER_DES, "des") \\r
440 /* end of list */\r
441 #define SSH1_CIPHER_LIST_MAKE_MASK(bitpos, name) | (1U << bitpos)\r
442 #define SSH1_SUPPORTED_CIPHER_MASK \\r
443 (0 SSH1_SUPPORTED_CIPHER_LIST(SSH1_CIPHER_LIST_MAKE_MASK))\r
444 \r
445 struct ssh_key {\r
446 const ssh_keyalg *vt;\r
447 };\r
448 \r
449 struct RSAKey {\r
450 int bits;\r
451 int bytes;\r
452 mp_int *modulus;\r
453 mp_int *exponent;\r
454 mp_int *private_exponent;\r
455 mp_int *p;\r
456 mp_int *q;\r
457 mp_int *iqmp;\r
458 char *comment;\r
459 ssh_key sshk;\r
460 };\r
461 \r
462 struct dsa_key {\r
463 mp_int *p, *q, *g, *y, *x;\r
464 ssh_key sshk;\r
465 };\r
466 \r
467 struct ec_curve;\r
468 \r
469 /* Weierstrass form curve */\r
470 struct ec_wcurve\r
471 {\r
472 WeierstrassCurve *wc;\r
473 WeierstrassPoint *G;\r
474 mp_int *G_order;\r
475 };\r
476 \r
477 /* Montgomery form curve */\r
478 struct ec_mcurve\r
479 {\r
480 MontgomeryCurve *mc;\r
481 MontgomeryPoint *G;\r
482 unsigned log2_cofactor;\r
483 };\r
484 \r
485 /* Edwards form curve */\r
486 struct ec_ecurve\r
487 {\r
488 EdwardsCurve *ec;\r
489 EdwardsPoint *G;\r
490 mp_int *G_order;\r
491 unsigned log2_cofactor;\r
492 };\r
493 \r
494 typedef enum EllipticCurveType {\r
495 EC_WEIERSTRASS, EC_MONTGOMERY, EC_EDWARDS\r
496 } EllipticCurveType;\r
497 \r
498 struct ec_curve {\r
499 EllipticCurveType type;\r
500 /* 'name' is the identifier of the curve when it has to appear in\r
501 * wire protocol encodings, as it does in e.g. the public key and\r
502 * signature formats for NIST curves. Curves which do not format\r
503 * their keys or signatures in this way just have name==NULL.\r
504 *\r
505 * 'textname' is non-NULL for all curves, and is a human-readable\r
506 * identification suitable for putting in log messages. */\r
507 const char *name, *textname;\r
508 size_t fieldBits, fieldBytes;\r
509 mp_int *p;\r
510 union {\r
511 struct ec_wcurve w;\r
512 struct ec_mcurve m;\r
513 struct ec_ecurve e;\r
514 };\r
515 };\r
516 \r
517 const ssh_keyalg *ec_alg_by_oid(int len, const void *oid,\r
518 const struct ec_curve **curve);\r
519 const unsigned char *ec_alg_oid(const ssh_keyalg *alg, int *oidlen);\r
520 extern const int ec_nist_curve_lengths[], n_ec_nist_curve_lengths;\r
521 extern const int ec_ed_curve_lengths[], n_ec_ed_curve_lengths;\r
522 bool ec_nist_alg_and_curve_by_bits(int bits,\r
523 const struct ec_curve **curve,\r
524 const ssh_keyalg **alg);\r
525 bool ec_ed_alg_and_curve_by_bits(int bits,\r
526 const struct ec_curve **curve,\r
527 const ssh_keyalg **alg);\r
528 \r
529 struct ecdsa_key {\r
530 const struct ec_curve *curve;\r
531 WeierstrassPoint *publicKey;\r
532 mp_int *privateKey;\r
533 ssh_key sshk;\r
534 };\r
535 struct eddsa_key {\r
536 const struct ec_curve *curve;\r
537 EdwardsPoint *publicKey;\r
538 mp_int *privateKey;\r
539 ssh_key sshk;\r
540 };\r
541 \r
542 WeierstrassPoint *ecdsa_public(mp_int *private_key, const ssh_keyalg *alg);\r
543 EdwardsPoint *eddsa_public(mp_int *private_key, const ssh_keyalg *alg);\r
544 \r
545 typedef enum KeyComponentType {\r
546 KCT_TEXT, KCT_BINARY, KCT_MPINT\r
547 } KeyComponentType;\r
548 typedef struct key_component {\r
549 char *name;\r
550 KeyComponentType type;\r
551 union {\r
552 strbuf *str; /* used for KCT_TEXT and KCT_BINARY */\r
553 mp_int *mp; /* used for KCT_MPINT */\r
554 };\r
555 } key_component;\r
556 typedef struct key_components {\r
557 size_t ncomponents, componentsize;\r
558 key_component *components;\r
559 } key_components;\r
560 key_components *key_components_new(void);\r
561 void key_components_add_text(key_components *kc,\r
562 const char *name, const char *value);\r
563 void key_components_add_text_pl(key_components *kc,\r
564 const char *name, ptrlen value);\r
565 void key_components_add_binary(key_components *kc,\r
566 const char *name, ptrlen value);\r
567 void key_components_add_mp(key_components *kc,\r
568 const char *name, mp_int *value);\r
569 void key_components_add_uint(key_components *kc,\r
570 const char *name, uintmax_t value);\r
571 void key_components_add_copy(key_components *kc,\r
572 const char *name, const key_component *value);\r
573 void key_components_free(key_components *kc);\r
574 \r
575 /*\r
576 * SSH-1 never quite decided which order to store the two components\r
577 * of an RSA key. During connection setup, the server sends its host\r
578 * and server keys with the exponent first; private key files store\r
579 * the modulus first. The agent protocol is even more confusing,\r
580 * because the client specifies a key to the server in one order and\r
581 * the server lists the keys it knows about in the other order!\r
582 */\r
583 typedef enum { RSA_SSH1_EXPONENT_FIRST, RSA_SSH1_MODULUS_FIRST } RsaSsh1Order;\r
584 \r
585 void BinarySource_get_rsa_ssh1_pub(\r
586 BinarySource *src, RSAKey *result, RsaSsh1Order order);\r
587 void BinarySource_get_rsa_ssh1_priv(\r
588 BinarySource *src, RSAKey *rsa);\r
589 RSAKey *BinarySource_get_rsa_ssh1_priv_agent(BinarySource *src);\r
590 bool rsa_ssh1_encrypt(unsigned char *data, int length, RSAKey *key);\r
591 mp_int *rsa_ssh1_decrypt(mp_int *input, RSAKey *key);\r
592 bool rsa_ssh1_decrypt_pkcs1(mp_int *input, RSAKey *key, strbuf *outbuf);\r
593 char *rsastr_fmt(RSAKey *key);\r
594 char *rsa_ssh1_fingerprint(RSAKey *key);\r
595 char **rsa_ssh1_fake_all_fingerprints(RSAKey *key);\r
596 bool rsa_verify(RSAKey *key);\r
597 void rsa_ssh1_public_blob(BinarySink *bs, RSAKey *key, RsaSsh1Order order);\r
598 int rsa_ssh1_public_blob_len(ptrlen data);\r
599 void rsa_ssh1_private_blob_agent(BinarySink *bs, RSAKey *key);\r
600 void duprsakey(RSAKey *dst, const RSAKey *src);\r
601 void freersapriv(RSAKey *key);\r
602 void freersakey(RSAKey *key);\r
603 key_components *rsa_components(RSAKey *key);\r
604 \r
605 uint32_t crc32_rfc1662(ptrlen data);\r
606 uint32_t crc32_ssh1(ptrlen data);\r
607 uint32_t crc32_update(uint32_t crc_input, ptrlen data);\r
608 \r
609 /* SSH CRC compensation attack detector */\r
610 struct crcda_ctx;\r
611 struct crcda_ctx *crcda_make_context(void);\r
612 void crcda_free_context(struct crcda_ctx *ctx);\r
613 bool detect_attack(struct crcda_ctx *ctx,\r
614 const unsigned char *buf, uint32_t len,\r
615 const unsigned char *IV);\r
616 \r
617 /*\r
618 * SSH2 RSA key exchange functions\r
619 */\r
620 struct ssh_rsa_kex_extra {\r
621 int minklen;\r
622 };\r
623 RSAKey *ssh_rsakex_newkey(ptrlen data);\r
624 void ssh_rsakex_freekey(RSAKey *key);\r
625 int ssh_rsakex_klen(RSAKey *key);\r
626 strbuf *ssh_rsakex_encrypt(\r
627 RSAKey *key, const ssh_hashalg *h, ptrlen plaintext);\r
628 mp_int *ssh_rsakex_decrypt(\r
629 RSAKey *key, const ssh_hashalg *h, ptrlen ciphertext);\r
630 \r
631 /*\r
632 * Helper function for k generation in DSA, reused in ECDSA\r
633 */\r
634 mp_int *dsa_gen_k(const char *id_string,\r
635 mp_int *modulus, mp_int *private_key,\r
636 unsigned char *digest, int digest_len);\r
637 \r
638 struct ssh_cipher {\r
639 const ssh_cipheralg *vt;\r
640 };\r
641 \r
642 struct ssh_cipheralg {\r
643 ssh_cipher *(*new)(const ssh_cipheralg *alg);\r
644 void (*free)(ssh_cipher *);\r
645 void (*setiv)(ssh_cipher *, const void *iv);\r
646 void (*setkey)(ssh_cipher *, const void *key);\r
647 void (*encrypt)(ssh_cipher *, void *blk, int len);\r
648 void (*decrypt)(ssh_cipher *, void *blk, int len);\r
649 /* Ignored unless SSH_CIPHER_SEPARATE_LENGTH flag set */\r
650 void (*encrypt_length)(ssh_cipher *, void *blk, int len,\r
651 unsigned long seq);\r
652 void (*decrypt_length)(ssh_cipher *, void *blk, int len,\r
653 unsigned long seq);\r
654 /* For ciphers that update their state per logical message\r
655 * (typically, per unit independently MACed) */\r
656 void (*next_message)(ssh_cipher *);\r
657 const char *ssh2_id;\r
658 int blksize;\r
659 /* real_keybits is the number of bits of entropy genuinely used by\r
660 * the cipher scheme; it's used for deciding how big a\r
661 * Diffie-Hellman group is needed to exchange a key for the\r
662 * cipher. */\r
663 int real_keybits;\r
664 /* padded_keybytes is the number of bytes of key data expected as\r
665 * input to the setkey function; it's used for deciding how much\r
666 * data needs to be generated from the post-kex generation of key\r
667 * material. In a sensible cipher which uses all its key bytes for\r
668 * real work, this will just be real_keybits/8, but in DES-type\r
669 * ciphers which ignore one bit in each byte, it'll be slightly\r
670 * different. */\r
671 int padded_keybytes;\r
672 unsigned int flags;\r
673 #define SSH_CIPHER_IS_CBC 1\r
674 #define SSH_CIPHER_SEPARATE_LENGTH 2\r
675 const char *text_name;\r
676 /* If set, this takes priority over other MAC. */\r
677 const ssh2_macalg *required_mac;\r
678 \r
679 /* Pointer to any extra data used by a particular implementation. */\r
680 const void *extra;\r
681 };\r
682 \r
683 static inline ssh_cipher *ssh_cipher_new(const ssh_cipheralg *alg)\r
684 { return alg->new(alg); }\r
685 static inline void ssh_cipher_free(ssh_cipher *c)\r
686 { c->vt->free(c); }\r
687 static inline void ssh_cipher_setiv(ssh_cipher *c, const void *iv)\r
688 { c->vt->setiv(c, iv); }\r
689 static inline void ssh_cipher_setkey(ssh_cipher *c, const void *key)\r
690 { c->vt->setkey(c, key); }\r
691 static inline void ssh_cipher_encrypt(ssh_cipher *c, void *blk, int len)\r
692 { c->vt->encrypt(c, blk, len); }\r
693 static inline void ssh_cipher_decrypt(ssh_cipher *c, void *blk, int len)\r
694 { c->vt->decrypt(c, blk, len); }\r
695 static inline void ssh_cipher_encrypt_length(\r
696 ssh_cipher *c, void *blk, int len, unsigned long seq)\r
697 { c->vt->encrypt_length(c, blk, len, seq); }\r
698 static inline void ssh_cipher_decrypt_length(\r
699 ssh_cipher *c, void *blk, int len, unsigned long seq)\r
700 { c->vt->decrypt_length(c, blk, len, seq); }\r
701 static inline void ssh_cipher_next_message(ssh_cipher *c)\r
702 { c->vt->next_message(c); }\r
703 static inline const struct ssh_cipheralg *ssh_cipher_alg(ssh_cipher *c)\r
704 { return c->vt; }\r
705 \r
706 void nullcipher_next_message(ssh_cipher *);\r
707 \r
708 struct ssh2_ciphers {\r
709 int nciphers;\r
710 const ssh_cipheralg *const *list;\r
711 };\r
712 \r
713 struct ssh2_mac {\r
714 const ssh2_macalg *vt;\r
715 BinarySink_DELEGATE_IMPLEMENTATION;\r
716 };\r
717 \r
718 struct ssh2_macalg {\r
719 /* Passes in the cipher context */\r
720 ssh2_mac *(*new)(const ssh2_macalg *alg, ssh_cipher *cipher);\r
721 void (*free)(ssh2_mac *);\r
722 void (*setkey)(ssh2_mac *, ptrlen key);\r
723 void (*start)(ssh2_mac *);\r
724 void (*genresult)(ssh2_mac *, unsigned char *);\r
725 void (*next_message)(ssh2_mac *);\r
726 const char *(*text_name)(ssh2_mac *);\r
727 const char *name, *etm_name;\r
728 int len, keylen;\r
729 \r
730 /* Pointer to any extra data used by a particular implementation. */\r
731 const void *extra;\r
732 };\r
733 \r
734 static inline ssh2_mac *ssh2_mac_new(\r
735 const ssh2_macalg *alg, ssh_cipher *cipher)\r
736 { return alg->new(alg, cipher); }\r
737 static inline void ssh2_mac_free(ssh2_mac *m)\r
738 { m->vt->free(m); }\r
739 static inline void ssh2_mac_setkey(ssh2_mac *m, ptrlen key)\r
740 { m->vt->setkey(m, key); }\r
741 static inline void ssh2_mac_start(ssh2_mac *m)\r
742 { m->vt->start(m); }\r
743 static inline void ssh2_mac_genresult(ssh2_mac *m, unsigned char *out)\r
744 { m->vt->genresult(m, out); }\r
745 static inline void ssh2_mac_next_message(ssh2_mac *m)\r
746 { m->vt->next_message(m); }\r
747 static inline const char *ssh2_mac_text_name(ssh2_mac *m)\r
748 { return m->vt->text_name(m); }\r
749 static inline const ssh2_macalg *ssh2_mac_alg(ssh2_mac *m)\r
750 { return m->vt; }\r
751 \r
752 /* Centralised 'methods' for ssh2_mac, defined in mac.c. These run\r
753 * the MAC in a specifically SSH-2 style, i.e. taking account of a\r
754 * packet sequence number as well as the data to be authenticated. */\r
755 bool ssh2_mac_verresult(ssh2_mac *, const void *);\r
756 void ssh2_mac_generate(ssh2_mac *, void *, int, unsigned long seq);\r
757 bool ssh2_mac_verify(ssh2_mac *, const void *, int, unsigned long seq);\r
758 \r
759 void nullmac_next_message(ssh2_mac *m);\r
760 \r
761 /* Use a MAC in its raw form, outside SSH-2 context, to MAC a given\r
762 * string with a given key in the most obvious way. */\r
763 void mac_simple(const ssh2_macalg *alg, ptrlen key, ptrlen data, void *output);\r
764 \r
765 struct ssh_hash {\r
766 const ssh_hashalg *vt;\r
767 BinarySink_DELEGATE_IMPLEMENTATION;\r
768 };\r
769 \r
770 struct ssh_hashalg {\r
771 ssh_hash *(*new)(const ssh_hashalg *alg);\r
772 void (*reset)(ssh_hash *);\r
773 void (*copyfrom)(ssh_hash *dest, ssh_hash *src);\r
774 void (*digest)(ssh_hash *, unsigned char *);\r
775 void (*free)(ssh_hash *);\r
776 size_t hlen; /* output length in bytes */\r
777 size_t blocklen; /* length of the hash's input block, or 0 for N/A */\r
778 const char *text_basename; /* the semantic name of the hash */\r
779 const char *annotation; /* extra info, e.g. which of multiple impls */\r
780 const char *text_name; /* both combined, e.g. "SHA-n (unaccelerated)" */\r
781 const void *extra; /* private to the hash implementation */\r
782 };\r
783 \r
784 static inline ssh_hash *ssh_hash_new(const ssh_hashalg *alg)\r
785 { ssh_hash *h = alg->new(alg); if (h) h->vt->reset(h); return h; }\r
786 static inline ssh_hash *ssh_hash_copy(ssh_hash *orig)\r
787 { ssh_hash *h = orig->vt->new(orig->vt); h->vt->copyfrom(h, orig); return h; }\r
788 static inline void ssh_hash_digest(ssh_hash *h, unsigned char *out)\r
789 { h->vt->digest(h, out); }\r
790 static inline void ssh_hash_free(ssh_hash *h)\r
791 { h->vt->free(h); }\r
792 static inline const ssh_hashalg *ssh_hash_alg(ssh_hash *h)\r
793 { return h->vt; }\r
794 \r
795 /* The reset and copyfrom vtable methods return void. But for call-site\r
796 * convenience, these wrappers return their input pointer. */\r
797 static inline ssh_hash *ssh_hash_reset(ssh_hash *h)\r
798 { h->vt->reset(h); return h; }\r
799 static inline ssh_hash *ssh_hash_copyfrom(ssh_hash *dest, ssh_hash *src)\r
800 { dest->vt->copyfrom(dest, src); return dest; }\r
801 \r
802 /* ssh_hash_final emits the digest _and_ frees the ssh_hash */\r
803 static inline void ssh_hash_final(ssh_hash *h, unsigned char *out)\r
804 { h->vt->digest(h, out); h->vt->free(h); }\r
805 \r
806 /* ssh_hash_digest_nondestructive generates a finalised hash from the\r
807 * given object without changing its state, so you can continue\r
808 * appending data to get a hash of an extended string. */\r
809 static inline void ssh_hash_digest_nondestructive(ssh_hash *h,\r
810 unsigned char *out)\r
811 { ssh_hash_final(ssh_hash_copy(h), out); }\r
812 \r
813 /* Handy macros for defining all those text-name fields at once */\r
814 #define HASHALG_NAMES_BARE(base) \\r
815 .text_basename = base, .annotation = NULL, .text_name = base\r
816 #define HASHALG_NAMES_ANNOTATED(base, ann) \\r
817 .text_basename = base, .annotation = ann, .text_name = base " (" ann ")"\r
818 \r
819 void hash_simple(const ssh_hashalg *alg, ptrlen data, void *output);\r
820 \r
821 struct ssh_kex {\r
822 const char *name, *groupname;\r
823 enum { KEXTYPE_DH, KEXTYPE_RSA, KEXTYPE_ECDH,\r
824 KEXTYPE_GSS, KEXTYPE_GSS_ECDH } main_type;\r
825 const ssh_hashalg *hash;\r
826 union { /* publicly visible data for each type */\r
827 const ecdh_keyalg *ecdh_vt; /* for KEXTYPE_ECDH, KEXTYPE_GSS_ECDH */\r
828 };\r
829 const void *extra; /* private to the kex methods */\r
830 };\r
831 \r
832 static inline bool kex_is_gss(const struct ssh_kex *kex)\r
833 {\r
834 return kex->main_type == KEXTYPE_GSS || kex->main_type == KEXTYPE_GSS_ECDH;\r
835 }\r
836 \r
837 struct ssh_kexes {\r
838 int nkexes;\r
839 const ssh_kex *const *list;\r
840 };\r
841 \r
842 /* Indices of the negotiation strings in the KEXINIT packet */\r
843 enum kexlist {\r
844 KEXLIST_KEX, KEXLIST_HOSTKEY, KEXLIST_CSCIPHER, KEXLIST_SCCIPHER,\r
845 KEXLIST_CSMAC, KEXLIST_SCMAC, KEXLIST_CSCOMP, KEXLIST_SCCOMP,\r
846 NKEXLIST\r
847 };\r
848 \r
849 struct ssh_keyalg {\r
850 /* Constructors that create an ssh_key */\r
851 ssh_key *(*new_pub) (const ssh_keyalg *self, ptrlen pub);\r
852 ssh_key *(*new_priv) (const ssh_keyalg *self, ptrlen pub, ptrlen priv);\r
853 ssh_key *(*new_priv_openssh) (const ssh_keyalg *self, BinarySource *);\r
854 \r
855 /* Methods that operate on an existing ssh_key */\r
856 void (*freekey) (ssh_key *key);\r
857 char *(*invalid) (ssh_key *key, unsigned flags);\r
858 void (*sign) (ssh_key *key, ptrlen data, unsigned flags, BinarySink *);\r
859 bool (*verify) (ssh_key *key, ptrlen sig, ptrlen data);\r
860 void (*public_blob)(ssh_key *key, BinarySink *);\r
861 void (*private_blob)(ssh_key *key, BinarySink *);\r
862 void (*openssh_blob) (ssh_key *key, BinarySink *);\r
863 bool (*has_private) (ssh_key *key);\r
864 char *(*cache_str) (ssh_key *key);\r
865 key_components *(*components) (ssh_key *key);\r
866 ssh_key *(*base_key) (ssh_key *key); /* does not confer ownership */\r
867 /* The following methods can be NULL if !is_certificate */\r
868 void (*ca_public_blob)(ssh_key *key, BinarySink *);\r
869 bool (*check_cert)(ssh_key *key, bool host, ptrlen principal,\r
870 uint64_t time, const ca_options *opts,\r
871 BinarySink *error);\r
872 void (*cert_id_string)(ssh_key *key, BinarySink *);\r
873 SeatDialogText *(*cert_info)(ssh_key *key);\r
874 \r
875 /* 'Class methods' that don't deal with an ssh_key at all */\r
876 int (*pubkey_bits) (const ssh_keyalg *self, ptrlen blob);\r
877 unsigned (*supported_flags) (const ssh_keyalg *self);\r
878 const char *(*alternate_ssh_id) (const ssh_keyalg *self, unsigned flags);\r
879 char *(*alg_desc)(const ssh_keyalg *self);\r
880 bool (*variable_size)(const ssh_keyalg *self);\r
881 /* The following methods can be NULL if !is_certificate */\r
882 const ssh_keyalg *(*related_alg)(const ssh_keyalg *self,\r
883 const ssh_keyalg *base);\r
884 \r
885 /* Constant data fields giving information about the key type */\r
886 const char *ssh_id; /* string identifier in the SSH protocol */\r
887 const char *cache_id; /* identifier used in PuTTY's host key cache */\r
888 const void *extra; /* private to the public key methods */\r
889 bool is_certificate; /* is this a certified key type? */\r
890 const ssh_keyalg *base_alg; /* if so, for what underlying key alg? */\r
891 };\r
892 \r
893 static inline ssh_key *ssh_key_new_pub(const ssh_keyalg *self, ptrlen pub)\r
894 { return self->new_pub(self, pub); }\r
895 static inline ssh_key *ssh_key_new_priv(\r
896 const ssh_keyalg *self, ptrlen pub, ptrlen priv)\r
897 { return self->new_priv(self, pub, priv); }\r
898 static inline ssh_key *ssh_key_new_priv_openssh(\r
899 const ssh_keyalg *self, BinarySource *src)\r
900 { return self->new_priv_openssh(self, src); }\r
901 static inline void ssh_key_free(ssh_key *key)\r
902 { key->vt->freekey(key); }\r
903 static inline char *ssh_key_invalid(ssh_key *key, unsigned flags)\r
904 { return key->vt->invalid(key, flags); }\r
905 static inline void ssh_key_sign(\r
906 ssh_key *key, ptrlen data, unsigned flags, BinarySink *bs)\r
907 { key->vt->sign(key, data, flags, bs); }\r
908 static inline bool ssh_key_verify(ssh_key *key, ptrlen sig, ptrlen data)\r
909 { return key->vt->verify(key, sig, data); }\r
910 static inline void ssh_key_public_blob(ssh_key *key, BinarySink *bs)\r
911 { key->vt->public_blob(key, bs); }\r
912 static inline void ssh_key_private_blob(ssh_key *key, BinarySink *bs)\r
913 { key->vt->private_blob(key, bs); }\r
914 static inline void ssh_key_openssh_blob(ssh_key *key, BinarySink *bs)\r
915 { key->vt->openssh_blob(key, bs); }\r
916 static inline bool ssh_key_has_private(ssh_key *key)\r
917 { return key->vt->has_private(key); }\r
918 static inline char *ssh_key_cache_str(ssh_key *key)\r
919 { return key->vt->cache_str(key); }\r
920 static inline key_components *ssh_key_components(ssh_key *key)\r
921 { return key->vt->components(key); }\r
922 static inline ssh_key *ssh_key_base_key(ssh_key *key)\r
923 { return key->vt->base_key(key); }\r
924 static inline void ssh_key_ca_public_blob(ssh_key *key, BinarySink *bs)\r
925 { key->vt->ca_public_blob(key, bs); }\r
926 static inline void ssh_key_cert_id_string(ssh_key *key, BinarySink *bs)\r
927 { key->vt->cert_id_string(key, bs); }\r
928 static inline SeatDialogText *ssh_key_cert_info(ssh_key *key)\r
929 { return key->vt->cert_info(key); }\r
930 static inline bool ssh_key_check_cert(\r
931 ssh_key *key, bool host, ptrlen principal, uint64_t time,\r
932 const ca_options *opts, BinarySink *error)\r
933 { return key->vt->check_cert(key, host, principal, time, opts, error); }\r
934 static inline int ssh_key_public_bits(const ssh_keyalg *self, ptrlen blob)\r
935 { return self->pubkey_bits(self, blob); }\r
936 static inline const ssh_keyalg *ssh_key_alg(ssh_key *key)\r
937 { return key->vt; }\r
938 static inline const char *ssh_key_ssh_id(ssh_key *key)\r
939 { return key->vt->ssh_id; }\r
940 static inline const char *ssh_key_cache_id(ssh_key *key)\r
941 { return key->vt->cache_id; }\r
942 static inline unsigned ssh_key_supported_flags(ssh_key *key)\r
943 { return key->vt->supported_flags(key->vt); }\r
944 static inline unsigned ssh_keyalg_supported_flags(const ssh_keyalg *self)\r
945 { return self->supported_flags(self); }\r
946 static inline const char *ssh_keyalg_alternate_ssh_id(\r
947 const ssh_keyalg *self, unsigned flags)\r
948 { return self->alternate_ssh_id(self, flags); }\r
949 static inline char *ssh_keyalg_desc(const ssh_keyalg *self)\r
950 { return self->alg_desc(self); }\r
951 static inline bool ssh_keyalg_variable_size(const ssh_keyalg *self)\r
952 { return self->variable_size(self); }\r
953 static inline const ssh_keyalg *ssh_keyalg_related_alg(\r
954 const ssh_keyalg *self, const ssh_keyalg *base)\r
955 { return self->related_alg(self, base); }\r
956 \r
957 /* Stub functions shared between multiple key types */\r
958 unsigned nullkey_supported_flags(const ssh_keyalg *self);\r
959 const char *nullkey_alternate_ssh_id(const ssh_keyalg *self, unsigned flags);\r
960 ssh_key *nullkey_base_key(ssh_key *key);\r
961 bool nullkey_variable_size_no(const ssh_keyalg *self);\r
962 bool nullkey_variable_size_yes(const ssh_keyalg *self);\r
963 \r
964 /* Utility functions implemented centrally */\r
965 ssh_key *ssh_key_clone(ssh_key *key);\r
966 \r
967 /*\r
968 * SSH2 ECDH key exchange vtable\r
969 */\r
970 struct ecdh_key {\r
971 const ecdh_keyalg *vt;\r
972 };\r
973 struct ecdh_keyalg {\r
974 /* Unusually, the 'new' method here doesn't directly take a vt\r
975 * pointer, because it will also need the containing ssh_kex\r
976 * structure for top-level parameters, and since that contains a\r
977 * vt pointer anyway, we might as well _only_ pass that. */\r
978 ecdh_key *(*new)(const ssh_kex *kex, bool is_server);\r
979 void (*free)(ecdh_key *key);\r
980 void (*getpublic)(ecdh_key *key, BinarySink *bs);\r
981 bool (*getkey)(ecdh_key *key, ptrlen remoteKey, BinarySink *bs);\r
982 char *(*description)(const ssh_kex *kex);\r
983 };\r
984 static inline ecdh_key *ecdh_key_new(const ssh_kex *kex, bool is_server)\r
985 { return kex->ecdh_vt->new(kex, is_server); }\r
986 static inline void ecdh_key_free(ecdh_key *key)\r
987 { key->vt->free(key); }\r
988 static inline void ecdh_key_getpublic(ecdh_key *key, BinarySink *bs)\r
989 { key->vt->getpublic(key, bs); }\r
990 static inline bool ecdh_key_getkey(ecdh_key *key, ptrlen remoteKey,\r
991 BinarySink *bs)\r
992 { return key->vt->getkey(key, remoteKey, bs); }\r
993 static inline char *ecdh_keyalg_description(const ssh_kex *kex)\r
994 { return kex->ecdh_vt->description(kex); }\r
995 \r
996 /*\r
997 * Suffix on GSSAPI SSH protocol identifiers that indicates Kerberos 5\r
998 * as the mechanism.\r
999 *\r
1000 * This suffix is the base64-encoded MD5 hash of the byte sequence\r
1001 * 06 09 2A 86 48 86 F7 12 01 02 02, which in turn is the ASN.1 DER\r
1002 * encoding of the object ID 1.2.840.113554.1.2.2 which designates\r
1003 * Kerberos v5.\r
1004 *\r
1005 * (The same encoded OID, minus the two-byte DER header, is defined in\r
1006 * ssh/pgssapi.c as GSS_MECH_KRB5.)\r
1007 */\r
1008 #define GSS_KRB5_OID_HASH "toWM5Slw5Ew8Mqkay+al2g=="\r
1009 \r
1010 /*\r
1011 * Enumeration of signature flags from draft-miller-ssh-agent-02\r
1012 */\r
1013 #define SSH_AGENT_RSA_SHA2_256 2\r
1014 #define SSH_AGENT_RSA_SHA2_512 4\r
1015 \r
1016 struct ssh_compressor {\r
1017 const ssh_compression_alg *vt;\r
1018 };\r
1019 struct ssh_decompressor {\r
1020 const ssh_compression_alg *vt;\r
1021 };\r
1022 \r
1023 struct ssh_compression_alg {\r
1024 const char *name;\r
1025 /* For zlib@openssh.com: if non-NULL, this name will be considered once\r
1026 * userauth has completed successfully. */\r
1027 const char *delayed_name;\r
1028 ssh_compressor *(*compress_new)(void);\r
1029 void (*compress_free)(ssh_compressor *);\r
1030 void (*compress)(ssh_compressor *, const unsigned char *block, int len,\r
1031 unsigned char **outblock, int *outlen,\r
1032 int minlen);\r
1033 ssh_decompressor *(*decompress_new)(void);\r
1034 void (*decompress_free)(ssh_decompressor *);\r
1035 bool (*decompress)(ssh_decompressor *, const unsigned char *block, int len,\r
1036 unsigned char **outblock, int *outlen);\r
1037 const char *text_name;\r
1038 };\r
1039 \r
1040 static inline ssh_compressor *ssh_compressor_new(\r
1041 const ssh_compression_alg *alg)\r
1042 { return alg->compress_new(); }\r
1043 static inline ssh_decompressor *ssh_decompressor_new(\r
1044 const ssh_compression_alg *alg)\r
1045 { return alg->decompress_new(); }\r
1046 static inline void ssh_compressor_free(ssh_compressor *c)\r
1047 { c->vt->compress_free(c); }\r
1048 static inline void ssh_decompressor_free(ssh_decompressor *d)\r
1049 { d->vt->decompress_free(d); }\r
1050 static inline void ssh_compressor_compress(\r
1051 ssh_compressor *c, const unsigned char *block, int len,\r
1052 unsigned char **outblock, int *outlen, int minlen)\r
1053 { c->vt->compress(c, block, len, outblock, outlen, minlen); }\r
1054 static inline bool ssh_decompressor_decompress(\r
1055 ssh_decompressor *d, const unsigned char *block, int len,\r
1056 unsigned char **outblock, int *outlen)\r
1057 { return d->vt->decompress(d, block, len, outblock, outlen); }\r
1058 static inline const ssh_compression_alg *ssh_compressor_alg(\r
1059 ssh_compressor *c)\r
1060 { return c->vt; }\r
1061 static inline const ssh_compression_alg *ssh_decompressor_alg(\r
1062 ssh_decompressor *d)\r
1063 { return d->vt; }\r
1064 \r
1065 struct ssh2_userkey {\r
1066 ssh_key *key; /* the key itself */\r
1067 char *comment; /* the key comment */\r
1068 };\r
1069 \r
1070 /* Argon2 password hashing function */\r
1071 typedef enum { Argon2d = 0, Argon2i = 1, Argon2id = 2 } Argon2Flavour;\r
1072 void argon2(Argon2Flavour, uint32_t mem, uint32_t passes,\r
1073 uint32_t parallel, uint32_t taglen,\r
1074 ptrlen P, ptrlen S, ptrlen K, ptrlen X, strbuf *out);\r
1075 void argon2_choose_passes(\r
1076 Argon2Flavour, uint32_t mem, uint32_t milliseconds, uint32_t *passes,\r
1077 uint32_t parallel, uint32_t taglen, ptrlen P, ptrlen S, ptrlen K, ptrlen X,\r
1078 strbuf *out);\r
1079 /* The H' hash defined in Argon2, exposed just for testcrypt */\r
1080 strbuf *argon2_long_hash(unsigned length, ptrlen data);\r
1081 \r
1082 /* The maximum length of any hash algorithm. (bytes) */\r
1083 #define MAX_HASH_LEN (114) /* longest is SHAKE256 with 114-byte output */\r
1084 \r
1085 extern const ssh_cipheralg ssh_3des_ssh1;\r
1086 extern const ssh_cipheralg ssh_blowfish_ssh1;\r
1087 extern const ssh_cipheralg ssh_3des_ssh2_ctr;\r
1088 extern const ssh_cipheralg ssh_3des_ssh2;\r
1089 extern const ssh_cipheralg ssh_des;\r
1090 extern const ssh_cipheralg ssh_des_sshcom_ssh2;\r
1091 extern const ssh_cipheralg ssh_aes256_sdctr;\r
1092 extern const ssh_cipheralg ssh_aes256_sdctr_ni;\r
1093 extern const ssh_cipheralg ssh_aes256_sdctr_neon;\r
1094 extern const ssh_cipheralg ssh_aes256_sdctr_sw;\r
1095 extern const ssh_cipheralg ssh_aes256_gcm;\r
1096 extern const ssh_cipheralg ssh_aes256_gcm_ni;\r
1097 extern const ssh_cipheralg ssh_aes256_gcm_neon;\r
1098 extern const ssh_cipheralg ssh_aes256_gcm_sw;\r
1099 extern const ssh_cipheralg ssh_aes256_cbc;\r
1100 extern const ssh_cipheralg ssh_aes256_cbc_ni;\r
1101 extern const ssh_cipheralg ssh_aes256_cbc_neon;\r
1102 extern const ssh_cipheralg ssh_aes256_cbc_sw;\r
1103 extern const ssh_cipheralg ssh_aes192_sdctr;\r
1104 extern const ssh_cipheralg ssh_aes192_sdctr_ni;\r
1105 extern const ssh_cipheralg ssh_aes192_sdctr_neon;\r
1106 extern const ssh_cipheralg ssh_aes192_sdctr_sw;\r
1107 extern const ssh_cipheralg ssh_aes192_gcm;\r
1108 extern const ssh_cipheralg ssh_aes192_gcm_ni;\r
1109 extern const ssh_cipheralg ssh_aes192_gcm_neon;\r
1110 extern const ssh_cipheralg ssh_aes192_gcm_sw;\r
1111 extern const ssh_cipheralg ssh_aes192_cbc;\r
1112 extern const ssh_cipheralg ssh_aes192_cbc_ni;\r
1113 extern const ssh_cipheralg ssh_aes192_cbc_neon;\r
1114 extern const ssh_cipheralg ssh_aes192_cbc_sw;\r
1115 extern const ssh_cipheralg ssh_aes128_sdctr;\r
1116 extern const ssh_cipheralg ssh_aes128_sdctr_ni;\r
1117 extern const ssh_cipheralg ssh_aes128_sdctr_neon;\r
1118 extern const ssh_cipheralg ssh_aes128_sdctr_sw;\r
1119 extern const ssh_cipheralg ssh_aes128_gcm;\r
1120 extern const ssh_cipheralg ssh_aes128_gcm_ni;\r
1121 extern const ssh_cipheralg ssh_aes128_gcm_neon;\r
1122 extern const ssh_cipheralg ssh_aes128_gcm_sw;\r
1123 extern const ssh_cipheralg ssh_aes128_cbc;\r
1124 extern const ssh_cipheralg ssh_aes128_cbc_ni;\r
1125 extern const ssh_cipheralg ssh_aes128_cbc_neon;\r
1126 extern const ssh_cipheralg ssh_aes128_cbc_sw;\r
1127 extern const ssh_cipheralg ssh_blowfish_ssh2_ctr;\r
1128 extern const ssh_cipheralg ssh_blowfish_ssh2;\r
1129 extern const ssh_cipheralg ssh_arcfour256_ssh2;\r
1130 extern const ssh_cipheralg ssh_arcfour128_ssh2;\r
1131 extern const ssh_cipheralg ssh2_chacha20_poly1305;\r
1132 extern const ssh2_ciphers ssh2_3des;\r
1133 extern const ssh2_ciphers ssh2_des;\r
1134 extern const ssh2_ciphers ssh2_aes;\r
1135 extern const ssh2_ciphers ssh2_blowfish;\r
1136 extern const ssh2_ciphers ssh2_arcfour;\r
1137 extern const ssh2_ciphers ssh2_ccp;\r
1138 extern const ssh2_ciphers ssh2_aesgcm;\r
1139 extern const ssh_hashalg ssh_md5;\r
1140 extern const ssh_hashalg ssh_sha1;\r
1141 extern const ssh_hashalg ssh_sha1_ni;\r
1142 extern const ssh_hashalg ssh_sha1_neon;\r
1143 extern const ssh_hashalg ssh_sha1_sw;\r
1144 extern const ssh_hashalg ssh_sha256;\r
1145 extern const ssh_hashalg ssh_sha256_ni;\r
1146 extern const ssh_hashalg ssh_sha256_neon;\r
1147 extern const ssh_hashalg ssh_sha256_sw;\r
1148 extern const ssh_hashalg ssh_sha384;\r
1149 extern const ssh_hashalg ssh_sha384_neon;\r
1150 extern const ssh_hashalg ssh_sha384_sw;\r
1151 extern const ssh_hashalg ssh_sha512;\r
1152 extern const ssh_hashalg ssh_sha512_neon;\r
1153 extern const ssh_hashalg ssh_sha512_sw;\r
1154 extern const ssh_hashalg ssh_sha3_224;\r
1155 extern const ssh_hashalg ssh_sha3_256;\r
1156 extern const ssh_hashalg ssh_sha3_384;\r
1157 extern const ssh_hashalg ssh_sha3_512;\r
1158 extern const ssh_hashalg ssh_shake256_114bytes;\r
1159 extern const ssh_hashalg ssh_blake2b;\r
1160 extern const ssh_kexes ssh_diffiehellman_group1;\r
1161 extern const ssh_kexes ssh_diffiehellman_group14;\r
1162 extern const ssh_kexes ssh_diffiehellman_group15;\r
1163 extern const ssh_kexes ssh_diffiehellman_group16;\r
1164 extern const ssh_kexes ssh_diffiehellman_group17;\r
1165 extern const ssh_kexes ssh_diffiehellman_group18;\r
1166 extern const ssh_kexes ssh_diffiehellman_gex;\r
1167 extern const ssh_kex ssh_diffiehellman_group1_sha1;\r
1168 extern const ssh_kex ssh_diffiehellman_group14_sha256;\r
1169 extern const ssh_kex ssh_diffiehellman_group14_sha1;\r
1170 extern const ssh_kex ssh_diffiehellman_group15_sha512;\r
1171 extern const ssh_kex ssh_diffiehellman_group16_sha512;\r
1172 extern const ssh_kex ssh_diffiehellman_group17_sha512;\r
1173 extern const ssh_kex ssh_diffiehellman_group18_sha512;\r
1174 extern const ssh_kexes ssh_gssk5_sha1_kex;\r
1175 extern const ssh_kexes ssh_gssk5_sha2_kex;\r
1176 extern const ssh_kexes ssh_gssk5_ecdh_kex;\r
1177 extern const ssh_kexes ssh_rsa_kex;\r
1178 extern const ssh_kex ssh_ec_kex_curve25519;\r
1179 extern const ssh_kex ssh_ec_kex_curve448;\r
1180 extern const ssh_kex ssh_ec_kex_nistp256;\r
1181 extern const ssh_kex ssh_ec_kex_nistp384;\r
1182 extern const ssh_kex ssh_ec_kex_nistp521;\r
1183 extern const ssh_kexes ssh_ecdh_kex;\r
1184 extern const ssh_kexes ssh_ntru_hybrid_kex;\r
1185 extern const ssh_keyalg ssh_dsa;\r
1186 extern const ssh_keyalg ssh_rsa;\r
1187 extern const ssh_keyalg ssh_rsa_sha256;\r
1188 extern const ssh_keyalg ssh_rsa_sha512;\r
1189 extern const ssh_keyalg ssh_ecdsa_ed25519;\r
1190 extern const ssh_keyalg ssh_ecdsa_ed448;\r
1191 extern const ssh_keyalg ssh_ecdsa_nistp256;\r
1192 extern const ssh_keyalg ssh_ecdsa_nistp384;\r
1193 extern const ssh_keyalg ssh_ecdsa_nistp521;\r
1194 extern const ssh_keyalg opensshcert_ssh_dsa;\r
1195 extern const ssh_keyalg opensshcert_ssh_rsa;\r
1196 extern const ssh_keyalg opensshcert_ssh_rsa_sha256;\r
1197 extern const ssh_keyalg opensshcert_ssh_rsa_sha512;\r
1198 extern const ssh_keyalg opensshcert_ssh_ecdsa_ed25519;\r
1199 extern const ssh_keyalg opensshcert_ssh_ecdsa_nistp256;\r
1200 extern const ssh_keyalg opensshcert_ssh_ecdsa_nistp384;\r
1201 extern const ssh_keyalg opensshcert_ssh_ecdsa_nistp521;\r
1202 extern const ssh2_macalg ssh_hmac_md5;\r
1203 extern const ssh2_macalg ssh_hmac_sha1;\r
1204 extern const ssh2_macalg ssh_hmac_sha1_buggy;\r
1205 extern const ssh2_macalg ssh_hmac_sha1_96;\r
1206 extern const ssh2_macalg ssh_hmac_sha1_96_buggy;\r
1207 extern const ssh2_macalg ssh_hmac_sha256;\r
1208 extern const ssh2_macalg ssh_hmac_sha512;\r
1209 extern const ssh2_macalg ssh2_poly1305;\r
1210 extern const ssh2_macalg ssh2_aesgcm_mac;\r
1211 extern const ssh2_macalg ssh2_aesgcm_mac_sw;\r
1212 extern const ssh2_macalg ssh2_aesgcm_mac_ref_poly;\r
1213 extern const ssh2_macalg ssh2_aesgcm_mac_clmul;\r
1214 extern const ssh2_macalg ssh2_aesgcm_mac_neon;\r
1215 extern const ssh_compression_alg ssh_zlib;\r
1216 \r
1217 /* Special constructor: BLAKE2b can be instantiated with any hash\r
1218 * length up to 128 bytes */\r
1219 ssh_hash *blake2b_new_general(unsigned hashlen);\r
1220 \r
1221 /* Special test function for AES-GCM */\r
1222 void aesgcm_set_prefix_lengths(ssh2_mac *mac, size_t skip, size_t aad);\r
1223 \r
1224 /*\r
1225 * On some systems, you have to detect hardware crypto acceleration by\r
1226 * asking the local OS API rather than OS-agnostically asking the CPU\r
1227 * itself. If so, then this function should be implemented in each\r
1228 * platform subdirectory.\r
1229 */\r
1230 bool platform_aes_neon_available(void);\r
1231 bool platform_pmull_neon_available(void);\r
1232 bool platform_sha256_neon_available(void);\r
1233 bool platform_sha1_neon_available(void);\r
1234 bool platform_sha512_neon_available(void);\r
1235 \r
1236 /*\r
1237 * PuTTY version number formatted as an SSH version string.\r
1238 */\r
1239 extern const char sshver[];\r
1240 \r
1241 /*\r
1242 * Gross hack: pscp will try to start SFTP but fall back to scp1 if\r
1243 * that fails. This variable is the means by which pscp.c can reach\r
1244 * into the SSH code and find out which one it got.\r
1245 */\r
1246 extern bool ssh_fallback_cmd(Backend *backend);\r
1247 \r
1248 /*\r
1249 * The PRNG type, defined in prng.c. Visible data fields are\r
1250 * 'savesize', which suggests how many random bytes you should request\r
1251 * from a particular PRNG instance to write to putty.rnd, and a\r
1252 * BinarySink implementation which you can use to write seed data in\r
1253 * between calling prng_seed_{begin,finish}.\r
1254 */\r
1255 struct prng {\r
1256 size_t savesize;\r
1257 BinarySink_IMPLEMENTATION;\r
1258 /* (also there's a surrounding implementation struct in prng.c) */\r
1259 };\r
1260 prng *prng_new(const ssh_hashalg *hashalg);\r
1261 void prng_free(prng *p);\r
1262 void prng_seed_begin(prng *p);\r
1263 void prng_seed_finish(prng *p);\r
1264 void prng_read(prng *p, void *vout, size_t size);\r
1265 void prng_add_entropy(prng *p, unsigned source_id, ptrlen data);\r
1266 size_t prng_seed_bits(prng *p);\r
1267 \r
1268 /* This function must be implemented by the platform, and returns a\r
1269 * timer in milliseconds that the PRNG can use to know whether it's\r
1270 * been reseeded too recently to do it again.\r
1271 *\r
1272 * The PRNG system has its own special timing function not because its\r
1273 * timing needs are unusual in the real applications, but simply so\r
1274 * that testcrypt can mock it to keep the tests deterministic. */\r
1275 uint64_t prng_reseed_time_ms(void);\r
1276 \r
1277 void random_read(void *out, size_t size);\r
1278 \r
1279 /* Exports from x11fwd.c */\r
1280 enum {\r
1281 X11_TRANS_IPV4 = 0, X11_TRANS_IPV6 = 6, X11_TRANS_UNIX = 256\r
1282 };\r
1283 struct X11Display {\r
1284 /* Broken-down components of the display name itself */\r
1285 bool unixdomain;\r
1286 char *hostname;\r
1287 int displaynum;\r
1288 int screennum;\r
1289 /* OSX sometimes replaces all the above with a full Unix-socket pathname */\r
1290 char *unixsocketpath;\r
1291 \r
1292 /* PuTTY networking SockAddr to connect to the display, and associated\r
1293 * gubbins */\r
1294 SockAddr *addr;\r
1295 int port;\r
1296 char *realhost;\r
1297 \r
1298 /* Our local auth details for talking to the real X display. */\r
1299 int localauthproto;\r
1300 unsigned char *localauthdata;\r
1301 int localauthdatalen;\r
1302 };\r
1303 struct X11FakeAuth {\r
1304 /* Auth details we invented for a virtual display on the SSH server. */\r
1305 int proto;\r
1306 unsigned char *data;\r
1307 int datalen;\r
1308 char *protoname;\r
1309 char *datastring;\r
1310 \r
1311 /* The encrypted form of the first block, in XDM-AUTHORIZATION-1.\r
1312 * Used as part of the key when these structures are organised\r
1313 * into a tree. See x11_invent_fake_auth for explanation. */\r
1314 unsigned char *xa1_firstblock;\r
1315 \r
1316 /*\r
1317 * Used inside x11fwd.c to remember recently seen\r
1318 * XDM-AUTHORIZATION-1 strings, to avoid replay attacks.\r
1319 */\r
1320 tree234 *xdmseen;\r
1321 \r
1322 /*\r
1323 * What to do with an X connection matching this auth data.\r
1324 */\r
1325 struct X11Display *disp;\r
1326 ssh_sharing_connstate *share_cs;\r
1327 share_channel *share_chan;\r
1328 };\r
1329 int x11_authcmp(void *av, void *bv); /* for putting X11FakeAuth in a tree234 */\r
1330 /*\r
1331 * x11_setup_display() parses the display variable and fills in an\r
1332 * X11Display structure. Some remote auth details are invented;\r
1333 * the supplied authtype parameter configures the preferred\r
1334 * authorisation protocol to use at the remote end. The local auth\r
1335 * details are looked up by calling platform_get_x11_auth.\r
1336 *\r
1337 * If the returned pointer is NULL, then *error_msg will contain a\r
1338 * dynamically allocated error message string.\r
1339 */\r
1340 extern struct X11Display *x11_setup_display(const char *display, Conf *,\r
1341 char **error_msg);\r
1342 void x11_free_display(struct X11Display *disp);\r
1343 struct X11FakeAuth *x11_invent_fake_auth(tree234 *t, int authtype);\r
1344 void x11_free_fake_auth(struct X11FakeAuth *auth);\r
1345 Channel *x11_new_channel(tree234 *authtree, SshChannel *c,\r
1346 const char *peeraddr, int peerport,\r
1347 bool connection_sharing_possible);\r
1348 char *x11_display(const char *display);\r
1349 /* Platform-dependent X11 functions */\r
1350 extern void platform_get_x11_auth(struct X11Display *display, Conf *);\r
1351 /* examine a mostly-filled-in X11Display and fill in localauth* */\r
1352 extern const bool platform_uses_x11_unix_by_default;\r
1353 /* choose default X transport in the absence of a specified one */\r
1354 SockAddr *platform_get_x11_unix_address(const char *path, int displaynum);\r
1355 /* make up a SockAddr naming the address for displaynum */\r
1356 char *platform_get_x_display(void);\r
1357 /* allocated local X display string, if any */\r
1358 /* X11-related helper functions in utils */\r
1359 /*\r
1360 * This function does the job of platform_get_x11_auth, provided\r
1361 * it is told where to find a normally formatted .Xauthority file:\r
1362 * it opens that file, parses it to find an auth record which\r
1363 * matches the display details in "display", and fills in the\r
1364 * localauth fields.\r
1365 *\r
1366 * It is expected that most implementations of\r
1367 * platform_get_x11_auth() will work by finding their system's\r
1368 * .Xauthority file, adjusting the display details if necessary\r
1369 * for local oddities like Unix-domain socket transport, and\r
1370 * calling this function to do the rest of the work.\r
1371 */\r
1372 void x11_get_auth_from_authfile(struct X11Display *display,\r
1373 const char *authfilename);\r
1374 void x11_format_auth_for_authfile(\r
1375 BinarySink *bs, SockAddr *addr, int display_no,\r
1376 ptrlen authproto, ptrlen authdata);\r
1377 void *x11_make_greeting(int endian, int protomajor, int protominor,\r
1378 int auth_proto, const void *auth_data, int auth_len,\r
1379 const char *peer_ip, int peer_port,\r
1380 int *outlen);\r
1381 int x11_identify_auth_proto(ptrlen protoname);\r
1382 void *x11_dehexify(ptrlen hex, int *outlen);\r
1383 bool x11_parse_ip(const char *addr_string, unsigned long *ip);\r
1384 \r
1385 Channel *agentf_new(SshChannel *c);\r
1386 \r
1387 bool dh_is_gex(const ssh_kex *kex);\r
1388 dh_ctx *dh_setup_group(const ssh_kex *kex);\r
1389 dh_ctx *dh_setup_gex(mp_int *pval, mp_int *gval);\r
1390 int dh_modulus_bit_size(const dh_ctx *ctx);\r
1391 void dh_cleanup(dh_ctx *);\r
1392 mp_int *dh_create_e(dh_ctx *);\r
1393 const char *dh_validate_f(dh_ctx *, mp_int *f);\r
1394 mp_int *dh_find_K(dh_ctx *, mp_int *f);\r
1395 \r
1396 static inline bool is_base64_char(char c)\r
1397 {\r
1398 return ((c >= '0' && c <= '9') ||\r
1399 (c >= 'a' && c <= 'z') ||\r
1400 (c >= 'A' && c <= 'Z') ||\r
1401 c == '+' || c == '/' || c == '=');\r
1402 }\r
1403 \r
1404 extern int base64_lines(int datalen);\r
1405 \r
1406 /* ppk_load_* can return this as an error */\r
1407 extern ssh2_userkey ssh2_wrong_passphrase;\r
1408 #define SSH2_WRONG_PASSPHRASE (&ssh2_wrong_passphrase)\r
1409 \r
1410 bool ppk_encrypted_s(BinarySource *src, char **comment);\r
1411 bool ppk_encrypted_f(const Filename *filename, char **comment);\r
1412 bool rsa1_encrypted_s(BinarySource *src, char **comment);\r
1413 bool rsa1_encrypted_f(const Filename *filename, char **comment);\r
1414 \r
1415 ssh2_userkey *ppk_load_s(BinarySource *src, const char *passphrase,\r
1416 const char **errorstr);\r
1417 ssh2_userkey *ppk_load_f(const Filename *filename, const char *passphrase,\r
1418 const char **errorstr);\r
1419 int rsa1_load_s(BinarySource *src, RSAKey *key,\r
1420 const char *passphrase, const char **errorstr);\r
1421 int rsa1_load_f(const Filename *filename, RSAKey *key,\r
1422 const char *passphrase, const char **errorstr);\r
1423 \r
1424 typedef struct ppk_save_parameters {\r
1425 unsigned fmt_version; /* currently 2 or 3 */\r
1426 \r
1427 /*\r
1428 * Parameters for fmt_version == 3\r
1429 */\r
1430 Argon2Flavour argon2_flavour;\r
1431 uint32_t argon2_mem; /* in Kbyte */\r
1432 bool argon2_passes_auto;\r
1433 union {\r
1434 uint32_t argon2_passes; /* if auto == false */\r
1435 uint32_t argon2_milliseconds; /* if auto == true */\r
1436 };\r
1437 uint32_t argon2_parallelism;\r
1438 \r
1439 /* The ability to choose a specific salt is only intended for the\r
1440 * use of the automated test of PuTTYgen. It's a (mild) security\r
1441 * risk to do it with any passphrase you actually care about,\r
1442 * because it invalidates the entire point of having a salt in the\r
1443 * first place. */\r
1444 const uint8_t *salt;\r
1445 size_t saltlen;\r
1446 } ppk_save_parameters;\r
1447 extern const ppk_save_parameters ppk_save_default_parameters;\r
1448 \r
1449 strbuf *ppk_save_sb(ssh2_userkey *key, const char *passphrase,\r
1450 const ppk_save_parameters *params);\r
1451 bool ppk_save_f(const Filename *filename, ssh2_userkey *key,\r
1452 const char *passphrase, const ppk_save_parameters *params);\r
1453 strbuf *rsa1_save_sb(RSAKey *key, const char *passphrase);\r
1454 bool rsa1_save_f(const Filename *filename, RSAKey *key,\r
1455 const char *passphrase);\r
1456 \r
1457 bool ppk_loadpub_s(BinarySource *src, char **algorithm, BinarySink *bs,\r
1458 char **commentptr, const char **errorstr);\r
1459 bool ppk_loadpub_f(const Filename *filename, char **algorithm, BinarySink *bs,\r
1460 char **commentptr, const char **errorstr);\r
1461 int rsa1_loadpub_s(BinarySource *src, BinarySink *bs,\r
1462 char **commentptr, const char **errorstr);\r
1463 int rsa1_loadpub_f(const Filename *filename, BinarySink *bs,\r
1464 char **commentptr, const char **errorstr);\r
1465 \r
1466 extern const ssh_keyalg *const all_keyalgs[];\r
1467 extern const size_t n_keyalgs;\r
1468 const ssh_keyalg *find_pubkey_alg(const char *name);\r
1469 const ssh_keyalg *find_pubkey_alg_len(ptrlen name);\r
1470 \r
1471 ptrlen pubkey_blob_to_alg_name(ptrlen blob);\r
1472 const ssh_keyalg *pubkey_blob_to_alg(ptrlen blob);\r
1473 \r
1474 /* Convenient wrappers on the LoadedFile mechanism suitable for key files */\r
1475 LoadedFile *lf_load_keyfile(const Filename *filename, const char **errptr);\r
1476 LoadedFile *lf_load_keyfile_fp(FILE *fp, const char **errptr);\r
1477 \r
1478 enum {\r
1479 SSH_KEYTYPE_UNOPENABLE,\r
1480 SSH_KEYTYPE_UNKNOWN,\r
1481 SSH_KEYTYPE_SSH1, SSH_KEYTYPE_SSH2,\r
1482 /*\r
1483 * The OpenSSH key types deserve a little explanation. OpenSSH has\r
1484 * two physical formats for private key storage: an old PEM-based\r
1485 * one largely dictated by their use of OpenSSL and full of ASN.1,\r
1486 * and a new one using the same private key formats used over the\r
1487 * wire for talking to ssh-agent. The old format can only support\r
1488 * a subset of the key types, because it needs redesign for each\r
1489 * key type, and after a while they decided to move to the new\r
1490 * format so as not to have to do that.\r
1491 *\r
1492 * On input, key files are identified as either\r
1493 * SSH_KEYTYPE_OPENSSH_PEM or SSH_KEYTYPE_OPENSSH_NEW, describing\r
1494 * accurately which actual format the keys are stored in.\r
1495 *\r
1496 * On output, however, we default to following OpenSSH's own\r
1497 * policy of writing out PEM-style keys for maximum backwards\r
1498 * compatibility if the key type supports it, and otherwise\r
1499 * switching to the new format. So the formats you can select for\r
1500 * output are SSH_KEYTYPE_OPENSSH_NEW (forcing the new format for\r
1501 * any key type), and SSH_KEYTYPE_OPENSSH_AUTO to use the oldest\r
1502 * format supported by whatever key type you're writing out.\r
1503 *\r
1504 * So we have three type codes, but only two of them usable in any\r
1505 * given circumstance. An input key file will never be identified\r
1506 * as AUTO, only PEM or NEW; key export UIs should not be able to\r
1507 * select PEM, only AUTO or NEW.\r
1508 */\r
1509 SSH_KEYTYPE_OPENSSH_AUTO,\r
1510 SSH_KEYTYPE_OPENSSH_PEM,\r
1511 SSH_KEYTYPE_OPENSSH_NEW,\r
1512 SSH_KEYTYPE_SSHCOM,\r
1513 /*\r
1514 * Public-key-only formats, which we still want to be able to read\r
1515 * for various purposes.\r
1516 */\r
1517 SSH_KEYTYPE_SSH1_PUBLIC,\r
1518 SSH_KEYTYPE_SSH2_PUBLIC_RFC4716,\r
1519 SSH_KEYTYPE_SSH2_PUBLIC_OPENSSH\r
1520 };\r
1521 \r
1522 typedef enum {\r
1523 /* Default fingerprint types strip off a certificate to show you\r
1524 * the fingerprint of the underlying public key */\r
1525 SSH_FPTYPE_MD5,\r
1526 SSH_FPTYPE_SHA256,\r
1527 /* Non-default version of each fingerprint type which is 'raw',\r
1528 * giving you the true hash of the public key blob even if it\r
1529 * includes a certificate */\r
1530 SSH_FPTYPE_MD5_CERT,\r
1531 SSH_FPTYPE_SHA256_CERT,\r
1532 } FingerprintType;\r
1533 \r
1534 static inline bool ssh_fptype_is_cert(FingerprintType fptype)\r
1535 {\r
1536 return fptype >= SSH_FPTYPE_MD5_CERT;\r
1537 }\r
1538 static inline FingerprintType ssh_fptype_from_cert(FingerprintType fptype)\r
1539 {\r
1540 if (ssh_fptype_is_cert(fptype))\r
1541 fptype -= (SSH_FPTYPE_MD5_CERT - SSH_FPTYPE_MD5);\r
1542 return fptype;\r
1543 }\r
1544 static inline FingerprintType ssh_fptype_to_cert(FingerprintType fptype)\r
1545 {\r
1546 if (!ssh_fptype_is_cert(fptype))\r
1547 fptype += (SSH_FPTYPE_MD5_CERT - SSH_FPTYPE_MD5);\r
1548 return fptype;\r
1549 }\r
1550 \r
1551 #define SSH_N_FPTYPES (SSH_FPTYPE_SHA256_CERT + 1)\r
1552 #define SSH_FPTYPE_DEFAULT SSH_FPTYPE_SHA256\r
1553 \r
1554 FingerprintType ssh2_pick_fingerprint(char **fingerprints,\r
1555 FingerprintType preferred_type);\r
1556 FingerprintType ssh2_pick_default_fingerprint(char **fingerprints);\r
1557 \r
1558 char *ssh1_pubkey_str(RSAKey *ssh1key);\r
1559 void ssh1_write_pubkey(FILE *fp, RSAKey *ssh1key);\r
1560 char *ssh2_pubkey_openssh_str(ssh2_userkey *key);\r
1561 void ssh2_write_pubkey(FILE *fp, const char *comment,\r
1562 const void *v_pub_blob, int pub_len,\r
1563 int keytype);\r
1564 char *ssh2_fingerprint_blob(ptrlen, FingerprintType);\r
1565 char *ssh2_fingerprint(ssh_key *key, FingerprintType);\r
1566 char *ssh2_double_fingerprint_blob(ptrlen, FingerprintType);\r
1567 char *ssh2_double_fingerprint(ssh_key *key, FingerprintType);\r
1568 char **ssh2_all_fingerprints_for_blob(ptrlen);\r
1569 char **ssh2_all_fingerprints(ssh_key *key);\r
1570 void ssh2_free_all_fingerprints(char **);\r
1571 int key_type(const Filename *filename);\r
1572 int key_type_s(BinarySource *src);\r
1573 const char *key_type_to_str(int type);\r
1574 \r
1575 bool import_possible(int type);\r
1576 int import_target_type(int type);\r
1577 bool import_encrypted(const Filename *filename, int type, char **comment);\r
1578 bool import_encrypted_s(const Filename *filename, BinarySource *src,\r
1579 int type, char **comment);\r
1580 int import_ssh1(const Filename *filename, int type,\r
1581 RSAKey *key, char *passphrase, const char **errmsg_p);\r
1582 int import_ssh1_s(BinarySource *src, int type,\r
1583 RSAKey *key, char *passphrase, const char **errmsg_p);\r
1584 ssh2_userkey *import_ssh2(const Filename *filename, int type,\r
1585 char *passphrase, const char **errmsg_p);\r
1586 ssh2_userkey *import_ssh2_s(BinarySource *src, int type,\r
1587 char *passphrase, const char **errmsg_p);\r
1588 bool export_ssh1(const Filename *filename, int type,\r
1589 RSAKey *key, char *passphrase);\r
1590 bool export_ssh2(const Filename *filename, int type,\r
1591 ssh2_userkey *key, char *passphrase);\r
1592 \r
1593 void des3_decrypt_pubkey(const void *key, void *blk, int len);\r
1594 void des3_encrypt_pubkey(const void *key, void *blk, int len);\r
1595 void des3_decrypt_pubkey_ossh(const void *key, const void *iv,\r
1596 void *blk, int len);\r
1597 void des3_encrypt_pubkey_ossh(const void *key, const void *iv,\r
1598 void *blk, int len);\r
1599 void aes256_encrypt_pubkey(const void *key, const void *iv,\r
1600 void *blk, int len);\r
1601 void aes256_decrypt_pubkey(const void *key, const void *iv,\r
1602 void *blk, int len);\r
1603 \r
1604 void des_encrypt_xdmauth(const void *key, void *blk, int len);\r
1605 void des_decrypt_xdmauth(const void *key, void *blk, int len);\r
1606 \r
1607 void openssh_bcrypt(ptrlen passphrase, ptrlen salt,\r
1608 int rounds, unsigned char *out, int outbytes);\r
1609 \r
1610 /*\r
1611 * Connection-sharing API provided by platforms. This function must\r
1612 * either:\r
1613 * - return SHARE_NONE and do nothing\r
1614 * - return SHARE_DOWNSTREAM and set *sock to a Socket connected to\r
1615 * downplug\r
1616 * - return SHARE_UPSTREAM and set *sock to a Socket connected to\r
1617 * upplug.\r
1618 */\r
1619 enum { SHARE_NONE, SHARE_DOWNSTREAM, SHARE_UPSTREAM };\r
1620 int platform_ssh_share(const char *name, Conf *conf,\r
1621 Plug *downplug, Plug *upplug, Socket **sock,\r
1622 char **logtext, char **ds_err, char **us_err,\r
1623 bool can_upstream, bool can_downstream);\r
1624 void platform_ssh_share_cleanup(const char *name);\r
1625 \r
1626 /*\r
1627 * List macro defining the SSH-1 message type codes.\r
1628 */\r
1629 #define SSH1_MESSAGE_TYPES(X, y) \\r
1630 X(y, SSH1_MSG_DISCONNECT, 1) \\r
1631 X(y, SSH1_SMSG_PUBLIC_KEY, 2) \\r
1632 X(y, SSH1_CMSG_SESSION_KEY, 3) \\r
1633 X(y, SSH1_CMSG_USER, 4) \\r
1634 X(y, SSH1_CMSG_AUTH_RSA, 6) \\r
1635 X(y, SSH1_SMSG_AUTH_RSA_CHALLENGE, 7) \\r
1636 X(y, SSH1_CMSG_AUTH_RSA_RESPONSE, 8) \\r
1637 X(y, SSH1_CMSG_AUTH_PASSWORD, 9) \\r
1638 X(y, SSH1_CMSG_REQUEST_PTY, 10) \\r
1639 X(y, SSH1_CMSG_WINDOW_SIZE, 11) \\r
1640 X(y, SSH1_CMSG_EXEC_SHELL, 12) \\r
1641 X(y, SSH1_CMSG_EXEC_CMD, 13) \\r
1642 X(y, SSH1_SMSG_SUCCESS, 14) \\r
1643 X(y, SSH1_SMSG_FAILURE, 15) \\r
1644 X(y, SSH1_CMSG_STDIN_DATA, 16) \\r
1645 X(y, SSH1_SMSG_STDOUT_DATA, 17) \\r
1646 X(y, SSH1_SMSG_STDERR_DATA, 18) \\r
1647 X(y, SSH1_CMSG_EOF, 19) \\r
1648 X(y, SSH1_SMSG_EXIT_STATUS, 20) \\r
1649 X(y, SSH1_MSG_CHANNEL_OPEN_CONFIRMATION, 21) \\r
1650 X(y, SSH1_MSG_CHANNEL_OPEN_FAILURE, 22) \\r
1651 X(y, SSH1_MSG_CHANNEL_DATA, 23) \\r
1652 X(y, SSH1_MSG_CHANNEL_CLOSE, 24) \\r
1653 X(y, SSH1_MSG_CHANNEL_CLOSE_CONFIRMATION, 25) \\r
1654 X(y, SSH1_SMSG_X11_OPEN, 27) \\r
1655 X(y, SSH1_CMSG_PORT_FORWARD_REQUEST, 28) \\r
1656 X(y, SSH1_MSG_PORT_OPEN, 29) \\r
1657 X(y, SSH1_CMSG_AGENT_REQUEST_FORWARDING, 30) \\r
1658 X(y, SSH1_SMSG_AGENT_OPEN, 31) \\r
1659 X(y, SSH1_MSG_IGNORE, 32) \\r
1660 X(y, SSH1_CMSG_EXIT_CONFIRMATION, 33) \\r
1661 X(y, SSH1_CMSG_X11_REQUEST_FORWARDING, 34) \\r
1662 X(y, SSH1_CMSG_AUTH_RHOSTS_RSA, 35) \\r
1663 X(y, SSH1_MSG_DEBUG, 36) \\r
1664 X(y, SSH1_CMSG_REQUEST_COMPRESSION, 37) \\r
1665 X(y, SSH1_CMSG_AUTH_TIS, 39) \\r
1666 X(y, SSH1_SMSG_AUTH_TIS_CHALLENGE, 40) \\r
1667 X(y, SSH1_CMSG_AUTH_TIS_RESPONSE, 41) \\r
1668 X(y, SSH1_CMSG_AUTH_CCARD, 70) \\r
1669 X(y, SSH1_SMSG_AUTH_CCARD_CHALLENGE, 71) \\r
1670 X(y, SSH1_CMSG_AUTH_CCARD_RESPONSE, 72) \\r
1671 /* end of list */\r
1672 \r
1673 #define SSH1_AUTH_RHOSTS 1 /* 0x1 */\r
1674 #define SSH1_AUTH_RSA 2 /* 0x2 */\r
1675 #define SSH1_AUTH_PASSWORD 3 /* 0x3 */\r
1676 #define SSH1_AUTH_RHOSTS_RSA 4 /* 0x4 */\r
1677 #define SSH1_AUTH_TIS 5 /* 0x5 */\r
1678 #define SSH1_AUTH_CCARD 16 /* 0x10 */\r
1679 \r
1680 #define SSH1_PROTOFLAG_SCREEN_NUMBER 1 /* 0x1 */\r
1681 /* Mask for protoflags we will echo back to server if seen */\r
1682 #define SSH1_PROTOFLAGS_SUPPORTED 0 /* 0x1 */\r
1683 \r
1684 /*\r
1685 * List macro defining SSH-2 message type codes. Some of these depend\r
1686 * on particular contexts (i.e. a previously negotiated kex or auth\r
1687 * method)\r
1688 */\r
1689 #define SSH2_MESSAGE_TYPES(X, K, A, y) \\r
1690 X(y, SSH2_MSG_DISCONNECT, 1) \\r
1691 X(y, SSH2_MSG_IGNORE, 2) \\r
1692 X(y, SSH2_MSG_UNIMPLEMENTED, 3) \\r
1693 X(y, SSH2_MSG_DEBUG, 4) \\r
1694 X(y, SSH2_MSG_SERVICE_REQUEST, 5) \\r
1695 X(y, SSH2_MSG_SERVICE_ACCEPT, 6) \\r
1696 X(y, SSH2_MSG_EXT_INFO, 7) \\r
1697 X(y, SSH2_MSG_KEXINIT, 20) \\r
1698 X(y, SSH2_MSG_NEWKEYS, 21) \\r
1699 K(y, SSH2_MSG_KEXDH_INIT, 30, SSH2_PKTCTX_DHGROUP) \\r
1700 K(y, SSH2_MSG_KEXDH_REPLY, 31, SSH2_PKTCTX_DHGROUP) \\r
1701 K(y, SSH2_MSG_KEX_DH_GEX_REQUEST_OLD, 30, SSH2_PKTCTX_DHGEX) \\r
1702 K(y, SSH2_MSG_KEX_DH_GEX_REQUEST, 34, SSH2_PKTCTX_DHGEX) \\r
1703 K(y, SSH2_MSG_KEX_DH_GEX_GROUP, 31, SSH2_PKTCTX_DHGEX) \\r
1704 K(y, SSH2_MSG_KEX_DH_GEX_INIT, 32, SSH2_PKTCTX_DHGEX) \\r
1705 K(y, SSH2_MSG_KEX_DH_GEX_REPLY, 33, SSH2_PKTCTX_DHGEX) \\r
1706 K(y, SSH2_MSG_KEXGSS_INIT, 30, SSH2_PKTCTX_GSSKEX) \\r
1707 K(y, SSH2_MSG_KEXGSS_CONTINUE, 31, SSH2_PKTCTX_GSSKEX) \\r
1708 K(y, SSH2_MSG_KEXGSS_COMPLETE, 32, SSH2_PKTCTX_GSSKEX) \\r
1709 K(y, SSH2_MSG_KEXGSS_HOSTKEY, 33, SSH2_PKTCTX_GSSKEX) \\r
1710 K(y, SSH2_MSG_KEXGSS_ERROR, 34, SSH2_PKTCTX_GSSKEX) \\r
1711 K(y, SSH2_MSG_KEXGSS_GROUPREQ, 40, SSH2_PKTCTX_GSSKEX) \\r
1712 K(y, SSH2_MSG_KEXGSS_GROUP, 41, SSH2_PKTCTX_GSSKEX) \\r
1713 K(y, SSH2_MSG_KEXRSA_PUBKEY, 30, SSH2_PKTCTX_RSAKEX) \\r
1714 K(y, SSH2_MSG_KEXRSA_SECRET, 31, SSH2_PKTCTX_RSAKEX) \\r
1715 K(y, SSH2_MSG_KEXRSA_DONE, 32, SSH2_PKTCTX_RSAKEX) \\r
1716 K(y, SSH2_MSG_KEX_ECDH_INIT, 30, SSH2_PKTCTX_ECDHKEX) \\r
1717 K(y, SSH2_MSG_KEX_ECDH_REPLY, 31, SSH2_PKTCTX_ECDHKEX) \\r
1718 X(y, SSH2_MSG_USERAUTH_REQUEST, 50) \\r
1719 X(y, SSH2_MSG_USERAUTH_FAILURE, 51) \\r
1720 X(y, SSH2_MSG_USERAUTH_SUCCESS, 52) \\r
1721 X(y, SSH2_MSG_USERAUTH_BANNER, 53) \\r
1722 A(y, SSH2_MSG_USERAUTH_PK_OK, 60, SSH2_PKTCTX_PUBLICKEY) \\r
1723 A(y, SSH2_MSG_USERAUTH_PASSWD_CHANGEREQ, 60, SSH2_PKTCTX_PASSWORD) \\r
1724 A(y, SSH2_MSG_USERAUTH_INFO_REQUEST, 60, SSH2_PKTCTX_KBDINTER) \\r
1725 A(y, SSH2_MSG_USERAUTH_INFO_RESPONSE, 61, SSH2_PKTCTX_KBDINTER) \\r
1726 A(y, SSH2_MSG_USERAUTH_GSSAPI_RESPONSE, 60, SSH2_PKTCTX_GSSAPI) \\r
1727 A(y, SSH2_MSG_USERAUTH_GSSAPI_TOKEN, 61, SSH2_PKTCTX_GSSAPI) \\r
1728 A(y, SSH2_MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE, 63, SSH2_PKTCTX_GSSAPI) \\r
1729 A(y, SSH2_MSG_USERAUTH_GSSAPI_ERROR, 64, SSH2_PKTCTX_GSSAPI) \\r
1730 A(y, SSH2_MSG_USERAUTH_GSSAPI_ERRTOK, 65, SSH2_PKTCTX_GSSAPI) \\r
1731 A(y, SSH2_MSG_USERAUTH_GSSAPI_MIC, 66, SSH2_PKTCTX_GSSAPI) \\r
1732 X(y, SSH2_MSG_GLOBAL_REQUEST, 80) \\r
1733 X(y, SSH2_MSG_REQUEST_SUCCESS, 81) \\r
1734 X(y, SSH2_MSG_REQUEST_FAILURE, 82) \\r
1735 X(y, SSH2_MSG_CHANNEL_OPEN, 90) \\r
1736 X(y, SSH2_MSG_CHANNEL_OPEN_CONFIRMATION, 91) \\r
1737 X(y, SSH2_MSG_CHANNEL_OPEN_FAILURE, 92) \\r
1738 X(y, SSH2_MSG_CHANNEL_WINDOW_ADJUST, 93) \\r
1739 X(y, SSH2_MSG_CHANNEL_DATA, 94) \\r
1740 X(y, SSH2_MSG_CHANNEL_EXTENDED_DATA, 95) \\r
1741 X(y, SSH2_MSG_CHANNEL_EOF, 96) \\r
1742 X(y, SSH2_MSG_CHANNEL_CLOSE, 97) \\r
1743 X(y, SSH2_MSG_CHANNEL_REQUEST, 98) \\r
1744 X(y, SSH2_MSG_CHANNEL_SUCCESS, 99) \\r
1745 X(y, SSH2_MSG_CHANNEL_FAILURE, 100) \\r
1746 /* end of list */\r
1747 \r
1748 #define DEF_ENUM_UNIVERSAL(y, name, value) name = value,\r
1749 #define DEF_ENUM_CONTEXTUAL(y, name, value, context) name = value,\r
1750 enum {\r
1751 SSH1_MESSAGE_TYPES(DEF_ENUM_UNIVERSAL, y)\r
1752 SSH2_MESSAGE_TYPES(DEF_ENUM_UNIVERSAL,\r
1753 DEF_ENUM_CONTEXTUAL, DEF_ENUM_CONTEXTUAL, y)\r
1754 /* Virtual packet type, for packets too short to even have a type */\r
1755 SSH_MSG_NO_TYPE_CODE = 256\r
1756 };\r
1757 #undef DEF_ENUM_UNIVERSAL\r
1758 #undef DEF_ENUM_CONTEXTUAL\r
1759 \r
1760 /*\r
1761 * SSH-1 agent messages.\r
1762 */\r
1763 #define SSH1_AGENTC_REQUEST_RSA_IDENTITIES 1\r
1764 #define SSH1_AGENT_RSA_IDENTITIES_ANSWER 2\r
1765 #define SSH1_AGENTC_RSA_CHALLENGE 3\r
1766 #define SSH1_AGENT_RSA_RESPONSE 4\r
1767 #define SSH1_AGENTC_ADD_RSA_IDENTITY 7\r
1768 #define SSH1_AGENTC_REMOVE_RSA_IDENTITY 8\r
1769 #define SSH1_AGENTC_REMOVE_ALL_RSA_IDENTITIES 9 /* openssh private? */\r
1770 \r
1771 /*\r
1772 * Messages common to SSH-1 and OpenSSH's SSH-2.\r
1773 */\r
1774 #define SSH_AGENT_FAILURE 5\r
1775 #define SSH_AGENT_SUCCESS 6\r
1776 \r
1777 /*\r
1778 * OpenSSH's SSH-2 agent messages.\r
1779 */\r
1780 #define SSH2_AGENTC_REQUEST_IDENTITIES 11\r
1781 #define SSH2_AGENT_IDENTITIES_ANSWER 12\r
1782 #define SSH2_AGENTC_SIGN_REQUEST 13\r
1783 #define SSH2_AGENT_SIGN_RESPONSE 14\r
1784 #define SSH2_AGENTC_ADD_IDENTITY 17\r
1785 #define SSH2_AGENTC_REMOVE_IDENTITY 18\r
1786 #define SSH2_AGENTC_REMOVE_ALL_IDENTITIES 19\r
1787 #define SSH2_AGENTC_EXTENSION 27\r
1788 #define SSH_AGENT_EXTENSION_FAILURE 28\r
1789 \r
1790 /*\r
1791 * Assorted other SSH-related enumerations.\r
1792 */\r
1793 #define SSH2_DISCONNECT_HOST_NOT_ALLOWED_TO_CONNECT 1 /* 0x1 */\r
1794 #define SSH2_DISCONNECT_PROTOCOL_ERROR 2 /* 0x2 */\r
1795 #define SSH2_DISCONNECT_KEY_EXCHANGE_FAILED 3 /* 0x3 */\r
1796 #define SSH2_DISCONNECT_HOST_AUTHENTICATION_FAILED 4 /* 0x4 */\r
1797 #define SSH2_DISCONNECT_MAC_ERROR 5 /* 0x5 */\r
1798 #define SSH2_DISCONNECT_COMPRESSION_ERROR 6 /* 0x6 */\r
1799 #define SSH2_DISCONNECT_SERVICE_NOT_AVAILABLE 7 /* 0x7 */\r
1800 #define SSH2_DISCONNECT_PROTOCOL_VERSION_NOT_SUPPORTED 8 /* 0x8 */\r
1801 #define SSH2_DISCONNECT_HOST_KEY_NOT_VERIFIABLE 9 /* 0x9 */\r
1802 #define SSH2_DISCONNECT_CONNECTION_LOST 10 /* 0xa */\r
1803 #define SSH2_DISCONNECT_BY_APPLICATION 11 /* 0xb */\r
1804 #define SSH2_DISCONNECT_TOO_MANY_CONNECTIONS 12 /* 0xc */\r
1805 #define SSH2_DISCONNECT_AUTH_CANCELLED_BY_USER 13 /* 0xd */\r
1806 #define SSH2_DISCONNECT_NO_MORE_AUTH_METHODS_AVAILABLE 14 /* 0xe */\r
1807 #define SSH2_DISCONNECT_ILLEGAL_USER_NAME 15 /* 0xf */\r
1808 \r
1809 #define SSH2_OPEN_ADMINISTRATIVELY_PROHIBITED 1 /* 0x1 */\r
1810 #define SSH2_OPEN_CONNECT_FAILED 2 /* 0x2 */\r
1811 #define SSH2_OPEN_UNKNOWN_CHANNEL_TYPE 3 /* 0x3 */\r
1812 #define SSH2_OPEN_RESOURCE_SHORTAGE 4 /* 0x4 */\r
1813 \r
1814 #define SSH2_EXTENDED_DATA_STDERR 1 /* 0x1 */\r
1815 \r
1816 enum {\r
1817 /* TTY modes with opcodes defined consistently in the SSH specs. */\r
1818 #define TTYMODE_CHAR(name, val, index) SSH_TTYMODE_##name = val,\r
1819 #define TTYMODE_FLAG(name, val, field, mask) SSH_TTYMODE_##name = val,\r
1820 #include "ssh/ttymode-list.h"\r
1821 #undef TTYMODE_CHAR\r
1822 #undef TTYMODE_FLAG\r
1823 \r
1824 /* Modes encoded differently between SSH-1 and SSH-2, for which we\r
1825 * make up our own dummy opcodes to avoid confusion. */\r
1826 TTYMODE_dummy = 255,\r
1827 TTYMODE_ISPEED, TTYMODE_OSPEED,\r
1828 \r
1829 /* Limiting value that we can use as an array bound below */\r
1830 TTYMODE_LIMIT,\r
1831 \r
1832 /* The real opcodes for terminal speeds. */\r
1833 TTYMODE_ISPEED_SSH1 = 192,\r
1834 TTYMODE_OSPEED_SSH1 = 193,\r
1835 TTYMODE_ISPEED_SSH2 = 128,\r
1836 TTYMODE_OSPEED_SSH2 = 129,\r
1837 \r
1838 /* And the opcode that ends a list. */\r
1839 TTYMODE_END_OF_LIST = 0\r
1840 };\r
1841 \r
1842 struct ssh_ttymodes {\r
1843 /* A boolean per mode, indicating whether it's set. */\r
1844 bool have_mode[TTYMODE_LIMIT];\r
1845 \r
1846 /* The actual value for each mode. */\r
1847 unsigned mode_val[TTYMODE_LIMIT];\r
1848 };\r
1849 \r
1850 struct ssh_ttymodes get_ttymodes_from_conf(Seat *seat, Conf *conf);\r
1851 struct ssh_ttymodes read_ttymodes_from_packet(\r
1852 BinarySource *bs, int ssh_version);\r
1853 void write_ttymodes_to_packet(BinarySink *bs, int ssh_version,\r
1854 struct ssh_ttymodes modes);\r
1855 \r
1856 const char *ssh1_pkt_type(int type);\r
1857 const char *ssh2_pkt_type(Pkt_KCtx pkt_kctx, Pkt_ACtx pkt_actx, int type);\r
1858 bool ssh2_pkt_type_code_valid(unsigned type);\r
1859 \r
1860 /*\r
1861 * Need this to warn about support for the original SSH-2 keyfile\r
1862 * format.\r
1863 */\r
1864 void old_keyfile_warning(void);\r
1865 \r
1866 /*\r
1867 * Flags indicating implementation bugs that we know how to mitigate\r
1868 * if we think the other end has them.\r
1869 */\r
1870 #define SSH_IMPL_BUG_LIST(X) \\r
1871 X(BUG_CHOKES_ON_SSH1_IGNORE) \\r
1872 X(BUG_SSH2_HMAC) \\r
1873 X(BUG_NEEDS_SSH1_PLAIN_PASSWORD) \\r
1874 X(BUG_CHOKES_ON_RSA) \\r
1875 X(BUG_SSH2_RSA_PADDING) \\r
1876 X(BUG_SSH2_DERIVEKEY) \\r
1877 X(BUG_SSH2_REKEY) \\r
1878 X(BUG_SSH2_PK_SESSIONID) \\r
1879 X(BUG_SSH2_MAXPKT) \\r
1880 X(BUG_CHOKES_ON_SSH2_IGNORE) \\r
1881 X(BUG_CHOKES_ON_WINADJ) \\r
1882 X(BUG_SENDS_LATE_REQUEST_REPLY) \\r
1883 X(BUG_SSH2_OLDGEX) \\r
1884 X(BUG_REQUIRES_FILTERED_KEXINIT) \\r
1885 X(BUG_RSA_SHA2_CERT_USERAUTH) \\r
1886 /* end of list */\r
1887 #define TMP_DECLARE_LOG2_ENUM(thing) log2_##thing,\r
1888 enum { SSH_IMPL_BUG_LIST(TMP_DECLARE_LOG2_ENUM) };\r
1889 #undef TMP_DECLARE_LOG2_ENUM\r
1890 #define TMP_DECLARE_REAL_ENUM(thing) thing = 1 << log2_##thing,\r
1891 enum { SSH_IMPL_BUG_LIST(TMP_DECLARE_REAL_ENUM) };\r
1892 #undef TMP_DECLARE_REAL_ENUM\r
1893 \r
1894 /* Shared system for allocating local SSH channel ids. Expects to be\r
1895 * passed a tree full of structs that have a field called 'localid' of\r
1896 * type unsigned, and will check that! */\r
1897 unsigned alloc_channel_id_general(tree234 *channels, size_t localid_offset);\r
1898 #define alloc_channel_id(tree, type) \\r
1899 TYPECHECK(&((type *)0)->localid == (unsigned *)0, \\r
1900 alloc_channel_id_general(tree, offsetof(type, localid)))\r
1901 \r
1902 void add_to_commasep(strbuf *buf, const char *data);\r
1903 void add_to_commasep_pl(strbuf *buf, ptrlen data);\r
1904 bool get_commasep_word(ptrlen *list, ptrlen *word);\r
1905 \r
1906 /* Reasons why something warned by confirm_weak_crypto_primitive might\r
1907 * be considered weak */\r
1908 typedef enum WeakCryptoReason {\r
1909 WCR_BELOW_THRESHOLD, /* user has told us to consider it weak */\r
1910 WCR_TERRAPIN, /* known vulnerability CVE-2023-48795 */\r
1911 WCR_TERRAPIN_AVOIDABLE, /* same, but demoting ChaCha20 can avoid it */\r
1912 } WeakCryptoReason;\r
1913 \r
1914 SeatPromptResult verify_ssh_host_key(\r
1915 InteractionReadySeat iseat, Conf *conf, const char *host, int port,\r
1916 ssh_key *key, const char *keytype, char *keystr, const char *keydisp,\r
1917 char **fingerprints, int ca_count,\r
1918 void (*callback)(void *ctx, SeatPromptResult result), void *ctx);\r
1919 SeatPromptResult confirm_weak_crypto_primitive(\r
1920 InteractionReadySeat iseat, const char *algtype, const char *algname,\r
1921 void (*callback)(void *ctx, SeatPromptResult result), void *ctx,\r
1922 WeakCryptoReason wcr);\r
1923 SeatPromptResult confirm_weak_cached_hostkey(\r
1924 InteractionReadySeat iseat, const char *algname, const char **betteralgs,\r
1925 void (*callback)(void *ctx, SeatPromptResult result), void *ctx);\r
1926 \r
1927 typedef struct ssh_transient_hostkey_cache ssh_transient_hostkey_cache;\r
1928 ssh_transient_hostkey_cache *ssh_transient_hostkey_cache_new(void);\r
1929 void ssh_transient_hostkey_cache_free(ssh_transient_hostkey_cache *thc);\r
1930 void ssh_transient_hostkey_cache_add(\r
1931 ssh_transient_hostkey_cache *thc, ssh_key *key);\r
1932 bool ssh_transient_hostkey_cache_verify(\r
1933 ssh_transient_hostkey_cache *thc, ssh_key *key);\r
1934 bool ssh_transient_hostkey_cache_has(\r
1935 ssh_transient_hostkey_cache *thc, const ssh_keyalg *alg);\r
1936 bool ssh_transient_hostkey_cache_non_empty(ssh_transient_hostkey_cache *thc);\r
1937 \r
1938 /*\r
1939 * Protocol definitions for authentication helper plugins\r
1940 */\r
1941 \r
1942 #define AUTHPLUGIN_MSG_NAMES(X) \\r
1943 X(PLUGIN_INIT, 1) \\r
1944 X(PLUGIN_INIT_RESPONSE, 2) \\r
1945 X(PLUGIN_PROTOCOL, 3) \\r
1946 X(PLUGIN_PROTOCOL_ACCEPT, 4) \\r
1947 X(PLUGIN_PROTOCOL_REJECT, 5) \\r
1948 X(PLUGIN_AUTH_SUCCESS, 6) \\r
1949 X(PLUGIN_AUTH_FAILURE, 7) \\r
1950 X(PLUGIN_INIT_FAILURE, 8) \\r
1951 X(PLUGIN_KI_SERVER_REQUEST, 20) \\r
1952 X(PLUGIN_KI_SERVER_RESPONSE, 21) \\r
1953 X(PLUGIN_KI_USER_REQUEST, 22) \\r
1954 X(PLUGIN_KI_USER_RESPONSE, 23) \\r
1955 /* end of list */\r
1956 \r
1957 #define PLUGIN_PROTOCOL_MAX_VERSION 2 /* the highest version we speak */\r
1958 \r
1959 enum {\r
1960 #define ENUMDECL(name, value) name = value,\r
1961 AUTHPLUGIN_MSG_NAMES(ENUMDECL)\r
1962 #undef ENUMDECL\r
1963 \r
1964 /* Error codes internal to this implementation, indicating failure\r
1965 * to receive a meaningful packet at all */\r
1966 PLUGIN_NOTYPE = 256, /* packet too short to have a type */\r
1967 PLUGIN_EOF = 257 /* EOF from auth plugin */\r
1968 };\r