2 * Packet-censoring code for SSH-2, used to identify sensitive fields
3 * like passwords so that the logging system can avoid writing them
12 int ssh2_censor_packet(
13 const PacketLogSettings
*pls
, int type
, bool sender_is_client
,
14 ptrlen pkt
, logblank_t
*blanks
)
20 BinarySource_BARE_INIT_PL(src
, pkt
);
23 (type
== SSH2_MSG_CHANNEL_DATA
||
24 type
== SSH2_MSG_CHANNEL_EXTENDED_DATA
)) {
25 /* "Session data" packets - omit the data string. */
26 get_uint32(src
); /* skip channel id */
27 if (type
== SSH2_MSG_CHANNEL_EXTENDED_DATA
)
28 get_uint32(src
); /* skip extended data type */
29 str
= get_string(src
);
31 assert(nblanks
< MAX_BLANKS
);
32 blanks
[nblanks
].offset
= src
->pos
- str
.len
;
33 blanks
[nblanks
].type
= PKTLOG_OMIT
;
34 blanks
[nblanks
].len
= str
.len
;
39 if (sender_is_client
&& pls
->omit_passwords
) {
40 if (type
== SSH2_MSG_USERAUTH_REQUEST
) {
41 /* If this is a password packet, blank the password(s). */
42 get_string(src
); /* username */
43 get_string(src
); /* service name */
44 str
= get_string(src
); /* auth method */
45 if (ptrlen_eq_string(str
, "password")) {
47 /* Blank the password field. */
48 str
= get_string(src
);
50 assert(nblanks
< MAX_BLANKS
);
51 blanks
[nblanks
].offset
= src
->pos
- str
.len
;
52 blanks
[nblanks
].type
= PKTLOG_BLANK
;
53 blanks
[nblanks
].len
= str
.len
;
55 /* If there's another password field beyond it
56 * (change of password), blank that too. */
57 str
= get_string(src
);
59 blanks
[nblanks
-1].len
=
60 src
->pos
- blanks
[nblanks
].offset
;
63 } else if (pls
->actx
== SSH2_PKTCTX_KBDINTER
&&
64 type
== SSH2_MSG_USERAUTH_INFO_RESPONSE
) {
65 /* If this is a keyboard-interactive response packet,
66 * blank the responses. */
68 assert(nblanks
< MAX_BLANKS
);
69 blanks
[nblanks
].offset
= src
->pos
;
70 blanks
[nblanks
].type
= PKTLOG_BLANK
;
72 str
= get_string(src
);
73 } while (!get_err(src
));
74 blanks
[nblanks
].len
= src
->pos
- blanks
[nblanks
].offset
;
76 } else if (type
== SSH2_MSG_CHANNEL_REQUEST
) {
78 * If this is an X forwarding request packet, blank the
81 * Note that while we blank the X authentication data
82 * here, we don't take any special action to blank the
83 * start of an X11 channel, so using MIT-MAGIC-COOKIE-1
84 * and actually opening an X connection without having
85 * session blanking enabled is likely to leak your cookie
89 str
= get_string(src
);
90 if (ptrlen_eq_string(str
, "x11-req")) {
94 str
= get_string(src
);
96 assert(nblanks
< MAX_BLANKS
);
97 blanks
[nblanks
].offset
= src
->pos
- str
.len
;
98 blanks
[nblanks
].type
= PKTLOG_BLANK
;
99 blanks
[nblanks
].len
= str
.len
;