search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Upgrade libgit2
[TortoiseGit.git] / src / TortoisePlink / ssh / transport2.c
blobe6840ffa8e562535ca7caf231147f349fb871f53
1 /*
2 * Packet protocol layer for the SSH-2 transport protocol (RFC 4253).
3 */
4
5 #include <assert.h>
6
7 #include "putty.h"
8 #include "ssh.h"
9 #include "bpp.h"
10 #include "ppl.h"
11 #include "sshcr.h"
12 #include "server.h"
13 #include "storage.h"
14 #include "transport2.h"
15 #include "mpint.h"
16
17 const struct ssh_signkey_with_user_pref_id ssh2_hostkey_algs[] = {
18 #define ARRAYENT_HOSTKEY_ALGORITHM(type, alg) { &alg, type },
19 HOSTKEY_ALGORITHMS(ARRAYENT_HOSTKEY_ALGORITHM)
20 };
21
22 const static ssh2_macalg *const macs[] = {
23 &ssh_hmac_sha256, &ssh_hmac_sha512,
24 &ssh_hmac_sha1, &ssh_hmac_sha1_96, &ssh_hmac_md5
25 };
26 const static ssh2_macalg *const buggymacs[] = {
27 &ssh_hmac_sha1_buggy, &ssh_hmac_sha1_96_buggy, &ssh_hmac_md5
28 };
29
30 const static ptrlen ext_info_c = PTRLEN_DECL_LITERAL("ext-info-c");
31 const static ptrlen ext_info_s = PTRLEN_DECL_LITERAL("ext-info-s");
32 const static ptrlen kex_strict_c =
33 PTRLEN_DECL_LITERAL("kex-strict-c-v00@openssh.com");
34 const static ptrlen kex_strict_s =
35 PTRLEN_DECL_LITERAL("kex-strict-s-v00@openssh.com");
36
37 /* Pointer value to store in s->weak_algorithms_consented_to to
38 * indicate that the user has accepted the risk of the Terrapin
39 * attack */
40 static const char terrapin_weakness[1];
41
42 static ssh_compressor *ssh_comp_none_init(void)
43 {
44 return NULL;
45 }
46 static void ssh_comp_none_cleanup(ssh_compressor *handle)
47 {
48 }
49 static ssh_decompressor *ssh_decomp_none_init(void)
50 {
51 return NULL;
52 }
53 static void ssh_decomp_none_cleanup(ssh_decompressor *handle)
54 {
55 }
56 static void ssh_comp_none_block(ssh_compressor *handle,
57 const unsigned char *block, int len,
58 unsigned char **outblock, int *outlen,
59 int minlen)
60 {
61 }
62 static bool ssh_decomp_none_block(ssh_decompressor *handle,
63 const unsigned char *block, int len,
64 unsigned char **outblock, int *outlen)
65 {
66 return false;
67 }
68 static const ssh_compression_alg ssh_comp_none = {
69 .name = "none",
70 .delayed_name = NULL,
71 .compress_new = ssh_comp_none_init,
72 .compress_free = ssh_comp_none_cleanup,
73 .compress = ssh_comp_none_block,
74 .decompress_new = ssh_decomp_none_init,
75 .decompress_free = ssh_decomp_none_cleanup,
76 .decompress = ssh_decomp_none_block,
77 .text_name = NULL,
78 };
79 const static ssh_compression_alg *const compressions[] = {
80 &ssh_zlib, &ssh_comp_none
81 };
82
83 static void ssh2_transport_free(PacketProtocolLayer *);
84 static void ssh2_transport_process_queue(PacketProtocolLayer *);
85 static bool ssh2_transport_get_specials(
86 PacketProtocolLayer *ppl, add_special_fn_t add_special, void *ctx);
87 static void ssh2_transport_special_cmd(PacketProtocolLayer *ppl,
88 SessionSpecialCode code, int arg);
89 static void ssh2_transport_reconfigure(PacketProtocolLayer *ppl, Conf *conf);
90 static size_t ssh2_transport_queued_data_size(PacketProtocolLayer *ppl);
91
92 static void ssh2_transport_set_max_data_size(struct ssh2_transport_state *s);
93 static unsigned long sanitise_rekey_time(int rekey_time, unsigned long def);
94 static void ssh2_transport_higher_layer_packet_callback(void *context);
95 static void ssh2_transport_final_output(PacketProtocolLayer *ppl);
96 static const char *terrapin_vulnerable(
97 bool strict_kex, const transport_direction *d);
98 static bool try_to_avoid_terrapin(const struct ssh2_transport_state *s);
99
100 static const PacketProtocolLayerVtable ssh2_transport_vtable = {
101 .free = ssh2_transport_free,
102 .process_queue = ssh2_transport_process_queue,
103 .get_specials = ssh2_transport_get_specials,
104 .special_cmd = ssh2_transport_special_cmd,
105 .reconfigure = ssh2_transport_reconfigure,
106 .queued_data_size = ssh2_transport_queued_data_size,
107 .final_output = ssh2_transport_final_output,
108 .name = NULL, /* no protocol name for this layer */
109 };
110
111 #ifndef NO_GSSAPI
112 static void ssh2_transport_gss_update(struct ssh2_transport_state *s,
113 bool definitely_rekeying);
114 #endif
115
116 static bool ssh2_transport_timer_update(struct ssh2_transport_state *s,
117 unsigned long rekey_time);
118 static SeatPromptResult ssh2_transport_confirm_weak_crypto_primitive(
119 struct ssh2_transport_state *s, const char *type, const char *name,
120 const void *alg, WeakCryptoReason wcr);
121
122 static const char *const kexlist_descr[NKEXLIST] = {
123 "key exchange algorithm",
124 "host key algorithm",
125 "client-to-server cipher",
126 "server-to-client cipher",
127 "client-to-server MAC",
128 "server-to-client MAC",
129 "client-to-server compression method",
130 "server-to-client compression method"
131 };
132
133 static int weak_algorithm_compare(void *av, void *bv);
134 static int ca_blob_compare(void *av, void *bv);
135
136 PacketProtocolLayer *ssh2_transport_new(
137 Conf *conf, const char *host, int port, const char *fullhostname,
138 const char *client_greeting, const char *server_greeting,
139 struct ssh_connection_shared_gss_state *shgss,
140 struct DataTransferStats *stats, PacketProtocolLayer *higher_layer,
141 const SshServerConfig *ssc)
142 {
143 struct ssh2_transport_state *s = snew(struct ssh2_transport_state);
144 memset(s, 0, sizeof(*s));
145 s->ppl.vt = &ssh2_transport_vtable;
146
147 s->conf = conf_copy(conf);
148 s->savedhost = dupstr(host);
149 s->savedport = port;
150 s->fullhostname = dupstr(fullhostname);
151 s->shgss = shgss;
152 s->client_greeting = dupstr(client_greeting);
153 s->server_greeting = dupstr(server_greeting);
154 s->stats = stats;
155 s->hostkeyblob = strbuf_new();
156 s->host_cas = newtree234(ca_blob_compare);
157
158 pq_in_init(&s->pq_in_higher);
159 pq_out_init(&s->pq_out_higher);
160 s->pq_out_higher.pqb.ic = &s->ic_pq_out_higher;
161 s->ic_pq_out_higher.fn = ssh2_transport_higher_layer_packet_callback;
162 s->ic_pq_out_higher.ctx = &s->ppl;
163
164 s->higher_layer = higher_layer;
165 s->higher_layer->selfptr = &s->higher_layer;
166 ssh_ppl_setup_queues(s->higher_layer, &s->pq_in_higher, &s->pq_out_higher);
167
168 #ifndef NO_GSSAPI
169 s->gss_cred_expiry = GSS_NO_EXPIRATION;
170 s->shgss->srv_name = GSS_C_NO_NAME;
171 s->shgss->ctx = NULL;
172 #endif
173 s->thc = ssh_transient_hostkey_cache_new();
174 s->gss_kex_used = false;
175
176 s->outgoing_kexinit = strbuf_new();
177 s->incoming_kexinit = strbuf_new();
178 if (ssc) {
179 s->ssc = ssc;
180 s->client_kexinit = s->incoming_kexinit;
181 s->server_kexinit = s->outgoing_kexinit;
182 s->cstrans = &s->in;
183 s->sctrans = &s->out;
184 s->out.mkkey_adjust = 1;
185 } else {
186 s->client_kexinit = s->outgoing_kexinit;
187 s->server_kexinit = s->incoming_kexinit;
188 s->cstrans = &s->out;
189 s->sctrans = &s->in;
190 s->in.mkkey_adjust = 1;
191 }
192
193 s->weak_algorithms_consented_to = newtree234(weak_algorithm_compare);
194
195 ssh2_transport_set_max_data_size(s);
196
197 return &s->ppl;
198 }
199
200 static void ssh2_transport_free(PacketProtocolLayer *ppl)
201 {
202 struct ssh2_transport_state *s =
203 container_of(ppl, struct ssh2_transport_state, ppl);
204
205 /*
206 * As our last act before being freed, move any outgoing packets
207 * off our higher layer's output queue on to our own output queue.
208 * We might be being freed while the SSH connection is still alive
209 * (because we're initiating shutdown from our end), in which case
210 * we don't want those last few packets to get lost.
211 *
212 * (If our owner were to have already destroyed our output pq
213 * before wanting to free us, then it would have to reset our
214 * publicly visible out_pq field to NULL to inhibit this attempt.
215 * But that's not how I expect the shutdown sequence to go in
216 * practice.)
217 */
218 if (s->ppl.out_pq)
219 pq_concatenate(s->ppl.out_pq, s->ppl.out_pq, &s->pq_out_higher);
220
221 conf_free(s->conf);
222
223 ssh_ppl_free(s->higher_layer);
224
225 pq_in_clear(&s->pq_in_higher);
226 pq_out_clear(&s->pq_out_higher);
227
228 sfree(s->savedhost);
229 sfree(s->fullhostname);
230 sfree(s->client_greeting);
231 sfree(s->server_greeting);
232 sfree(s->keystr);
233 strbuf_free(s->hostkeyblob);
234 {
235 host_ca *hca;
236 while ( (hca = delpos234(s->host_cas, 0)) )
237 host_ca_free(hca);
238 freetree234(s->host_cas);
239 }
240 if (s->hkey && !s->hostkeys) {
241 ssh_key_free(s->hkey);
242 s->hkey = NULL;
243 }
244 for (size_t i = 0; i < NKEXLIST; i++)
245 sfree(s->kexlists[i].algs);
246 if (s->f) mp_free(s->f);
247 if (s->p) mp_free(s->p);
248 if (s->g) mp_free(s->g);
249 if (s->ebuf) strbuf_free(s->ebuf);
250 if (s->fbuf) strbuf_free(s->fbuf);
251 if (s->kex_shared_secret) strbuf_free(s->kex_shared_secret);
252 if (s->dh_ctx)
253 dh_cleanup(s->dh_ctx);
254 if (s->rsa_kex_key_needs_freeing) {
255 ssh_rsakex_freekey(s->rsa_kex_key);
256 sfree(s->rsa_kex_key);
257 }
258 if (s->ecdh_key)
259 ecdh_key_free(s->ecdh_key);
260 if (s->exhash)
261 ssh_hash_free(s->exhash);
262 strbuf_free(s->outgoing_kexinit);
263 strbuf_free(s->incoming_kexinit);
264 ssh_transient_hostkey_cache_free(s->thc);
265
266 freetree234(s->weak_algorithms_consented_to);
267
268 expire_timer_context(s);
269 sfree(s);
270 }
271
272 /*
273 * SSH-2 key derivation (RFC 4253 section 7.2).
274 */
275 static void ssh2_mkkey(
276 struct ssh2_transport_state *s, strbuf *out,
277 strbuf *kex_shared_secret, unsigned char *H, char chr, int keylen)
278 {
279 int hlen = s->kex_alg->hash->hlen;
280 int keylen_padded;
281 unsigned char *key;
282 ssh_hash *h;
283
284 if (keylen == 0)
285 return;
286
287 /*
288 * Round the requested amount of key material up to a multiple of
289 * the length of the hash we're using to make it. This makes life
290 * simpler because then we can just write each hash output block
291 * straight into the output buffer without fiddling about
292 * truncating the last one. Since it's going into a strbuf, and
293 * strbufs are always smemclr()ed on free, there's no need to
294 * worry about leaving extra potentially-sensitive data in memory
295 * that the caller didn't ask for.
296 */
297 keylen_padded = ((keylen + hlen - 1) / hlen) * hlen;
298
299 strbuf_clear(out);
300 key = strbuf_append(out, keylen_padded);
301
302 /* First hlen bytes. */
303 h = ssh_hash_new(s->kex_alg->hash);
304 if (!(s->ppl.remote_bugs & BUG_SSH2_DERIVEKEY))
305 put_datapl(h, ptrlen_from_strbuf(kex_shared_secret));
306 put_data(h, H, hlen);
307 put_byte(h, chr);
308 put_data(h, s->session_id, s->session_id_len);
309 ssh_hash_digest(h, key);
310
311 /* Subsequent blocks of hlen bytes. */
312 if (keylen_padded > hlen) {
313 int offset;
314
315 ssh_hash_reset(h);
316 if (!(s->ppl.remote_bugs & BUG_SSH2_DERIVEKEY))
317 put_datapl(h, ptrlen_from_strbuf(kex_shared_secret));
318 put_data(h, H, hlen);
319
320 for (offset = hlen; offset < keylen_padded; offset += hlen) {
321 put_data(h, key + offset - hlen, hlen);
322 ssh_hash_digest_nondestructive(h, key + offset);
323 }
324
325 }
326
327 ssh_hash_free(h);
328 }
329
330 /*
331 * Find a slot in a KEXINIT algorithm list to use for a new algorithm.
332 * If the algorithm is already in the list, return a pointer to its
333 * entry, otherwise return an entry from the end of the list.
334 *
335 * 'name' is expected to be a ptrlen which it's safe to keep a copy
336 * of.
337 */
338 static struct kexinit_algorithm *ssh2_kexinit_addalg_pl(
339 struct kexinit_algorithm_list *list, ptrlen name)
340 {
341 for (size_t i = 0; i < list->nalgs; i++)
342 if (ptrlen_eq_ptrlen(list->algs[i].name, name))
343 return &list->algs[i];
344
345 sgrowarray(list->algs, list->algsize, list->nalgs);
346 struct kexinit_algorithm *entry = &list->algs[list->nalgs++];
347 entry->name = name;
348 return entry;
349 }
350
351 static struct kexinit_algorithm *ssh2_kexinit_addalg(
352 struct kexinit_algorithm_list *list, const char *name)
353 {
354 return ssh2_kexinit_addalg_pl(list, ptrlen_from_asciz(name));
355 }
356
357 bool ssh2_common_filter_queue(PacketProtocolLayer *ppl)
358 {
359 static const char *const ssh2_disconnect_reasons[] = {
360 NULL,
361 "host not allowed to connect",
362 "protocol error",
363 "key exchange failed",
364 "host authentication failed",
365 "MAC error",
366 "compression error",
367 "service not available",
368 "protocol version not supported",
369 "host key not verifiable",
370 "connection lost",
371 "by application",
372 "too many connections",
373 "auth cancelled by user",
374 "no more auth methods available",
375 "illegal user name",
376 };
377
378 PktIn *pktin;
379 ptrlen msg;
380 int reason;
381
382 while ((pktin = pq_peek(ppl->in_pq)) != NULL) {
383 switch (pktin->type) {
384 case SSH2_MSG_DISCONNECT:
385 reason = get_uint32(pktin);
386 msg = get_string(pktin);
387
388 ssh_remote_error(
389 ppl->ssh, "Remote side sent disconnect message\n"
390 "type %d (%s):\n\"%.*s\"", reason,
391 ((reason > 0 && reason < lenof(ssh2_disconnect_reasons)) ?
392 ssh2_disconnect_reasons[reason] : "unknown"),
393 PTRLEN_PRINTF(msg));
394 /* don't try to pop the queue, because we've been freed! */
395 return true; /* indicate that we've been freed */
396
397 case SSH2_MSG_DEBUG:
398 /* XXX maybe we should actually take notice of the return value */
399 get_bool(pktin);
400 msg = get_string(pktin);
401 ppl_logevent("Remote debug message: %.*s", PTRLEN_PRINTF(msg));
402 pq_pop(ppl->in_pq);
403 break;
404
405 case SSH2_MSG_IGNORE:
406 /* Do nothing, because we're ignoring it! Duhh. */
407 pq_pop(ppl->in_pq);
408 break;
409
410 case SSH2_MSG_EXT_INFO: {
411 /*
412 * The BPP enforces that these turn up only at legal
413 * points in the protocol. In particular, it will not pass
414 * an EXT_INFO on to us if it arrives before encryption is
415 * enabled (which is when a MITM could inject one
416 * maliciously).
417 *
418 * However, one of the criteria for legality is that a
419 * server is permitted to send this message immediately
420 * _before_ USERAUTH_SUCCESS. So we may receive this
421 * message not yet knowing whether it's legal to have sent
422 * it - we won't know until the BPP processes the next
423 * packet.
424 *
425 * But that should be OK, because firstly, an
426 * out-of-sequence EXT_INFO that's still within the
427 * encrypted session is only a _protocol_ violation, not
428 * an attack; secondly, any data we set in response to
429 * such an illegal EXT_INFO won't have a chance to affect
430 * the session before the BPP aborts it anyway.
431 */
432 uint32_t nexts = get_uint32(pktin);
433 for (uint32_t i = 0; i < nexts && !get_err(pktin); i++) {
434 ptrlen extname = get_string(pktin);
435 ptrlen extvalue = get_string(pktin);
436 if (ptrlen_eq_string(extname, "server-sig-algs")) {
437 /*
438 * Server has sent a list of signature algorithms
439 * it will potentially accept for user
440 * authentication keys. Check in particular
441 * whether the RFC 8332 improved versions of
442 * ssh-rsa are in the list, and set flags in the
443 * BPP if so.
444 *
445 * TODO: another thing we _could_ do here is to
446 * record a full list of the algorithm identifiers
447 * we've seen, whether we understand them
448 * ourselves or not. Then we could use that as a
449 * pre-filter during userauth, to skip keys in the
450 * SSH agent if we already know the server can't
451 * possibly accept them. (Even if the key
452 * algorithm is one that the agent and the server
453 * both understand but we do not.)
454 */
455 ptrlen algname;
456 while (get_commasep_word(&extvalue, &algname)) {
457 if (ptrlen_eq_string(algname, "rsa-sha2-256"))
458 ppl->bpp->ext_info_rsa_sha256_ok = true;
459 if (ptrlen_eq_string(algname, "rsa-sha2-512"))
460 ppl->bpp->ext_info_rsa_sha512_ok = true;
461 }
462 }
463 }
464 pq_pop(ppl->in_pq);
465 break;
466 }
467
468 default:
469 return false;
470 }
471 }
472
473 return false;
474 }
475
476 static bool ssh2_transport_filter_queue(struct ssh2_transport_state *s)
477 {
478 PktIn *pktin;
479
480 if (!s->enabled_incoming_crypto) {
481 /*
482 * Record the fact that we've seen any non-KEXINIT packet at
483 * the head of our queue.
484 *
485 * This enables us to check later that the initial incoming
486 * KEXINIT was the very first packet, if scanning the KEXINITs
487 * turns out to enable strict-kex mode.
488 */
489 PktIn *pktin = pq_peek(s->ppl.in_pq);
490 if (pktin && pktin->type != SSH2_MSG_KEXINIT)
491 s->seen_non_kexinit = true;
492
493 if (s->strict_kex) {
494 /*
495 * Also, if we're already in strict-KEX mode and haven't
496 * turned on crypto yet, don't do any actual filtering.
497 * This ensures that extraneous packets _after_ the
498 * KEXINIT will go to the main coroutine, which will
499 * complain about them.
500 */
501 return false;
502 }
503 }
504
505 while (1) {
506 if (ssh2_common_filter_queue(&s->ppl))
507 return true;
508 if ((pktin = pq_peek(s->ppl.in_pq)) == NULL)
509 return false;
510
511 /* Pass on packets to the next layer if they're outside
512 * the range reserved for the transport protocol. */
513 if (pktin->type >= 50) {
514 /* ... except that we shouldn't tolerate higher-layer
515 * packets coming from the server before we've seen
516 * the first NEWKEYS. */
517 if (!s->higher_layer_ok) {
518 ssh_proto_error(s->ppl.ssh, "Received premature higher-"
519 "layer packet, type %d (%s)", pktin->type,
520 ssh2_pkt_type(s->ppl.bpp->pls->kctx,
521 s->ppl.bpp->pls->actx,
522 pktin->type));
523 return true;
524 }
525
526 pq_pop(s->ppl.in_pq);
527 pq_push(&s->pq_in_higher, pktin);
528 } else {
529 /* Anything else is a transport-layer packet that the main
530 * process_queue coroutine should handle. */
531 return false;
532 }
533 }
534 }
535
536 PktIn *ssh2_transport_pop(struct ssh2_transport_state *s)
537 {
538 if (ssh2_transport_filter_queue(s))
539 return NULL; /* we've been freed */
540 return pq_pop(s->ppl.in_pq);
541 }
542
543 static void ssh2_write_kexinit_lists(
544 BinarySink *pktout,
545 struct kexinit_algorithm_list kexlists[NKEXLIST],
546 Conf *conf, const SshServerConfig *ssc, int remote_bugs,
547 const char *hk_host, int hk_port, const ssh_keyalg *hk_prev,
548 ssh_transient_hostkey_cache *thc, tree234 *host_cas,
549 ssh_key *const *our_hostkeys, int our_nhostkeys,
550 bool first_time, bool can_gssapi_keyex, bool transient_hostkey_mode)
551 {
552 int i, j, k;
553 bool warn;
554
555 int n_preferred_kex;
556 const ssh_kexes *preferred_kex[KEX_MAX + 3]; /* +3 for GSSAPI */
557 int n_preferred_hk;
558 int preferred_hk[HK_MAX];
559 int n_preferred_ciphers;
560 const ssh2_ciphers *preferred_ciphers[CIPHER_MAX];
561 const ssh_compression_alg *preferred_comp;
562 const ssh2_macalg *const *maclist;
563 int nmacs;
564
565 struct kexinit_algorithm *alg;
566
567 /*
568 * Set up the preferred key exchange. (NULL => warn below here)
569 */
570 n_preferred_kex = 0;
571 if (can_gssapi_keyex) {
572 preferred_kex[n_preferred_kex++] = &ssh_gssk5_ecdh_kex;
573 preferred_kex[n_preferred_kex++] = &ssh_gssk5_sha2_kex;
574 preferred_kex[n_preferred_kex++] = &ssh_gssk5_sha1_kex;
575 }
576 for (i = 0; i < KEX_MAX; i++) {
577 switch (conf_get_int_int(conf, CONF_ssh_kexlist, i)) {
578 case KEX_DHGEX:
579 preferred_kex[n_preferred_kex++] =
580 &ssh_diffiehellman_gex;
581 break;
582 case KEX_DHGROUP18:
583 preferred_kex[n_preferred_kex++] =
584 &ssh_diffiehellman_group18;
585 break;
586 case KEX_DHGROUP17:
587 preferred_kex[n_preferred_kex++] =
588 &ssh_diffiehellman_group17;
589 break;
590 case KEX_DHGROUP16:
591 preferred_kex[n_preferred_kex++] =
592 &ssh_diffiehellman_group16;
593 break;
594 case KEX_DHGROUP15:
595 preferred_kex[n_preferred_kex++] =
596 &ssh_diffiehellman_group15;
597 break;
598 case KEX_DHGROUP14:
599 preferred_kex[n_preferred_kex++] =
600 &ssh_diffiehellman_group14;
601 break;
602 case KEX_DHGROUP1:
603 preferred_kex[n_preferred_kex++] =
604 &ssh_diffiehellman_group1;
605 break;
606 case KEX_RSA:
607 preferred_kex[n_preferred_kex++] =
608 &ssh_rsa_kex;
609 break;
610 case KEX_ECDH:
611 preferred_kex[n_preferred_kex++] =
612 &ssh_ecdh_kex;
613 break;
614 case KEX_NTRU_HYBRID:
615 preferred_kex[n_preferred_kex++] =
616 &ssh_ntru_hybrid_kex;
617 break;
618 case KEX_WARN:
619 /* Flag for later. Don't bother if it's the last in
620 * the list. */
621 if (i < KEX_MAX - 1) {
622 preferred_kex[n_preferred_kex++] = NULL;
623 }
624 break;
625 }
626 }
627
628 /*
629 * Set up the preferred host key types. These are just the ids
630 * in the enum in putty.h, so 'warn below here' is indicated
631 * by HK_WARN.
632 */
633 n_preferred_hk = 0;
634 for (i = 0; i < HK_MAX; i++) {
635 int id = conf_get_int_int(conf, CONF_ssh_hklist, i);
636 /* As above, don't bother with HK_WARN if it's last in the
637 * list */
638 if (id != HK_WARN || i < HK_MAX - 1)
639 preferred_hk[n_preferred_hk++] = id;
640 }
641
642 /*
643 * Set up the preferred ciphers. (NULL => warn below here)
644 */
645 n_preferred_ciphers = 0;
646 for (i = 0; i < CIPHER_MAX; i++) {
647 switch (conf_get_int_int(conf, CONF_ssh_cipherlist, i)) {
648 case CIPHER_BLOWFISH:
649 preferred_ciphers[n_preferred_ciphers++] = &ssh2_blowfish;
650 break;
651 case CIPHER_DES:
652 if (conf_get_bool(conf, CONF_ssh2_des_cbc))
653 preferred_ciphers[n_preferred_ciphers++] = &ssh2_des;
654 break;
655 case CIPHER_3DES:
656 preferred_ciphers[n_preferred_ciphers++] = &ssh2_3des;
657 break;
658 case CIPHER_AES:
659 preferred_ciphers[n_preferred_ciphers++] = &ssh2_aes;
660 break;
661 case CIPHER_ARCFOUR:
662 preferred_ciphers[n_preferred_ciphers++] = &ssh2_arcfour;
663 break;
664 case CIPHER_CHACHA20:
665 preferred_ciphers[n_preferred_ciphers++] = &ssh2_ccp;
666 break;
667 case CIPHER_AESGCM:
668 preferred_ciphers[n_preferred_ciphers++] = &ssh2_aesgcm;
669 break;
670 case CIPHER_WARN:
671 /* Flag for later. Don't bother if it's the last in
672 * the list. */
673 if (i < CIPHER_MAX - 1) {
674 preferred_ciphers[n_preferred_ciphers++] = NULL;
675 }
676 break;
677 }
678 }
679
680 /*
681 * Set up preferred compression.
682 */
683 if (conf_get_bool(conf, CONF_compression))
684 preferred_comp = &ssh_zlib;
685 else
686 preferred_comp = &ssh_comp_none;
687
688 for (i = 0; i < NKEXLIST; i++)
689 kexlists[i].nalgs = 0;
690 /* List key exchange algorithms. */
691 warn = false;
692 for (i = 0; i < n_preferred_kex; i++) {
693 const ssh_kexes *k = preferred_kex[i];
694 if (!k) warn = true;
695 else for (j = 0; j < k->nkexes; j++) {
696 alg = ssh2_kexinit_addalg(&kexlists[KEXLIST_KEX],
697 k->list[j]->name);
698 alg->u.kex.kex = k->list[j];
699 alg->u.kex.warn = warn;
700 }
701 }
702 /* List server host key algorithms. */
703 if (our_hostkeys) {
704 /*
705 * In server mode, we just list the algorithms that match the
706 * host keys we actually have.
707 */
708 for (i = 0; i < our_nhostkeys; i++) {
709 const ssh_keyalg *keyalg = ssh_key_alg(our_hostkeys[i]);
710
711 alg = ssh2_kexinit_addalg(&kexlists[KEXLIST_HOSTKEY],
712 keyalg->ssh_id);
713 alg->u.hk.hostkey = keyalg;
714 alg->u.hk.hkflags = 0;
715 alg->u.hk.warn = false;
716
717 uint32_t supported_flags = ssh_keyalg_supported_flags(keyalg);
718 static const uint32_t try_flags[] = {
719 SSH_AGENT_RSA_SHA2_256,
720 SSH_AGENT_RSA_SHA2_512,
721 };
722 for (size_t i = 0; i < lenof(try_flags); i++) {
723 if (try_flags[i] & ~supported_flags)
724 continue; /* these flags not supported */
725
726 alg = ssh2_kexinit_addalg(
727 &kexlists[KEXLIST_HOSTKEY],
728 ssh_keyalg_alternate_ssh_id(keyalg, try_flags[i]));
729
730 alg->u.hk.hostkey = keyalg;
731 alg->u.hk.hkflags = try_flags[i];
732 alg->u.hk.warn = false;
733 }
734 }
735 } else if (first_time) {
736 /*
737 * In the first key exchange, we list all the algorithms we're
738 * prepared to cope with, but (if configured to) we prefer
739 * those algorithms for which we have a host key for this
740 * host.
741 *
742 * If the host key algorithm is below the warning
743 * threshold, we warn even if we did already have a key
744 * for it, on the basis that if the user has just
745 * reconfigured that host key type to be warned about,
746 * they surely _do_ want to be alerted that a server
747 * they're actually connecting to is using it.
748 */
749
750 bool accept_certs = false;
751 {
752 host_ca_enum *handle = enum_host_ca_start();
753 if (handle) {
754 strbuf *name = strbuf_new();
755 while (strbuf_clear(name), enum_host_ca_next(handle, name)) {
756 host_ca *hca = host_ca_load(name->s);
757 if (!hca)
758 continue;
759
760 if (hca->ca_public_key &&
761 cert_expr_match_str(hca->validity_expression,
762 hk_host, hk_port)) {
763 accept_certs = true;
764 add234(host_cas, hca);
765 } else {
766 host_ca_free(hca);
767 }
768 }
769 enum_host_ca_finish(handle);
770 strbuf_free(name);
771 }
772 }
773
774 if (accept_certs) {
775 /* Add all the certificate algorithms first, in preference order */
776 warn = false;
777 for (i = 0; i < n_preferred_hk; i++) {
778 if (preferred_hk[i] == HK_WARN)
779 warn = true;
780 for (j = 0; j < lenof(ssh2_hostkey_algs); j++) {
781 const struct ssh_signkey_with_user_pref_id *a =
782 &ssh2_hostkey_algs[j];
783 if (!a->alg->is_certificate)
784 continue;
785 if (a->id != preferred_hk[i])
786 continue;
787 alg = ssh2_kexinit_addalg(&kexlists[KEXLIST_HOSTKEY],
788 a->alg->ssh_id);
789 alg->u.hk.hostkey = a->alg;
790 alg->u.hk.warn = warn;
791 }
792 }
793 }
794
795 /* Next, add algorithms we already know a key for (unless
796 * configured not to do that) */
797 warn = false;
798 for (i = 0; i < n_preferred_hk; i++) {
799 if (preferred_hk[i] == HK_WARN)
800 warn = true;
801 for (j = 0; j < lenof(ssh2_hostkey_algs); j++) {
802 const struct ssh_signkey_with_user_pref_id *a =
803 &ssh2_hostkey_algs[j];
804 if (a->alg->is_certificate && accept_certs)
805 continue; /* already added this one */
806 if (a->id != preferred_hk[i])
807 continue;
808 if (conf_get_bool(conf, CONF_ssh_prefer_known_hostkeys) &&
809 have_ssh_host_key(hk_host, hk_port,
810 a->alg->cache_id)) {
811 alg = ssh2_kexinit_addalg(&kexlists[KEXLIST_HOSTKEY],
812 a->alg->ssh_id);
813 alg->u.hk.hostkey = a->alg;
814 alg->u.hk.warn = warn;
815 }
816 }
817 }
818
819 /* And finally, everything else */
820 warn = false;
821 for (i = 0; i < n_preferred_hk; i++) {
822 if (preferred_hk[i] == HK_WARN)
823 warn = true;
824 for (j = 0; j < lenof(ssh2_hostkey_algs); j++) {
825 const struct ssh_signkey_with_user_pref_id *a =
826 &ssh2_hostkey_algs[j];
827 if (a->alg->is_certificate)
828 continue;
829 if (a->id != preferred_hk[i])
830 continue;
831 alg = ssh2_kexinit_addalg(&kexlists[KEXLIST_HOSTKEY],
832 a->alg->ssh_id);
833 alg->u.hk.hostkey = a->alg;
834 alg->u.hk.warn = warn;
835 }
836 }
837 #ifndef NO_GSSAPI
838 } else if (transient_hostkey_mode) {
839 /*
840 * If we've previously done a GSSAPI KEX, then we list
841 * precisely the algorithms for which a previous GSS key
842 * exchange has delivered us a host key, because we expect
843 * one of exactly those keys to be used in any subsequent
844 * non-GSS-based rekey.
845 *
846 * An exception is if this is the key exchange we
847 * triggered for the purposes of populating that cache -
848 * in which case the cache will currently be empty, which
849 * isn't helpful!
850 */
851 warn = false;
852 for (i = 0; i < n_preferred_hk; i++) {
853 if (preferred_hk[i] == HK_WARN)
854 warn = true;
855 for (j = 0; j < lenof(ssh2_hostkey_algs); j++) {
856 if (ssh2_hostkey_algs[j].id != preferred_hk[i])
857 continue;
858 if (ssh_transient_hostkey_cache_has(
859 thc, ssh2_hostkey_algs[j].alg)) {
860 alg = ssh2_kexinit_addalg(&kexlists[KEXLIST_HOSTKEY],
861 ssh2_hostkey_algs[j].alg->ssh_id);
862 alg->u.hk.hostkey = ssh2_hostkey_algs[j].alg;
863 alg->u.hk.warn = warn;
864 }
865 }
866 }
867 #endif
868 } else {
869 /*
870 * In subsequent key exchanges, we list only the host key
871 * algorithm that was selected in the first key exchange,
872 * so that we keep getting the same host key and hence
873 * don't have to interrupt the user's session to ask for
874 * reverification.
875 */
876 assert(hk_prev);
877 alg = ssh2_kexinit_addalg(&kexlists[KEXLIST_HOSTKEY], hk_prev->ssh_id);
878 alg->u.hk.hostkey = hk_prev;
879 alg->u.hk.warn = false;
880 }
881 if (can_gssapi_keyex) {
882 alg = ssh2_kexinit_addalg(&kexlists[KEXLIST_HOSTKEY], "null");
883 alg->u.hk.hostkey = NULL;
884 }
885 /* List encryption algorithms (client->server then server->client). */
886 for (k = KEXLIST_CSCIPHER; k <= KEXLIST_SCCIPHER; k++) {
887 warn = false;
888 #ifdef FUZZING
889 alg = ssh2_kexinit_addalg(&kexlists[K], "none");
890 alg->u.cipher.cipher = NULL;
891 alg->u.cipher.warn = warn;
892 #endif /* FUZZING */
893 for (i = 0; i < n_preferred_ciphers; i++) {
894 const ssh2_ciphers *c = preferred_ciphers[i];
895 if (!c) warn = true;
896 else for (j = 0; j < c->nciphers; j++) {
897 alg = ssh2_kexinit_addalg(&kexlists[k],
898 c->list[j]->ssh2_id);
899 alg->u.cipher.cipher = c->list[j];
900 alg->u.cipher.warn = warn;
901 }
902 }
903 }
904
905 /*
906 * Be prepared to work around the buggy MAC problem.
907 */
908 if (remote_bugs & BUG_SSH2_HMAC) {
909 maclist = buggymacs;
910 nmacs = lenof(buggymacs);
911 } else {
912 maclist = macs;
913 nmacs = lenof(macs);
914 }
915
916 /* List MAC algorithms (client->server then server->client). */
917 for (j = KEXLIST_CSMAC; j <= KEXLIST_SCMAC; j++) {
918 #ifdef FUZZING
919 alg = ssh2_kexinit_addalg(kexlists[j], "none");
920 alg->u.mac.mac = NULL;
921 alg->u.mac.etm = false;
922 #endif /* FUZZING */
923 for (i = 0; i < nmacs; i++) {
924 alg = ssh2_kexinit_addalg(&kexlists[j], maclist[i]->name);
925 alg->u.mac.mac = maclist[i];
926 alg->u.mac.etm = false;
927 }
928 for (i = 0; i < nmacs; i++) {
929 /* For each MAC, there may also be an ETM version,
930 * which we list second. */
931 if (maclist[i]->etm_name) {
932 alg = ssh2_kexinit_addalg(&kexlists[j], maclist[i]->etm_name);
933 alg->u.mac.mac = maclist[i];
934 alg->u.mac.etm = true;
935 }
936 }
937 }
938
939 /* List client->server compression algorithms,
940 * then server->client compression algorithms. (We use the
941 * same set twice.) */
942 for (j = KEXLIST_CSCOMP; j <= KEXLIST_SCCOMP; j++) {
943 assert(lenof(compressions) > 1);
944 /* Prefer non-delayed versions */
945 alg = ssh2_kexinit_addalg(&kexlists[j], preferred_comp->name);
946 alg->u.comp.comp = preferred_comp;
947 alg->u.comp.delayed = false;
948 if (preferred_comp->delayed_name) {
949 alg = ssh2_kexinit_addalg(&kexlists[j],
950 preferred_comp->delayed_name);
951 alg->u.comp.comp = preferred_comp;
952 alg->u.comp.delayed = true;
953 }
954 for (i = 0; i < lenof(compressions); i++) {
955 const ssh_compression_alg *c = compressions[i];
956 alg = ssh2_kexinit_addalg(&kexlists[j], c->name);
957 alg->u.comp.comp = c;
958 alg->u.comp.delayed = false;
959 if (c->delayed_name) {
960 alg = ssh2_kexinit_addalg(&kexlists[j], c->delayed_name);
961 alg->u.comp.comp = c;
962 alg->u.comp.delayed = true;
963 }
964 }
965 }
966
967 /*
968 * Finally, format the lists into text and write them into the
969 * outgoing KEXINIT packet.
970 */
971 for (i = 0; i < NKEXLIST; i++) {
972 strbuf *list = strbuf_new();
973 if (ssc && ssc->kex_override[i].ptr) {
974 put_datapl(list, ssc->kex_override[i]);
975 } else {
976 for (j = 0; j < kexlists[i].nalgs; j++)
977 add_to_commasep_pl(list, kexlists[i].algs[j].name);
978 }
979 if (i == KEXLIST_KEX && first_time) {
980 if (our_hostkeys) { /* we're the server */
981 add_to_commasep_pl(list, ext_info_s);
982 add_to_commasep_pl(list, kex_strict_s);
983 } else { /* we're the client */
984 add_to_commasep_pl(list, ext_info_c);
985 add_to_commasep_pl(list, kex_strict_c);
986 }
987 }
988 put_stringsb(pktout, list);
989 }
990 /* List client->server languages. Empty list. */
991 put_stringz(pktout, "");
992 /* List server->client languages. Empty list. */
993 put_stringz(pktout, "");
994 }
995
996 struct server_hostkeys {
997 int *indices;
998 size_t n, size;
999 };
1000
1001 static bool kexinit_keyword_found(ptrlen list, ptrlen keyword)
1002 {
1003 for (ptrlen word; get_commasep_word(&list, &word) ;)
1004 if (ptrlen_eq_ptrlen(word, keyword))
1005 return true;
1006 return false;
1007 }
1008
1009 typedef struct ScanKexinitsResult {
1010 bool success;
1011
1012 /* only if success is false */
1013 enum {
1014 SKR_INCOMPLETE,
1015 SKR_UNKNOWN_ID,
1016 SKR_NO_AGREEMENT,
1017 } error;
1018
1019 const char *kind; /* what kind of thing did we fail to sort out? */
1020 ptrlen desc; /* and what was it? or what was the available list? */
1021 } ScanKexinitsResult;
1022
1023 static ScanKexinitsResult ssh2_scan_kexinits(
1024 ptrlen client_kexinit, ptrlen server_kexinit, bool we_are_server,
1025 struct kexinit_algorithm_list kexlists[NKEXLIST],
1026 const ssh_kex **kex_alg, const ssh_keyalg **hostkey_alg,
1027 transport_direction *cs, transport_direction *sc,
1028 bool *warn_kex, bool *warn_hk, bool *warn_cscipher, bool *warn_sccipher,
1029 bool *ignore_guess_cs_packet, bool *ignore_guess_sc_packet,
1030 struct server_hostkeys *server_hostkeys, unsigned *hkflags,
1031 bool *can_send_ext_info, bool first_time, bool *strict_kex)
1032 {
1033 BinarySource client[1], server[1];
1034 int i;
1035 bool guess_correct;
1036 ptrlen clists[NKEXLIST], slists[NKEXLIST];
1037 const struct kexinit_algorithm *selected[NKEXLIST];
1038
1039 BinarySource_BARE_INIT_PL(client, client_kexinit);
1040 BinarySource_BARE_INIT_PL(server, server_kexinit);
1041
1042 /* Skip packet type bytes and random cookies. */
1043 get_data(client, 1 + 16);
1044 get_data(server, 1 + 16);
1045
1046 guess_correct = true;
1047
1048 /* Find the matching string in each list, and map it to its
1049 * kexinit_algorithm structure. */
1050 for (i = 0; i < NKEXLIST; i++) {
1051 ptrlen clist, slist, cword, sword, found;
1052 bool cfirst, sfirst;
1053 int j;
1054
1055 clists[i] = get_string(client);
1056 slists[i] = get_string(server);
1057 if (get_err(client) || get_err(server)) {
1058 ScanKexinitsResult skr = {
1059 .success = false, .error = SKR_INCOMPLETE,
1060 };
1061 return skr;
1062 }
1063
1064 for (cfirst = true, clist = clists[i];
1065 get_commasep_word(&clist, &cword); cfirst = false)
1066 for (sfirst = true, slist = slists[i];
1067 get_commasep_word(&slist, &sword); sfirst = false)
1068 if (ptrlen_eq_ptrlen(cword, sword)) {
1069 found = cword;
1070 goto found_match;
1071 }
1072
1073 /* No matching string found in the two lists. Delay reporting
1074 * a fatal error until below, because sometimes it turns out
1075 * not to be fatal. */
1076 selected[i] = NULL;
1077
1078 /*
1079 * However, even if a failure to agree on any algorithm at all
1080 * is not completely fatal (e.g. because it's the MAC
1081 * negotiation for a cipher that comes with a built-in MAC),
1082 * it still invalidates the guessed key exchange packet. (RFC
1083 * 4253 section 7, not contradicted by OpenSSH's
1084 * PROTOCOL.chacha20poly1305 or as far as I can see by their
1085 * code.)
1086 */
1087 guess_correct = false;
1088
1089 continue;
1090
1091 found_match:
1092
1093 selected[i] = NULL;
1094 for (j = 0; j < kexlists[i].nalgs; j++) {
1095 if (ptrlen_eq_ptrlen(found, kexlists[i].algs[j].name)) {
1096 selected[i] = &kexlists[i].algs[j];
1097 break;
1098 }
1099 }
1100 if (!selected[i]) {
1101 /*
1102 * In the client, this should never happen! But in the
1103 * server, where we allow manual override on the command
1104 * line of the exact KEXINIT strings, it can happen
1105 * because the command line contained a typo. So we
1106 * produce a reasonably useful message instead of an
1107 * assertion failure.
1108 */
1109 ScanKexinitsResult skr = {
1110 .success = false, .error = SKR_UNKNOWN_ID,
1111 .kind = kexlist_descr[i], .desc = found,
1112 };
1113 return skr;
1114 }
1115
1116 /*
1117 * If the kex or host key algorithm is not the first one in
1118 * both sides' lists, that means the guessed key exchange
1119 * packet (if any) is officially wrong.
1120 */
1121 if ((i == KEXLIST_KEX || i == KEXLIST_HOSTKEY) && !(cfirst || sfirst))
1122 guess_correct = false;
1123 }
1124
1125 /*
1126 * Skip language strings in both KEXINITs, and read the flags
1127 * saying whether a guessed KEX packet follows.
1128 */
1129 get_string(client);
1130 get_string(client);
1131 get_string(server);
1132 get_string(server);
1133 if (ignore_guess_cs_packet)
1134 *ignore_guess_cs_packet = get_bool(client) && !guess_correct;
1135 if (ignore_guess_sc_packet)
1136 *ignore_guess_sc_packet = get_bool(server) && !guess_correct;
1137
1138 /*
1139 * Now transcribe the selected algorithm set into the output data.
1140 */
1141 for (i = 0; i < NKEXLIST; i++) {
1142 const struct kexinit_algorithm *alg;
1143
1144 /*
1145 * If we've already selected a cipher which requires a
1146 * particular MAC, then just select that. This is the case in
1147 * which it's not a fatal error if the actual MAC string lists
1148 * didn't include any matching error.
1149 */
1150 if (i == KEXLIST_CSMAC && cs->cipher &&
1151 cs->cipher->required_mac) {
1152 cs->mac = cs->cipher->required_mac;
1153 cs->etm_mode = !!(cs->mac->etm_name);
1154 continue;
1155 }
1156 if (i == KEXLIST_SCMAC && sc->cipher &&
1157 sc->cipher->required_mac) {
1158 sc->mac = sc->cipher->required_mac;
1159 sc->etm_mode = !!(sc->mac->etm_name);
1160 continue;
1161 }
1162
1163 alg = selected[i];
1164 if (!alg) {
1165 /*
1166 * Otherwise, any match failure _is_ a fatal error.
1167 */
1168 ScanKexinitsResult skr = {
1169 .success = false, .error = SKR_UNKNOWN_ID,
1170 .kind = kexlist_descr[i], .desc = slists[i],
1171 };
1172 return skr;
1173 }
1174
1175 switch (i) {
1176 case KEXLIST_KEX:
1177 *kex_alg = alg->u.kex.kex;
1178 *warn_kex = alg->u.kex.warn;
1179 break;
1180
1181 case KEXLIST_HOSTKEY:
1182 /*
1183 * Ignore an unexpected/inappropriate offer of "null",
1184 * we offer "null" when we're willing to use GSS KEX,
1185 * but it is only acceptable when GSSKEX is actually
1186 * selected.
1187 */
1188 if (alg->u.hk.hostkey == NULL &&
1189 (*kex_alg)->main_type != KEXTYPE_GSS)
1190 continue;
1191
1192 *hostkey_alg = alg->u.hk.hostkey;
1193 *hkflags = alg->u.hk.hkflags;
1194 *warn_hk = alg->u.hk.warn;
1195 break;
1196
1197 case KEXLIST_CSCIPHER:
1198 cs->cipher = alg->u.cipher.cipher;
1199 *warn_cscipher = alg->u.cipher.warn;
1200 break;
1201
1202 case KEXLIST_SCCIPHER:
1203 sc->cipher = alg->u.cipher.cipher;
1204 *warn_sccipher = alg->u.cipher.warn;
1205 break;
1206
1207 case KEXLIST_CSMAC:
1208 cs->mac = alg->u.mac.mac;
1209 cs->etm_mode = alg->u.mac.etm;
1210 break;
1211
1212 case KEXLIST_SCMAC:
1213 sc->mac = alg->u.mac.mac;
1214 sc->etm_mode = alg->u.mac.etm;
1215 break;
1216
1217 case KEXLIST_CSCOMP:
1218 cs->comp = alg->u.comp.comp;
1219 cs->comp_delayed = alg->u.comp.delayed;
1220 break;
1221
1222 case KEXLIST_SCCOMP:
1223 sc->comp = alg->u.comp.comp;
1224 sc->comp_delayed = alg->u.comp.delayed;
1225 break;
1226
1227 default:
1228 unreachable("Bad list index in scan_kexinits");
1229 }
1230 }
1231
1232 /*
1233 * Check whether the other side advertised support for EXT_INFO.
1234 */
1235 if (kexinit_keyword_found(
1236 we_are_server ? clists[KEXLIST_KEX] : slists[KEXLIST_KEX],
1237 we_are_server ? ext_info_c : ext_info_s))
1238 *can_send_ext_info = true;
1239
1240 /*
1241 * Check whether the other side advertised support for kex-strict.
1242 */
1243 if (first_time && kexinit_keyword_found(
1244 we_are_server ? clists[KEXLIST_KEX] : slists[KEXLIST_KEX],
1245 we_are_server ? kex_strict_c : kex_strict_s))
1246 *strict_kex = true;
1247
1248 if (server_hostkeys) {
1249 /*
1250 * Finally, make an auxiliary pass over the server's host key
1251 * list to find all the host key algorithms offered by the
1252 * server which we know about at all, whether we selected each
1253 * one or not. We return these as a list of indices into the
1254 * constant ssh2_hostkey_algs[] array.
1255 */
1256 ptrlen list = slists[KEXLIST_HOSTKEY];
1257 for (ptrlen word; get_commasep_word(&list, &word) ;) {
1258 for (i = 0; i < lenof(ssh2_hostkey_algs); i++)
1259 if (ptrlen_eq_string(word, ssh2_hostkey_algs[i].alg->ssh_id)) {
1260 sgrowarray(server_hostkeys->indices, server_hostkeys->size,
1261 server_hostkeys->n);
1262 server_hostkeys->indices[server_hostkeys->n++] = i;
1263 break;
1264 }
1265 }
1266 }
1267
1268 ScanKexinitsResult skr = { .success = true };
1269 return skr;
1270 }
1271
1272 static void ssh2_report_scan_kexinits_error(Ssh *ssh, ScanKexinitsResult skr)
1273 {
1274 assert(!skr.success);
1275
1276 switch (skr.error) {
1277 case SKR_INCOMPLETE:
1278 /* Report a better error than the spurious "Couldn't
1279 * agree" that we'd generate if we pressed on regardless
1280 * and treated the empty get_string() result as genuine */
1281 ssh_proto_error(ssh, "KEXINIT packet was incomplete");
1282 break;
1283 case SKR_UNKNOWN_ID:
1284 ssh_sw_abort(ssh, "Selected %s \"%.*s\" does not correspond to "
1285 "any supported algorithm",
1286 skr.kind, PTRLEN_PRINTF(skr.desc));
1287 break;
1288 case SKR_NO_AGREEMENT:
1289 ssh_sw_abort(ssh, "Couldn't agree a %s (available: %.*s)",
1290 skr.kind, PTRLEN_PRINTF(skr.desc));
1291 break;
1292 default:
1293 unreachable("bad ScanKexinitsResult");
1294 }
1295 }
1296
1297 static inline bool delay_outgoing_kexinit(struct ssh2_transport_state *s)
1298 {
1299 if (!(s->ppl.remote_bugs & BUG_REQUIRES_FILTERED_KEXINIT))
1300 return false; /* bug flag not enabled => no need to delay */
1301 if (s->incoming_kexinit->len)
1302 return false; /* already got a remote KEXINIT we can filter against */
1303 return true;
1304 }
1305
1306 static void filter_outgoing_kexinit(struct ssh2_transport_state *s)
1307 {
1308 strbuf *pktout = strbuf_new();
1309 BinarySource osrc[1], isrc[1];
1310 BinarySource_BARE_INIT(
1311 osrc, s->outgoing_kexinit->u, s->outgoing_kexinit->len);
1312 BinarySource_BARE_INIT(
1313 isrc, s->incoming_kexinit->u, s->incoming_kexinit->len);
1314
1315 /* Skip the packet type bytes from both packets */
1316 get_byte(osrc);
1317 get_byte(isrc);
1318
1319 /* Copy our cookie into the real output packet; skip their cookie */
1320 put_datapl(pktout, get_data(osrc, 16));
1321 get_data(isrc, 16);
1322
1323 /*
1324 * Now we expect NKEXLIST+2 name-lists. We write into the outgoing
1325 * packet a subset of our intended outgoing one, containing only
1326 * names mentioned in the incoming out.
1327 *
1328 * NKEXLIST+2 because for this purpose we treat the 'languages'
1329 * lists the same as the rest. In the rest of this code base we
1330 * ignore those.
1331 */
1332 strbuf *out = strbuf_new();
1333 for (size_t i = 0; i < NKEXLIST+2; i++) {
1334 strbuf_clear(out);
1335 ptrlen olist = get_string(osrc), ilist = get_string(isrc);
1336 for (ptrlen oword; get_commasep_word(&olist, &oword) ;) {
1337 ptrlen searchword = oword;
1338 ptrlen ilist_copy = ilist;
1339
1340 /*
1341 * Special case: the kex_strict keywords are
1342 * asymmetrically named, so if we're contemplating
1343 * including one of them in our filtered KEXINIT, we
1344 * should search the other side's KEXINIT for the _other_
1345 * one, not the same one.
1346 */
1347 if (i == KEXLIST_KEX) {
1348 if (ptrlen_eq_ptrlen(oword, kex_strict_c))
1349 searchword = kex_strict_s;
1350 else if (ptrlen_eq_ptrlen(oword, kex_strict_s))
1351 searchword = kex_strict_c;
1352 }
1353
1354 bool add = false;
1355 for (ptrlen iword; get_commasep_word(&ilist_copy, &iword) ;) {
1356 if (ptrlen_eq_ptrlen(searchword, iword)) {
1357 /* Found this word in the incoming list. */
1358 add = true;
1359 break;
1360 }
1361 }
1362
1363 if (i == KEXLIST_KEX && ptrlen_eq_string(oword, "ext-info-c")) {
1364 /* Special case: this will _never_ match anything from the
1365 * server, and we need it to enable SHA-2 based RSA.
1366 *
1367 * If this ever turns out to confuse any server all by
1368 * itself then I suppose we'll need an even more
1369 * draconian bug flag to exclude that too. (Obv, such
1370 * a server wouldn't be able to speak SHA-2 RSA
1371 * anyway.) */
1372 add = true;
1373 }
1374
1375 if (add)
1376 add_to_commasep_pl(out, oword);
1377 }
1378 put_stringpl(pktout, ptrlen_from_strbuf(out));
1379 }
1380 strbuf_free(out);
1381
1382 /*
1383 * Finally, copy the remaining parts of our intended KEXINIT.
1384 */
1385 put_bool(pktout, get_bool(osrc)); /* first-kex-packet-follows */
1386 put_uint32(pktout, get_uint32(osrc)); /* reserved word */
1387
1388 /*
1389 * Dump this data into s->outgoing_kexinit in place of what we had
1390 * there before. We need to remember the KEXINIT we _really_ sent,
1391 * not the one we'd have liked to send, since the host key
1392 * signature will be validated against the former.
1393 */
1394 strbuf_shrink_to(s->outgoing_kexinit, 1); /* keep the type byte */
1395 put_datapl(s->outgoing_kexinit, ptrlen_from_strbuf(pktout));
1396 strbuf_free(pktout);
1397 }
1398
1399 void ssh2transport_finalise_exhash(struct ssh2_transport_state *s)
1400 {
1401 put_datapl(s->exhash, ptrlen_from_strbuf(s->kex_shared_secret));
1402 assert(ssh_hash_alg(s->exhash)->hlen <= sizeof(s->exchange_hash));
1403 ssh_hash_final(s->exhash, s->exchange_hash);
1404 s->exhash = NULL;
1405
1406 #if 0
1407 debug("Exchange hash is:\n");
1408 dmemdump(s->exchange_hash, s->kex_alg->hash->hlen);
1409 #endif
1410 }
1411
1412 static void ssh2_transport_process_queue(PacketProtocolLayer *ppl)
1413 {
1414 struct ssh2_transport_state *s =
1415 container_of(ppl, struct ssh2_transport_state, ppl);
1416 PktIn *pktin;
1417 PktOut *pktout;
1418
1419 /* Filter centrally handled messages off the front of the queue on
1420 * every entry to this coroutine, no matter where we're resuming
1421 * from, even if we're _not_ looping on pq_pop. That way we can
1422 * still proactively handle those messages even if we're waiting
1423 * for a user response. */
1424 if (ssh2_transport_filter_queue(s))
1425 return; /* we've been freed */
1426
1427 crBegin(s->crState);
1428
1429 s->in.cipher = s->out.cipher = NULL;
1430 s->in.mac = s->out.mac = NULL;
1431 s->in.comp = s->out.comp = NULL;
1432
1433 s->got_session_id = false;
1434 s->need_gss_transient_hostkey = false;
1435 s->warned_about_no_gss_transient_hostkey = false;
1436
1437 begin_key_exchange:
1438
1439 #ifndef NO_GSSAPI
1440 if (s->need_gss_transient_hostkey) {
1441 /*
1442 * This flag indicates a special case in which we must not do
1443 * GSS key exchange even if we could. (See comments below,
1444 * where the flag was set on the previous key exchange.)
1445 */
1446 s->can_gssapi_keyex = false;
1447 } else if (conf_get_bool(s->conf, CONF_try_gssapi_kex)) {
1448 /*
1449 * We always check if we have GSS creds before we come up with
1450 * the kex algorithm list, otherwise future rekeys will fail
1451 * when creds expire. To make this so, this code section must
1452 * follow the begin_key_exchange label above, otherwise this
1453 * section would execute just once per-connection.
1454 *
1455 * Update GSS state unless the reason we're here is that a
1456 * timer just checked the GSS state and decided that we should
1457 * rekey to update delegated credentials. In that case, the
1458 * state is "fresh".
1459 */
1460 if (s->rekey_class != RK_GSS_UPDATE)
1461 ssh2_transport_gss_update(s, true);
1462
1463 /* Do GSSAPI KEX when capable */
1464 s->can_gssapi_keyex = s->gss_status & GSS_KEX_CAPABLE;
1465
1466 /*
1467 * But not when failure is likely. [ GSS implementations may
1468 * attempt (and fail) to use a ticket that is almost expired
1469 * when retrieved from the ccache that actually expires by the
1470 * time the server receives it. ]
1471 *
1472 * Note: The first time always try KEXGSS if we can, failures
1473 * will be very rare, and disabling the initial GSS KEX is
1474 * worse. Some day GSS libraries will ignore cached tickets
1475 * whose lifetime is critically short, and will instead use
1476 * fresh ones.
1477 */
1478 if (!s->got_session_id && (s->gss_status & GSS_CTXT_MAYFAIL) != 0)
1479 s->can_gssapi_keyex = false;
1480 s->gss_delegate = conf_get_bool(s->conf, CONF_gssapifwd);
1481 } else {
1482 s->can_gssapi_keyex = false;
1483 }
1484 #endif
1485
1486 s->ppl.bpp->pls->kctx = SSH2_PKTCTX_NOKEX;
1487
1488 /*
1489 * Construct our KEXINIT packet, in a strbuf so we can refer to it
1490 * later.
1491 */
1492 strbuf_clear(s->outgoing_kexinit);
1493 put_byte(s->outgoing_kexinit, SSH2_MSG_KEXINIT);
1494 random_read(strbuf_append(s->outgoing_kexinit, 16), 16);
1495 ssh2_write_kexinit_lists(
1496 BinarySink_UPCAST(s->outgoing_kexinit), s->kexlists,
1497 s->conf, s->ssc, s->ppl.remote_bugs,
1498 s->savedhost, s->savedport, s->hostkey_alg, s->thc, s->host_cas,
1499 s->hostkeys, s->nhostkeys,
1500 !s->got_session_id, s->can_gssapi_keyex,
1501 s->gss_kex_used && !s->need_gss_transient_hostkey);
1502 /* First KEX packet does _not_ follow, because we're not that brave. */
1503 put_bool(s->outgoing_kexinit, false);
1504 put_uint32(s->outgoing_kexinit, 0); /* reserved */
1505
1506 /*
1507 * Send our KEXINIT, most of the time.
1508 *
1509 * An exception: in BUG_REQUIRES_FILTERED_KEXINIT mode, we have to
1510 * have seen at least one KEXINIT from the server first, so that
1511 * we can filter our own KEXINIT down to contain only algorithms
1512 * the server mentioned.
1513 *
1514 * But we only need to do this on the _first_ key exchange, when
1515 * we've never seen a KEXINIT from the server before. In rekeys,
1516 * we still have the server's previous KEXINIT lying around, so we
1517 * can filter based on that.
1518 *
1519 * (And a good thing too, since the way you _initiate_ a rekey is
1520 * by sending your KEXINIT, so we'd have no way to prod the server
1521 * into sending its first!)
1522 */
1523 s->kexinit_delayed = delay_outgoing_kexinit(s);
1524 if (!s->kexinit_delayed) {
1525 if (s->ppl.remote_bugs & BUG_REQUIRES_FILTERED_KEXINIT) {
1526 /* Filter based on the KEXINIT from the previous exchange */
1527 filter_outgoing_kexinit(s);
1528 }
1529
1530 pktout = ssh_bpp_new_pktout(s->ppl.bpp, SSH2_MSG_KEXINIT);
1531 put_data(pktout, s->outgoing_kexinit->u + 1,
1532 s->outgoing_kexinit->len - 1); /* omit type byte */
1533 pq_push(s->ppl.out_pq, pktout);
1534 }
1535
1536 /*
1537 * Flag that KEX is in progress.
1538 */
1539 s->kex_in_progress = true;
1540
1541 /*
1542 * Wait for the other side's KEXINIT, and save it.
1543 */
1544 crMaybeWaitUntilV((pktin = ssh2_transport_pop(s)) != NULL);
1545 if (pktin->type != SSH2_MSG_KEXINIT) {
1546 ssh_proto_error(s->ppl.ssh, "Received unexpected packet when "
1547 "expecting KEXINIT, type %d (%s)", pktin->type,
1548 ssh2_pkt_type(s->ppl.bpp->pls->kctx,
1549 s->ppl.bpp->pls->actx, pktin->type));
1550 return;
1551 }
1552 strbuf_clear(s->incoming_kexinit);
1553 put_byte(s->incoming_kexinit, SSH2_MSG_KEXINIT);
1554 put_data(s->incoming_kexinit, get_ptr(pktin), get_avail(pktin));
1555
1556 /*
1557 * If we've delayed sending our KEXINIT so as to filter it down to
1558 * only things the server won't choke on, send ours now.
1559 */
1560 if (s->kexinit_delayed) {
1561 filter_outgoing_kexinit(s);
1562 pktout = ssh_bpp_new_pktout(s->ppl.bpp, SSH2_MSG_KEXINIT);
1563 put_data(pktout, s->outgoing_kexinit->u + 1,
1564 s->outgoing_kexinit->len - 1); /* omit type byte */
1565 pq_push(s->ppl.out_pq, pktout);
1566 }
1567
1568 /*
1569 * Work through the two KEXINIT packets in parallel to find the
1570 * selected algorithm identifiers.
1571 */
1572 {
1573 struct server_hostkeys hks = { NULL, 0, 0 };
1574
1575 ScanKexinitsResult skr = ssh2_scan_kexinits(
1576 ptrlen_from_strbuf(s->client_kexinit),
1577 ptrlen_from_strbuf(s->server_kexinit), s->ssc != NULL,
1578 s->kexlists, &s->kex_alg, &s->hostkey_alg, s->cstrans,
1579 s->sctrans, &s->warn_kex, &s->warn_hk, &s->warn_cscipher,
1580 &s->warn_sccipher, NULL, &s->ignorepkt, &hks,
1581 &s->hkflags, &s->can_send_ext_info, !s->got_session_id,
1582 &s->strict_kex);
1583
1584 if (!skr.success) {
1585 sfree(hks.indices);
1586 ssh2_report_scan_kexinits_error(s->ppl.ssh, skr);
1587 return; /* we just called a fatal error function */
1588 }
1589
1590 /*
1591 * If we've just turned on strict kex mode, say so, and
1592 * retrospectively fault any pre-KEXINIT extraneous packets.
1593 */
1594 if (!s->got_session_id && s->strict_kex) {
1595 ppl_logevent("Enabling strict key exchange semantics");
1596 if (s->seen_non_kexinit) {
1597 ssh_proto_error(s->ppl.ssh, "Received a packet before KEXINIT "
1598 "in strict-kex mode");
1599 return;
1600 }
1601 }
1602
1603 /*
1604 * In addition to deciding which host key we're actually going
1605 * to use, we should make a list of the host keys offered by
1606 * the server which we _don't_ have cached. These will be
1607 * offered as cross-certification options by ssh_get_specials.
1608 *
1609 * We also count the key we're currently using for KEX as one
1610 * we've already got, because by the time this menu becomes
1611 * visible, it will be.
1612 */
1613 s->n_uncert_hostkeys = 0;
1614
1615 for (int i = 0; i < hks.n; i++) {
1616 int j = hks.indices[i];
1617 if (ssh2_hostkey_algs[j].alg != s->hostkey_alg &&
1618 ssh2_hostkey_algs[j].alg->cache_id &&
1619 !have_ssh_host_key(s->savedhost, s->savedport,
1620 ssh2_hostkey_algs[j].alg->cache_id)) {
1621 s->uncert_hostkeys[s->n_uncert_hostkeys++] = j;
1622 }
1623 }
1624
1625 sfree(hks.indices);
1626 }
1627
1628 if (s->warn_kex) {
1629 s->spr = ssh2_transport_confirm_weak_crypto_primitive(
1630 s, "key-exchange algorithm", s->kex_alg->name, s->kex_alg,
1631 WCR_BELOW_THRESHOLD);
1632 crMaybeWaitUntilV(s->spr.kind != SPRK_INCOMPLETE);
1633 if (spr_is_abort(s->spr)) {
1634 ssh_spr_close(s->ppl.ssh, s->spr, "kex warning");
1635 return;
1636 }
1637 }
1638
1639 if (s->warn_hk) {
1640 int j, k;
1641 const char **betteralgs = NULL;
1642 size_t nbetter = 0, bettersize = 0;
1643
1644 /*
1645 * Change warning box wording depending on why we chose a
1646 * warning-level host key algorithm. If it's because
1647 * that's all we have *cached*, list the host keys we
1648 * could usefully cross-certify. Otherwise, use the same
1649 * standard wording as any other weak crypto primitive.
1650 */
1651 for (j = 0; j < s->n_uncert_hostkeys; j++) {
1652 const struct ssh_signkey_with_user_pref_id *hktype =
1653 &ssh2_hostkey_algs[s->uncert_hostkeys[j]];
1654 bool better = false;
1655 for (k = 0; k < HK_MAX; k++) {
1656 int id = conf_get_int_int(s->conf, CONF_ssh_hklist, k);
1657 if (id == HK_WARN) {
1658 break;
1659 } else if (id == hktype->id) {
1660 better = true;
1661 break;
1662 }
1663 }
1664 if (better) {
1665 sgrowarray(betteralgs, bettersize, nbetter);
1666 betteralgs[nbetter++] = hktype->alg->ssh_id;
1667 }
1668 }
1669 if (betteralgs) {
1670 /* Use the special warning prompt that lets us provide
1671 * a list of better algorithms */
1672 sgrowarray(betteralgs, bettersize, nbetter);
1673 betteralgs[nbetter] = NULL;
1674 s->spr = confirm_weak_cached_hostkey(
1675 ppl_get_iseat(&s->ppl), s->hostkey_alg->ssh_id, betteralgs,
1676 ssh2_transport_dialog_callback, s);
1677 sfree(betteralgs);
1678 } else {
1679 /* If none exist, use the more general 'weak crypto'
1680 * warning prompt */
1681 s->spr = ssh2_transport_confirm_weak_crypto_primitive(
1682 s, "host key type", s->hostkey_alg->ssh_id,
1683 s->hostkey_alg, WCR_BELOW_THRESHOLD);
1684 }
1685 crMaybeWaitUntilV(s->spr.kind != SPRK_INCOMPLETE);
1686 if (spr_is_abort(s->spr)) {
1687 ssh_spr_close(s->ppl.ssh, s->spr, "host key warning");
1688 return;
1689 }
1690 }
1691
1692 if (s->warn_cscipher) {
1693 s->spr = ssh2_transport_confirm_weak_crypto_primitive(
1694 s, "client-to-server cipher", s->out.cipher->ssh2_id,
1695 s->out.cipher, WCR_BELOW_THRESHOLD);
1696 crMaybeWaitUntilV(s->spr.kind != SPRK_INCOMPLETE);
1697 if (spr_is_abort(s->spr)) {
1698 ssh_spr_close(s->ppl.ssh, s->spr, "cipher warning");
1699 return;
1700 }
1701 }
1702
1703 if (s->warn_sccipher) {
1704 s->spr = ssh2_transport_confirm_weak_crypto_primitive(
1705 s, "server-to-client cipher", s->in.cipher->ssh2_id,
1706 s->in.cipher, WCR_BELOW_THRESHOLD);
1707 crMaybeWaitUntilV(s->spr.kind != SPRK_INCOMPLETE);
1708 if (spr_is_abort(s->spr)) {
1709 ssh_spr_close(s->ppl.ssh, s->spr, "cipher warning");
1710 return;
1711 }
1712 }
1713
1714 {
1715 s->terrapin.csvuln = terrapin_vulnerable(s->strict_kex, s->cstrans);
1716 s->terrapin.scvuln = terrapin_vulnerable(s->strict_kex, s->sctrans);
1717 s->terrapin.wcr = WCR_TERRAPIN;
1718
1719 if (s->terrapin.csvuln || s->terrapin.scvuln) {
1720 ppl_logevent("SSH connection is vulnerable to 'Terrapin' attack "
1721 "(CVE-2023-48795)");
1722 if (try_to_avoid_terrapin(s))
1723 s->terrapin.wcr = WCR_TERRAPIN_AVOIDABLE;
1724 }
1725
1726 if (s->terrapin.csvuln) {
1727 s->spr = ssh2_transport_confirm_weak_crypto_primitive(
1728 s, "client-to-server cipher", s->terrapin.csvuln,
1729 terrapin_weakness, s->terrapin.wcr);
1730 crMaybeWaitUntilV(s->spr.kind != SPRK_INCOMPLETE);
1731 if (spr_is_abort(s->spr)) {
1732 ssh_spr_close(s->ppl.ssh, s->spr, "vulnerability warning");
1733 return;
1734 }
1735 }
1736
1737 if (s->terrapin.scvuln) {
1738 s->spr = ssh2_transport_confirm_weak_crypto_primitive(
1739 s, "server-to-client cipher", s->terrapin.scvuln,
1740 terrapin_weakness, s->terrapin.wcr);
1741 crMaybeWaitUntilV(s->spr.kind != SPRK_INCOMPLETE);
1742 if (spr_is_abort(s->spr)) {
1743 ssh_spr_close(s->ppl.ssh, s->spr, "vulnerability warning");
1744 return;
1745 }
1746 }
1747
1748 if (s->terrapin.csvuln || s->terrapin.scvuln) {
1749 ppl_logevent("Continuing despite 'Terrapin' vulnerability, "
1750 "at user request");
1751 }
1752 }
1753
1754 /*
1755 * If the other side has sent an initial key exchange packet that
1756 * we must treat as a wrong guess, wait for it, and discard it.
1757 */
1758 if (s->ignorepkt)
1759 crMaybeWaitUntilV((pktin = ssh2_transport_pop(s)) != NULL);
1760
1761 /*
1762 * Actually perform the key exchange.
1763 */
1764 s->exhash = ssh_hash_new(s->kex_alg->hash);
1765 if (s->kex_shared_secret)
1766 strbuf_free(s->kex_shared_secret);
1767 s->kex_shared_secret = strbuf_new_nm();
1768 put_stringz(s->exhash, s->client_greeting);
1769 put_stringz(s->exhash, s->server_greeting);
1770 put_string(s->exhash, s->client_kexinit->u, s->client_kexinit->len);
1771 put_string(s->exhash, s->server_kexinit->u, s->server_kexinit->len);
1772 s->crStateKex = 0;
1773 while (1) {
1774 bool aborted = false;
1775 ssh2kex_coroutine(s, &aborted);
1776 if (aborted)
1777 return; /* disaster: our entire state has been freed */
1778 if (!s->crStateKex)
1779 break; /* kex phase has terminated normally */
1780 crReturnV;
1781 }
1782
1783 /*
1784 * The exchange hash from the very first key exchange is also
1785 * the session id, used in session key construction and
1786 * authentication.
1787 */
1788 if (!s->got_session_id) {
1789 assert(sizeof(s->exchange_hash) <= sizeof(s->session_id));
1790 memcpy(s->session_id, s->exchange_hash, sizeof(s->exchange_hash));
1791 s->session_id_len = s->kex_alg->hash->hlen;
1792 assert(s->session_id_len <= sizeof(s->session_id));
1793 s->got_session_id = true;
1794 }
1795
1796 /*
1797 * Send SSH2_MSG_NEWKEYS.
1798 */
1799 pktout = ssh_bpp_new_pktout(s->ppl.bpp, SSH2_MSG_NEWKEYS);
1800 pq_push(s->ppl.out_pq, pktout);
1801 /* Start counting down the outgoing-data limit for these cipher keys. */
1802 dts_reset(&s->stats->out, s->max_data_size);
1803
1804 /*
1805 * Force the BPP to synchronously marshal all packets up to and
1806 * including that NEWKEYS into wire format, before we switch over
1807 * to new crypto.
1808 */
1809 ssh_bpp_handle_output(s->ppl.bpp);
1810
1811 /*
1812 * We've sent outgoing NEWKEYS, so create and initialise outgoing
1813 * session keys.
1814 */
1815 {
1816 strbuf *cipher_key = strbuf_new_nm();
1817 strbuf *cipher_iv = strbuf_new_nm();
1818 strbuf *mac_key = strbuf_new_nm();
1819
1820 if (s->out.cipher) {
1821 ssh2_mkkey(s, cipher_iv, s->kex_shared_secret, s->exchange_hash,
1822 'A' + s->out.mkkey_adjust, s->out.cipher->blksize);
1823 ssh2_mkkey(s, cipher_key, s->kex_shared_secret, s->exchange_hash,
1824 'C' + s->out.mkkey_adjust,
1825 s->out.cipher->padded_keybytes);
1826 }
1827 if (s->out.mac) {
1828 ssh2_mkkey(s, mac_key, s->kex_shared_secret, s->exchange_hash,
1829 'E' + s->out.mkkey_adjust, s->out.mac->keylen);
1830 }
1831
1832 ssh2_bpp_new_outgoing_crypto(
1833 s->ppl.bpp,
1834 s->out.cipher, cipher_key->u, cipher_iv->u,
1835 s->out.mac, s->out.etm_mode, mac_key->u,
1836 s->out.comp, s->out.comp_delayed,
1837 s->strict_kex);
1838 s->enabled_outgoing_crypto = true;
1839
1840 strbuf_free(cipher_key);
1841 strbuf_free(cipher_iv);
1842 strbuf_free(mac_key);
1843 }
1844
1845 /*
1846 * If that was our first key exchange, this is the moment to send
1847 * our EXT_INFO, if we're sending one.
1848 */
1849 if (!s->post_newkeys_ext_info) {
1850 s->post_newkeys_ext_info = true; /* never do this again */
1851 if (s->can_send_ext_info) {
1852 strbuf *extinfo = strbuf_new();
1853 uint32_t n_exts = 0;
1854
1855 if (s->ssc) {
1856 /* Server->client EXT_INFO lists our supported user
1857 * key algorithms. */
1858 n_exts++;
1859 put_stringz(extinfo, "server-sig-algs");
1860 strbuf *list = strbuf_new();
1861 for (size_t i = 0; i < n_keyalgs; i++)
1862 add_to_commasep(list, all_keyalgs[i]->ssh_id);
1863 put_stringsb(extinfo, list);
1864 } else {
1865 /* Client->server EXT_INFO is currently not sent, but here's
1866 * where we should put things in it if we ever want to. */
1867 }
1868
1869 /* Only send EXT_INFO if it's non-empty */
1870 if (n_exts) {
1871 pktout = ssh_bpp_new_pktout(s->ppl.bpp, SSH2_MSG_EXT_INFO);
1872 put_uint32(pktout, n_exts);
1873 put_datapl(pktout, ptrlen_from_strbuf(extinfo));
1874 pq_push(s->ppl.out_pq, pktout);
1875 }
1876
1877 strbuf_free(extinfo);
1878 }
1879 }
1880
1881 /*
1882 * Now our end of the key exchange is complete, we can send all
1883 * our queued higher-layer packets. Transfer the whole of the next
1884 * layer's outgoing queue on to our own.
1885 */
1886 pq_concatenate(s->ppl.out_pq, s->ppl.out_pq, &s->pq_out_higher);
1887 ssh_sendbuffer_changed(s->ppl.ssh);
1888
1889 /*
1890 * Expect SSH2_MSG_NEWKEYS from server.
1891 */
1892 crMaybeWaitUntilV((pktin = ssh2_transport_pop(s)) != NULL);
1893 if (pktin->type != SSH2_MSG_NEWKEYS) {
1894 ssh_proto_error(s->ppl.ssh, "Received unexpected packet when "
1895 "expecting SSH_MSG_NEWKEYS, type %d (%s)",
1896 pktin->type,
1897 ssh2_pkt_type(s->ppl.bpp->pls->kctx,
1898 s->ppl.bpp->pls->actx,
1899 pktin->type));
1900 return;
1901 }
1902 /* Start counting down the incoming-data limit for these cipher keys. */
1903 dts_reset(&s->stats->in, s->max_data_size);
1904
1905 /*
1906 * We've seen incoming NEWKEYS, so create and initialise
1907 * incoming session keys.
1908 */
1909 {
1910 strbuf *cipher_key = strbuf_new_nm();
1911 strbuf *cipher_iv = strbuf_new_nm();
1912 strbuf *mac_key = strbuf_new_nm();
1913
1914 if (s->in.cipher) {
1915 ssh2_mkkey(s, cipher_iv, s->kex_shared_secret, s->exchange_hash,
1916 'A' + s->in.mkkey_adjust, s->in.cipher->blksize);
1917 ssh2_mkkey(s, cipher_key, s->kex_shared_secret, s->exchange_hash,
1918 'C' + s->in.mkkey_adjust,
1919 s->in.cipher->padded_keybytes);
1920 }
1921 if (s->in.mac) {
1922 ssh2_mkkey(s, mac_key, s->kex_shared_secret, s->exchange_hash,
1923 'E' + s->in.mkkey_adjust, s->in.mac->keylen);
1924 }
1925
1926 ssh2_bpp_new_incoming_crypto(
1927 s->ppl.bpp,
1928 s->in.cipher, cipher_key->u, cipher_iv->u,
1929 s->in.mac, s->in.etm_mode, mac_key->u,
1930 s->in.comp, s->in.comp_delayed,
1931 s->strict_kex);
1932 s->enabled_incoming_crypto = true;
1933
1934 strbuf_free(cipher_key);
1935 strbuf_free(cipher_iv);
1936 strbuf_free(mac_key);
1937 }
1938
1939 /*
1940 * Free shared secret.
1941 */
1942 strbuf_free(s->kex_shared_secret);
1943 s->kex_shared_secret = NULL;
1944
1945 /*
1946 * Update the specials menu to list the remaining uncertified host
1947 * keys.
1948 */
1949 seat_update_specials_menu(s->ppl.seat);
1950
1951 /*
1952 * Key exchange is over. Loop straight back round if we have a
1953 * deferred rekey reason.
1954 */
1955 if (s->deferred_rekey_reason) {
1956 ppl_logevent("%s", s->deferred_rekey_reason);
1957 pktin = NULL;
1958 s->deferred_rekey_reason = NULL;
1959 goto begin_key_exchange;
1960 }
1961
1962 /*
1963 * Otherwise, schedule a timer for our next rekey.
1964 */
1965 s->kex_in_progress = false;
1966 s->last_rekey = GETTICKCOUNT();
1967 (void) ssh2_transport_timer_update(s, 0);
1968
1969 /*
1970 * Now we're encrypting. Get the next-layer protocol started if it
1971 * hasn't already, and then sit here waiting for reasons to go
1972 * back to the start and do a repeat key exchange. One of those
1973 * reasons is that we receive KEXINIT from the other end; the
1974 * other is if we find rekey_reason is non-NULL, i.e. we've
1975 * decided to initiate a rekey ourselves for some reason.
1976 */
1977 if (!s->higher_layer_ok) {
1978 if (!s->hostkeys) {
1979 /* We're the client, so send SERVICE_REQUEST. */
1980 pktout = ssh_bpp_new_pktout(s->ppl.bpp, SSH2_MSG_SERVICE_REQUEST);
1981 put_stringz(pktout, s->higher_layer->vt->name);
1982 pq_push(s->ppl.out_pq, pktout);
1983 crMaybeWaitUntilV((pktin = ssh2_transport_pop(s)) != NULL);
1984 if (pktin->type != SSH2_MSG_SERVICE_ACCEPT) {
1985 ssh_sw_abort(s->ppl.ssh, "Server refused request to start "
1986 "'%s' protocol", s->higher_layer->vt->name);
1987 return;
1988 }
1989 } else {
1990 ptrlen service_name;
1991
1992 /* We're the server, so expect SERVICE_REQUEST. */
1993 crMaybeWaitUntilV((pktin = ssh2_transport_pop(s)) != NULL);
1994 if (pktin->type != SSH2_MSG_SERVICE_REQUEST) {
1995 ssh_proto_error(s->ppl.ssh, "Received unexpected packet when "
1996 "expecting SERVICE_REQUEST, type %d (%s)",
1997 pktin->type,
1998 ssh2_pkt_type(s->ppl.bpp->pls->kctx,
1999 s->ppl.bpp->pls->actx,
2000 pktin->type));
2001 return;
2002 }
2003 service_name = get_string(pktin);
2004 if (!ptrlen_eq_string(service_name, s->higher_layer->vt->name)) {
2005 ssh_proto_error(s->ppl.ssh, "Client requested service "
2006 "'%.*s' when we only support '%s'",
2007 PTRLEN_PRINTF(service_name),
2008 s->higher_layer->vt->name);
2009 return;
2010 }
2011
2012 pktout = ssh_bpp_new_pktout(s->ppl.bpp, SSH2_MSG_SERVICE_ACCEPT);
2013 put_stringz(pktout, s->higher_layer->vt->name);
2014 pq_push(s->ppl.out_pq, pktout);
2015 }
2016
2017 s->higher_layer_ok = true;
2018 queue_idempotent_callback(&s->higher_layer->ic_process_queue);
2019 }
2020
2021 s->rekey_class = RK_NONE;
2022 do {
2023 crReturnV;
2024
2025 /* Pass through outgoing packets from the higher layer. */
2026 pq_concatenate(s->ppl.out_pq, s->ppl.out_pq, &s->pq_out_higher);
2027 ssh_sendbuffer_changed(s->ppl.ssh);
2028
2029 /* Wait for either a KEXINIT, or something setting
2030 * s->rekey_class. This call to ssh2_transport_pop also has
2031 * the side effect of transferring incoming packets _to_ the
2032 * higher layer (via filter_queue). */
2033 if ((pktin = ssh2_transport_pop(s)) != NULL) {
2034 if (pktin->type != SSH2_MSG_KEXINIT) {
2035 ssh_proto_error(s->ppl.ssh, "Received unexpected transport-"
2036 "layer packet outside a key exchange, "
2037 "type %d (%s)", pktin->type,
2038 ssh2_pkt_type(s->ppl.bpp->pls->kctx,
2039 s->ppl.bpp->pls->actx,
2040 pktin->type));
2041 return;
2042 }
2043 pq_push_front(s->ppl.in_pq, pktin);
2044 ppl_logevent("Remote side initiated key re-exchange");
2045 s->rekey_class = RK_SERVER;
2046 }
2047
2048 if (s->rekey_class == RK_POST_USERAUTH) {
2049 /*
2050 * userauth has seen a USERAUTH_SUCCESS. This may be the
2051 * moment to do an immediate rekey with different
2052 * parameters. But it may not; so here we turn that rekey
2053 * class into either RK_NONE or RK_NORMAL.
2054 *
2055 * Currently the only reason for this is if we've done a
2056 * GSS key exchange and don't have anything in our
2057 * transient hostkey cache, in which case we should make
2058 * an attempt to populate the cache now.
2059 */
2060 if (s->need_gss_transient_hostkey) {
2061 s->rekey_reason = "populating transient host key cache";
2062 s->rekey_class = RK_NORMAL;
2063 } else {
2064 /* No need to rekey at this time. */
2065 s->rekey_class = RK_NONE;
2066 }
2067 }
2068
2069 if (!s->rekey_class) {
2070 /* If we don't yet have any other reason to rekey, check
2071 * if we've hit our data limit in either direction. */
2072 if (s->stats->in.expired) {
2073 s->rekey_reason = "too much data received";
2074 s->rekey_class = RK_NORMAL;
2075 } else if (s->stats->out.expired) {
2076 s->rekey_reason = "too much data sent";
2077 s->rekey_class = RK_NORMAL;
2078 }
2079 }
2080
2081 if (s->rekey_class != RK_NONE && s->rekey_class != RK_SERVER) {
2082 /*
2083 * Special case: if the server bug is set that doesn't
2084 * allow rekeying, we give a different log message and
2085 * continue waiting. (If such a server _initiates_ a
2086 * rekey, we process it anyway!)
2087 */
2088 if ((s->ppl.remote_bugs & BUG_SSH2_REKEY)) {
2089 ppl_logevent("Remote bug prevents key re-exchange (%s)",
2090 s->rekey_reason);
2091 /* Reset the counters, so that at least this message doesn't
2092 * hit the event log _too_ often. */
2093 dts_reset(&s->stats->in, s->max_data_size);
2094 dts_reset(&s->stats->out, s->max_data_size);
2095 (void) ssh2_transport_timer_update(s, 0);
2096 s->rekey_class = RK_NONE;
2097 } else {
2098 ppl_logevent("Initiating key re-exchange (%s)",
2099 s->rekey_reason);
2100 }
2101 }
2102 } while (s->rekey_class == RK_NONE);
2103
2104 /* Once we exit the above loop, we really are rekeying. */
2105 goto begin_key_exchange;
2106
2107 crFinishV;
2108 }
2109
2110 static void ssh2_transport_higher_layer_packet_callback(void *context)
2111 {
2112 PacketProtocolLayer *ppl = (PacketProtocolLayer *)context;
2113 ssh_ppl_process_queue(ppl);
2114 }
2115
2116 static void ssh2_transport_timer(void *ctx, unsigned long now)
2117 {
2118 struct ssh2_transport_state *s = (struct ssh2_transport_state *)ctx;
2119 unsigned long mins;
2120 unsigned long ticks;
2121
2122 if (s->kex_in_progress || now != s->next_rekey)
2123 return;
2124
2125 mins = sanitise_rekey_time(conf_get_int(s->conf, CONF_ssh_rekey_time), 60);
2126 if (mins == 0)
2127 return;
2128
2129 /* Rekey if enough time has elapsed */
2130 ticks = mins * 60 * TICKSPERSEC;
2131 if (now - s->last_rekey > ticks - 30*TICKSPERSEC) {
2132 s->rekey_reason = "timeout";
2133 s->rekey_class = RK_NORMAL;
2134 queue_idempotent_callback(&s->ppl.ic_process_queue);
2135 return;
2136 }
2137
2138 #ifndef NO_GSSAPI
2139 /*
2140 * Rekey now if we have a new cred or context expires this cycle,
2141 * but not if this is unsafe.
2142 */
2143 if (conf_get_int(s->conf, CONF_gssapirekey)) {
2144 ssh2_transport_gss_update(s, false);
2145 if ((s->gss_status & GSS_KEX_CAPABLE) != 0 &&
2146 (s->gss_status & GSS_CTXT_MAYFAIL) == 0 &&
2147 (s->gss_status & (GSS_CRED_UPDATED|GSS_CTXT_EXPIRES)) != 0) {
2148 s->rekey_reason = "GSS credentials updated";
2149 s->rekey_class = RK_GSS_UPDATE;
2150 queue_idempotent_callback(&s->ppl.ic_process_queue);
2151 return;
2152 }
2153 }
2154 #endif
2155
2156 /* Try again later. */
2157 (void) ssh2_transport_timer_update(s, 0);
2158 }
2159
2160 /*
2161 * The rekey_time is zero except when re-configuring.
2162 *
2163 * We either schedule the next timer and return false, or return true
2164 * to run the callback now, which will call us again to re-schedule on
2165 * completion.
2166 */
2167 static bool ssh2_transport_timer_update(struct ssh2_transport_state *s,
2168 unsigned long rekey_time)
2169 {
2170 unsigned long mins;
2171 unsigned long ticks;
2172
2173 mins = sanitise_rekey_time(conf_get_int(s->conf, CONF_ssh_rekey_time), 60);
2174 ticks = mins * 60 * TICKSPERSEC;
2175
2176 /* Handle change from previous setting */
2177 if (rekey_time != 0 && rekey_time != mins) {
2178 unsigned long next;
2179 unsigned long now = GETTICKCOUNT();
2180
2181 mins = rekey_time;
2182 ticks = mins * 60 * TICKSPERSEC;
2183 next = s->last_rekey + ticks;
2184
2185 /* If overdue, caller will rekey synchronously now */
2186 if (now - s->last_rekey > ticks)
2187 return true;
2188 ticks = next - now;
2189 }
2190
2191 #ifndef NO_GSSAPI
2192 if (s->gss_kex_used) {
2193 /*
2194 * If we've used GSSAPI key exchange, then we should
2195 * periodically check whether we need to do another one to
2196 * pass new credentials to the server.
2197 */
2198 unsigned long gssmins;
2199
2200 /* Check cascade conditions more frequently if configured */
2201 gssmins = sanitise_rekey_time(
2202 conf_get_int(s->conf, CONF_gssapirekey), GSS_DEF_REKEY_MINS);
2203 if (gssmins > 0) {
2204 if (gssmins < mins)
2205 ticks = (mins = gssmins) * 60 * TICKSPERSEC;
2206
2207 if ((s->gss_status & GSS_KEX_CAPABLE) != 0) {
2208 /*
2209 * Run next timer even sooner if it would otherwise be
2210 * too close to the context expiration time
2211 */
2212 if ((s->gss_status & GSS_CTXT_EXPIRES) == 0 &&
2213 s->gss_ctxt_lifetime - mins * 60 < 2 * MIN_CTXT_LIFETIME)
2214 ticks -= 2 * MIN_CTXT_LIFETIME * TICKSPERSEC;
2215 }
2216 }
2217 }
2218 #endif
2219
2220 /* Schedule the next timer */
2221 s->next_rekey = schedule_timer(ticks, ssh2_transport_timer, s);
2222 return false;
2223 }
2224
2225 void ssh2_transport_dialog_callback(void *vctx, SeatPromptResult spr)
2226 {
2227 struct ssh2_transport_state *s = (struct ssh2_transport_state *)vctx;
2228 s->spr = spr;
2229 ssh_ppl_process_queue(&s->ppl);
2230 }
2231
2232 #ifndef NO_GSSAPI
2233 /*
2234 * This is called at the beginning of each SSH rekey to determine
2235 * whether we are GSS capable, and if we did GSS key exchange, and are
2236 * delegating credentials, it is also called periodically to determine
2237 * whether we should rekey in order to delegate (more) fresh
2238 * credentials. This is called "credential cascading".
2239 *
2240 * On Windows, with SSPI, we may not get the credential expiration, as
2241 * Windows automatically renews from cached passwords, so the
2242 * credential effectively never expires. Since we still want to
2243 * cascade when the local TGT is updated, we use the expiration of a
2244 * newly obtained context as a proxy for the expiration of the TGT.
2245 */
2246 static void ssh2_transport_gss_update(struct ssh2_transport_state *s,
2247 bool definitely_rekeying)
2248 {
2249 PacketProtocolLayer *ppl = &s->ppl; /* for ppl_logevent */
2250 int gss_stat;
2251 time_t gss_cred_expiry;
2252 unsigned long mins;
2253 Ssh_gss_buf gss_sndtok;
2254 Ssh_gss_buf gss_rcvtok;
2255 Ssh_gss_ctx gss_ctx;
2256
2257 s->gss_status = 0;
2258
2259 /*
2260 * Nothing to do if no GSSAPI libraries are configured or GSSAPI
2261 * auth is not enabled.
2262 */
2263 if (s->shgss->libs->nlibraries == 0)
2264 return;
2265 if (!conf_get_bool(s->conf, CONF_try_gssapi_auth) &&
2266 !conf_get_bool(s->conf, CONF_try_gssapi_kex))
2267 return;
2268
2269 /* Import server name and cache it */
2270 if (s->shgss->srv_name == GSS_C_NO_NAME) {
2271 gss_stat = s->shgss->lib->import_name(
2272 s->shgss->lib, s->fullhostname, &s->shgss->srv_name);
2273 if (gss_stat != SSH_GSS_OK) {
2274 if (gss_stat == SSH_GSS_BAD_HOST_NAME)
2275 ppl_logevent("GSSAPI import name failed - Bad service name;"
2276 " won't use GSS key exchange");
2277 else
2278 ppl_logevent("GSSAPI import name failed;"
2279 " won't use GSS key exchange");
2280 return;
2281 }
2282 }
2283
2284 /*
2285 * Do we (still) have credentials? Capture the credential
2286 * expiration when available
2287 */
2288 gss_stat = s->shgss->lib->acquire_cred(
2289 s->shgss->lib, &gss_ctx, &gss_cred_expiry);
2290 if (gss_stat != SSH_GSS_OK)
2291 return;
2292
2293 SSH_GSS_CLEAR_BUF(&gss_sndtok);
2294 SSH_GSS_CLEAR_BUF(&gss_rcvtok);
2295
2296 /*
2297 * When acquire_cred yields no useful expiration, get a proxy for
2298 * the cred expiration from the context expiration.
2299 */
2300 gss_stat = s->shgss->lib->init_sec_context(
2301 s->shgss->lib, &gss_ctx, s->shgss->srv_name,
2302 0 /* don't delegate */, &gss_rcvtok, &gss_sndtok,
2303 (gss_cred_expiry == GSS_NO_EXPIRATION ? &gss_cred_expiry : NULL),
2304 &s->gss_ctxt_lifetime);
2305
2306 /* This context was for testing only. */
2307 if (gss_ctx)
2308 s->shgss->lib->release_cred(s->shgss->lib, &gss_ctx);
2309
2310 if (gss_stat != SSH_GSS_OK &&
2311 gss_stat != SSH_GSS_S_CONTINUE_NEEDED) {
2312 /*
2313 * No point in verbosely interrupting the user to tell them we
2314 * couldn't get GSS credentials, if this was only a check
2315 * between key exchanges to see if fresh ones were available.
2316 * When we do do a rekey, this message (if displayed) will
2317 * appear among the standard rekey blurb, but when we're not,
2318 * it shouldn't pop up all the time regardless.
2319 */
2320 if (definitely_rekeying)
2321 ppl_logevent("No GSSAPI security context available");
2322
2323 return;
2324 }
2325
2326 if (gss_sndtok.length)
2327 s->shgss->lib->free_tok(s->shgss->lib, &gss_sndtok);
2328
2329 s->gss_status |= GSS_KEX_CAPABLE;
2330
2331 /*
2332 * When rekeying to cascade, avoid doing this too close to the
2333 * context expiration time, since the key exchange might fail.
2334 */
2335 if (s->gss_ctxt_lifetime < MIN_CTXT_LIFETIME)
2336 s->gss_status |= GSS_CTXT_MAYFAIL;
2337
2338 /*
2339 * If we're not delegating credentials, rekeying is not used to
2340 * refresh them. We must avoid setting GSS_CRED_UPDATED or
2341 * GSS_CTXT_EXPIRES when credential delegation is disabled.
2342 */
2343 if (!conf_get_bool(s->conf, CONF_gssapifwd))
2344 return;
2345
2346 if (s->gss_cred_expiry != GSS_NO_EXPIRATION &&
2347 difftime(gss_cred_expiry, s->gss_cred_expiry) > 0)
2348 s->gss_status |= GSS_CRED_UPDATED;
2349
2350 mins = sanitise_rekey_time(
2351 conf_get_int(s->conf, CONF_gssapirekey), GSS_DEF_REKEY_MINS);
2352 if (mins > 0 && s->gss_ctxt_lifetime <= mins * 60)
2353 s->gss_status |= GSS_CTXT_EXPIRES;
2354 }
2355 #endif /* NO_GSSAPI */
2356
2357 ptrlen ssh2_transport_get_session_id(PacketProtocolLayer *ppl)
2358 {
2359 struct ssh2_transport_state *s;
2360
2361 assert(ppl->vt == &ssh2_transport_vtable);
2362 s = container_of(ppl, struct ssh2_transport_state, ppl);
2363
2364 assert(s->got_session_id);
2365 return make_ptrlen(s->session_id, s->session_id_len);
2366 }
2367
2368 void ssh2_transport_notify_auth_done(PacketProtocolLayer *ppl)
2369 {
2370 struct ssh2_transport_state *s;
2371
2372 assert(ppl->vt == &ssh2_transport_vtable);
2373 s = container_of(ppl, struct ssh2_transport_state, ppl);
2374
2375 s->rekey_reason = NULL; /* will be filled in later */
2376 s->rekey_class = RK_POST_USERAUTH;
2377 queue_idempotent_callback(&s->ppl.ic_process_queue);
2378 }
2379
2380 static bool ssh2_transport_get_specials(
2381 PacketProtocolLayer *ppl, add_special_fn_t add_special, void *ctx)
2382 {
2383 struct ssh2_transport_state *s =
2384 container_of(ppl, struct ssh2_transport_state, ppl);
2385 bool need_separator = false;
2386 bool toret = false;
2387
2388 if (ssh_ppl_get_specials(s->higher_layer, add_special, ctx)) {
2389 need_separator = true;
2390 toret = true;
2391 }
2392
2393 /*
2394 * Don't bother offering rekey-based specials if we've decided the
2395 * remote won't cope with it, since we wouldn't bother sending it
2396 * if asked anyway.
2397 */
2398 if (!(s->ppl.remote_bugs & BUG_SSH2_REKEY)) {
2399 if (need_separator) {
2400 add_special(ctx, NULL, SS_SEP, 0);
2401 need_separator = false;
2402 }
2403
2404 add_special(ctx, "Repeat key exchange", SS_REKEY, 0);
2405 toret = true;
2406
2407 if (s->n_uncert_hostkeys) {
2408 int i;
2409
2410 add_special(ctx, NULL, SS_SEP, 0);
2411 add_special(ctx, "Cache new host key type", SS_SUBMENU, 0);
2412 for (i = 0; i < s->n_uncert_hostkeys; i++) {
2413 const ssh_keyalg *alg =
2414 ssh2_hostkey_algs[s->uncert_hostkeys[i]].alg;
2415
2416 add_special(ctx, alg->ssh_id, SS_XCERT, s->uncert_hostkeys[i]);
2417 }
2418 add_special(ctx, NULL, SS_EXITMENU, 0);
2419 }
2420 }
2421
2422 return toret;
2423 }
2424
2425 static void ssh2_transport_special_cmd(PacketProtocolLayer *ppl,
2426 SessionSpecialCode code, int arg)
2427 {
2428 struct ssh2_transport_state *s =
2429 container_of(ppl, struct ssh2_transport_state, ppl);
2430
2431 if (code == SS_REKEY) {
2432 if (!s->kex_in_progress) {
2433 s->rekey_reason = "at user request";
2434 s->rekey_class = RK_NORMAL;
2435 queue_idempotent_callback(&s->ppl.ic_process_queue);
2436 }
2437 } else if (code == SS_XCERT) {
2438 if (!s->kex_in_progress) {
2439 s->cross_certifying = s->hostkey_alg = ssh2_hostkey_algs[arg].alg;
2440 s->rekey_reason = "cross-certifying new host key";
2441 s->rekey_class = RK_NORMAL;
2442 queue_idempotent_callback(&s->ppl.ic_process_queue);
2443 }
2444 } else {
2445 /* Send everything else to the next layer up. This includes
2446 * SS_PING/SS_NOP, which we _could_ handle here - but it's
2447 * better to put them in the connection layer, so they'll
2448 * still work in bare connection mode. */
2449 ssh_ppl_special_cmd(s->higher_layer, code, arg);
2450 }
2451 }
2452
2453 /* Safely convert rekey_time to unsigned long minutes */
2454 static unsigned long sanitise_rekey_time(int rekey_time, unsigned long def)
2455 {
2456 if (rekey_time < 0 || rekey_time > MAX_TICK_MINS)
2457 rekey_time = def;
2458 return (unsigned long)rekey_time;
2459 }
2460
2461 static void ssh2_transport_set_max_data_size(struct ssh2_transport_state *s)
2462 {
2463 s->max_data_size = parse_blocksize(
2464 conf_get_str(s->conf, CONF_ssh_rekey_data));
2465 }
2466
2467 static void ssh2_transport_reconfigure(PacketProtocolLayer *ppl, Conf *conf)
2468 {
2469 struct ssh2_transport_state *s;
2470 const char *rekey_reason = NULL;
2471 bool rekey_mandatory = false;
2472 unsigned long old_max_data_size, rekey_time;
2473 int i;
2474
2475 assert(ppl->vt == &ssh2_transport_vtable);
2476 s = container_of(ppl, struct ssh2_transport_state, ppl);
2477
2478 rekey_time = sanitise_rekey_time(
2479 conf_get_int(conf, CONF_ssh_rekey_time), 60);
2480 if (ssh2_transport_timer_update(s, rekey_time))
2481 rekey_reason = "timeout shortened";
2482
2483 old_max_data_size = s->max_data_size;
2484 ssh2_transport_set_max_data_size(s);
2485 if (old_max_data_size != s->max_data_size &&
2486 s->max_data_size != 0) {
2487 if (s->max_data_size < old_max_data_size) {
2488 unsigned long diff = old_max_data_size - s->max_data_size;
2489
2490 dts_consume(&s->stats->out, diff);
2491 dts_consume(&s->stats->in, diff);
2492 if (s->stats->out.expired || s->stats->in.expired)
2493 rekey_reason = "data limit lowered";
2494 } else {
2495 unsigned long diff = s->max_data_size - old_max_data_size;
2496 if (s->stats->out.running)
2497 s->stats->out.remaining += diff;
2498 if (s->stats->in.running)
2499 s->stats->in.remaining += diff;
2500 }
2501 }
2502
2503 if (conf_get_bool(s->conf, CONF_compression) !=
2504 conf_get_bool(conf, CONF_compression)) {
2505 rekey_reason = "compression setting changed";
2506 rekey_mandatory = true;
2507 }
2508
2509 for (i = 0; i < CIPHER_MAX; i++)
2510 if (conf_get_int_int(s->conf, CONF_ssh_cipherlist, i) !=
2511 conf_get_int_int(conf, CONF_ssh_cipherlist, i)) {
2512 rekey_reason = "cipher settings changed";
2513 rekey_mandatory = true;
2514 }
2515 if (conf_get_bool(s->conf, CONF_ssh2_des_cbc) !=
2516 conf_get_bool(conf, CONF_ssh2_des_cbc)) {
2517 rekey_reason = "cipher settings changed";
2518 rekey_mandatory = true;
2519 }
2520
2521 conf_free(s->conf);
2522 s->conf = conf_copy(conf);
2523
2524 if (rekey_reason) {
2525 if (!s->kex_in_progress && !ssh2_bpp_rekey_inadvisable(s->ppl.bpp)) {
2526 s->rekey_reason = rekey_reason;
2527 s->rekey_class = RK_NORMAL;
2528 queue_idempotent_callback(&s->ppl.ic_process_queue);
2529 } else if (rekey_mandatory) {
2530 s->deferred_rekey_reason = rekey_reason;
2531 }
2532 }
2533
2534 /* Also pass the configuration along to our higher layer */
2535 ssh_ppl_reconfigure(s->higher_layer, conf);
2536 }
2537
2538 static int weak_algorithm_compare(void *av, void *bv)
2539 {
2540 uintptr_t a = (uintptr_t)av, b = (uintptr_t)bv;
2541 return a < b ? -1 : a > b ? +1 : 0;
2542 }
2543
2544 static int ca_blob_compare(void *av, void *bv)
2545 {
2546 host_ca *a = (host_ca *)av, *b = (host_ca *)bv;
2547 strbuf *apk = a->ca_public_key, *bpk = b->ca_public_key;
2548 /* Ordering by public key is arbitrary here, so do whatever is easiest */
2549 if (apk->len < bpk->len)
2550 return -1;
2551 if (apk->len > bpk->len)
2552 return +1;
2553 return memcmp(apk->u, bpk->u, apk->len);
2554 }
2555
2556 /*
2557 * Wrapper on confirm_weak_crypto_primitive(), which uses the
2558 * tree234 s->weak_algorithms_consented_to to ensure we ask at most
2559 * once about any given crypto primitive.
2560 */
2561 static SeatPromptResult ssh2_transport_confirm_weak_crypto_primitive(
2562 struct ssh2_transport_state *s, const char *type, const char *name,
2563 const void *alg, WeakCryptoReason wcr)
2564 {
2565 if (find234(s->weak_algorithms_consented_to, (void *)alg, NULL))
2566 return SPR_OK;
2567 add234(s->weak_algorithms_consented_to, (void *)alg);
2568
2569 return confirm_weak_crypto_primitive(
2570 ppl_get_iseat(&s->ppl), type, name, ssh2_transport_dialog_callback,
2571 s, wcr);
2572 }
2573
2574 static size_t ssh2_transport_queued_data_size(PacketProtocolLayer *ppl)
2575 {
2576 struct ssh2_transport_state *s =
2577 container_of(ppl, struct ssh2_transport_state, ppl);
2578
2579 return (ssh_ppl_default_queued_data_size(ppl) +
2580 ssh_ppl_queued_data_size(s->higher_layer));
2581 }
2582
2583 static void ssh2_transport_final_output(PacketProtocolLayer *ppl)
2584 {
2585 struct ssh2_transport_state *s =
2586 container_of(ppl, struct ssh2_transport_state, ppl);
2587
2588 ssh_ppl_final_output(s->higher_layer);
2589 }
2590
2591 /* Check the settings for a transport direction to see if they're
2592 * vulnerable to the Terrapin attack, aka CVE-2023-48795. If so,
2593 * return a string describing the vulnerable thing. */
2594 static const char *terrapin_vulnerable(
2595 bool strict_kex, const transport_direction *d)
2596 {
2597 /*
2598 * Strict kex mode eliminates the vulnerability. (That's what it's
2599 * for.)
2600 */
2601 if (strict_kex)
2602 return NULL;
2603
2604 /*
2605 * ChaCha20-Poly1305 is vulnerable and perfectly exploitable.
2606 */
2607 if (d->cipher == &ssh2_chacha20_poly1305)
2608 return "ChaCha20-Poly1305";
2609
2610 /*
2611 * CBC-mode ciphers with OpenSSH's ETM modification are vulnerable
2612 * and probabilistically exploitable.
2613 */
2614 if (d->etm_mode && (d->cipher->flags & SSH_CIPHER_IS_CBC))
2615 return "a CBC-mode cipher in OpenSSH ETM mode";
2616
2617 return NULL;
2618 }
2619
2620 /*
2621 * Called when we've detected that at least one transport direction
2622 * has the Terrapin vulnerability.
2623 *
2624 * Before we report it, try to replay what would have happened if the
2625 * user had reconfigured their cipher settings to demote
2626 * ChaCha20+Poly1305 to below the warning threshold. If that would
2627 * have avoided the vulnerability, we should say so in the dialog box.
2628 *
2629 * This is basically the only change in PuTTY's configuration that has
2630 * a chance of avoiding the problem. Terrapin affects the modified
2631 * binary packet protocol used with ChaCha20+Poly1305, and also
2632 * CBC-mode ciphers in ETM mode. But PuTTY unconditionally offers the
2633 * ETM mode of each MAC _after_ the non-ETM mode. So the latter case
2634 * can only come up if the server has been configured to _only_ permit
2635 * the ETM modes of those MACs, which means there's nothing we can do
2636 * anyway.
2637 */
2638 static bool try_to_avoid_terrapin(const struct ssh2_transport_state *s)
2639 {
2640 bool avoidable = false;
2641
2642 strbuf *alt_client_kexinit = strbuf_new();
2643 Conf *alt_conf = conf_copy(s->conf);
2644 struct kexinit_algorithm_list alt_kexlists[NKEXLIST];
2645 memset(alt_kexlists, 0, sizeof(alt_kexlists));
2646
2647 /*
2648 * We only bother doing this if we're the client, because Uppity
2649 * can't present a dialog box anyway.
2650 */
2651 if (s->ssc)
2652 goto out;
2653
2654 /*
2655 * Demote CIPHER_CHACHA20 to just below CIPHER_WARN, if it was
2656 * previously above it. If not, don't do anything - we don't want
2657 * to _promote_ it.
2658 */
2659 int ccp_pos_now = -1, ccp_pos_wanted = -1;
2660 for (int i = 0; i < CIPHER_MAX; i++) {
2661 switch (conf_get_int_int(alt_conf, CONF_ssh_cipherlist,
2662 i)) {
2663 case CIPHER_CHACHA20:
2664 ccp_pos_now = i;
2665 break;
2666 case CIPHER_WARN:
2667 ccp_pos_wanted = i;
2668 break;
2669 }
2670 }
2671 if (ccp_pos_now < 0 || ccp_pos_wanted < 0)
2672 goto out; /* shouldn't ever happen: didn't find the two entries */
2673 if (ccp_pos_now >= ccp_pos_wanted)
2674 goto out; /* ChaCha20 is already demoted and it didn't help */
2675 while (ccp_pos_now < ccp_pos_wanted) {
2676 int cnext = conf_get_int_int(alt_conf, CONF_ssh_cipherlist,
2677 ccp_pos_now + 1);
2678 conf_set_int_int(alt_conf, CONF_ssh_cipherlist,
2679 ccp_pos_now, cnext);
2680 ccp_pos_now++;
2681 }
2682 conf_set_int_int(alt_conf, CONF_ssh_cipherlist,
2683 ccp_pos_now + 1, CIPHER_CHACHA20);
2684
2685 /*
2686 * Make the outgoing KEXINIT we would have made using this
2687 * configuration.
2688 */
2689 put_byte(alt_client_kexinit, SSH2_MSG_KEXINIT);
2690 put_padding(alt_client_kexinit, 16, 'x'); /* fake random padding */
2691 ssh2_write_kexinit_lists(
2692 BinarySink_UPCAST(alt_client_kexinit), alt_kexlists, alt_conf,
2693 s->ssc, s->ppl.remote_bugs, s->savedhost, s->savedport, s->hostkey_alg,
2694 s->thc, s->host_cas, s->hostkeys, s->nhostkeys, !s->got_session_id,
2695 s->can_gssapi_keyex,
2696 s->gss_kex_used && !s->need_gss_transient_hostkey);
2697 put_bool(alt_client_kexinit, false); /* guess packet follows */
2698 put_uint32(alt_client_kexinit, 0); /* reserved */
2699
2700 /*
2701 * Re-analyse the incoming KEXINIT with respect to this one, to
2702 * see what we'd have decided on.
2703 */
2704 transport_direction cstrans, sctrans;
2705 bool warn_kex, warn_hk, warn_cscipher, warn_sccipher;
2706 bool can_send_ext_info = false, strict_kex = false;
2707 unsigned hkflags;
2708 const ssh_kex *kex_alg;
2709 const ssh_keyalg *hostkey_alg;
2710
2711 ScanKexinitsResult skr = ssh2_scan_kexinits(
2712 ptrlen_from_strbuf(alt_client_kexinit),
2713 ptrlen_from_strbuf(s->server_kexinit),
2714 s->ssc != NULL, alt_kexlists, &kex_alg, &hostkey_alg,
2715 &cstrans, &sctrans,
2716 &warn_kex, &warn_hk, &warn_cscipher, &warn_sccipher, NULL, NULL, NULL,
2717 &hkflags, &can_send_ext_info, !s->got_session_id, &strict_kex);
2718 if (!skr.success) /* something else would have gone wrong */
2719 goto out;
2720
2721 /*
2722 * Reject this as an alternative solution if any of the warn flags
2723 * has got worse, or if there's still anything
2724 * Terrapin-vulnerable.
2725 */
2726 if (warn_kex > s->warn_kex)
2727 goto out;
2728 if (warn_hk > s->warn_hk)
2729 goto out;
2730 if (warn_cscipher > s->warn_cscipher)
2731 goto out;
2732 if (warn_sccipher > s->warn_sccipher)
2733 goto out;
2734 if (terrapin_vulnerable(strict_kex, &cstrans))
2735 goto out;
2736 if (terrapin_vulnerable(strict_kex, &sctrans))
2737 goto out;
2738
2739 /*
2740 * Success! The vulnerability could have been avoided by this Conf
2741 * tweak, and we should tell the user so.
2742 */
2743 avoidable = true;
2744
2745 out:
2746
2747 for (size_t i = 0; i < NKEXLIST; i++)
2748 sfree(alt_kexlists[i].algs);
2749 strbuf_free(alt_client_kexinit);
2750 conf_free(alt_conf);
2751
2752 return avoidable;
2753 }
Windows Explorer Extension to Operate Git