transport2.c 97 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702703704705706707708709710711712713714715716717718719720721722723724725726727728729730731732733734735736737738739740741742743744745746747748749750751752753754755756757758759760761762763764765766767768769770771772773774775776777778779780781782783784785786787788789790791792793794795796797798799800801802803804805806807808809810811812813814815816817818819820821822823824825826827828829830831832833834835836837838839840841842843844845846847848849850851852853854855856857858859860861862863864865866867868869870871872873874875876877878879880881882883884885886887888889890891892893894895896897898899900901902903904905906907908909910911912913914915916917918919920921922923924925926927928929930931932933934935936937938939940941942943944945946947948949950951952953954955956957958959960961962963964965966967968969970971972973974975976977978979980981982983984985986987988989990991992993994995996997998999100010011002100310041005100610071008100910101011101210131014101510161017101810191020102110221023102410251026102710281029103010311032103310341035103610371038103910401041104210431044104510461047104810491050105110521053105410551056105710581059106010611062106310641065106610671068106910701071107210731074107510761077107810791080108110821083108410851086108710881089109010911092109310941095109610971098109911001101110211031104110511061107110811091110111111121113111411151116111711181119112011211122112311241125112611271128112911301131113211331134113511361137113811391140114111421143114411451146114711481149115011511152115311541155115611571158115911601161116211631164116511661167116811691170117111721173117411751176117711781179118011811182118311841185118611871188118911901191119211931194119511961197119811991200120112021203120412051206120712081209121012111212121312141215121612171218121912201221122212231224122512261227122812291230123112321233123412351236123712381239124012411242124312441245124612471248124912501251125212531254125512561257125812591260126112621263126412651266126712681269127012711272127312741275127612771278127912801281128212831284128512861287128812891290129112921293129412951296129712981299130013011302130313041305130613071308130913101311131213131314131513161317131813191320132113221323132413251326132713281329133013311332133313341335133613371338133913401341134213431344134513461347134813491350135113521353135413551356135713581359136013611362136313641365136613671368136913701371137213731374137513761377137813791380138113821383138413851386138713881389139013911392139313941395139613971398139914001401140214031404140514061407140814091410141114121413141414151416141714181419142014211422142314241425142614271428142914301431143214331434143514361437143814391440144114421443144414451446144714481449145014511452145314541455145614571458145914601461146214631464146514661467146814691470147114721473147414751476147714781479148014811482148314841485148614871488148914901491149214931494149514961497149814991500150115021503150415051506150715081509151015111512151315141515151615171518151915201521152215231524152515261527152815291530153115321533153415351536153715381539154015411542154315441545154615471548154915501551155215531554155515561557155815591560156115621563156415651566156715681569157015711572157315741575157615771578157915801581158215831584158515861587158815891590159115921593159415951596159715981599160016011602160316041605160616071608160916101611161216131614161516161617161816191620162116221623162416251626162716281629163016311632163316341635163616371638163916401641164216431644164516461647164816491650165116521653165416551656165716581659166016611662166316641665166616671668166916701671167216731674167516761677167816791680168116821683168416851686168716881689169016911692169316941695169616971698169917001701170217031704170517061707170817091710171117121713171417151716171717181719172017211722172317241725172617271728172917301731173217331734173517361737173817391740174117421743174417451746174717481749175017511752175317541755175617571758175917601761176217631764176517661767176817691770177117721773177417751776177717781779178017811782178317841785178617871788178917901791179217931794179517961797179817991800180118021803180418051806180718081809181018111812181318141815181618171818181918201821182218231824182518261827182818291830183118321833183418351836183718381839184018411842184318441845184618471848184918501851185218531854185518561857185818591860186118621863186418651866186718681869187018711872187318741875187618771878187918801881188218831884188518861887188818891890189118921893189418951896189718981899190019011902190319041905190619071908190919101911191219131914191519161917191819191920192119221923192419251926192719281929193019311932193319341935193619371938193919401941194219431944194519461947194819491950195119521953195419551956195719581959196019611962196319641965196619671968196919701971197219731974197519761977197819791980198119821983198419851986198719881989199019911992199319941995199619971998199920002001200220032004200520062007200820092010201120122013201420152016201720182019202020212022202320242025202620272028202920302031203220332034203520362037203820392040204120422043204420452046204720482049205020512052205320542055205620572058205920602061206220632064206520662067206820692070207120722073207420752076207720782079208020812082208320842085208620872088208920902091209220932094209520962097209820992100210121022103210421052106210721082109211021112112211321142115211621172118211921202121212221232124212521262127212821292130213121322133213421352136213721382139214021412142214321442145214621472148214921502151215221532154215521562157215821592160216121622163216421652166216721682169217021712172217321742175217621772178217921802181218221832184218521862187218821892190219121922193219421952196219721982199220022012202220322042205220622072208220922102211221222132214221522162217221822192220222122222223222422252226222722282229223022312232223322342235223622372238223922402241224222432244224522462247224822492250225122522253225422552256225722582259226022612262226322642265226622672268226922702271227222732274227522762277227822792280228122822283228422852286228722882289229022912292229322942295229622972298229923002301230223032304230523062307230823092310231123122313231423152316231723182319232023212322232323242325232623272328232923302331233223332334233523362337233823392340234123422343234423452346234723482349235023512352235323542355235623572358235923602361236223632364236523662367236823692370237123722373237423752376237723782379238023812382238323842385238623872388238923902391239223932394239523962397239823992400240124022403240424052406240724082409241024112412241324142415241624172418241924202421242224232424242524262427242824292430243124322433243424352436243724382439244024412442244324442445244624472448244924502451245224532454245524562457245824592460246124622463246424652466246724682469247024712472247324742475247624772478247924802481248224832484248524862487248824892490249124922493249424952496249724982499250025012502250325042505250625072508250925102511251225132514251525162517251825192520252125222523252425252526252725282529253025312532253325342535253625372538253925402541254225432544254525462547254825492550255125522553255425552556255725582559256025612562256325642565256625672568256925702571257225732574257525762577257825792580258125822583258425852586258725882589259025912592259325942595259625972598259926002601260226032604260526062607260826092610261126122613261426152616261726182619262026212622262326242625262626272628262926302631263226332634263526362637263826392640264126422643264426452646264726482649265026512652265326542655265626572658265926602661266226632664266526662667266826692670267126722673267426752676267726782679268026812682268326842685268626872688268926902691269226932694269526962697269826992700270127022703270427052706270727082709271027112712271327142715271627172718271927202721272227232724272527262727272827292730273127322733273427352736273727382739274027412742274327442745274627472748274927502751275227532754
  1. /*
  2. * Packet protocol layer for the SSH-2 transport protocol (RFC 4253).
  3. */
  4. #include <assert.h>
  5. #include "putty.h"
  6. #include "ssh.h"
  7. #include "bpp.h"
  8. #include "ppl.h"
  9. #include "sshcr.h"
  10. #include "server.h"
  11. #include "storage.h"
  12. #include "transport2.h"
  13. #include "mpint.h"
  14. const struct ssh_signkey_with_user_pref_id ssh2_hostkey_algs[] = {
  15. #define ARRAYENT_HOSTKEY_ALGORITHM(type, alg) { &alg, type },
  16. HOSTKEY_ALGORITHMS(ARRAYENT_HOSTKEY_ALGORITHM)
  17. };
  18. const static ssh2_macalg *const macs[] = {
  19. &ssh_hmac_sha256, &ssh_hmac_sha512,
  20. &ssh_hmac_sha1, &ssh_hmac_sha1_96, &ssh_hmac_md5
  21. };
  22. const static ssh2_macalg *const buggymacs[] = {
  23. &ssh_hmac_sha1_buggy, &ssh_hmac_sha1_96_buggy, &ssh_hmac_md5
  24. };
  25. const static ptrlen ext_info_c = PTRLEN_DECL_LITERAL("ext-info-c");
  26. const static ptrlen ext_info_s = PTRLEN_DECL_LITERAL("ext-info-s");
  27. const static ptrlen kex_strict_c =
  28. PTRLEN_DECL_LITERAL("kex-strict-c-v00@openssh.com");
  29. const static ptrlen kex_strict_s =
  30. PTRLEN_DECL_LITERAL("kex-strict-s-v00@openssh.com");
  31. /* Pointer value to store in s->weak_algorithms_consented_to to
  32. * indicate that the user has accepted the risk of the Terrapin
  33. * attack */
  34. static const char terrapin_weakness[1];
  35. static ssh_compressor *ssh_comp_none_init(void)
  36. {
  37. return NULL;
  38. }
  39. static void ssh_comp_none_cleanup(ssh_compressor *handle)
  40. {
  41. }
  42. static ssh_decompressor *ssh_decomp_none_init(void)
  43. {
  44. return NULL;
  45. }
  46. static void ssh_decomp_none_cleanup(ssh_decompressor *handle)
  47. {
  48. }
  49. static void ssh_comp_none_block(ssh_compressor *handle,
  50. const unsigned char *block, int len,
  51. unsigned char **outblock, int *outlen,
  52. int minlen)
  53. {
  54. }
  55. static bool ssh_decomp_none_block(ssh_decompressor *handle,
  56. const unsigned char *block, int len,
  57. unsigned char **outblock, int *outlen)
  58. {
  59. return false;
  60. }
  61. static const ssh_compression_alg ssh_comp_none = {
  62. .name = "none",
  63. .delayed_name = NULL,
  64. .compress_new = ssh_comp_none_init,
  65. .compress_free = ssh_comp_none_cleanup,
  66. .compress = ssh_comp_none_block,
  67. .decompress_new = ssh_decomp_none_init,
  68. .decompress_free = ssh_decomp_none_cleanup,
  69. .decompress = ssh_decomp_none_block,
  70. .text_name = NULL,
  71. };
  72. const static ssh_compression_alg *const compressions[] = {
  73. &ssh_zlib, &ssh_comp_none
  74. };
  75. static void ssh2_transport_free(PacketProtocolLayer *);
  76. static void ssh2_transport_process_queue(PacketProtocolLayer *);
  77. static bool ssh2_transport_get_specials(
  78. PacketProtocolLayer *ppl, add_special_fn_t add_special, void *ctx);
  79. static void ssh2_transport_special_cmd(PacketProtocolLayer *ppl,
  80. SessionSpecialCode code, int arg);
  81. static void ssh2_transport_reconfigure(PacketProtocolLayer *ppl, Conf *conf);
  82. static size_t ssh2_transport_queued_data_size(PacketProtocolLayer *ppl);
  83. static void ssh2_transport_set_max_data_size(struct ssh2_transport_state *s);
  84. static unsigned long sanitise_rekey_time(int rekey_time, unsigned long def);
  85. static void ssh2_transport_higher_layer_packet_callback(void *context);
  86. static void ssh2_transport_final_output(PacketProtocolLayer *ppl);
  87. static const char *terrapin_vulnerable(
  88. bool strict_kex, const transport_direction *d);
  89. static bool try_to_avoid_terrapin(const struct ssh2_transport_state *s);
  90. static const PacketProtocolLayerVtable ssh2_transport_vtable = {
  91. .free = ssh2_transport_free,
  92. .process_queue = ssh2_transport_process_queue,
  93. .get_specials = ssh2_transport_get_specials,
  94. .special_cmd = ssh2_transport_special_cmd,
  95. .reconfigure = ssh2_transport_reconfigure,
  96. .queued_data_size = ssh2_transport_queued_data_size,
  97. .final_output = ssh2_transport_final_output,
  98. .name = NULL, /* no protocol name for this layer */
  99. };
  100. #ifndef NO_GSSAPI
  101. static void ssh2_transport_gss_update(struct ssh2_transport_state *s,
  102. bool definitely_rekeying);
  103. #endif
  104. static bool ssh2_transport_timer_update(struct ssh2_transport_state *s,
  105. unsigned long rekey_time);
  106. static SeatPromptResult ssh2_transport_confirm_weak_crypto_primitive(
  107. struct ssh2_transport_state *s, const char *type, const char *name,
  108. const void *alg, WeakCryptoReason wcr);
  109. static const char *const kexlist_descr[NKEXLIST] = {
  110. "key exchange algorithm",
  111. "host key algorithm",
  112. "client-to-server cipher",
  113. "server-to-client cipher",
  114. "client-to-server MAC",
  115. "server-to-client MAC",
  116. "client-to-server compression method",
  117. "server-to-client compression method"
  118. };
  119. static int weak_algorithm_compare(void *av, void *bv);
  120. static int ca_blob_compare(void *av, void *bv);
  121. PacketProtocolLayer *ssh2_transport_new(
  122. Conf *conf, const char *host, int port, const char *fullhostname,
  123. const char *client_greeting, const char *server_greeting,
  124. struct ssh_connection_shared_gss_state *shgss,
  125. struct DataTransferStats *stats, PacketProtocolLayer *higher_layer,
  126. const SshServerConfig *ssc)
  127. {
  128. struct ssh2_transport_state *s = snew(struct ssh2_transport_state);
  129. memset(s, 0, sizeof(*s));
  130. s->ppl.vt = &ssh2_transport_vtable;
  131. s->conf = conf_copy(conf);
  132. s->savedhost = dupstr(host);
  133. s->savedport = port;
  134. s->fullhostname = dupstr(fullhostname);
  135. s->shgss = shgss;
  136. s->client_greeting = dupstr(client_greeting);
  137. s->server_greeting = dupstr(server_greeting);
  138. s->stats = stats;
  139. s->hostkeyblob = strbuf_new();
  140. s->host_cas = newtree234(ca_blob_compare);
  141. pq_in_init(&s->pq_in_higher);
  142. pq_out_init(&s->pq_out_higher);
  143. s->pq_out_higher.pqb.ic = &s->ic_pq_out_higher;
  144. s->ic_pq_out_higher.fn = ssh2_transport_higher_layer_packet_callback;
  145. s->ic_pq_out_higher.ctx = &s->ppl;
  146. s->higher_layer = higher_layer;
  147. s->higher_layer->selfptr = &s->higher_layer;
  148. ssh_ppl_setup_queues(s->higher_layer, &s->pq_in_higher, &s->pq_out_higher);
  149. #ifndef NO_GSSAPI
  150. s->gss_cred_expiry = GSS_NO_EXPIRATION;
  151. s->shgss->srv_name = GSS_C_NO_NAME;
  152. s->shgss->ctx = NULL;
  153. #endif
  154. s->thc = ssh_transient_hostkey_cache_new();
  155. s->gss_kex_used = false;
  156. s->outgoing_kexinit = strbuf_new();
  157. s->incoming_kexinit = strbuf_new();
  158. if (ssc) {
  159. s->ssc = ssc;
  160. s->client_kexinit = s->incoming_kexinit;
  161. s->server_kexinit = s->outgoing_kexinit;
  162. s->cstrans = &s->in;
  163. s->sctrans = &s->out;
  164. s->out.mkkey_adjust = 1;
  165. } else {
  166. s->client_kexinit = s->outgoing_kexinit;
  167. s->server_kexinit = s->incoming_kexinit;
  168. s->cstrans = &s->out;
  169. s->sctrans = &s->in;
  170. s->in.mkkey_adjust = 1;
  171. }
  172. s->weak_algorithms_consented_to = newtree234(weak_algorithm_compare);
  173. ssh2_transport_set_max_data_size(s);
  174. return &s->ppl;
  175. }
  176. static void ssh2_transport_free(PacketProtocolLayer *ppl)
  177. {
  178. struct ssh2_transport_state *s =
  179. container_of(ppl, struct ssh2_transport_state, ppl);
  180. /*
  181. * As our last act before being freed, move any outgoing packets
  182. * off our higher layer's output queue on to our own output queue.
  183. * We might be being freed while the SSH connection is still alive
  184. * (because we're initiating shutdown from our end), in which case
  185. * we don't want those last few packets to get lost.
  186. *
  187. * (If our owner were to have already destroyed our output pq
  188. * before wanting to free us, then it would have to reset our
  189. * publicly visible out_pq field to NULL to inhibit this attempt.
  190. * But that's not how I expect the shutdown sequence to go in
  191. * practice.)
  192. */
  193. if (s->ppl.out_pq)
  194. pq_concatenate(s->ppl.out_pq, s->ppl.out_pq, &s->pq_out_higher);
  195. conf_free(s->conf);
  196. ssh_ppl_free(s->higher_layer);
  197. pq_in_clear(&s->pq_in_higher);
  198. pq_out_clear(&s->pq_out_higher);
  199. sfree(s->savedhost);
  200. sfree(s->fullhostname);
  201. sfree(s->client_greeting);
  202. sfree(s->server_greeting);
  203. sfree(s->keystr);
  204. strbuf_free(s->hostkeyblob);
  205. {
  206. host_ca *hca;
  207. while ( (hca = delpos234(s->host_cas, 0)) )
  208. host_ca_free(hca);
  209. freetree234(s->host_cas);
  210. }
  211. if (s->hkey && !s->hostkeys) {
  212. ssh_key_free(s->hkey);
  213. s->hkey = NULL;
  214. }
  215. for (size_t i = 0; i < NKEXLIST; i++)
  216. sfree(s->kexlists[i].algs);
  217. if (s->f) mp_free(s->f);
  218. if (s->p) mp_free(s->p);
  219. if (s->g) mp_free(s->g);
  220. if (s->ebuf) strbuf_free(s->ebuf);
  221. if (s->fbuf) strbuf_free(s->fbuf);
  222. if (s->kex_shared_secret) strbuf_free(s->kex_shared_secret);
  223. if (s->dh_ctx)
  224. dh_cleanup(s->dh_ctx);
  225. if (s->rsa_kex_key_needs_freeing) {
  226. ssh_rsakex_freekey(s->rsa_kex_key);
  227. sfree(s->rsa_kex_key);
  228. }
  229. if (s->ecdh_key)
  230. ecdh_key_free(s->ecdh_key);
  231. if (s->exhash)
  232. ssh_hash_free(s->exhash);
  233. strbuf_free(s->outgoing_kexinit);
  234. strbuf_free(s->incoming_kexinit);
  235. ssh_transient_hostkey_cache_free(s->thc);
  236. freetree234(s->weak_algorithms_consented_to);
  237. expire_timer_context(s);
  238. sfree(s);
  239. }
  240. /*
  241. * SSH-2 key derivation (RFC 4253 section 7.2).
  242. */
  243. static void ssh2_mkkey(
  244. struct ssh2_transport_state *s, strbuf *out,
  245. strbuf *kex_shared_secret, unsigned char *H, char chr, int keylen)
  246. {
  247. int hlen = s->kex_alg->hash->hlen;
  248. int keylen_padded;
  249. unsigned char *key;
  250. ssh_hash *h;
  251. if (keylen == 0)
  252. return;
  253. /*
  254. * Round the requested amount of key material up to a multiple of
  255. * the length of the hash we're using to make it. This makes life
  256. * simpler because then we can just write each hash output block
  257. * straight into the output buffer without fiddling about
  258. * truncating the last one. Since it's going into a strbuf, and
  259. * strbufs are always smemclr()ed on free, there's no need to
  260. * worry about leaving extra potentially-sensitive data in memory
  261. * that the caller didn't ask for.
  262. */
  263. keylen_padded = ((keylen + hlen - 1) / hlen) * hlen;
  264. strbuf_clear(out);
  265. key = strbuf_append(out, keylen_padded);
  266. /* First hlen bytes. */
  267. h = ssh_hash_new(s->kex_alg->hash);
  268. if (!(s->ppl.remote_bugs & BUG_SSH2_DERIVEKEY))
  269. put_datapl(h, ptrlen_from_strbuf(kex_shared_secret));
  270. put_data(h, H, hlen);
  271. put_byte(h, chr);
  272. put_data(h, s->session_id, s->session_id_len);
  273. ssh_hash_digest(h, key);
  274. /* Subsequent blocks of hlen bytes. */
  275. if (keylen_padded > hlen) {
  276. int offset;
  277. ssh_hash_reset(h);
  278. if (!(s->ppl.remote_bugs & BUG_SSH2_DERIVEKEY))
  279. put_datapl(h, ptrlen_from_strbuf(kex_shared_secret));
  280. put_data(h, H, hlen);
  281. for (offset = hlen; offset < keylen_padded; offset += hlen) {
  282. put_data(h, key + offset - hlen, hlen);
  283. ssh_hash_digest_nondestructive(h, key + offset);
  284. }
  285. }
  286. ssh_hash_free(h);
  287. }
  288. /*
  289. * Find a slot in a KEXINIT algorithm list to use for a new algorithm.
  290. * If the algorithm is already in the list, return a pointer to its
  291. * entry, otherwise return an entry from the end of the list.
  292. *
  293. * 'name' is expected to be a ptrlen which it's safe to keep a copy
  294. * of.
  295. */
  296. static struct kexinit_algorithm *ssh2_kexinit_addalg_pl(
  297. struct kexinit_algorithm_list *list, ptrlen name)
  298. {
  299. for (size_t i = 0; i < list->nalgs; i++)
  300. if (ptrlen_eq_ptrlen(list->algs[i].name, name))
  301. return &list->algs[i];
  302. sgrowarray(list->algs, list->algsize, list->nalgs);
  303. struct kexinit_algorithm *entry = &list->algs[list->nalgs++];
  304. entry->name = name;
  305. return entry;
  306. }
  307. static struct kexinit_algorithm *ssh2_kexinit_addalg(
  308. struct kexinit_algorithm_list *list, const char *name)
  309. {
  310. return ssh2_kexinit_addalg_pl(list, ptrlen_from_asciz(name));
  311. }
  312. bool ssh2_common_filter_queue(PacketProtocolLayer *ppl)
  313. {
  314. static const char *const ssh2_disconnect_reasons[] = {
  315. NULL,
  316. "host not allowed to connect",
  317. "protocol error",
  318. "key exchange failed",
  319. "host authentication failed",
  320. "MAC error",
  321. "compression error",
  322. "service not available",
  323. "protocol version not supported",
  324. "host key not verifiable",
  325. "connection lost",
  326. "by application",
  327. "too many connections",
  328. "auth cancelled by user",
  329. "no more auth methods available",
  330. "illegal user name",
  331. };
  332. PktIn *pktin;
  333. ptrlen msg;
  334. int reason;
  335. while ((pktin = pq_peek(ppl->in_pq)) != NULL) {
  336. switch (pktin->type) {
  337. case SSH2_MSG_DISCONNECT:
  338. reason = get_uint32(pktin);
  339. msg = get_string(pktin);
  340. ssh_remote_error(
  341. ppl->ssh, "Remote side sent disconnect message\n"
  342. "type %d (%s):\n\"%.*s\"", reason,
  343. ((reason > 0 && reason < lenof(ssh2_disconnect_reasons)) ?
  344. ssh2_disconnect_reasons[reason] : "unknown"),
  345. PTRLEN_PRINTF(msg));
  346. /* don't try to pop the queue, because we've been freed! */
  347. return true; /* indicate that we've been freed */
  348. case SSH2_MSG_DEBUG:
  349. /* XXX maybe we should actually take notice of the return value */
  350. get_bool(pktin);
  351. msg = get_string(pktin);
  352. ppl_logevent("Remote debug message: %.*s", PTRLEN_PRINTF(msg));
  353. pq_pop(ppl->in_pq);
  354. break;
  355. case SSH2_MSG_IGNORE:
  356. /* Do nothing, because we're ignoring it! Duhh. */
  357. pq_pop(ppl->in_pq);
  358. break;
  359. case SSH2_MSG_EXT_INFO: {
  360. /*
  361. * The BPP enforces that these turn up only at legal
  362. * points in the protocol. In particular, it will not pass
  363. * an EXT_INFO on to us if it arrives before encryption is
  364. * enabled (which is when a MITM could inject one
  365. * maliciously).
  366. *
  367. * However, one of the criteria for legality is that a
  368. * server is permitted to send this message immediately
  369. * _before_ USERAUTH_SUCCESS. So we may receive this
  370. * message not yet knowing whether it's legal to have sent
  371. * it - we won't know until the BPP processes the next
  372. * packet.
  373. *
  374. * But that should be OK, because firstly, an
  375. * out-of-sequence EXT_INFO that's still within the
  376. * encrypted session is only a _protocol_ violation, not
  377. * an attack; secondly, any data we set in response to
  378. * such an illegal EXT_INFO won't have a chance to affect
  379. * the session before the BPP aborts it anyway.
  380. */
  381. uint32_t nexts = get_uint32(pktin);
  382. for (uint32_t i = 0; i < nexts && !get_err(pktin); i++) {
  383. ptrlen extname = get_string(pktin);
  384. ptrlen extvalue = get_string(pktin);
  385. if (ptrlen_eq_string(extname, "server-sig-algs")) {
  386. /*
  387. * Server has sent a list of signature algorithms
  388. * it will potentially accept for user
  389. * authentication keys. Check in particular
  390. * whether the RFC 8332 improved versions of
  391. * ssh-rsa are in the list, and set flags in the
  392. * BPP if so.
  393. *
  394. * TODO: another thing we _could_ do here is to
  395. * record a full list of the algorithm identifiers
  396. * we've seen, whether we understand them
  397. * ourselves or not. Then we could use that as a
  398. * pre-filter during userauth, to skip keys in the
  399. * SSH agent if we already know the server can't
  400. * possibly accept them. (Even if the key
  401. * algorithm is one that the agent and the server
  402. * both understand but we do not.)
  403. */
  404. ptrlen algname;
  405. while (get_commasep_word(&extvalue, &algname)) {
  406. if (ptrlen_eq_string(algname, "rsa-sha2-256"))
  407. ppl->bpp->ext_info_rsa_sha256_ok = true;
  408. if (ptrlen_eq_string(algname, "rsa-sha2-512"))
  409. ppl->bpp->ext_info_rsa_sha512_ok = true;
  410. }
  411. }
  412. }
  413. pq_pop(ppl->in_pq);
  414. break;
  415. }
  416. default:
  417. return false;
  418. }
  419. }
  420. return false;
  421. }
  422. static bool ssh2_transport_filter_queue(struct ssh2_transport_state *s)
  423. {
  424. PktIn *pktin;
  425. if (!s->enabled_incoming_crypto) {
  426. /*
  427. * Record the fact that we've seen any non-KEXINIT packet at
  428. * the head of our queue.
  429. *
  430. * This enables us to check later that the initial incoming
  431. * KEXINIT was the very first packet, if scanning the KEXINITs
  432. * turns out to enable strict-kex mode.
  433. */
  434. PktIn *pktin = pq_peek(s->ppl.in_pq);
  435. if (pktin && pktin->type != SSH2_MSG_KEXINIT)
  436. s->seen_non_kexinit = true;
  437. if (s->strict_kex) {
  438. /*
  439. * Also, if we're already in strict-KEX mode and haven't
  440. * turned on crypto yet, don't do any actual filtering.
  441. * This ensures that extraneous packets _after_ the
  442. * KEXINIT will go to the main coroutine, which will
  443. * complain about them.
  444. */
  445. return false;
  446. }
  447. }
  448. while (1) {
  449. if (ssh2_common_filter_queue(&s->ppl))
  450. return true;
  451. if ((pktin = pq_peek(s->ppl.in_pq)) == NULL)
  452. return false;
  453. /* Pass on packets to the next layer if they're outside
  454. * the range reserved for the transport protocol. */
  455. if (pktin->type >= 50) {
  456. /* ... except that we shouldn't tolerate higher-layer
  457. * packets coming from the server before we've seen
  458. * the first NEWKEYS. */
  459. if (!s->higher_layer_ok) {
  460. ssh_proto_error(s->ppl.ssh, "Received premature higher-"
  461. "layer packet, type %d (%s)", pktin->type,
  462. ssh2_pkt_type(s->ppl.bpp->pls->kctx,
  463. s->ppl.bpp->pls->actx,
  464. pktin->type));
  465. return true;
  466. }
  467. pq_pop(s->ppl.in_pq);
  468. pq_push(&s->pq_in_higher, pktin);
  469. } else {
  470. /* Anything else is a transport-layer packet that the main
  471. * process_queue coroutine should handle. */
  472. return false;
  473. }
  474. }
  475. }
  476. PktIn *ssh2_transport_pop(struct ssh2_transport_state *s)
  477. {
  478. if (ssh2_transport_filter_queue(s))
  479. return NULL; /* we've been freed */
  480. return pq_pop(s->ppl.in_pq);
  481. }
  482. static void ssh2_write_kexinit_lists(
  483. BinarySink *pktout,
  484. struct kexinit_algorithm_list kexlists[NKEXLIST],
  485. Conf *conf, const SshServerConfig *ssc, int remote_bugs,
  486. const char *hk_host, int hk_port, const ssh_keyalg *hk_prev,
  487. ssh_transient_hostkey_cache *thc, tree234 *host_cas,
  488. ssh_key *const *our_hostkeys, int our_nhostkeys,
  489. bool first_time, bool can_gssapi_keyex, bool transient_hostkey_mode)
  490. {
  491. int i, j, k;
  492. bool warn;
  493. int n_preferred_kex;
  494. const ssh_kexes *preferred_kex[KEX_MAX + 3]; /* +3 for GSSAPI */
  495. int n_preferred_hk;
  496. int preferred_hk[HK_MAX];
  497. int n_preferred_ciphers;
  498. const ssh2_ciphers *preferred_ciphers[CIPHER_MAX];
  499. const ssh_compression_alg *preferred_comp;
  500. const ssh2_macalg *const *maclist;
  501. int nmacs;
  502. struct kexinit_algorithm *alg;
  503. /*
  504. * Set up the preferred key exchange. (NULL => warn below here)
  505. */
  506. n_preferred_kex = 0;
  507. if (can_gssapi_keyex) {
  508. preferred_kex[n_preferred_kex++] = &ssh_gssk5_ecdh_kex;
  509. preferred_kex[n_preferred_kex++] = &ssh_gssk5_sha2_kex;
  510. preferred_kex[n_preferred_kex++] = &ssh_gssk5_sha1_kex;
  511. }
  512. for (i = 0; i < KEX_MAX; i++) {
  513. switch (conf_get_int_int(conf, CONF_ssh_kexlist, i)) {
  514. case KEX_DHGEX:
  515. preferred_kex[n_preferred_kex++] =
  516. &ssh_diffiehellman_gex;
  517. break;
  518. case KEX_DHGROUP18:
  519. preferred_kex[n_preferred_kex++] =
  520. &ssh_diffiehellman_group18;
  521. break;
  522. case KEX_DHGROUP17:
  523. preferred_kex[n_preferred_kex++] =
  524. &ssh_diffiehellman_group17;
  525. break;
  526. case KEX_DHGROUP16:
  527. preferred_kex[n_preferred_kex++] =
  528. &ssh_diffiehellman_group16;
  529. break;
  530. case KEX_DHGROUP15:
  531. preferred_kex[n_preferred_kex++] =
  532. &ssh_diffiehellman_group15;
  533. break;
  534. case KEX_DHGROUP14:
  535. preferred_kex[n_preferred_kex++] =
  536. &ssh_diffiehellman_group14;
  537. break;
  538. case KEX_DHGROUP1:
  539. preferred_kex[n_preferred_kex++] =
  540. &ssh_diffiehellman_group1;
  541. break;
  542. case KEX_RSA:
  543. preferred_kex[n_preferred_kex++] =
  544. &ssh_rsa_kex;
  545. break;
  546. case KEX_ECDH:
  547. preferred_kex[n_preferred_kex++] =
  548. &ssh_ecdh_kex;
  549. break;
  550. case KEX_NTRU_HYBRID:
  551. preferred_kex[n_preferred_kex++] =
  552. &ssh_ntru_hybrid_kex;
  553. break;
  554. case KEX_WARN:
  555. /* Flag for later. Don't bother if it's the last in
  556. * the list. */
  557. if (i < KEX_MAX - 1) {
  558. preferred_kex[n_preferred_kex++] = NULL;
  559. }
  560. break;
  561. }
  562. }
  563. /*
  564. * Set up the preferred host key types. These are just the ids
  565. * in the enum in putty.h, so 'warn below here' is indicated
  566. * by HK_WARN.
  567. */
  568. n_preferred_hk = 0;
  569. for (i = 0; i < HK_MAX; i++) {
  570. int id = conf_get_int_int(conf, CONF_ssh_hklist, i);
  571. /* As above, don't bother with HK_WARN if it's last in the
  572. * list */
  573. if (id != HK_WARN || i < HK_MAX - 1)
  574. preferred_hk[n_preferred_hk++] = id;
  575. }
  576. /*
  577. * Set up the preferred ciphers. (NULL => warn below here)
  578. */
  579. n_preferred_ciphers = 0;
  580. for (i = 0; i < CIPHER_MAX; i++) {
  581. switch (conf_get_int_int(conf, CONF_ssh_cipherlist, i)) {
  582. case CIPHER_BLOWFISH:
  583. preferred_ciphers[n_preferred_ciphers++] = &ssh2_blowfish;
  584. break;
  585. case CIPHER_DES:
  586. if (conf_get_bool(conf, CONF_ssh2_des_cbc))
  587. preferred_ciphers[n_preferred_ciphers++] = &ssh2_des;
  588. break;
  589. case CIPHER_3DES:
  590. preferred_ciphers[n_preferred_ciphers++] = &ssh2_3des;
  591. break;
  592. case CIPHER_AES:
  593. preferred_ciphers[n_preferred_ciphers++] = &ssh2_aes;
  594. break;
  595. case CIPHER_ARCFOUR:
  596. preferred_ciphers[n_preferred_ciphers++] = &ssh2_arcfour;
  597. break;
  598. case CIPHER_CHACHA20:
  599. preferred_ciphers[n_preferred_ciphers++] = &ssh2_ccp;
  600. break;
  601. case CIPHER_AESGCM:
  602. preferred_ciphers[n_preferred_ciphers++] = &ssh2_aesgcm;
  603. break;
  604. case CIPHER_WARN:
  605. /* Flag for later. Don't bother if it's the last in
  606. * the list. */
  607. if (i < CIPHER_MAX - 1) {
  608. preferred_ciphers[n_preferred_ciphers++] = NULL;
  609. }
  610. break;
  611. }
  612. }
  613. /*
  614. * Set up preferred compression.
  615. */
  616. if (conf_get_bool(conf, CONF_compression))
  617. preferred_comp = &ssh_zlib;
  618. else
  619. preferred_comp = &ssh_comp_none;
  620. for (i = 0; i < NKEXLIST; i++)
  621. kexlists[i].nalgs = 0;
  622. /* List key exchange algorithms. */
  623. warn = false;
  624. for (i = 0; i < n_preferred_kex; i++) {
  625. const ssh_kexes *k = preferred_kex[i];
  626. if (!k) warn = true;
  627. else for (j = 0; j < k->nkexes; j++) {
  628. alg = ssh2_kexinit_addalg(&kexlists[KEXLIST_KEX],
  629. k->list[j]->name);
  630. alg->u.kex.kex = k->list[j];
  631. alg->u.kex.warn = warn;
  632. }
  633. }
  634. /* List server host key algorithms. */
  635. if (our_hostkeys) {
  636. /*
  637. * In server mode, we just list the algorithms that match the
  638. * host keys we actually have.
  639. */
  640. for (i = 0; i < our_nhostkeys; i++) {
  641. const ssh_keyalg *keyalg = ssh_key_alg(our_hostkeys[i]);
  642. alg = ssh2_kexinit_addalg(&kexlists[KEXLIST_HOSTKEY],
  643. keyalg->ssh_id);
  644. alg->u.hk.hostkey = keyalg;
  645. alg->u.hk.hkflags = 0;
  646. alg->u.hk.warn = false;
  647. uint32_t supported_flags = ssh_keyalg_supported_flags(keyalg);
  648. static const uint32_t try_flags[] = {
  649. SSH_AGENT_RSA_SHA2_256,
  650. SSH_AGENT_RSA_SHA2_512,
  651. };
  652. for (size_t i = 0; i < lenof(try_flags); i++) {
  653. if (try_flags[i] & ~supported_flags)
  654. continue; /* these flags not supported */
  655. alg = ssh2_kexinit_addalg(
  656. &kexlists[KEXLIST_HOSTKEY],
  657. ssh_keyalg_alternate_ssh_id(keyalg, try_flags[i]));
  658. alg->u.hk.hostkey = keyalg;
  659. alg->u.hk.hkflags = try_flags[i];
  660. alg->u.hk.warn = false;
  661. }
  662. }
  663. } else if (first_time) {
  664. /*
  665. * In the first key exchange, we list all the algorithms we're
  666. * prepared to cope with, but (if configured to) we prefer
  667. * those algorithms for which we have a host key for this
  668. * host.
  669. *
  670. * If the host key algorithm is below the warning
  671. * threshold, we warn even if we did already have a key
  672. * for it, on the basis that if the user has just
  673. * reconfigured that host key type to be warned about,
  674. * they surely _do_ want to be alerted that a server
  675. * they're actually connecting to is using it.
  676. */
  677. bool accept_certs = false;
  678. {
  679. host_ca_enum *handle = enum_host_ca_start();
  680. if (handle) {
  681. strbuf *name = strbuf_new();
  682. while (strbuf_clear(name), enum_host_ca_next(handle, name)) {
  683. host_ca *hca = host_ca_load(name->s);
  684. if (!hca)
  685. continue;
  686. if (hca->ca_public_key &&
  687. cert_expr_match_str(hca->validity_expression,
  688. hk_host, hk_port)) {
  689. accept_certs = true;
  690. add234(host_cas, hca);
  691. } else {
  692. host_ca_free(hca);
  693. }
  694. }
  695. enum_host_ca_finish(handle);
  696. strbuf_free(name);
  697. }
  698. }
  699. if (accept_certs) {
  700. /* Add all the certificate algorithms first, in preference order */
  701. warn = false;
  702. for (i = 0; i < n_preferred_hk; i++) {
  703. if (preferred_hk[i] == HK_WARN)
  704. warn = true;
  705. for (j = 0; j < lenof(ssh2_hostkey_algs); j++) {
  706. const struct ssh_signkey_with_user_pref_id *a =
  707. &ssh2_hostkey_algs[j];
  708. if (!a->alg->is_certificate)
  709. continue;
  710. if (a->id != preferred_hk[i])
  711. continue;
  712. alg = ssh2_kexinit_addalg(&kexlists[KEXLIST_HOSTKEY],
  713. a->alg->ssh_id);
  714. alg->u.hk.hostkey = a->alg;
  715. alg->u.hk.warn = warn;
  716. }
  717. }
  718. }
  719. /* Next, add algorithms we already know a key for (unless
  720. * configured not to do that) */
  721. warn = false;
  722. for (i = 0; i < n_preferred_hk; i++) {
  723. if (preferred_hk[i] == HK_WARN)
  724. warn = true;
  725. for (j = 0; j < lenof(ssh2_hostkey_algs); j++) {
  726. const struct ssh_signkey_with_user_pref_id *a =
  727. &ssh2_hostkey_algs[j];
  728. if (a->alg->is_certificate && accept_certs)
  729. continue; /* already added this one */
  730. if (a->id != preferred_hk[i])
  731. continue;
  732. if (conf_get_bool(conf, CONF_ssh_prefer_known_hostkeys) &&
  733. have_ssh_host_key(hk_host, hk_port,
  734. a->alg->cache_id)) {
  735. alg = ssh2_kexinit_addalg(&kexlists[KEXLIST_HOSTKEY],
  736. a->alg->ssh_id);
  737. alg->u.hk.hostkey = a->alg;
  738. alg->u.hk.warn = warn;
  739. }
  740. }
  741. }
  742. /* And finally, everything else */
  743. warn = false;
  744. for (i = 0; i < n_preferred_hk; i++) {
  745. if (preferred_hk[i] == HK_WARN)
  746. warn = true;
  747. for (j = 0; j < lenof(ssh2_hostkey_algs); j++) {
  748. const struct ssh_signkey_with_user_pref_id *a =
  749. &ssh2_hostkey_algs[j];
  750. if (a->alg->is_certificate)
  751. continue;
  752. if (a->id != preferred_hk[i])
  753. continue;
  754. alg = ssh2_kexinit_addalg(&kexlists[KEXLIST_HOSTKEY],
  755. a->alg->ssh_id);
  756. alg->u.hk.hostkey = a->alg;
  757. alg->u.hk.warn = warn;
  758. }
  759. }
  760. #ifndef NO_GSSAPI
  761. } else if (transient_hostkey_mode) {
  762. /*
  763. * If we've previously done a GSSAPI KEX, then we list
  764. * precisely the algorithms for which a previous GSS key
  765. * exchange has delivered us a host key, because we expect
  766. * one of exactly those keys to be used in any subsequent
  767. * non-GSS-based rekey.
  768. *
  769. * An exception is if this is the key exchange we
  770. * triggered for the purposes of populating that cache -
  771. * in which case the cache will currently be empty, which
  772. * isn't helpful!
  773. */
  774. warn = false;
  775. for (i = 0; i < n_preferred_hk; i++) {
  776. if (preferred_hk[i] == HK_WARN)
  777. warn = true;
  778. for (j = 0; j < lenof(ssh2_hostkey_algs); j++) {
  779. if (ssh2_hostkey_algs[j].id != preferred_hk[i])
  780. continue;
  781. if (ssh_transient_hostkey_cache_has(
  782. thc, ssh2_hostkey_algs[j].alg)) {
  783. alg = ssh2_kexinit_addalg(&kexlists[KEXLIST_HOSTKEY],
  784. ssh2_hostkey_algs[j].alg->ssh_id);
  785. alg->u.hk.hostkey = ssh2_hostkey_algs[j].alg;
  786. alg->u.hk.warn = warn;
  787. }
  788. }
  789. }
  790. #endif
  791. } else {
  792. /*
  793. * In subsequent key exchanges, we list only the host key
  794. * algorithm that was selected in the first key exchange,
  795. * so that we keep getting the same host key and hence
  796. * don't have to interrupt the user's session to ask for
  797. * reverification.
  798. */
  799. assert(hk_prev);
  800. alg = ssh2_kexinit_addalg(&kexlists[KEXLIST_HOSTKEY], hk_prev->ssh_id);
  801. alg->u.hk.hostkey = hk_prev;
  802. alg->u.hk.warn = false;
  803. }
  804. if (can_gssapi_keyex) {
  805. alg = ssh2_kexinit_addalg(&kexlists[KEXLIST_HOSTKEY], "null");
  806. alg->u.hk.hostkey = NULL;
  807. }
  808. /* List encryption algorithms (client->server then server->client). */
  809. for (k = KEXLIST_CSCIPHER; k <= KEXLIST_SCCIPHER; k++) {
  810. warn = false;
  811. #ifdef FUZZING
  812. alg = ssh2_kexinit_addalg(&kexlists[K], "none");
  813. alg->u.cipher.cipher = NULL;
  814. alg->u.cipher.warn = warn;
  815. #endif /* FUZZING */
  816. for (i = 0; i < n_preferred_ciphers; i++) {
  817. const ssh2_ciphers *c = preferred_ciphers[i];
  818. if (!c) warn = true;
  819. else for (j = 0; j < c->nciphers; j++) {
  820. alg = ssh2_kexinit_addalg(&kexlists[k],
  821. c->list[j]->ssh2_id);
  822. alg->u.cipher.cipher = c->list[j];
  823. alg->u.cipher.warn = warn;
  824. }
  825. }
  826. }
  827. /*
  828. * Be prepared to work around the buggy MAC problem.
  829. */
  830. if (remote_bugs & BUG_SSH2_HMAC) {
  831. maclist = buggymacs;
  832. nmacs = lenof(buggymacs);
  833. } else {
  834. maclist = macs;
  835. nmacs = lenof(macs);
  836. }
  837. /* List MAC algorithms (client->server then server->client). */
  838. for (j = KEXLIST_CSMAC; j <= KEXLIST_SCMAC; j++) {
  839. #ifdef FUZZING
  840. alg = ssh2_kexinit_addalg(kexlists[j], "none");
  841. alg->u.mac.mac = NULL;
  842. alg->u.mac.etm = false;
  843. #endif /* FUZZING */
  844. for (i = 0; i < nmacs; i++) {
  845. alg = ssh2_kexinit_addalg(&kexlists[j], maclist[i]->name);
  846. alg->u.mac.mac = maclist[i];
  847. alg->u.mac.etm = false;
  848. }
  849. for (i = 0; i < nmacs; i++) {
  850. /* For each MAC, there may also be an ETM version,
  851. * which we list second. */
  852. if (maclist[i]->etm_name) {
  853. alg = ssh2_kexinit_addalg(&kexlists[j], maclist[i]->etm_name);
  854. alg->u.mac.mac = maclist[i];
  855. alg->u.mac.etm = true;
  856. }
  857. }
  858. }
  859. /* List client->server compression algorithms,
  860. * then server->client compression algorithms. (We use the
  861. * same set twice.) */
  862. for (j = KEXLIST_CSCOMP; j <= KEXLIST_SCCOMP; j++) {
  863. assert(lenof(compressions) > 1);
  864. /* Prefer non-delayed versions */
  865. alg = ssh2_kexinit_addalg(&kexlists[j], preferred_comp->name);
  866. alg->u.comp.comp = preferred_comp;
  867. alg->u.comp.delayed = false;
  868. if (preferred_comp->delayed_name) {
  869. alg = ssh2_kexinit_addalg(&kexlists[j],
  870. preferred_comp->delayed_name);
  871. alg->u.comp.comp = preferred_comp;
  872. alg->u.comp.delayed = true;
  873. }
  874. for (i = 0; i < lenof(compressions); i++) {
  875. const ssh_compression_alg *c = compressions[i];
  876. alg = ssh2_kexinit_addalg(&kexlists[j], c->name);
  877. alg->u.comp.comp = c;
  878. alg->u.comp.delayed = false;
  879. if (c->delayed_name) {
  880. alg = ssh2_kexinit_addalg(&kexlists[j], c->delayed_name);
  881. alg->u.comp.comp = c;
  882. alg->u.comp.delayed = true;
  883. }
  884. }
  885. }
  886. /*
  887. * Finally, format the lists into text and write them into the
  888. * outgoing KEXINIT packet.
  889. */
  890. for (i = 0; i < NKEXLIST; i++) {
  891. strbuf *list = strbuf_new();
  892. if (ssc && ssc->kex_override[i].ptr) {
  893. put_datapl(list, ssc->kex_override[i]);
  894. } else {
  895. for (j = 0; j < kexlists[i].nalgs; j++)
  896. add_to_commasep_pl(list, kexlists[i].algs[j].name);
  897. }
  898. if (i == KEXLIST_KEX && first_time) {
  899. if (our_hostkeys) { /* we're the server */
  900. add_to_commasep_pl(list, ext_info_s);
  901. add_to_commasep_pl(list, kex_strict_s);
  902. } else { /* we're the client */
  903. add_to_commasep_pl(list, ext_info_c);
  904. add_to_commasep_pl(list, kex_strict_c);
  905. }
  906. }
  907. put_stringsb(pktout, list);
  908. }
  909. /* List client->server languages. Empty list. */
  910. put_stringz(pktout, "");
  911. /* List server->client languages. Empty list. */
  912. put_stringz(pktout, "");
  913. }
  914. struct server_hostkeys {
  915. int *indices;
  916. size_t n, size;
  917. };
  918. static bool kexinit_keyword_found(ptrlen list, ptrlen keyword)
  919. {
  920. for (ptrlen word; get_commasep_word(&list, &word) ;)
  921. if (ptrlen_eq_ptrlen(word, keyword))
  922. return true;
  923. return false;
  924. }
  925. typedef struct ScanKexinitsResult {
  926. bool success;
  927. /* only if success is false */
  928. enum {
  929. SKR_INCOMPLETE,
  930. SKR_UNKNOWN_ID,
  931. SKR_NO_AGREEMENT,
  932. } error;
  933. const char *kind; /* what kind of thing did we fail to sort out? */
  934. ptrlen desc; /* and what was it? or what was the available list? */
  935. } ScanKexinitsResult;
  936. static ScanKexinitsResult ssh2_scan_kexinits(
  937. ptrlen client_kexinit, ptrlen server_kexinit, bool we_are_server,
  938. struct kexinit_algorithm_list kexlists[NKEXLIST],
  939. const ssh_kex **kex_alg, const ssh_keyalg **hostkey_alg,
  940. transport_direction *cs, transport_direction *sc,
  941. bool *warn_kex, bool *warn_hk, bool *warn_cscipher, bool *warn_sccipher,
  942. bool *ignore_guess_cs_packet, bool *ignore_guess_sc_packet,
  943. struct server_hostkeys *server_hostkeys, unsigned *hkflags,
  944. bool *can_send_ext_info, bool first_time, bool *strict_kex)
  945. {
  946. BinarySource client[1], server[1];
  947. int i;
  948. bool guess_correct;
  949. ptrlen clists[NKEXLIST], slists[NKEXLIST];
  950. const struct kexinit_algorithm *selected[NKEXLIST];
  951. BinarySource_BARE_INIT_PL(client, client_kexinit);
  952. BinarySource_BARE_INIT_PL(server, server_kexinit);
  953. /* Skip packet type bytes and random cookies. */
  954. get_data(client, 1 + 16);
  955. get_data(server, 1 + 16);
  956. guess_correct = true;
  957. /* Find the matching string in each list, and map it to its
  958. * kexinit_algorithm structure. */
  959. for (i = 0; i < NKEXLIST; i++) {
  960. ptrlen clist, slist, cword, sword, found;
  961. bool cfirst, sfirst;
  962. int j;
  963. clists[i] = get_string(client);
  964. slists[i] = get_string(server);
  965. if (get_err(client) || get_err(server)) {
  966. ScanKexinitsResult skr = {
  967. .success = false, .error = SKR_INCOMPLETE,
  968. };
  969. return skr;
  970. }
  971. for (cfirst = true, clist = clists[i];
  972. get_commasep_word(&clist, &cword); cfirst = false)
  973. for (sfirst = true, slist = slists[i];
  974. get_commasep_word(&slist, &sword); sfirst = false)
  975. if (ptrlen_eq_ptrlen(cword, sword)) {
  976. found = cword;
  977. goto found_match;
  978. }
  979. /* No matching string found in the two lists. Delay reporting
  980. * a fatal error until below, because sometimes it turns out
  981. * not to be fatal. */
  982. selected[i] = NULL;
  983. /*
  984. * However, even if a failure to agree on any algorithm at all
  985. * is not completely fatal (e.g. because it's the MAC
  986. * negotiation for a cipher that comes with a built-in MAC),
  987. * it still invalidates the guessed key exchange packet. (RFC
  988. * 4253 section 7, not contradicted by OpenSSH's
  989. * PROTOCOL.chacha20poly1305 or as far as I can see by their
  990. * code.)
  991. */
  992. guess_correct = false;
  993. continue;
  994. found_match:
  995. selected[i] = NULL;
  996. for (j = 0; j < kexlists[i].nalgs; j++) {
  997. if (ptrlen_eq_ptrlen(found, kexlists[i].algs[j].name)) {
  998. selected[i] = &kexlists[i].algs[j];
  999. break;
  1000. }
  1001. }
  1002. if (!selected[i]) {
  1003. /*
  1004. * In the client, this should never happen! But in the
  1005. * server, where we allow manual override on the command
  1006. * line of the exact KEXINIT strings, it can happen
  1007. * because the command line contained a typo. So we
  1008. * produce a reasonably useful message instead of an
  1009. * assertion failure.
  1010. */
  1011. ScanKexinitsResult skr = {
  1012. .success = false, .error = SKR_UNKNOWN_ID,
  1013. .kind = kexlist_descr[i], .desc = found,
  1014. };
  1015. return skr;
  1016. }
  1017. /*
  1018. * If the kex or host key algorithm is not the first one in
  1019. * both sides' lists, that means the guessed key exchange
  1020. * packet (if any) is officially wrong.
  1021. */
  1022. if ((i == KEXLIST_KEX || i == KEXLIST_HOSTKEY) && !(cfirst || sfirst))
  1023. guess_correct = false;
  1024. }
  1025. /*
  1026. * Skip language strings in both KEXINITs, and read the flags
  1027. * saying whether a guessed KEX packet follows.
  1028. */
  1029. get_string(client);
  1030. get_string(client);
  1031. get_string(server);
  1032. get_string(server);
  1033. if (ignore_guess_cs_packet)
  1034. *ignore_guess_cs_packet = get_bool(client) && !guess_correct;
  1035. if (ignore_guess_sc_packet)
  1036. *ignore_guess_sc_packet = get_bool(server) && !guess_correct;
  1037. /*
  1038. * Now transcribe the selected algorithm set into the output data.
  1039. */
  1040. for (i = 0; i < NKEXLIST; i++) {
  1041. const struct kexinit_algorithm *alg;
  1042. /*
  1043. * If we've already selected a cipher which requires a
  1044. * particular MAC, then just select that. This is the case in
  1045. * which it's not a fatal error if the actual MAC string lists
  1046. * didn't include any matching error.
  1047. */
  1048. if (i == KEXLIST_CSMAC && cs->cipher &&
  1049. cs->cipher->required_mac) {
  1050. cs->mac = cs->cipher->required_mac;
  1051. cs->etm_mode = !!(cs->mac->etm_name);
  1052. continue;
  1053. }
  1054. if (i == KEXLIST_SCMAC && sc->cipher &&
  1055. sc->cipher->required_mac) {
  1056. sc->mac = sc->cipher->required_mac;
  1057. sc->etm_mode = !!(sc->mac->etm_name);
  1058. continue;
  1059. }
  1060. alg = selected[i];
  1061. if (!alg) {
  1062. /*
  1063. * Otherwise, any match failure _is_ a fatal error.
  1064. */
  1065. ScanKexinitsResult skr = {
  1066. .success = false, .error = SKR_UNKNOWN_ID,
  1067. .kind = kexlist_descr[i], .desc = slists[i],
  1068. };
  1069. return skr;
  1070. }
  1071. switch (i) {
  1072. case KEXLIST_KEX:
  1073. *kex_alg = alg->u.kex.kex;
  1074. *warn_kex = alg->u.kex.warn;
  1075. break;
  1076. case KEXLIST_HOSTKEY:
  1077. /*
  1078. * Ignore an unexpected/inappropriate offer of "null",
  1079. * we offer "null" when we're willing to use GSS KEX,
  1080. * but it is only acceptable when GSSKEX is actually
  1081. * selected.
  1082. */
  1083. if (alg->u.hk.hostkey == NULL &&
  1084. (*kex_alg)->main_type != KEXTYPE_GSS)
  1085. continue;
  1086. *hostkey_alg = alg->u.hk.hostkey;
  1087. *hkflags = alg->u.hk.hkflags;
  1088. *warn_hk = alg->u.hk.warn;
  1089. break;
  1090. case KEXLIST_CSCIPHER:
  1091. cs->cipher = alg->u.cipher.cipher;
  1092. *warn_cscipher = alg->u.cipher.warn;
  1093. break;
  1094. case KEXLIST_SCCIPHER:
  1095. sc->cipher = alg->u.cipher.cipher;
  1096. *warn_sccipher = alg->u.cipher.warn;
  1097. break;
  1098. case KEXLIST_CSMAC:
  1099. cs->mac = alg->u.mac.mac;
  1100. cs->etm_mode = alg->u.mac.etm;
  1101. break;
  1102. case KEXLIST_SCMAC:
  1103. sc->mac = alg->u.mac.mac;
  1104. sc->etm_mode = alg->u.mac.etm;
  1105. break;
  1106. case KEXLIST_CSCOMP:
  1107. cs->comp = alg->u.comp.comp;
  1108. cs->comp_delayed = alg->u.comp.delayed;
  1109. break;
  1110. case KEXLIST_SCCOMP:
  1111. sc->comp = alg->u.comp.comp;
  1112. sc->comp_delayed = alg->u.comp.delayed;
  1113. break;
  1114. default:
  1115. unreachable("Bad list index in scan_kexinits");
  1116. }
  1117. }
  1118. /*
  1119. * Check whether the other side advertised support for EXT_INFO.
  1120. */
  1121. if (kexinit_keyword_found(
  1122. we_are_server ? clists[KEXLIST_KEX] : slists[KEXLIST_KEX],
  1123. we_are_server ? ext_info_c : ext_info_s))
  1124. *can_send_ext_info = true;
  1125. /*
  1126. * Check whether the other side advertised support for kex-strict.
  1127. */
  1128. if (first_time && kexinit_keyword_found(
  1129. we_are_server ? clists[KEXLIST_KEX] : slists[KEXLIST_KEX],
  1130. we_are_server ? kex_strict_c : kex_strict_s))
  1131. *strict_kex = true;
  1132. if (server_hostkeys) {
  1133. /*
  1134. * Finally, make an auxiliary pass over the server's host key
  1135. * list to find all the host key algorithms offered by the
  1136. * server which we know about at all, whether we selected each
  1137. * one or not. We return these as a list of indices into the
  1138. * constant ssh2_hostkey_algs[] array.
  1139. */
  1140. ptrlen list = slists[KEXLIST_HOSTKEY];
  1141. for (ptrlen word; get_commasep_word(&list, &word) ;) {
  1142. for (i = 0; i < lenof(ssh2_hostkey_algs); i++)
  1143. if (ptrlen_eq_string(word, ssh2_hostkey_algs[i].alg->ssh_id)) {
  1144. sgrowarray(server_hostkeys->indices, server_hostkeys->size,
  1145. server_hostkeys->n);
  1146. server_hostkeys->indices[server_hostkeys->n++] = i;
  1147. break;
  1148. }
  1149. }
  1150. }
  1151. ScanKexinitsResult skr = { .success = true };
  1152. return skr;
  1153. }
  1154. static void ssh2_report_scan_kexinits_error(Ssh *ssh, ScanKexinitsResult skr)
  1155. {
  1156. assert(!skr.success);
  1157. switch (skr.error) {
  1158. case SKR_INCOMPLETE:
  1159. /* Report a better error than the spurious "Couldn't
  1160. * agree" that we'd generate if we pressed on regardless
  1161. * and treated the empty get_string() result as genuine */
  1162. ssh_proto_error(ssh, "KEXINIT packet was incomplete");
  1163. break;
  1164. case SKR_UNKNOWN_ID:
  1165. ssh_sw_abort(ssh, "Selected %s \"%.*s\" does not correspond to "
  1166. "any supported algorithm",
  1167. skr.kind, PTRLEN_PRINTF(skr.desc));
  1168. break;
  1169. case SKR_NO_AGREEMENT:
  1170. ssh_sw_abort(ssh, "Couldn't agree a %s (available: %.*s)",
  1171. skr.kind, PTRLEN_PRINTF(skr.desc));
  1172. break;
  1173. default:
  1174. unreachable("bad ScanKexinitsResult");
  1175. }
  1176. }
  1177. static inline bool delay_outgoing_kexinit(struct ssh2_transport_state *s)
  1178. {
  1179. if (!(s->ppl.remote_bugs & BUG_REQUIRES_FILTERED_KEXINIT))
  1180. return false; /* bug flag not enabled => no need to delay */
  1181. if (s->incoming_kexinit->len)
  1182. return false; /* already got a remote KEXINIT we can filter against */
  1183. return true;
  1184. }
  1185. static void filter_outgoing_kexinit(struct ssh2_transport_state *s)
  1186. {
  1187. strbuf *pktout = strbuf_new();
  1188. BinarySource osrc[1], isrc[1];
  1189. BinarySource_BARE_INIT(
  1190. osrc, s->outgoing_kexinit->u, s->outgoing_kexinit->len);
  1191. BinarySource_BARE_INIT(
  1192. isrc, s->incoming_kexinit->u, s->incoming_kexinit->len);
  1193. /* Skip the packet type bytes from both packets */
  1194. get_byte(osrc);
  1195. get_byte(isrc);
  1196. /* Copy our cookie into the real output packet; skip their cookie */
  1197. put_datapl(pktout, get_data(osrc, 16));
  1198. get_data(isrc, 16);
  1199. /*
  1200. * Now we expect NKEXLIST+2 name-lists. We write into the outgoing
  1201. * packet a subset of our intended outgoing one, containing only
  1202. * names mentioned in the incoming out.
  1203. *
  1204. * NKEXLIST+2 because for this purpose we treat the 'languages'
  1205. * lists the same as the rest. In the rest of this code base we
  1206. * ignore those.
  1207. */
  1208. strbuf *out = strbuf_new();
  1209. for (size_t i = 0; i < NKEXLIST+2; i++) {
  1210. strbuf_clear(out);
  1211. ptrlen olist = get_string(osrc), ilist = get_string(isrc);
  1212. for (ptrlen oword; get_commasep_word(&olist, &oword) ;) {
  1213. ptrlen searchword = oword;
  1214. ptrlen ilist_copy = ilist;
  1215. /*
  1216. * Special case: the kex_strict keywords are
  1217. * asymmetrically named, so if we're contemplating
  1218. * including one of them in our filtered KEXINIT, we
  1219. * should search the other side's KEXINIT for the _other_
  1220. * one, not the same one.
  1221. */
  1222. if (i == KEXLIST_KEX) {
  1223. if (ptrlen_eq_ptrlen(oword, kex_strict_c))
  1224. searchword = kex_strict_s;
  1225. else if (ptrlen_eq_ptrlen(oword, kex_strict_s))
  1226. searchword = kex_strict_c;
  1227. }
  1228. bool add = false;
  1229. for (ptrlen iword; get_commasep_word(&ilist_copy, &iword) ;) {
  1230. if (ptrlen_eq_ptrlen(searchword, iword)) {
  1231. /* Found this word in the incoming list. */
  1232. add = true;
  1233. break;
  1234. }
  1235. }
  1236. if (i == KEXLIST_KEX && ptrlen_eq_string(oword, "ext-info-c")) {
  1237. /* Special case: this will _never_ match anything from the
  1238. * server, and we need it to enable SHA-2 based RSA.
  1239. *
  1240. * If this ever turns out to confuse any server all by
  1241. * itself then I suppose we'll need an even more
  1242. * draconian bug flag to exclude that too. (Obv, such
  1243. * a server wouldn't be able to speak SHA-2 RSA
  1244. * anyway.) */
  1245. add = true;
  1246. }
  1247. if (add)
  1248. add_to_commasep_pl(out, oword);
  1249. }
  1250. put_stringpl(pktout, ptrlen_from_strbuf(out));
  1251. }
  1252. strbuf_free(out);
  1253. /*
  1254. * Finally, copy the remaining parts of our intended KEXINIT.
  1255. */
  1256. put_bool(pktout, get_bool(osrc)); /* first-kex-packet-follows */
  1257. put_uint32(pktout, get_uint32(osrc)); /* reserved word */
  1258. /*
  1259. * Dump this data into s->outgoing_kexinit in place of what we had
  1260. * there before. We need to remember the KEXINIT we _really_ sent,
  1261. * not the one we'd have liked to send, since the host key
  1262. * signature will be validated against the former.
  1263. */
  1264. strbuf_shrink_to(s->outgoing_kexinit, 1); /* keep the type byte */
  1265. put_datapl(s->outgoing_kexinit, ptrlen_from_strbuf(pktout));
  1266. strbuf_free(pktout);
  1267. }
  1268. void ssh2transport_finalise_exhash(struct ssh2_transport_state *s)
  1269. {
  1270. put_datapl(s->exhash, ptrlen_from_strbuf(s->kex_shared_secret));
  1271. assert(ssh_hash_alg(s->exhash)->hlen <= sizeof(s->exchange_hash));
  1272. ssh_hash_final(s->exhash, s->exchange_hash);
  1273. s->exhash = NULL;
  1274. #if 0
  1275. debug("Exchange hash is:\n");
  1276. dmemdump(s->exchange_hash, s->kex_alg->hash->hlen);
  1277. #endif
  1278. }
  1279. static void ssh2_transport_process_queue(PacketProtocolLayer *ppl)
  1280. {
  1281. struct ssh2_transport_state *s =
  1282. container_of(ppl, struct ssh2_transport_state, ppl);
  1283. PktIn *pktin;
  1284. PktOut *pktout;
  1285. /* Filter centrally handled messages off the front of the queue on
  1286. * every entry to this coroutine, no matter where we're resuming
  1287. * from, even if we're _not_ looping on pq_pop. That way we can
  1288. * still proactively handle those messages even if we're waiting
  1289. * for a user response. */
  1290. if (ssh2_transport_filter_queue(s))
  1291. return; /* we've been freed */
  1292. crBegin(s->crState);
  1293. s->in.cipher = s->out.cipher = NULL;
  1294. s->in.mac = s->out.mac = NULL;
  1295. s->in.comp = s->out.comp = NULL;
  1296. s->got_session_id = false;
  1297. s->need_gss_transient_hostkey = false;
  1298. s->warned_about_no_gss_transient_hostkey = false;
  1299. begin_key_exchange:
  1300. #ifndef NO_GSSAPI
  1301. if (s->need_gss_transient_hostkey) {
  1302. /*
  1303. * This flag indicates a special case in which we must not do
  1304. * GSS key exchange even if we could. (See comments below,
  1305. * where the flag was set on the previous key exchange.)
  1306. */
  1307. s->can_gssapi_keyex = false;
  1308. } else if (conf_get_bool(s->conf, CONF_try_gssapi_kex)) {
  1309. /*
  1310. * We always check if we have GSS creds before we come up with
  1311. * the kex algorithm list, otherwise future rekeys will fail
  1312. * when creds expire. To make this so, this code section must
  1313. * follow the begin_key_exchange label above, otherwise this
  1314. * section would execute just once per-connection.
  1315. *
  1316. * Update GSS state unless the reason we're here is that a
  1317. * timer just checked the GSS state and decided that we should
  1318. * rekey to update delegated credentials. In that case, the
  1319. * state is "fresh".
  1320. */
  1321. if (s->rekey_class != RK_GSS_UPDATE)
  1322. ssh2_transport_gss_update(s, true);
  1323. /* Do GSSAPI KEX when capable */
  1324. s->can_gssapi_keyex = s->gss_status & GSS_KEX_CAPABLE;
  1325. /*
  1326. * But not when failure is likely. [ GSS implementations may
  1327. * attempt (and fail) to use a ticket that is almost expired
  1328. * when retrieved from the ccache that actually expires by the
  1329. * time the server receives it. ]
  1330. *
  1331. * Note: The first time always try KEXGSS if we can, failures
  1332. * will be very rare, and disabling the initial GSS KEX is
  1333. * worse. Some day GSS libraries will ignore cached tickets
  1334. * whose lifetime is critically short, and will instead use
  1335. * fresh ones.
  1336. */
  1337. if (!s->got_session_id && (s->gss_status & GSS_CTXT_MAYFAIL) != 0)
  1338. s->can_gssapi_keyex = false;
  1339. s->gss_delegate = conf_get_bool(s->conf, CONF_gssapifwd);
  1340. } else {
  1341. s->can_gssapi_keyex = false;
  1342. }
  1343. #endif
  1344. s->ppl.bpp->pls->kctx = SSH2_PKTCTX_NOKEX;
  1345. /*
  1346. * Construct our KEXINIT packet, in a strbuf so we can refer to it
  1347. * later.
  1348. */
  1349. strbuf_clear(s->outgoing_kexinit);
  1350. put_byte(s->outgoing_kexinit, SSH2_MSG_KEXINIT);
  1351. random_read(strbuf_append(s->outgoing_kexinit, 16), 16);
  1352. ssh2_write_kexinit_lists(
  1353. BinarySink_UPCAST(s->outgoing_kexinit), s->kexlists,
  1354. s->conf, s->ssc, s->ppl.remote_bugs,
  1355. s->savedhost, s->savedport, s->hostkey_alg, s->thc, s->host_cas,
  1356. s->hostkeys, s->nhostkeys,
  1357. !s->got_session_id, s->can_gssapi_keyex,
  1358. s->gss_kex_used && !s->need_gss_transient_hostkey);
  1359. /* First KEX packet does _not_ follow, because we're not that brave. */
  1360. put_bool(s->outgoing_kexinit, false);
  1361. put_uint32(s->outgoing_kexinit, 0); /* reserved */
  1362. /*
  1363. * Send our KEXINIT, most of the time.
  1364. *
  1365. * An exception: in BUG_REQUIRES_FILTERED_KEXINIT mode, we have to
  1366. * have seen at least one KEXINIT from the server first, so that
  1367. * we can filter our own KEXINIT down to contain only algorithms
  1368. * the server mentioned.
  1369. *
  1370. * But we only need to do this on the _first_ key exchange, when
  1371. * we've never seen a KEXINIT from the server before. In rekeys,
  1372. * we still have the server's previous KEXINIT lying around, so we
  1373. * can filter based on that.
  1374. *
  1375. * (And a good thing too, since the way you _initiate_ a rekey is
  1376. * by sending your KEXINIT, so we'd have no way to prod the server
  1377. * into sending its first!)
  1378. */
  1379. s->kexinit_delayed = delay_outgoing_kexinit(s);
  1380. if (!s->kexinit_delayed) {
  1381. if (s->ppl.remote_bugs & BUG_REQUIRES_FILTERED_KEXINIT) {
  1382. /* Filter based on the KEXINIT from the previous exchange */
  1383. filter_outgoing_kexinit(s);
  1384. }
  1385. pktout = ssh_bpp_new_pktout(s->ppl.bpp, SSH2_MSG_KEXINIT);
  1386. put_data(pktout, s->outgoing_kexinit->u + 1,
  1387. s->outgoing_kexinit->len - 1); /* omit type byte */
  1388. pq_push(s->ppl.out_pq, pktout);
  1389. }
  1390. /*
  1391. * Flag that KEX is in progress.
  1392. */
  1393. s->kex_in_progress = true;
  1394. /*
  1395. * Wait for the other side's KEXINIT, and save it.
  1396. */
  1397. crMaybeWaitUntilV((pktin = ssh2_transport_pop(s)) != NULL);
  1398. if (pktin->type != SSH2_MSG_KEXINIT) {
  1399. ssh_proto_error(s->ppl.ssh, "Received unexpected packet when "
  1400. "expecting KEXINIT, type %d (%s)", pktin->type,
  1401. ssh2_pkt_type(s->ppl.bpp->pls->kctx,
  1402. s->ppl.bpp->pls->actx, pktin->type));
  1403. return;
  1404. }
  1405. strbuf_clear(s->incoming_kexinit);
  1406. put_byte(s->incoming_kexinit, SSH2_MSG_KEXINIT);
  1407. put_data(s->incoming_kexinit, get_ptr(pktin), get_avail(pktin));
  1408. /*
  1409. * If we've delayed sending our KEXINIT so as to filter it down to
  1410. * only things the server won't choke on, send ours now.
  1411. */
  1412. if (s->kexinit_delayed) {
  1413. filter_outgoing_kexinit(s);
  1414. pktout = ssh_bpp_new_pktout(s->ppl.bpp, SSH2_MSG_KEXINIT);
  1415. put_data(pktout, s->outgoing_kexinit->u + 1,
  1416. s->outgoing_kexinit->len - 1); /* omit type byte */
  1417. pq_push(s->ppl.out_pq, pktout);
  1418. }
  1419. /*
  1420. * Work through the two KEXINIT packets in parallel to find the
  1421. * selected algorithm identifiers.
  1422. */
  1423. {
  1424. struct server_hostkeys hks = { NULL, 0, 0 };
  1425. ScanKexinitsResult skr = ssh2_scan_kexinits(
  1426. ptrlen_from_strbuf(s->client_kexinit),
  1427. ptrlen_from_strbuf(s->server_kexinit), s->ssc != NULL,
  1428. s->kexlists, &s->kex_alg, &s->hostkey_alg, s->cstrans,
  1429. s->sctrans, &s->warn_kex, &s->warn_hk, &s->warn_cscipher,
  1430. &s->warn_sccipher, NULL, &s->ignorepkt, &hks,
  1431. &s->hkflags, &s->can_send_ext_info, !s->got_session_id,
  1432. &s->strict_kex);
  1433. if (!skr.success) {
  1434. sfree(hks.indices);
  1435. ssh2_report_scan_kexinits_error(s->ppl.ssh, skr);
  1436. return; /* we just called a fatal error function */
  1437. }
  1438. /*
  1439. * If we've just turned on strict kex mode, say so, and
  1440. * retrospectively fault any pre-KEXINIT extraneous packets.
  1441. */
  1442. if (!s->got_session_id && s->strict_kex) {
  1443. ppl_logevent("Enabling strict key exchange semantics");
  1444. if (s->seen_non_kexinit) {
  1445. ssh_proto_error(s->ppl.ssh, "Received a packet before KEXINIT "
  1446. "in strict-kex mode");
  1447. return;
  1448. }
  1449. }
  1450. /*
  1451. * In addition to deciding which host key we're actually going
  1452. * to use, we should make a list of the host keys offered by
  1453. * the server which we _don't_ have cached. These will be
  1454. * offered as cross-certification options by ssh_get_specials.
  1455. *
  1456. * We also count the key we're currently using for KEX as one
  1457. * we've already got, because by the time this menu becomes
  1458. * visible, it will be.
  1459. */
  1460. s->n_uncert_hostkeys = 0;
  1461. for (int i = 0; i < hks.n; i++) {
  1462. int j = hks.indices[i];
  1463. if (ssh2_hostkey_algs[j].alg != s->hostkey_alg &&
  1464. ssh2_hostkey_algs[j].alg->cache_id &&
  1465. !have_ssh_host_key(s->savedhost, s->savedport,
  1466. ssh2_hostkey_algs[j].alg->cache_id)) {
  1467. s->uncert_hostkeys[s->n_uncert_hostkeys++] = j;
  1468. }
  1469. }
  1470. sfree(hks.indices);
  1471. }
  1472. if (s->warn_kex) {
  1473. s->spr = ssh2_transport_confirm_weak_crypto_primitive(
  1474. s, "key-exchange algorithm", s->kex_alg->name, s->kex_alg,
  1475. WCR_BELOW_THRESHOLD);
  1476. crMaybeWaitUntilV(s->spr.kind != SPRK_INCOMPLETE);
  1477. if (spr_is_abort(s->spr)) {
  1478. ssh_spr_close(s->ppl.ssh, s->spr, "kex warning");
  1479. return;
  1480. }
  1481. }
  1482. if (s->warn_hk) {
  1483. int j, k;
  1484. const char **betteralgs = NULL;
  1485. size_t nbetter = 0, bettersize = 0;
  1486. /*
  1487. * Change warning box wording depending on why we chose a
  1488. * warning-level host key algorithm. If it's because
  1489. * that's all we have *cached*, list the host keys we
  1490. * could usefully cross-certify. Otherwise, use the same
  1491. * standard wording as any other weak crypto primitive.
  1492. */
  1493. for (j = 0; j < s->n_uncert_hostkeys; j++) {
  1494. const struct ssh_signkey_with_user_pref_id *hktype =
  1495. &ssh2_hostkey_algs[s->uncert_hostkeys[j]];
  1496. bool better = false;
  1497. for (k = 0; k < HK_MAX; k++) {
  1498. int id = conf_get_int_int(s->conf, CONF_ssh_hklist, k);
  1499. if (id == HK_WARN) {
  1500. break;
  1501. } else if (id == hktype->id) {
  1502. better = true;
  1503. break;
  1504. }
  1505. }
  1506. if (better) {
  1507. sgrowarray(betteralgs, bettersize, nbetter);
  1508. betteralgs[nbetter++] = hktype->alg->ssh_id;
  1509. }
  1510. }
  1511. if (betteralgs) {
  1512. /* Use the special warning prompt that lets us provide
  1513. * a list of better algorithms */
  1514. sgrowarray(betteralgs, bettersize, nbetter);
  1515. betteralgs[nbetter] = NULL;
  1516. s->spr = confirm_weak_cached_hostkey(
  1517. ppl_get_iseat(&s->ppl), s->hostkey_alg->ssh_id, betteralgs,
  1518. ssh2_transport_dialog_callback, s);
  1519. sfree(betteralgs);
  1520. } else {
  1521. /* If none exist, use the more general 'weak crypto'
  1522. * warning prompt */
  1523. s->spr = ssh2_transport_confirm_weak_crypto_primitive(
  1524. s, "host key type", s->hostkey_alg->ssh_id,
  1525. s->hostkey_alg, WCR_BELOW_THRESHOLD);
  1526. }
  1527. crMaybeWaitUntilV(s->spr.kind != SPRK_INCOMPLETE);
  1528. if (spr_is_abort(s->spr)) {
  1529. ssh_spr_close(s->ppl.ssh, s->spr, "host key warning");
  1530. return;
  1531. }
  1532. }
  1533. if (s->warn_cscipher) {
  1534. s->spr = ssh2_transport_confirm_weak_crypto_primitive(
  1535. s, "client-to-server cipher", s->out.cipher->ssh2_id,
  1536. s->out.cipher, WCR_BELOW_THRESHOLD);
  1537. crMaybeWaitUntilV(s->spr.kind != SPRK_INCOMPLETE);
  1538. if (spr_is_abort(s->spr)) {
  1539. ssh_spr_close(s->ppl.ssh, s->spr, "cipher warning");
  1540. return;
  1541. }
  1542. }
  1543. if (s->warn_sccipher) {
  1544. s->spr = ssh2_transport_confirm_weak_crypto_primitive(
  1545. s, "server-to-client cipher", s->in.cipher->ssh2_id,
  1546. s->in.cipher, WCR_BELOW_THRESHOLD);
  1547. crMaybeWaitUntilV(s->spr.kind != SPRK_INCOMPLETE);
  1548. if (spr_is_abort(s->spr)) {
  1549. ssh_spr_close(s->ppl.ssh, s->spr, "cipher warning");
  1550. return;
  1551. }
  1552. }
  1553. {
  1554. s->terrapin.csvuln = terrapin_vulnerable(s->strict_kex, s->cstrans);
  1555. s->terrapin.scvuln = terrapin_vulnerable(s->strict_kex, s->sctrans);
  1556. s->terrapin.wcr = WCR_TERRAPIN;
  1557. if (s->terrapin.csvuln || s->terrapin.scvuln) {
  1558. ppl_logevent("SSH connection is vulnerable to 'Terrapin' attack "
  1559. "(CVE-2023-48795)");
  1560. if (try_to_avoid_terrapin(s))
  1561. s->terrapin.wcr = WCR_TERRAPIN_AVOIDABLE;
  1562. }
  1563. if (s->terrapin.csvuln) {
  1564. s->spr = ssh2_transport_confirm_weak_crypto_primitive(
  1565. s, "client-to-server cipher", s->terrapin.csvuln,
  1566. terrapin_weakness, s->terrapin.wcr);
  1567. crMaybeWaitUntilV(s->spr.kind != SPRK_INCOMPLETE);
  1568. if (spr_is_abort(s->spr)) {
  1569. ssh_spr_close(s->ppl.ssh, s->spr, "vulnerability warning");
  1570. return;
  1571. }
  1572. }
  1573. if (s->terrapin.scvuln) {
  1574. s->spr = ssh2_transport_confirm_weak_crypto_primitive(
  1575. s, "server-to-client cipher", s->terrapin.scvuln,
  1576. terrapin_weakness, s->terrapin.wcr);
  1577. crMaybeWaitUntilV(s->spr.kind != SPRK_INCOMPLETE);
  1578. if (spr_is_abort(s->spr)) {
  1579. ssh_spr_close(s->ppl.ssh, s->spr, "vulnerability warning");
  1580. return;
  1581. }
  1582. }
  1583. if (s->terrapin.csvuln || s->terrapin.scvuln) {
  1584. ppl_logevent("Continuing despite 'Terrapin' vulnerability, "
  1585. "at user request");
  1586. }
  1587. }
  1588. /*
  1589. * If the other side has sent an initial key exchange packet that
  1590. * we must treat as a wrong guess, wait for it, and discard it.
  1591. */
  1592. if (s->ignorepkt)
  1593. crMaybeWaitUntilV((pktin = ssh2_transport_pop(s)) != NULL);
  1594. /*
  1595. * Actually perform the key exchange.
  1596. */
  1597. s->exhash = ssh_hash_new(s->kex_alg->hash);
  1598. if (s->kex_shared_secret)
  1599. strbuf_free(s->kex_shared_secret);
  1600. s->kex_shared_secret = strbuf_new_nm();
  1601. put_stringz(s->exhash, s->client_greeting);
  1602. put_stringz(s->exhash, s->server_greeting);
  1603. put_string(s->exhash, s->client_kexinit->u, s->client_kexinit->len);
  1604. put_string(s->exhash, s->server_kexinit->u, s->server_kexinit->len);
  1605. s->crStateKex = 0;
  1606. while (1) {
  1607. bool aborted = false;
  1608. ssh2kex_coroutine(s, &aborted);
  1609. if (aborted)
  1610. return; /* disaster: our entire state has been freed */
  1611. if (!s->crStateKex)
  1612. break; /* kex phase has terminated normally */
  1613. crReturnV;
  1614. }
  1615. /*
  1616. * The exchange hash from the very first key exchange is also
  1617. * the session id, used in session key construction and
  1618. * authentication.
  1619. */
  1620. if (!s->got_session_id) {
  1621. assert(sizeof(s->exchange_hash) <= sizeof(s->session_id));
  1622. memcpy(s->session_id, s->exchange_hash, sizeof(s->exchange_hash));
  1623. s->session_id_len = s->kex_alg->hash->hlen;
  1624. assert(s->session_id_len <= sizeof(s->session_id));
  1625. s->got_session_id = true;
  1626. }
  1627. /*
  1628. * Send SSH2_MSG_NEWKEYS.
  1629. */
  1630. pktout = ssh_bpp_new_pktout(s->ppl.bpp, SSH2_MSG_NEWKEYS);
  1631. pq_push(s->ppl.out_pq, pktout);
  1632. /* Start counting down the outgoing-data limit for these cipher keys. */
  1633. dts_reset(&s->stats->out, s->max_data_size);
  1634. /*
  1635. * Force the BPP to synchronously marshal all packets up to and
  1636. * including that NEWKEYS into wire format, before we switch over
  1637. * to new crypto.
  1638. */
  1639. ssh_bpp_handle_output(s->ppl.bpp);
  1640. /*
  1641. * We've sent outgoing NEWKEYS, so create and initialise outgoing
  1642. * session keys.
  1643. */
  1644. {
  1645. strbuf *cipher_key = strbuf_new_nm();
  1646. strbuf *cipher_iv = strbuf_new_nm();
  1647. strbuf *mac_key = strbuf_new_nm();
  1648. if (s->out.cipher) {
  1649. ssh2_mkkey(s, cipher_iv, s->kex_shared_secret, s->exchange_hash,
  1650. 'A' + s->out.mkkey_adjust, s->out.cipher->blksize);
  1651. ssh2_mkkey(s, cipher_key, s->kex_shared_secret, s->exchange_hash,
  1652. 'C' + s->out.mkkey_adjust,
  1653. s->out.cipher->padded_keybytes);
  1654. }
  1655. if (s->out.mac) {
  1656. ssh2_mkkey(s, mac_key, s->kex_shared_secret, s->exchange_hash,
  1657. 'E' + s->out.mkkey_adjust, s->out.mac->keylen);
  1658. }
  1659. ssh2_bpp_new_outgoing_crypto(
  1660. s->ppl.bpp,
  1661. s->out.cipher, cipher_key->u, cipher_iv->u,
  1662. s->out.mac, s->out.etm_mode, mac_key->u,
  1663. s->out.comp, s->out.comp_delayed,
  1664. s->strict_kex);
  1665. s->enabled_outgoing_crypto = true;
  1666. strbuf_free(cipher_key);
  1667. strbuf_free(cipher_iv);
  1668. strbuf_free(mac_key);
  1669. }
  1670. /*
  1671. * If that was our first key exchange, this is the moment to send
  1672. * our EXT_INFO, if we're sending one.
  1673. */
  1674. if (!s->post_newkeys_ext_info) {
  1675. s->post_newkeys_ext_info = true; /* never do this again */
  1676. if (s->can_send_ext_info) {
  1677. strbuf *extinfo = strbuf_new();
  1678. uint32_t n_exts = 0;
  1679. if (s->ssc) {
  1680. /* Server->client EXT_INFO lists our supported user
  1681. * key algorithms. */
  1682. n_exts++;
  1683. put_stringz(extinfo, "server-sig-algs");
  1684. strbuf *list = strbuf_new();
  1685. for (size_t i = 0; i < n_keyalgs; i++)
  1686. add_to_commasep(list, all_keyalgs[i]->ssh_id);
  1687. put_stringsb(extinfo, list);
  1688. } else {
  1689. /* Client->server EXT_INFO is currently not sent, but here's
  1690. * where we should put things in it if we ever want to. */
  1691. }
  1692. /* Only send EXT_INFO if it's non-empty */
  1693. if (n_exts) {
  1694. pktout = ssh_bpp_new_pktout(s->ppl.bpp, SSH2_MSG_EXT_INFO);
  1695. put_uint32(pktout, n_exts);
  1696. put_datapl(pktout, ptrlen_from_strbuf(extinfo));
  1697. pq_push(s->ppl.out_pq, pktout);
  1698. }
  1699. strbuf_free(extinfo);
  1700. }
  1701. }
  1702. /*
  1703. * Now our end of the key exchange is complete, we can send all
  1704. * our queued higher-layer packets. Transfer the whole of the next
  1705. * layer's outgoing queue on to our own.
  1706. */
  1707. pq_concatenate(s->ppl.out_pq, s->ppl.out_pq, &s->pq_out_higher);
  1708. ssh_sendbuffer_changed(s->ppl.ssh);
  1709. /*
  1710. * Expect SSH2_MSG_NEWKEYS from server.
  1711. */
  1712. crMaybeWaitUntilV((pktin = ssh2_transport_pop(s)) != NULL);
  1713. if (pktin->type != SSH2_MSG_NEWKEYS) {
  1714. ssh_proto_error(s->ppl.ssh, "Received unexpected packet when "
  1715. "expecting SSH_MSG_NEWKEYS, type %d (%s)",
  1716. pktin->type,
  1717. ssh2_pkt_type(s->ppl.bpp->pls->kctx,
  1718. s->ppl.bpp->pls->actx,
  1719. pktin->type));
  1720. return;
  1721. }
  1722. /* Start counting down the incoming-data limit for these cipher keys. */
  1723. dts_reset(&s->stats->in, s->max_data_size);
  1724. /*
  1725. * We've seen incoming NEWKEYS, so create and initialise
  1726. * incoming session keys.
  1727. */
  1728. {
  1729. strbuf *cipher_key = strbuf_new_nm();
  1730. strbuf *cipher_iv = strbuf_new_nm();
  1731. strbuf *mac_key = strbuf_new_nm();
  1732. if (s->in.cipher) {
  1733. ssh2_mkkey(s, cipher_iv, s->kex_shared_secret, s->exchange_hash,
  1734. 'A' + s->in.mkkey_adjust, s->in.cipher->blksize);
  1735. ssh2_mkkey(s, cipher_key, s->kex_shared_secret, s->exchange_hash,
  1736. 'C' + s->in.mkkey_adjust,
  1737. s->in.cipher->padded_keybytes);
  1738. }
  1739. if (s->in.mac) {
  1740. ssh2_mkkey(s, mac_key, s->kex_shared_secret, s->exchange_hash,
  1741. 'E' + s->in.mkkey_adjust, s->in.mac->keylen);
  1742. }
  1743. ssh2_bpp_new_incoming_crypto(
  1744. s->ppl.bpp,
  1745. s->in.cipher, cipher_key->u, cipher_iv->u,
  1746. s->in.mac, s->in.etm_mode, mac_key->u,
  1747. s->in.comp, s->in.comp_delayed,
  1748. s->strict_kex);
  1749. s->enabled_incoming_crypto = true;
  1750. strbuf_free(cipher_key);
  1751. strbuf_free(cipher_iv);
  1752. strbuf_free(mac_key);
  1753. }
  1754. /*
  1755. * Free shared secret.
  1756. */
  1757. strbuf_free(s->kex_shared_secret);
  1758. s->kex_shared_secret = NULL;
  1759. /*
  1760. * Update the specials menu to list the remaining uncertified host
  1761. * keys.
  1762. */
  1763. seat_update_specials_menu(s->ppl.seat);
  1764. /*
  1765. * Key exchange is over. Loop straight back round if we have a
  1766. * deferred rekey reason.
  1767. */
  1768. if (s->deferred_rekey_reason) {
  1769. ppl_logevent("%s", s->deferred_rekey_reason);
  1770. pktin = NULL;
  1771. s->deferred_rekey_reason = NULL;
  1772. goto begin_key_exchange;
  1773. }
  1774. /*
  1775. * Otherwise, schedule a timer for our next rekey.
  1776. */
  1777. s->kex_in_progress = false;
  1778. s->last_rekey = GETTICKCOUNT();
  1779. (void) ssh2_transport_timer_update(s, 0);
  1780. /*
  1781. * Now we're encrypting. Get the next-layer protocol started if it
  1782. * hasn't already, and then sit here waiting for reasons to go
  1783. * back to the start and do a repeat key exchange. One of those
  1784. * reasons is that we receive KEXINIT from the other end; the
  1785. * other is if we find rekey_reason is non-NULL, i.e. we've
  1786. * decided to initiate a rekey ourselves for some reason.
  1787. */
  1788. if (!s->higher_layer_ok) {
  1789. if (!s->hostkeys) {
  1790. /* We're the client, so send SERVICE_REQUEST. */
  1791. pktout = ssh_bpp_new_pktout(s->ppl.bpp, SSH2_MSG_SERVICE_REQUEST);
  1792. put_stringz(pktout, s->higher_layer->vt->name);
  1793. pq_push(s->ppl.out_pq, pktout);
  1794. crMaybeWaitUntilV((pktin = ssh2_transport_pop(s)) != NULL);
  1795. if (pktin->type != SSH2_MSG_SERVICE_ACCEPT) {
  1796. ssh_sw_abort(s->ppl.ssh, "Server refused request to start "
  1797. "'%s' protocol", s->higher_layer->vt->name);
  1798. return;
  1799. }
  1800. } else {
  1801. ptrlen service_name;
  1802. /* We're the server, so expect SERVICE_REQUEST. */
  1803. crMaybeWaitUntilV((pktin = ssh2_transport_pop(s)) != NULL);
  1804. if (pktin->type != SSH2_MSG_SERVICE_REQUEST) {
  1805. ssh_proto_error(s->ppl.ssh, "Received unexpected packet when "
  1806. "expecting SERVICE_REQUEST, type %d (%s)",
  1807. pktin->type,
  1808. ssh2_pkt_type(s->ppl.bpp->pls->kctx,
  1809. s->ppl.bpp->pls->actx,
  1810. pktin->type));
  1811. return;
  1812. }
  1813. service_name = get_string(pktin);
  1814. if (!ptrlen_eq_string(service_name, s->higher_layer->vt->name)) {
  1815. ssh_proto_error(s->ppl.ssh, "Client requested service "
  1816. "'%.*s' when we only support '%s'",
  1817. PTRLEN_PRINTF(service_name),
  1818. s->higher_layer->vt->name);
  1819. return;
  1820. }
  1821. pktout = ssh_bpp_new_pktout(s->ppl.bpp, SSH2_MSG_SERVICE_ACCEPT);
  1822. put_stringz(pktout, s->higher_layer->vt->name);
  1823. pq_push(s->ppl.out_pq, pktout);
  1824. }
  1825. s->higher_layer_ok = true;
  1826. queue_idempotent_callback(&s->higher_layer->ic_process_queue);
  1827. }
  1828. s->rekey_class = RK_NONE;
  1829. do {
  1830. crReturnV;
  1831. /* Pass through outgoing packets from the higher layer. */
  1832. pq_concatenate(s->ppl.out_pq, s->ppl.out_pq, &s->pq_out_higher);
  1833. ssh_sendbuffer_changed(s->ppl.ssh);
  1834. /* Wait for either a KEXINIT, or something setting
  1835. * s->rekey_class. This call to ssh2_transport_pop also has
  1836. * the side effect of transferring incoming packets _to_ the
  1837. * higher layer (via filter_queue). */
  1838. if ((pktin = ssh2_transport_pop(s)) != NULL) {
  1839. if (pktin->type != SSH2_MSG_KEXINIT) {
  1840. ssh_proto_error(s->ppl.ssh, "Received unexpected transport-"
  1841. "layer packet outside a key exchange, "
  1842. "type %d (%s)", pktin->type,
  1843. ssh2_pkt_type(s->ppl.bpp->pls->kctx,
  1844. s->ppl.bpp->pls->actx,
  1845. pktin->type));
  1846. return;
  1847. }
  1848. pq_push_front(s->ppl.in_pq, pktin);
  1849. ppl_logevent("Remote side initiated key re-exchange");
  1850. s->rekey_class = RK_SERVER;
  1851. }
  1852. if (s->rekey_class == RK_POST_USERAUTH) {
  1853. /*
  1854. * userauth has seen a USERAUTH_SUCCESS. This may be the
  1855. * moment to do an immediate rekey with different
  1856. * parameters. But it may not; so here we turn that rekey
  1857. * class into either RK_NONE or RK_NORMAL.
  1858. *
  1859. * Currently the only reason for this is if we've done a
  1860. * GSS key exchange and don't have anything in our
  1861. * transient hostkey cache, in which case we should make
  1862. * an attempt to populate the cache now.
  1863. */
  1864. if (s->need_gss_transient_hostkey) {
  1865. s->rekey_reason = "populating transient host key cache";
  1866. s->rekey_class = RK_NORMAL;
  1867. } else {
  1868. /* No need to rekey at this time. */
  1869. s->rekey_class = RK_NONE;
  1870. }
  1871. }
  1872. if (!s->rekey_class) {
  1873. /* If we don't yet have any other reason to rekey, check
  1874. * if we've hit our data limit in either direction. */
  1875. if (s->stats->in.expired) {
  1876. s->rekey_reason = "too much data received";
  1877. s->rekey_class = RK_NORMAL;
  1878. } else if (s->stats->out.expired) {
  1879. s->rekey_reason = "too much data sent";
  1880. s->rekey_class = RK_NORMAL;
  1881. }
  1882. }
  1883. if (s->rekey_class != RK_NONE && s->rekey_class != RK_SERVER) {
  1884. /*
  1885. * Special case: if the server bug is set that doesn't
  1886. * allow rekeying, we give a different log message and
  1887. * continue waiting. (If such a server _initiates_ a
  1888. * rekey, we process it anyway!)
  1889. */
  1890. if ((s->ppl.remote_bugs & BUG_SSH2_REKEY)) {
  1891. ppl_logevent("Remote bug prevents key re-exchange (%s)",
  1892. s->rekey_reason);
  1893. /* Reset the counters, so that at least this message doesn't
  1894. * hit the event log _too_ often. */
  1895. dts_reset(&s->stats->in, s->max_data_size);
  1896. dts_reset(&s->stats->out, s->max_data_size);
  1897. (void) ssh2_transport_timer_update(s, 0);
  1898. s->rekey_class = RK_NONE;
  1899. } else {
  1900. ppl_logevent("Initiating key re-exchange (%s)",
  1901. s->rekey_reason);
  1902. }
  1903. }
  1904. } while (s->rekey_class == RK_NONE);
  1905. /* Once we exit the above loop, we really are rekeying. */
  1906. goto begin_key_exchange;
  1907. crFinishV;
  1908. }
  1909. static void ssh2_transport_higher_layer_packet_callback(void *context)
  1910. {
  1911. PacketProtocolLayer *ppl = (PacketProtocolLayer *)context;
  1912. ssh_ppl_process_queue(ppl);
  1913. }
  1914. static void ssh2_transport_timer(void *ctx, unsigned long now)
  1915. {
  1916. struct ssh2_transport_state *s = (struct ssh2_transport_state *)ctx;
  1917. unsigned long mins;
  1918. unsigned long ticks;
  1919. if (s->kex_in_progress || now != s->next_rekey)
  1920. return;
  1921. mins = sanitise_rekey_time(conf_get_int(s->conf, CONF_ssh_rekey_time), 60);
  1922. if (mins == 0)
  1923. return;
  1924. /* Rekey if enough time has elapsed */
  1925. ticks = mins * 60 * TICKSPERSEC;
  1926. if (now - s->last_rekey > ticks - 30*TICKSPERSEC) {
  1927. s->rekey_reason = "timeout";
  1928. s->rekey_class = RK_NORMAL;
  1929. queue_idempotent_callback(&s->ppl.ic_process_queue);
  1930. return;
  1931. }
  1932. #ifndef NO_GSSAPI
  1933. /*
  1934. * Rekey now if we have a new cred or context expires this cycle,
  1935. * but not if this is unsafe.
  1936. */
  1937. if (conf_get_int(s->conf, CONF_gssapirekey)) {
  1938. ssh2_transport_gss_update(s, false);
  1939. if ((s->gss_status & GSS_KEX_CAPABLE) != 0 &&
  1940. (s->gss_status & GSS_CTXT_MAYFAIL) == 0 &&
  1941. (s->gss_status & (GSS_CRED_UPDATED|GSS_CTXT_EXPIRES)) != 0) {
  1942. s->rekey_reason = "GSS credentials updated";
  1943. s->rekey_class = RK_GSS_UPDATE;
  1944. queue_idempotent_callback(&s->ppl.ic_process_queue);
  1945. return;
  1946. }
  1947. }
  1948. #endif
  1949. /* Try again later. */
  1950. (void) ssh2_transport_timer_update(s, 0);
  1951. }
  1952. /*
  1953. * The rekey_time is zero except when re-configuring.
  1954. *
  1955. * We either schedule the next timer and return false, or return true
  1956. * to run the callback now, which will call us again to re-schedule on
  1957. * completion.
  1958. */
  1959. static bool ssh2_transport_timer_update(struct ssh2_transport_state *s,
  1960. unsigned long rekey_time)
  1961. {
  1962. unsigned long mins;
  1963. unsigned long ticks;
  1964. mins = sanitise_rekey_time(conf_get_int(s->conf, CONF_ssh_rekey_time), 60);
  1965. ticks = mins * 60 * TICKSPERSEC;
  1966. /* Handle change from previous setting */
  1967. if (rekey_time != 0 && rekey_time != mins) {
  1968. unsigned long next;
  1969. unsigned long now = GETTICKCOUNT();
  1970. mins = rekey_time;
  1971. ticks = mins * 60 * TICKSPERSEC;
  1972. next = s->last_rekey + ticks;
  1973. /* If overdue, caller will rekey synchronously now */
  1974. if (now - s->last_rekey > ticks)
  1975. return true;
  1976. ticks = next - now;
  1977. }
  1978. #ifndef NO_GSSAPI
  1979. if (s->gss_kex_used) {
  1980. /*
  1981. * If we've used GSSAPI key exchange, then we should
  1982. * periodically check whether we need to do another one to
  1983. * pass new credentials to the server.
  1984. */
  1985. unsigned long gssmins;
  1986. /* Check cascade conditions more frequently if configured */
  1987. gssmins = sanitise_rekey_time(
  1988. conf_get_int(s->conf, CONF_gssapirekey), GSS_DEF_REKEY_MINS);
  1989. if (gssmins > 0) {
  1990. if (gssmins < mins)
  1991. ticks = (mins = gssmins) * 60 * TICKSPERSEC;
  1992. if ((s->gss_status & GSS_KEX_CAPABLE) != 0) {
  1993. /*
  1994. * Run next timer even sooner if it would otherwise be
  1995. * too close to the context expiration time
  1996. */
  1997. if ((s->gss_status & GSS_CTXT_EXPIRES) == 0 &&
  1998. s->gss_ctxt_lifetime - mins * 60 < 2 * MIN_CTXT_LIFETIME)
  1999. ticks -= 2 * MIN_CTXT_LIFETIME * TICKSPERSEC;
  2000. }
  2001. }
  2002. }
  2003. #endif
  2004. /* Schedule the next timer */
  2005. s->next_rekey = schedule_timer(ticks, ssh2_transport_timer, s);
  2006. return false;
  2007. }
  2008. void ssh2_transport_dialog_callback(void *vctx, SeatPromptResult spr)
  2009. {
  2010. struct ssh2_transport_state *s = (struct ssh2_transport_state *)vctx;
  2011. s->spr = spr;
  2012. ssh_ppl_process_queue(&s->ppl);
  2013. }
  2014. #ifndef NO_GSSAPI
  2015. /*
  2016. * This is called at the beginning of each SSH rekey to determine
  2017. * whether we are GSS capable, and if we did GSS key exchange, and are
  2018. * delegating credentials, it is also called periodically to determine
  2019. * whether we should rekey in order to delegate (more) fresh
  2020. * credentials. This is called "credential cascading".
  2021. *
  2022. * On Windows, with SSPI, we may not get the credential expiration, as
  2023. * Windows automatically renews from cached passwords, so the
  2024. * credential effectively never expires. Since we still want to
  2025. * cascade when the local TGT is updated, we use the expiration of a
  2026. * newly obtained context as a proxy for the expiration of the TGT.
  2027. */
  2028. static void ssh2_transport_gss_update(struct ssh2_transport_state *s,
  2029. bool definitely_rekeying)
  2030. {
  2031. PacketProtocolLayer *ppl = &s->ppl; /* for ppl_logevent */
  2032. int gss_stat;
  2033. time_t gss_cred_expiry;
  2034. unsigned long mins;
  2035. Ssh_gss_buf gss_sndtok;
  2036. Ssh_gss_buf gss_rcvtok;
  2037. Ssh_gss_ctx gss_ctx;
  2038. s->gss_status = 0;
  2039. /*
  2040. * Nothing to do if no GSSAPI libraries are configured or GSSAPI
  2041. * auth is not enabled.
  2042. */
  2043. if (s->shgss->libs->nlibraries == 0)
  2044. return;
  2045. if (!conf_get_bool(s->conf, CONF_try_gssapi_auth) &&
  2046. !conf_get_bool(s->conf, CONF_try_gssapi_kex))
  2047. return;
  2048. /* Import server name and cache it */
  2049. if (s->shgss->srv_name == GSS_C_NO_NAME) {
  2050. gss_stat = s->shgss->lib->import_name(
  2051. s->shgss->lib, s->fullhostname, &s->shgss->srv_name);
  2052. if (gss_stat != SSH_GSS_OK) {
  2053. if (gss_stat == SSH_GSS_BAD_HOST_NAME)
  2054. ppl_logevent("GSSAPI import name failed - Bad service name;"
  2055. " won't use GSS key exchange");
  2056. else
  2057. ppl_logevent("GSSAPI import name failed;"
  2058. " won't use GSS key exchange");
  2059. return;
  2060. }
  2061. }
  2062. /*
  2063. * Do we (still) have credentials? Capture the credential
  2064. * expiration when available
  2065. */
  2066. gss_stat = s->shgss->lib->acquire_cred(
  2067. s->shgss->lib, &gss_ctx, &gss_cred_expiry);
  2068. if (gss_stat != SSH_GSS_OK)
  2069. return;
  2070. SSH_GSS_CLEAR_BUF(&gss_sndtok);
  2071. SSH_GSS_CLEAR_BUF(&gss_rcvtok);
  2072. /*
  2073. * When acquire_cred yields no useful expiration, get a proxy for
  2074. * the cred expiration from the context expiration.
  2075. */
  2076. gss_stat = s->shgss->lib->init_sec_context(
  2077. s->shgss->lib, &gss_ctx, s->shgss->srv_name,
  2078. 0 /* don't delegate */, &gss_rcvtok, &gss_sndtok,
  2079. (gss_cred_expiry == GSS_NO_EXPIRATION ? &gss_cred_expiry : NULL),
  2080. &s->gss_ctxt_lifetime);
  2081. /* This context was for testing only. */
  2082. if (gss_ctx)
  2083. s->shgss->lib->release_cred(s->shgss->lib, &gss_ctx);
  2084. if (gss_stat != SSH_GSS_OK &&
  2085. gss_stat != SSH_GSS_S_CONTINUE_NEEDED) {
  2086. /*
  2087. * No point in verbosely interrupting the user to tell them we
  2088. * couldn't get GSS credentials, if this was only a check
  2089. * between key exchanges to see if fresh ones were available.
  2090. * When we do do a rekey, this message (if displayed) will
  2091. * appear among the standard rekey blurb, but when we're not,
  2092. * it shouldn't pop up all the time regardless.
  2093. */
  2094. if (definitely_rekeying)
  2095. ppl_logevent("No GSSAPI security context available");
  2096. return;
  2097. }
  2098. if (gss_sndtok.length)
  2099. s->shgss->lib->free_tok(s->shgss->lib, &gss_sndtok);
  2100. s->gss_status |= GSS_KEX_CAPABLE;
  2101. /*
  2102. * When rekeying to cascade, avoid doing this too close to the
  2103. * context expiration time, since the key exchange might fail.
  2104. */
  2105. if (s->gss_ctxt_lifetime < MIN_CTXT_LIFETIME)
  2106. s->gss_status |= GSS_CTXT_MAYFAIL;
  2107. /*
  2108. * If we're not delegating credentials, rekeying is not used to
  2109. * refresh them. We must avoid setting GSS_CRED_UPDATED or
  2110. * GSS_CTXT_EXPIRES when credential delegation is disabled.
  2111. */
  2112. if (!conf_get_bool(s->conf, CONF_gssapifwd))
  2113. return;
  2114. if (s->gss_cred_expiry != GSS_NO_EXPIRATION &&
  2115. difftime(gss_cred_expiry, s->gss_cred_expiry) > 0)
  2116. s->gss_status |= GSS_CRED_UPDATED;
  2117. mins = sanitise_rekey_time(
  2118. conf_get_int(s->conf, CONF_gssapirekey), GSS_DEF_REKEY_MINS);
  2119. if (mins > 0 && s->gss_ctxt_lifetime <= mins * 60)
  2120. s->gss_status |= GSS_CTXT_EXPIRES;
  2121. }
  2122. #endif /* NO_GSSAPI */
  2123. ptrlen ssh2_transport_get_session_id(PacketProtocolLayer *ppl)
  2124. {
  2125. struct ssh2_transport_state *s;
  2126. assert(ppl->vt == &ssh2_transport_vtable);
  2127. s = container_of(ppl, struct ssh2_transport_state, ppl);
  2128. assert(s->got_session_id);
  2129. return make_ptrlen(s->session_id, s->session_id_len);
  2130. }
  2131. void ssh2_transport_notify_auth_done(PacketProtocolLayer *ppl)
  2132. {
  2133. struct ssh2_transport_state *s;
  2134. assert(ppl->vt == &ssh2_transport_vtable);
  2135. s = container_of(ppl, struct ssh2_transport_state, ppl);
  2136. s->rekey_reason = NULL; /* will be filled in later */
  2137. s->rekey_class = RK_POST_USERAUTH;
  2138. queue_idempotent_callback(&s->ppl.ic_process_queue);
  2139. }
  2140. static bool ssh2_transport_get_specials(
  2141. PacketProtocolLayer *ppl, add_special_fn_t add_special, void *ctx)
  2142. {
  2143. struct ssh2_transport_state *s =
  2144. container_of(ppl, struct ssh2_transport_state, ppl);
  2145. bool need_separator = false;
  2146. bool toret = false;
  2147. if (ssh_ppl_get_specials(s->higher_layer, add_special, ctx)) {
  2148. need_separator = true;
  2149. toret = true;
  2150. }
  2151. /*
  2152. * Don't bother offering rekey-based specials if we've decided the
  2153. * remote won't cope with it, since we wouldn't bother sending it
  2154. * if asked anyway.
  2155. */
  2156. if (!(s->ppl.remote_bugs & BUG_SSH2_REKEY)) {
  2157. if (need_separator) {
  2158. add_special(ctx, NULL, SS_SEP, 0);
  2159. need_separator = false;
  2160. }
  2161. add_special(ctx, "Repeat key exchange", SS_REKEY, 0);
  2162. toret = true;
  2163. if (s->n_uncert_hostkeys) {
  2164. int i;
  2165. add_special(ctx, NULL, SS_SEP, 0);
  2166. add_special(ctx, "Cache new host key type", SS_SUBMENU, 0);
  2167. for (i = 0; i < s->n_uncert_hostkeys; i++) {
  2168. const ssh_keyalg *alg =
  2169. ssh2_hostkey_algs[s->uncert_hostkeys[i]].alg;
  2170. add_special(ctx, alg->ssh_id, SS_XCERT, s->uncert_hostkeys[i]);
  2171. }
  2172. add_special(ctx, NULL, SS_EXITMENU, 0);
  2173. }
  2174. }
  2175. return toret;
  2176. }
  2177. static void ssh2_transport_special_cmd(PacketProtocolLayer *ppl,
  2178. SessionSpecialCode code, int arg)
  2179. {
  2180. struct ssh2_transport_state *s =
  2181. container_of(ppl, struct ssh2_transport_state, ppl);
  2182. if (code == SS_REKEY) {
  2183. if (!s->kex_in_progress) {
  2184. s->rekey_reason = "at user request";
  2185. s->rekey_class = RK_NORMAL;
  2186. queue_idempotent_callback(&s->ppl.ic_process_queue);
  2187. }
  2188. } else if (code == SS_XCERT) {
  2189. if (!s->kex_in_progress) {
  2190. s->cross_certifying = s->hostkey_alg = ssh2_hostkey_algs[arg].alg;
  2191. s->rekey_reason = "cross-certifying new host key";
  2192. s->rekey_class = RK_NORMAL;
  2193. queue_idempotent_callback(&s->ppl.ic_process_queue);
  2194. }
  2195. } else {
  2196. /* Send everything else to the next layer up. This includes
  2197. * SS_PING/SS_NOP, which we _could_ handle here - but it's
  2198. * better to put them in the connection layer, so they'll
  2199. * still work in bare connection mode. */
  2200. ssh_ppl_special_cmd(s->higher_layer, code, arg);
  2201. }
  2202. }
  2203. /* Safely convert rekey_time to unsigned long minutes */
  2204. static unsigned long sanitise_rekey_time(int rekey_time, unsigned long def)
  2205. {
  2206. if (rekey_time < 0 || rekey_time > MAX_TICK_MINS)
  2207. rekey_time = def;
  2208. return (unsigned long)rekey_time;
  2209. }
  2210. static void ssh2_transport_set_max_data_size(struct ssh2_transport_state *s)
  2211. {
  2212. s->max_data_size = parse_blocksize(
  2213. conf_get_str(s->conf, CONF_ssh_rekey_data));
  2214. }
  2215. static void ssh2_transport_reconfigure(PacketProtocolLayer *ppl, Conf *conf)
  2216. {
  2217. struct ssh2_transport_state *s;
  2218. const char *rekey_reason = NULL;
  2219. bool rekey_mandatory = false;
  2220. unsigned long old_max_data_size, rekey_time;
  2221. int i;
  2222. assert(ppl->vt == &ssh2_transport_vtable);
  2223. s = container_of(ppl, struct ssh2_transport_state, ppl);
  2224. rekey_time = sanitise_rekey_time(
  2225. conf_get_int(conf, CONF_ssh_rekey_time), 60);
  2226. if (ssh2_transport_timer_update(s, rekey_time))
  2227. rekey_reason = "timeout shortened";
  2228. old_max_data_size = s->max_data_size;
  2229. ssh2_transport_set_max_data_size(s);
  2230. if (old_max_data_size != s->max_data_size &&
  2231. s->max_data_size != 0) {
  2232. if (s->max_data_size < old_max_data_size) {
  2233. unsigned long diff = old_max_data_size - s->max_data_size;
  2234. dts_consume(&s->stats->out, diff);
  2235. dts_consume(&s->stats->in, diff);
  2236. if (s->stats->out.expired || s->stats->in.expired)
  2237. rekey_reason = "data limit lowered";
  2238. } else {
  2239. unsigned long diff = s->max_data_size - old_max_data_size;
  2240. if (s->stats->out.running)
  2241. s->stats->out.remaining += diff;
  2242. if (s->stats->in.running)
  2243. s->stats->in.remaining += diff;
  2244. }
  2245. }
  2246. if (conf_get_bool(s->conf, CONF_compression) !=
  2247. conf_get_bool(conf, CONF_compression)) {
  2248. rekey_reason = "compression setting changed";
  2249. rekey_mandatory = true;
  2250. }
  2251. for (i = 0; i < CIPHER_MAX; i++)
  2252. if (conf_get_int_int(s->conf, CONF_ssh_cipherlist, i) !=
  2253. conf_get_int_int(conf, CONF_ssh_cipherlist, i)) {
  2254. rekey_reason = "cipher settings changed";
  2255. rekey_mandatory = true;
  2256. }
  2257. if (conf_get_bool(s->conf, CONF_ssh2_des_cbc) !=
  2258. conf_get_bool(conf, CONF_ssh2_des_cbc)) {
  2259. rekey_reason = "cipher settings changed";
  2260. rekey_mandatory = true;
  2261. }
  2262. conf_free(s->conf);
  2263. s->conf = conf_copy(conf);
  2264. if (rekey_reason) {
  2265. if (!s->kex_in_progress && !ssh2_bpp_rekey_inadvisable(s->ppl.bpp)) {
  2266. s->rekey_reason = rekey_reason;
  2267. s->rekey_class = RK_NORMAL;
  2268. queue_idempotent_callback(&s->ppl.ic_process_queue);
  2269. } else if (rekey_mandatory) {
  2270. s->deferred_rekey_reason = rekey_reason;
  2271. }
  2272. }
  2273. /* Also pass the configuration along to our higher layer */
  2274. ssh_ppl_reconfigure(s->higher_layer, conf);
  2275. }
  2276. static int weak_algorithm_compare(void *av, void *bv)
  2277. {
  2278. uintptr_t a = (uintptr_t)av, b = (uintptr_t)bv;
  2279. return a < b ? -1 : a > b ? +1 : 0;
  2280. }
  2281. static int ca_blob_compare(void *av, void *bv)
  2282. {
  2283. host_ca *a = (host_ca *)av, *b = (host_ca *)bv;
  2284. strbuf *apk = a->ca_public_key, *bpk = b->ca_public_key;
  2285. /* Ordering by public key is arbitrary here, so do whatever is easiest */
  2286. if (apk->len < bpk->len)
  2287. return -1;
  2288. if (apk->len > bpk->len)
  2289. return +1;
  2290. return memcmp(apk->u, bpk->u, apk->len);
  2291. }
  2292. /*
  2293. * Wrapper on confirm_weak_crypto_primitive(), which uses the
  2294. * tree234 s->weak_algorithms_consented_to to ensure we ask at most
  2295. * once about any given crypto primitive.
  2296. */
  2297. static SeatPromptResult ssh2_transport_confirm_weak_crypto_primitive(
  2298. struct ssh2_transport_state *s, const char *type, const char *name,
  2299. const void *alg, WeakCryptoReason wcr)
  2300. {
  2301. if (find234(s->weak_algorithms_consented_to, (void *)alg, NULL))
  2302. return SPR_OK;
  2303. add234(s->weak_algorithms_consented_to, (void *)alg);
  2304. return confirm_weak_crypto_primitive(
  2305. ppl_get_iseat(&s->ppl), type, name, ssh2_transport_dialog_callback,
  2306. s, wcr);
  2307. }
  2308. static size_t ssh2_transport_queued_data_size(PacketProtocolLayer *ppl)
  2309. {
  2310. struct ssh2_transport_state *s =
  2311. container_of(ppl, struct ssh2_transport_state, ppl);
  2312. return (ssh_ppl_default_queued_data_size(ppl) +
  2313. ssh_ppl_queued_data_size(s->higher_layer));
  2314. }
  2315. static void ssh2_transport_final_output(PacketProtocolLayer *ppl)
  2316. {
  2317. struct ssh2_transport_state *s =
  2318. container_of(ppl, struct ssh2_transport_state, ppl);
  2319. ssh_ppl_final_output(s->higher_layer);
  2320. }
  2321. /* Check the settings for a transport direction to see if they're
  2322. * vulnerable to the Terrapin attack, aka CVE-2023-48795. If so,
  2323. * return a string describing the vulnerable thing. */
  2324. static const char *terrapin_vulnerable(
  2325. bool strict_kex, const transport_direction *d)
  2326. {
  2327. /*
  2328. * Strict kex mode eliminates the vulnerability. (That's what it's
  2329. * for.)
  2330. */
  2331. if (strict_kex)
  2332. return NULL;
  2333. /*
  2334. * ChaCha20-Poly1305 is vulnerable and perfectly exploitable.
  2335. */
  2336. if (d->cipher == &ssh2_chacha20_poly1305)
  2337. return "ChaCha20-Poly1305";
  2338. /*
  2339. * CBC-mode ciphers with OpenSSH's ETM modification are vulnerable
  2340. * and probabilistically exploitable.
  2341. */
  2342. if (d->etm_mode && (d->cipher->flags & SSH_CIPHER_IS_CBC))
  2343. return "a CBC-mode cipher in OpenSSH ETM mode";
  2344. return NULL;
  2345. }
  2346. /*
  2347. * Called when we've detected that at least one transport direction
  2348. * has the Terrapin vulnerability.
  2349. *
  2350. * Before we report it, try to replay what would have happened if the
  2351. * user had reconfigured their cipher settings to demote
  2352. * ChaCha20+Poly1305 to below the warning threshold. If that would
  2353. * have avoided the vulnerability, we should say so in the dialog box.
  2354. *
  2355. * This is basically the only change in PuTTY's configuration that has
  2356. * a chance of avoiding the problem. Terrapin affects the modified
  2357. * binary packet protocol used with ChaCha20+Poly1305, and also
  2358. * CBC-mode ciphers in ETM mode. But PuTTY unconditionally offers the
  2359. * ETM mode of each MAC _after_ the non-ETM mode. So the latter case
  2360. * can only come up if the server has been configured to _only_ permit
  2361. * the ETM modes of those MACs, which means there's nothing we can do
  2362. * anyway.
  2363. */
  2364. static bool try_to_avoid_terrapin(const struct ssh2_transport_state *s)
  2365. {
  2366. bool avoidable = false;
  2367. strbuf *alt_client_kexinit = strbuf_new();
  2368. Conf *alt_conf = conf_copy(s->conf);
  2369. struct kexinit_algorithm_list alt_kexlists[NKEXLIST];
  2370. memset(alt_kexlists, 0, sizeof(alt_kexlists));
  2371. /*
  2372. * We only bother doing this if we're the client, because Uppity
  2373. * can't present a dialog box anyway.
  2374. */
  2375. if (s->ssc)
  2376. goto out;
  2377. /*
  2378. * Demote CIPHER_CHACHA20 to just below CIPHER_WARN, if it was
  2379. * previously above it. If not, don't do anything - we don't want
  2380. * to _promote_ it.
  2381. */
  2382. int ccp_pos_now = -1, ccp_pos_wanted = -1;
  2383. for (int i = 0; i < CIPHER_MAX; i++) {
  2384. switch (conf_get_int_int(alt_conf, CONF_ssh_cipherlist,
  2385. i)) {
  2386. case CIPHER_CHACHA20:
  2387. ccp_pos_now = i;
  2388. break;
  2389. case CIPHER_WARN:
  2390. ccp_pos_wanted = i;
  2391. break;
  2392. }
  2393. }
  2394. if (ccp_pos_now < 0 || ccp_pos_wanted < 0)
  2395. goto out; /* shouldn't ever happen: didn't find the two entries */
  2396. if (ccp_pos_now >= ccp_pos_wanted)
  2397. goto out; /* ChaCha20 is already demoted and it didn't help */
  2398. while (ccp_pos_now < ccp_pos_wanted) {
  2399. int cnext = conf_get_int_int(alt_conf, CONF_ssh_cipherlist,
  2400. ccp_pos_now + 1);
  2401. conf_set_int_int(alt_conf, CONF_ssh_cipherlist,
  2402. ccp_pos_now, cnext);
  2403. ccp_pos_now++;
  2404. }
  2405. conf_set_int_int(alt_conf, CONF_ssh_cipherlist,
  2406. ccp_pos_now + 1, CIPHER_CHACHA20);
  2407. /*
  2408. * Make the outgoing KEXINIT we would have made using this
  2409. * configuration.
  2410. */
  2411. put_byte(alt_client_kexinit, SSH2_MSG_KEXINIT);
  2412. put_padding(alt_client_kexinit, 16, 'x'); /* fake random padding */
  2413. ssh2_write_kexinit_lists(
  2414. BinarySink_UPCAST(alt_client_kexinit), alt_kexlists, alt_conf,
  2415. s->ssc, s->ppl.remote_bugs, s->savedhost, s->savedport, s->hostkey_alg,
  2416. s->thc, s->host_cas, s->hostkeys, s->nhostkeys, !s->got_session_id,
  2417. s->can_gssapi_keyex,
  2418. s->gss_kex_used && !s->need_gss_transient_hostkey);
  2419. put_bool(alt_client_kexinit, false); /* guess packet follows */
  2420. put_uint32(alt_client_kexinit, 0); /* reserved */
  2421. /*
  2422. * Re-analyse the incoming KEXINIT with respect to this one, to
  2423. * see what we'd have decided on.
  2424. */
  2425. transport_direction cstrans, sctrans;
  2426. bool warn_kex, warn_hk, warn_cscipher, warn_sccipher;
  2427. bool can_send_ext_info = false, strict_kex = false;
  2428. unsigned hkflags;
  2429. const ssh_kex *kex_alg;
  2430. const ssh_keyalg *hostkey_alg;
  2431. ScanKexinitsResult skr = ssh2_scan_kexinits(
  2432. ptrlen_from_strbuf(alt_client_kexinit),
  2433. ptrlen_from_strbuf(s->server_kexinit),
  2434. s->ssc != NULL, alt_kexlists, &kex_alg, &hostkey_alg,
  2435. &cstrans, &sctrans,
  2436. &warn_kex, &warn_hk, &warn_cscipher, &warn_sccipher, NULL, NULL, NULL,
  2437. &hkflags, &can_send_ext_info, !s->got_session_id, &strict_kex);
  2438. if (!skr.success) /* something else would have gone wrong */
  2439. goto out;
  2440. /*
  2441. * Reject this as an alternative solution if any of the warn flags
  2442. * has got worse, or if there's still anything
  2443. * Terrapin-vulnerable.
  2444. */
  2445. if (warn_kex > s->warn_kex)
  2446. goto out;
  2447. if (warn_hk > s->warn_hk)
  2448. goto out;
  2449. if (warn_cscipher > s->warn_cscipher)
  2450. goto out;
  2451. if (warn_sccipher > s->warn_sccipher)
  2452. goto out;
  2453. if (terrapin_vulnerable(strict_kex, &cstrans))
  2454. goto out;
  2455. if (terrapin_vulnerable(strict_kex, &sctrans))
  2456. goto out;
  2457. /*
  2458. * Success! The vulnerability could have been avoided by this Conf
  2459. * tweak, and we should tell the user so.
  2460. */
  2461. avoidable = true;
  2462. out:
  2463. for (size_t i = 0; i < NKEXLIST; i++)
  2464. sfree(alt_kexlists[i].algs);
  2465. strbuf_free(alt_client_kexinit);
  2466. conf_free(alt_conf);
  2467. return avoidable;
  2468. }