transport2.h 9.1 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268
  1. /*
  2. * Header connecting the pieces of the SSH-2 transport layer.
  3. */
  4. #ifndef PUTTY_SSH2TRANSPORT_H
  5. #define PUTTY_SSH2TRANSPORT_H
  6. #ifndef NO_GSSAPI
  7. #include "gssc.h"
  8. #include "gss.h"
  9. #define MIN_CTXT_LIFETIME 5 /* Avoid rekey with short lifetime (seconds) */
  10. #define GSS_KEX_CAPABLE (1<<0) /* Can do GSS KEX */
  11. #define GSS_CRED_UPDATED (1<<1) /* Cred updated since previous delegation */
  12. #define GSS_CTXT_EXPIRES (1<<2) /* Context expires before next timer */
  13. #define GSS_CTXT_MAYFAIL (1<<3) /* Context may expire during handshake */
  14. #endif
  15. #define DH_MIN_SIZE 1024
  16. #define DH_MAX_SIZE 8192
  17. struct kexinit_algorithm {
  18. ptrlen name;
  19. union {
  20. struct {
  21. const ssh_kex *kex;
  22. bool warn;
  23. } kex;
  24. struct {
  25. const ssh_keyalg *hostkey;
  26. unsigned hkflags;
  27. bool warn;
  28. } hk;
  29. struct {
  30. const ssh_cipheralg *cipher;
  31. bool warn;
  32. } cipher;
  33. struct {
  34. const ssh2_macalg *mac;
  35. bool etm;
  36. } mac;
  37. struct {
  38. const ssh_compression_alg *comp;
  39. bool delayed;
  40. } comp;
  41. } u;
  42. };
  43. struct kexinit_algorithm_list {
  44. struct kexinit_algorithm *algs;
  45. size_t nalgs, algsize;
  46. };
  47. #define HOSTKEY_ALGORITHMS(X) \
  48. X(HK_ED25519, ssh_ecdsa_ed25519) \
  49. X(HK_ED448, ssh_ecdsa_ed448) \
  50. X(HK_ECDSA, ssh_ecdsa_nistp256) \
  51. X(HK_ECDSA, ssh_ecdsa_nistp384) \
  52. X(HK_ECDSA, ssh_ecdsa_nistp521) \
  53. X(HK_DSA, ssh_dsa) \
  54. X(HK_RSA, ssh_rsa_sha512) \
  55. X(HK_RSA, ssh_rsa_sha256) \
  56. X(HK_RSA, ssh_rsa) \
  57. X(HK_ED25519, opensshcert_ssh_ecdsa_ed25519) \
  58. /* OpenSSH defines no certified version of Ed448 */ \
  59. X(HK_ECDSA, opensshcert_ssh_ecdsa_nistp256) \
  60. X(HK_ECDSA, opensshcert_ssh_ecdsa_nistp384) \
  61. X(HK_ECDSA, opensshcert_ssh_ecdsa_nistp521) \
  62. X(HK_DSA, opensshcert_ssh_dsa) \
  63. X(HK_RSA, opensshcert_ssh_rsa_sha512) \
  64. X(HK_RSA, opensshcert_ssh_rsa_sha256) \
  65. X(HK_RSA, opensshcert_ssh_rsa) \
  66. /* end of list */
  67. #define COUNT_HOSTKEY_ALGORITHM(type, alg) +1
  68. #define N_HOSTKEY_ALGORITHMS (0 HOSTKEY_ALGORITHMS(COUNT_HOSTKEY_ALGORITHM))
  69. struct ssh_signkey_with_user_pref_id {
  70. const ssh_keyalg *alg;
  71. int id;
  72. };
  73. extern const struct ssh_signkey_with_user_pref_id
  74. ssh2_hostkey_algs[N_HOSTKEY_ALGORITHMS];
  75. /*
  76. * Enumeration of high-level classes of reason why we might need to do
  77. * a repeat key exchange. A full detailed reason in human-readable
  78. * string form for the Event Log is also provided, but this enum type
  79. * is used to discriminate between classes of reason that the code
  80. * needs to treat differently.
  81. *
  82. * RK_NONE == 0 is the value indicating that no rekey is currently
  83. * needed at all. RK_INITIAL indicates that we haven't even done the
  84. * _first_ key exchange yet. RK_SERVER indicates that we're rekeying
  85. * because the server asked for it, not because we decided it
  86. * ourselves. RK_NORMAL is the usual case. RK_GSS_UPDATE indicates
  87. * that we're rekeying because we've just got new GSSAPI credentials
  88. * (hence there's no point in doing a preliminary check for new GSS
  89. * creds, because we already know the answer); RK_POST_USERAUTH
  90. * indicates that _if_ we're going to need a post-userauth immediate
  91. * rekey for any reason, this is the moment to do it.
  92. *
  93. * So RK_POST_USERAUTH only tells the transport layer to _consider_
  94. * rekeying, not to definitely do it. Also, that one enum value is
  95. * special in that the user-readable reason text is passed in to the
  96. * transport layer as NULL, whereas fills in the reason text after it
  97. * decides whether it needs a rekey at all. In the other cases,
  98. * rekey_reason is passed in to the at the same time as rekey_class.
  99. */
  100. typedef enum RekeyClass {
  101. RK_NONE = 0,
  102. RK_INITIAL,
  103. RK_SERVER,
  104. RK_NORMAL,
  105. RK_POST_USERAUTH,
  106. RK_GSS_UPDATE
  107. } RekeyClass;
  108. typedef struct transport_direction {
  109. const ssh_cipheralg *cipher;
  110. const ssh2_macalg *mac;
  111. bool etm_mode;
  112. const ssh_compression_alg *comp;
  113. bool comp_delayed;
  114. int mkkey_adjust;
  115. } transport_direction;
  116. struct ssh2_transport_state {
  117. int crState, crStateKex;
  118. PacketProtocolLayer *higher_layer;
  119. PktInQueue pq_in_higher;
  120. PktOutQueue pq_out_higher;
  121. IdempotentCallback ic_pq_out_higher;
  122. Conf *conf;
  123. char *savedhost;
  124. int savedport;
  125. const char *rekey_reason;
  126. enum RekeyClass rekey_class;
  127. unsigned long max_data_size;
  128. const ssh_kex *kex_alg;
  129. const ssh_keyalg *hostkey_alg;
  130. unsigned char session_id[MAX_HASH_LEN];
  131. int session_id_len;
  132. int dh_min_size, dh_max_size;
  133. bool dh_got_size_bounds;
  134. dh_ctx *dh_ctx;
  135. ssh_hash *exhash;
  136. struct DataTransferStats *stats;
  137. const SshServerConfig *ssc;
  138. char *client_greeting, *server_greeting;
  139. bool kex_in_progress, kexinit_delayed;
  140. unsigned long next_rekey, last_rekey;
  141. const char *deferred_rekey_reason;
  142. bool higher_layer_ok;
  143. /*
  144. * Fully qualified host name, which we need if doing GSSAPI.
  145. */
  146. char *fullhostname;
  147. /* shgss is outside the ifdef on purpose to keep APIs simple. If
  148. * NO_GSSAPI is not defined, then it's just an opaque structure
  149. * tag and the pointer will be NULL. */
  150. struct ssh_connection_shared_gss_state *shgss;
  151. #ifndef NO_GSSAPI
  152. int gss_status;
  153. time_t gss_cred_expiry; /* Re-delegate if newer */
  154. unsigned long gss_ctxt_lifetime; /* Re-delegate when short */
  155. #endif
  156. ssh_transient_hostkey_cache *thc;
  157. bool gss_kex_used;
  158. tree234 *host_cas;
  159. int nbits, pbits;
  160. bool warn_kex, warn_hk, warn_cscipher, warn_sccipher;
  161. struct {
  162. const char *csvuln, *scvuln;
  163. WeakCryptoReason wcr;
  164. } terrapin;
  165. mp_int *p, *g, *e, *f;
  166. strbuf *ebuf, *fbuf;
  167. strbuf *kex_shared_secret;
  168. strbuf *outgoing_kexinit, *incoming_kexinit;
  169. strbuf *client_kexinit, *server_kexinit; /* aliases to the above */
  170. int kex_init_value, kex_reply_value;
  171. transport_direction in, out, *cstrans, *sctrans;
  172. ptrlen hostkeydata, sigdata;
  173. strbuf *hostkeyblob; /* used in server to construct host key to
  174. * send to client; in client to check in rekeys */
  175. char *keystr;
  176. ssh_key *hkey; /* actual host key */
  177. unsigned hkflags; /* signing flags, used in server */
  178. RSAKey *rsa_kex_key; /* for RSA kex */
  179. bool rsa_kex_key_needs_freeing;
  180. ecdh_key *ecdh_key; /* for ECDH kex */
  181. unsigned char exchange_hash[MAX_HASH_LEN];
  182. bool can_gssapi_keyex;
  183. bool need_gss_transient_hostkey;
  184. bool warned_about_no_gss_transient_hostkey;
  185. bool got_session_id;
  186. bool can_send_ext_info, post_newkeys_ext_info;
  187. bool strict_kex, enabled_outgoing_crypto, enabled_incoming_crypto;
  188. bool seen_non_kexinit;
  189. SeatPromptResult spr;
  190. bool guessok;
  191. bool ignorepkt;
  192. struct kexinit_algorithm_list kexlists[NKEXLIST];
  193. #ifndef NO_GSSAPI
  194. Ssh_gss_buf gss_buf;
  195. Ssh_gss_buf gss_rcvtok, gss_sndtok;
  196. Ssh_gss_stat gss_stat;
  197. Ssh_gss_buf mic;
  198. bool init_token_sent;
  199. bool complete_rcvd;
  200. bool gss_delegate;
  201. #endif
  202. /* List of crypto primitives below the warning threshold that the
  203. * user has already clicked OK to, so that we don't keep asking
  204. * about them again during rekeys. This directly stores pointers
  205. * to the algorithm vtables, compared by pointer value (which is
  206. * not a determinism hazard, because we're only using it as a
  207. * set). */
  208. tree234 *weak_algorithms_consented_to;
  209. /*
  210. * List of host key algorithms for which we _don't_ have a stored
  211. * host key. These are indices into the main hostkey_algs[] array
  212. */
  213. int uncert_hostkeys[N_HOSTKEY_ALGORITHMS];
  214. int n_uncert_hostkeys;
  215. /*
  216. * Indicate that the current rekey is intended to finish with a
  217. * newly cross-certified host key. To double-check that we
  218. * certified the right one, we set this to point to the host key
  219. * algorithm we expect it to be.
  220. */
  221. const ssh_keyalg *cross_certifying;
  222. ssh_key *const *hostkeys;
  223. int nhostkeys;
  224. PacketProtocolLayer ppl;
  225. };
  226. /* Helpers shared between transport and kex */
  227. PktIn *ssh2_transport_pop(struct ssh2_transport_state *s);
  228. void ssh2_transport_dialog_callback(void *, SeatPromptResult);
  229. /* Provided by transport for use in kex */
  230. void ssh2transport_finalise_exhash(struct ssh2_transport_state *s);
  231. /* Provided by kex for use in transport. Must set the 'aborted' flag
  232. * if it throws a connection-terminating error, so that the caller
  233. * won't have to check that by looking inside its state parameter
  234. * which might already have been freed. */
  235. void ssh2kex_coroutine(struct ssh2_transport_state *s, bool *aborted);
  236. #endif /* PUTTY_SSH2TRANSPORT_H */