1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
|
/*
* Code to handle the initial SSH version string exchange.
*/
#include <assert.h>
#include <string.h>
#include <stdlib.h>
#include "putty.h"
#include "ssh.h"
#include "sshbpp.h"
#include "sshcr.h"
#define PREFIX_MAXLEN 64
struct ssh_verstring_state {
int crState;
Conf *conf;
ptrlen prefix_wanted;
char *our_protoversion;
struct ssh_version_receiver *receiver;
bool send_early;
bool found_prefix;
int major_protoversion;
int remote_bugs;
char prefix[PREFIX_MAXLEN];
char *impl_name;
strbuf *vstring;
char *protoversion;
const char *softwareversion;
char *our_vstring;
int i;
BinaryPacketProtocol bpp;
};
static void ssh_verstring_free(BinaryPacketProtocol *bpp);
static void ssh_verstring_handle_input(BinaryPacketProtocol *bpp);
static void ssh_verstring_handle_output(BinaryPacketProtocol *bpp);
static PktOut *ssh_verstring_new_pktout(int type);
static void ssh_verstring_queue_disconnect(BinaryPacketProtocol *bpp,
const char *msg, int category);
static const struct BinaryPacketProtocolVtable ssh_verstring_vtable = {
ssh_verstring_free,
ssh_verstring_handle_input,
ssh_verstring_handle_output,
ssh_verstring_new_pktout,
ssh_verstring_queue_disconnect,
0xFFFFFFFF, /* no special packet size limit for this bpp */
};
static void ssh_detect_bugs(struct ssh_verstring_state *s);
static bool ssh_version_includes_v1(const char *ver);
static bool ssh_version_includes_v2(const char *ver);
BinaryPacketProtocol *ssh_verstring_new(
Conf *conf, LogContext *logctx, bool bare_connection_mode,
const char *protoversion, struct ssh_version_receiver *rcv,
bool server_mode, const char *impl_name)
{
struct ssh_verstring_state *s = snew(struct ssh_verstring_state);
memset(s, 0, sizeof(struct ssh_verstring_state));
if (!bare_connection_mode) {
s->prefix_wanted = PTRLEN_LITERAL("SSH-");
} else {
/*
* Ordinary SSH begins with the banner "SSH-x.y-...". Here,
* we're going to be speaking just the ssh-connection
* subprotocol, extracted and given a trivial binary packet
* protocol, so we need a new banner.
*
* The new banner is like the ordinary SSH banner, but
* replaces the prefix 'SSH-' at the start with a new name. In
* proper SSH style (though of course this part of the proper
* SSH protocol _isn't_ subject to this kind of
* DNS-domain-based extension), we define the new name in our
* extension space.
*/
s->prefix_wanted = PTRLEN_LITERAL(
"SSHCONNECTION@putty.projects.tartarus.org-");
}
assert(s->prefix_wanted.len <= PREFIX_MAXLEN);
s->conf = conf_copy(conf);
s->bpp.logctx = logctx;
s->our_protoversion = dupstr(protoversion);
s->receiver = rcv;
s->impl_name = dupstr(impl_name);
s->vstring = strbuf_new();
/*
* We send our version string early if we can. But if it includes
* SSH-1, we can't, because we have to take the other end into
* account too (see below).
*
* In server mode, we do send early.
*/
s->send_early = server_mode || !ssh_version_includes_v1(protoversion);
s->bpp.vt = &ssh_verstring_vtable;
ssh_bpp_common_setup(&s->bpp);
return &s->bpp;
}
void ssh_verstring_free(BinaryPacketProtocol *bpp)
{
struct ssh_verstring_state *s =
container_of(bpp, struct ssh_verstring_state, bpp);
conf_free(s->conf);
sfree(s->impl_name);
strbuf_free(s->vstring);
sfree(s->protoversion);
sfree(s->our_vstring);
sfree(s->our_protoversion);
sfree(s);
}
static int ssh_versioncmp(const char *a, const char *b)
{
char *ae, *be;
unsigned long av, bv;
av = strtoul(a, &ae, 10);
bv = strtoul(b, &be, 10);
if (av != bv)
return (av < bv ? -1 : +1);
if (*ae == '.')
ae++;
if (*be == '.')
be++;
av = strtoul(ae, &ae, 10);
bv = strtoul(be, &be, 10);
if (av != bv)
return (av < bv ? -1 : +1);
return 0;
}
static bool ssh_version_includes_v1(const char *ver)
{
return ssh_versioncmp(ver, "2.0") < 0;
}
static bool ssh_version_includes_v2(const char *ver)
{
return ssh_versioncmp(ver, "1.99") >= 0;
}
static void ssh_verstring_send(struct ssh_verstring_state *s)
{
BinaryPacketProtocol *bpp = &s->bpp; /* for bpp_logevent */
char *p;
int sv_pos;
/*
* Construct our outgoing version string.
*/
s->our_vstring = dupprintf(
"%.*s%s-%s%s",
(int)s->prefix_wanted.len, (const char *)s->prefix_wanted.ptr,
s->our_protoversion, s->impl_name, sshver);
sv_pos = s->prefix_wanted.len + strlen(s->our_protoversion) + 1;
/* Convert minus signs and spaces in the software version string
* into underscores. */
for (p = s->our_vstring + sv_pos; *p; p++) {
if (*p == '-' || *p == ' ')
*p = '_';
}
#ifdef FUZZING
/*
* Replace the first character of the string with an "I" if we're
* compiling this code for fuzzing - i.e. the protocol prefix
* becomes "ISH-" instead of "SSH-".
*
* This is irrelevant to any real client software (the only thing
* reading the output of PuTTY built for fuzzing is the fuzzer,
* which can adapt to whatever it sees anyway). But it's a safety
* precaution making it difficult to accidentally run such a
* version of PuTTY (which would be hugely insecure) against a
* live peer implementation.
*
* (So the replacement prefix "ISH" notionally stands for
* 'Insecure Shell', of course.)
*/
s->our_vstring[0] = 'I';
#endif
/*
* Now send that version string, plus trailing \r\n or just \n
* (the latter in SSH-1 mode).
*/
bufchain_add(s->bpp.out_raw, s->our_vstring, strlen(s->our_vstring));
if (ssh_version_includes_v2(s->our_protoversion))
bufchain_add(s->bpp.out_raw, "\015", 1);
bufchain_add(s->bpp.out_raw, "\012", 1);
bpp_logevent("We claim version: %s", s->our_vstring);
}
#define BPP_WAITFOR(minlen) do \
{ \
bool success; \
crMaybeWaitUntilV( \
(success = (bufchain_size(s->bpp.in_raw) >= (minlen))) || \
s->bpp.input_eof); \
if (!success) \
goto eof; \
} while (0)
void ssh_verstring_handle_input(BinaryPacketProtocol *bpp)
{
struct ssh_verstring_state *s =
container_of(bpp, struct ssh_verstring_state, bpp);
crBegin(s->crState);
/*
* If we're sending our version string up front before seeing the
* other side's, then do it now.
*/
if (s->send_early)
ssh_verstring_send(s);
/*
* Search for a line beginning with the protocol name prefix in
* the input.
*/
s->i = 0;
while (1) {
/*
* Every time round this loop, we're at the start of a new
* line, so look for the prefix.
*/
BPP_WAITFOR(s->prefix_wanted.len);
bufchain_fetch(s->bpp.in_raw, s->prefix, s->prefix_wanted.len);
if (!memcmp(s->prefix, s->prefix_wanted.ptr, s->prefix_wanted.len)) {
bufchain_consume(s->bpp.in_raw, s->prefix_wanted.len);
ssh_check_frozen(s->bpp.ssh);
break;
}
/*
* If we didn't find it, consume data until we see a newline.
*/
while (1) {
ptrlen data;
char *nl;
/* Wait to receive at least 1 byte, but then consume more
* than that if it's there. */
BPP_WAITFOR(1);
data = bufchain_prefix(s->bpp.in_raw);
if ((nl = memchr(data.ptr, '\012', data.len)) != NULL) {
bufchain_consume(s->bpp.in_raw, nl - (char *)data.ptr + 1);
ssh_check_frozen(s->bpp.ssh);
break;
} else {
bufchain_consume(s->bpp.in_raw, data.len);
ssh_check_frozen(s->bpp.ssh);
}
}
}
s->found_prefix = true;
/*
* Copy the greeting line so far into vstring.
*/
put_data(s->vstring, s->prefix_wanted.ptr, s->prefix_wanted.len);
/*
* Now read the rest of the greeting line.
*/
s->i = 0;
do {
ptrlen data;
char *nl;
BPP_WAITFOR(1);
data = bufchain_prefix(s->bpp.in_raw);
if ((nl = memchr(data.ptr, '\012', data.len)) != NULL) {
data.len = nl - (char *)data.ptr + 1;
}
put_datapl(s->vstring, data);
bufchain_consume(s->bpp.in_raw, data.len);
ssh_check_frozen(s->bpp.ssh);
} while (s->vstring->s[s->vstring->len-1] != '\012');
/*
* Trim \r and \n from the version string, and replace them with
* a NUL terminator.
*/
while (s->vstring->len > 0 &&
(s->vstring->s[s->vstring->len-1] == '\r' ||
s->vstring->s[s->vstring->len-1] == '\n'))
strbuf_shrink_by(s->vstring, 1);
bpp_logevent("Remote version: %s", s->vstring->s);
/*
* Pick out the protocol version and software version. The former
* goes in a separately allocated string, so that s->vstring
* remains intact for later use in key exchange; the latter is the
* tail of s->vstring, so it doesn't need to be allocated.
*/
{
const char *pv_start = s->vstring->s + s->prefix_wanted.len;
int pv_len = strcspn(pv_start, "-");
s->protoversion = dupprintf("%.*s", pv_len, pv_start);
s->softwareversion = pv_start + pv_len;
if (*s->softwareversion) {
assert(*s->softwareversion == '-');
s->softwareversion++;
}
}
ssh_detect_bugs(s);
/*
* Figure out what actual SSH protocol version we're speaking.
*/
if (ssh_version_includes_v2(s->our_protoversion) &&
ssh_version_includes_v2(s->protoversion)) {
/*
* We're doing SSH-2.
*/
s->major_protoversion = 2;
} else if (ssh_version_includes_v1(s->our_protoversion) &&
ssh_version_includes_v1(s->protoversion)) {
/*
* We're doing SSH-1.
*/
s->major_protoversion = 1;
/*
* There are multiple minor versions of SSH-1, and the
* protocol does not specify that the minimum of client
* and server versions is used. So we must adjust our
* outgoing protocol version to be no higher than that of
* the other side.
*/
if (!s->send_early &&
ssh_versioncmp(s->our_protoversion, s->protoversion) > 0) {
sfree(s->our_protoversion);
s->our_protoversion = dupstr(s->protoversion);
}
} else {
/*
* Unable to agree on a major protocol version at all.
*/
if (!ssh_version_includes_v2(s->our_protoversion)) {
ssh_sw_abort(s->bpp.ssh,
"SSH protocol version 1 required by our "
"configuration but not provided by remote");
} else {
ssh_sw_abort(s->bpp.ssh,
"SSH protocol version 2 required by our "
"configuration but remote only provides "
"(old, insecure) SSH-1");
}
crStopV;
}
bpp_logevent("Using SSH protocol version %d", s->major_protoversion);
if (!s->send_early) {
/*
* If we didn't send our version string early, construct and
* send it now, because now we know what it is.
*/
ssh_verstring_send(s);
}
/*
* And we're done. Notify our receiver that we now know our
* protocol version. This will cause it to disconnect us from the
* input stream and ultimately free us, because our job is now
* done.
*/
s->receiver->got_ssh_version(s->receiver, s->major_protoversion);
return;
eof:
ssh_remote_error(s->bpp.ssh,
"Remote side unexpectedly closed network connection");
return; /* avoid touching s now it's been freed */
crFinishV;
}
static PktOut *ssh_verstring_new_pktout(int type)
{
unreachable("Should never try to send packets during SSH version "
"string exchange");
}
static void ssh_verstring_handle_output(BinaryPacketProtocol *bpp)
{
if (pq_peek(&bpp->out_pq)) {
unreachable("Should never try to send packets during SSH version "
"string exchange");
}
}
/*
* Examine the remote side's version string, and compare it against a
* list of known buggy implementations.
*/
static void ssh_detect_bugs(struct ssh_verstring_state *s)
{
BinaryPacketProtocol *bpp = &s->bpp; /* for bpp_logevent */
const char *imp = s->softwareversion;
s->remote_bugs = 0;
/*
* General notes on server version strings:
* - Not all servers reporting "Cisco-1.25" have all the bugs listed
* here -- in particular, we've heard of one that's perfectly happy
* with SSH1_MSG_IGNOREs -- but this string never seems to change,
* so we can't distinguish them.
*/
if (conf_get_int(s->conf, CONF_sshbug_ignore1) == FORCE_ON ||
(conf_get_int(s->conf, CONF_sshbug_ignore1) == AUTO &&
(!strcmp(imp, "1.2.18") || !strcmp(imp, "1.2.19") ||
!strcmp(imp, "1.2.20") || !strcmp(imp, "1.2.21") ||
!strcmp(imp, "1.2.22") || !strcmp(imp, "Cisco-1.25") ||
!strcmp(imp, "OSU_1.4alpha3") || !strcmp(imp, "OSU_1.5alpha4")))) {
/*
* These versions don't support SSH1_MSG_IGNORE, so we have
* to use a different defence against password length
* sniffing.
*/
s->remote_bugs |= BUG_CHOKES_ON_SSH1_IGNORE;
bpp_logevent("We believe remote version has SSH-1 ignore bug");
}
if (conf_get_int(s->conf, CONF_sshbug_plainpw1) == FORCE_ON ||
(conf_get_int(s->conf, CONF_sshbug_plainpw1) == AUTO &&
(!strcmp(imp, "Cisco-1.25") || !strcmp(imp, "OSU_1.4alpha3")))) {
/*
* These versions need a plain password sent; they can't
* handle having a null and a random length of data after
* the password.
*/
s->remote_bugs |= BUG_NEEDS_SSH1_PLAIN_PASSWORD;
bpp_logevent("We believe remote version needs a "
"plain SSH-1 password");
}
if (conf_get_int(s->conf, CONF_sshbug_rsa1) == FORCE_ON ||
(conf_get_int(s->conf, CONF_sshbug_rsa1) == AUTO &&
(!strcmp(imp, "Cisco-1.25")))) {
/*
* These versions apparently have no clue whatever about
* RSA authentication and will panic and die if they see
* an AUTH_RSA message.
*/
s->remote_bugs |= BUG_CHOKES_ON_RSA;
bpp_logevent("We believe remote version can't handle SSH-1 "
"RSA authentication");
}
if (conf_get_int(s->conf, CONF_sshbug_hmac2) == FORCE_ON ||
(conf_get_int(s->conf, CONF_sshbug_hmac2) == AUTO &&
!wc_match("* VShell", imp) &&
(wc_match("2.1.0*", imp) || wc_match("2.0.*", imp) ||
wc_match("2.2.0*", imp) || wc_match("2.3.0*", imp) ||
wc_match("2.1 *", imp)))) {
/*
* These versions have the HMAC bug.
*/
s->remote_bugs |= BUG_SSH2_HMAC;
bpp_logevent("We believe remote version has SSH-2 HMAC bug");
}
if (conf_get_int(s->conf, CONF_sshbug_derivekey2) == FORCE_ON ||
(conf_get_int(s->conf, CONF_sshbug_derivekey2) == AUTO &&
!wc_match("* VShell", imp) &&
(wc_match("2.0.0*", imp) || wc_match("2.0.10*", imp) ))) {
/*
* These versions have the key-derivation bug (failing to
* include the literal shared secret in the hashes that
* generate the keys).
*/
s->remote_bugs |= BUG_SSH2_DERIVEKEY;
bpp_logevent("We believe remote version has SSH-2 "
"key-derivation bug");
}
if (conf_get_int(s->conf, CONF_sshbug_rsapad2) == FORCE_ON ||
(conf_get_int(s->conf, CONF_sshbug_rsapad2) == AUTO &&
(wc_match("OpenSSH_2.[5-9]*", imp) ||
wc_match("OpenSSH_3.[0-2]*", imp) ||
wc_match("mod_sftp/0.[0-8]*", imp) ||
wc_match("mod_sftp/0.9.[0-8]", imp)))) {
/*
* These versions have the SSH-2 RSA padding bug.
*/
s->remote_bugs |= BUG_SSH2_RSA_PADDING;
bpp_logevent("We believe remote version has SSH-2 RSA padding bug");
}
if (conf_get_int(s->conf, CONF_sshbug_pksessid2) == FORCE_ON ||
(conf_get_int(s->conf, CONF_sshbug_pksessid2) == AUTO &&
wc_match("OpenSSH_2.[0-2]*", imp))) {
/*
* These versions have the SSH-2 session-ID bug in
* public-key authentication.
*/
s->remote_bugs |= BUG_SSH2_PK_SESSIONID;
bpp_logevent("We believe remote version has SSH-2 "
"public-key-session-ID bug");
}
if (conf_get_int(s->conf, CONF_sshbug_rekey2) == FORCE_ON ||
(conf_get_int(s->conf, CONF_sshbug_rekey2) == AUTO &&
(wc_match("DigiSSH_2.0", imp) ||
wc_match("OpenSSH_2.[0-4]*", imp) ||
wc_match("OpenSSH_2.5.[0-3]*", imp) ||
wc_match("Sun_SSH_1.0", imp) ||
wc_match("Sun_SSH_1.0.1", imp) ||
/* All versions <= 1.2.6 (they changed their format in 1.2.7) */
wc_match("WeOnlyDo-*", imp)))) {
/*
* These versions have the SSH-2 rekey bug.
*/
s->remote_bugs |= BUG_SSH2_REKEY;
bpp_logevent("We believe remote version has SSH-2 rekey bug");
}
if (conf_get_int(s->conf, CONF_sshbug_maxpkt2) == FORCE_ON ||
(conf_get_int(s->conf, CONF_sshbug_maxpkt2) == AUTO &&
(wc_match("1.36_sshlib GlobalSCAPE", imp) ||
wc_match("1.36 sshlib: GlobalScape", imp)))) {
/*
* This version ignores our makpkt and needs to be throttled.
*/
s->remote_bugs |= BUG_SSH2_MAXPKT;
bpp_logevent("We believe remote version ignores SSH-2 "
"maximum packet size");
}
if (conf_get_int(s->conf, CONF_sshbug_ignore2) == FORCE_ON) {
/*
* Servers that don't support SSH2_MSG_IGNORE. Currently,
* none detected automatically.
*/
s->remote_bugs |= BUG_CHOKES_ON_SSH2_IGNORE;
bpp_logevent("We believe remote version has SSH-2 ignore bug");
}
if (conf_get_int(s->conf, CONF_sshbug_oldgex2) == FORCE_ON ||
(conf_get_int(s->conf, CONF_sshbug_oldgex2) == AUTO &&
(wc_match("OpenSSH_2.[235]*", imp)))) {
/*
* These versions only support the original (pre-RFC4419)
* SSH-2 GEX request, and disconnect with a protocol error if
* we use the newer version.
*/
s->remote_bugs |= BUG_SSH2_OLDGEX;
bpp_logevent("We believe remote version has outdated SSH-2 GEX");
}
if (conf_get_int(s->conf, CONF_sshbug_winadj) == FORCE_ON) {
/*
* Servers that don't support our winadj request for one
* reason or another. Currently, none detected automatically.
*/
s->remote_bugs |= BUG_CHOKES_ON_WINADJ;
bpp_logevent("We believe remote version has winadj bug");
}
if (conf_get_int(s->conf, CONF_sshbug_chanreq) == FORCE_ON ||
(conf_get_int(s->conf, CONF_sshbug_chanreq) == AUTO &&
(wc_match("OpenSSH_[2-5].*", imp) ||
wc_match("OpenSSH_6.[0-6]*", imp) ||
wc_match("dropbear_0.[2-4][0-9]*", imp) ||
wc_match("dropbear_0.5[01]*", imp)))) {
/*
* These versions have the SSH-2 channel request bug.
* OpenSSH 6.7 and above do not:
* https://bugzilla.mindrot.org/show_bug.cgi?id=1818
* dropbear_0.52 and above do not:
* https://secure.ucc.asn.au/hg/dropbear/rev/cd02449b709c
*/
s->remote_bugs |= BUG_SENDS_LATE_REQUEST_REPLY;
bpp_logevent("We believe remote version has SSH-2 "
"channel request bug");
}
}
const char *ssh_verstring_get_remote(BinaryPacketProtocol *bpp)
{
struct ssh_verstring_state *s =
container_of(bpp, struct ssh_verstring_state, bpp);
return s->vstring->s;
}
const char *ssh_verstring_get_local(BinaryPacketProtocol *bpp)
{
struct ssh_verstring_state *s =
container_of(bpp, struct ssh_verstring_state, bpp);
return s->our_vstring;
}
int ssh_verstring_get_bugs(BinaryPacketProtocol *bpp)
{
struct ssh_verstring_state *s =
container_of(bpp, struct ssh_verstring_state, bpp);
return s->remote_bugs;
}
static void ssh_verstring_queue_disconnect(BinaryPacketProtocol *bpp,
const char *msg, int category)
{
/* No way to send disconnect messages at this stage of the protocol! */
}
|
