upstream commit
remove SSHv1 support from packet and buffer APIs ok markus@ Upstream-ID: bfc290053d40b806ecac46317d300677d80e1dc9
This commit is contained in:
parent
0516435857
commit
3d6d09f2e9
42
bufbn.c
42
bufbn.c
|
@ -1,4 +1,4 @@
|
||||||
/* $OpenBSD: bufbn.c,v 1.12 2014/04/30 05:29:56 djm Exp $ */
|
/* $OpenBSD: bufbn.c,v 1.13 2017/04/30 23:23:54 djm Exp $ */
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* Copyright (c) 2012 Damien Miller <djm@mindrot.org>
|
* Copyright (c) 2012 Damien Miller <djm@mindrot.org>
|
||||||
|
@ -28,46 +28,6 @@
|
||||||
#include "log.h"
|
#include "log.h"
|
||||||
#include "ssherr.h"
|
#include "ssherr.h"
|
||||||
|
|
||||||
#ifdef WITH_SSH1
|
|
||||||
int
|
|
||||||
buffer_put_bignum_ret(Buffer *buffer, const BIGNUM *value)
|
|
||||||
{
|
|
||||||
int ret;
|
|
||||||
|
|
||||||
if ((ret = sshbuf_put_bignum1(buffer, value)) != 0) {
|
|
||||||
error("%s: %s", __func__, ssh_err(ret));
|
|
||||||
return -1;
|
|
||||||
}
|
|
||||||
return 0;
|
|
||||||
}
|
|
||||||
|
|
||||||
void
|
|
||||||
buffer_put_bignum(Buffer *buffer, const BIGNUM *value)
|
|
||||||
{
|
|
||||||
if (buffer_put_bignum_ret(buffer, value) == -1)
|
|
||||||
fatal("%s: buffer error", __func__);
|
|
||||||
}
|
|
||||||
|
|
||||||
int
|
|
||||||
buffer_get_bignum_ret(Buffer *buffer, BIGNUM *value)
|
|
||||||
{
|
|
||||||
int ret;
|
|
||||||
|
|
||||||
if ((ret = sshbuf_get_bignum1(buffer, value)) != 0) {
|
|
||||||
error("%s: %s", __func__, ssh_err(ret));
|
|
||||||
return -1;
|
|
||||||
}
|
|
||||||
return 0;
|
|
||||||
}
|
|
||||||
|
|
||||||
void
|
|
||||||
buffer_get_bignum(Buffer *buffer, BIGNUM *value)
|
|
||||||
{
|
|
||||||
if (buffer_get_bignum_ret(buffer, value) == -1)
|
|
||||||
fatal("%s: buffer error", __func__);
|
|
||||||
}
|
|
||||||
#endif /* WITH_SSH1 */
|
|
||||||
|
|
||||||
int
|
int
|
||||||
buffer_put_bignum2_ret(Buffer *buffer, const BIGNUM *value)
|
buffer_put_bignum2_ret(Buffer *buffer, const BIGNUM *value)
|
||||||
{
|
{
|
||||||
|
|
6
buffer.h
6
buffer.h
|
@ -1,4 +1,4 @@
|
||||||
/* $OpenBSD: buffer.h,v 1.25 2014/04/30 05:29:56 djm Exp $ */
|
/* $OpenBSD: buffer.h,v 1.26 2017/04/30 23:23:54 djm Exp $ */
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* Copyright (c) 2012 Damien Miller <djm@mindrot.org>
|
* Copyright (c) 2012 Damien Miller <djm@mindrot.org>
|
||||||
|
@ -49,9 +49,7 @@ int buffer_consume_end_ret(Buffer *, u_int);
|
||||||
|
|
||||||
#include <openssl/objects.h>
|
#include <openssl/objects.h>
|
||||||
#include <openssl/bn.h>
|
#include <openssl/bn.h>
|
||||||
void buffer_put_bignum(Buffer *, const BIGNUM *);
|
|
||||||
void buffer_put_bignum2(Buffer *, const BIGNUM *);
|
void buffer_put_bignum2(Buffer *, const BIGNUM *);
|
||||||
void buffer_get_bignum(Buffer *, BIGNUM *);
|
|
||||||
void buffer_get_bignum2(Buffer *, BIGNUM *);
|
void buffer_get_bignum2(Buffer *, BIGNUM *);
|
||||||
void buffer_put_bignum2_from_string(Buffer *, const u_char *, u_int);
|
void buffer_put_bignum2_from_string(Buffer *, const u_char *, u_int);
|
||||||
|
|
||||||
|
@ -75,8 +73,6 @@ void buffer_put_cstring(Buffer *, const char *);
|
||||||
|
|
||||||
#define buffer_skip_string(b) (void)buffer_get_string_ptr(b, NULL);
|
#define buffer_skip_string(b) (void)buffer_get_string_ptr(b, NULL);
|
||||||
|
|
||||||
int buffer_put_bignum_ret(Buffer *, const BIGNUM *);
|
|
||||||
int buffer_get_bignum_ret(Buffer *, BIGNUM *);
|
|
||||||
int buffer_put_bignum2_ret(Buffer *, const BIGNUM *);
|
int buffer_put_bignum2_ret(Buffer *, const BIGNUM *);
|
||||||
int buffer_get_bignum2_ret(Buffer *, BIGNUM *);
|
int buffer_get_bignum2_ret(Buffer *, BIGNUM *);
|
||||||
int buffer_get_short_ret(u_short *, Buffer *);
|
int buffer_get_short_ret(u_short *, Buffer *);
|
||||||
|
|
149
packet.c
149
packet.c
|
@ -1,4 +1,4 @@
|
||||||
/* $OpenBSD: packet.c,v 1.249 2017/04/30 23:13:25 djm Exp $ */
|
/* $OpenBSD: packet.c,v 1.250 2017/04/30 23:23:54 djm Exp $ */
|
||||||
/*
|
/*
|
||||||
* Author: Tatu Ylonen <ylo@cs.hut.fi>
|
* Author: Tatu Ylonen <ylo@cs.hut.fi>
|
||||||
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
|
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
|
||||||
|
@ -1397,153 +1397,6 @@ ssh_packet_read_expect(struct ssh *ssh, u_int expected_type)
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
/* Checks if a full packet is available in the data received so far via
|
|
||||||
* packet_process_incoming. If so, reads the packet; otherwise returns
|
|
||||||
* SSH_MSG_NONE. This does not wait for data from the connection.
|
|
||||||
*
|
|
||||||
* SSH_MSG_DISCONNECT is handled specially here. Also,
|
|
||||||
* SSH_MSG_IGNORE messages are skipped by this function and are never returned
|
|
||||||
* to higher levels.
|
|
||||||
*/
|
|
||||||
|
|
||||||
int
|
|
||||||
ssh_packet_read_poll1(struct ssh *ssh, u_char *typep)
|
|
||||||
{
|
|
||||||
struct session_state *state = ssh->state;
|
|
||||||
u_int len, padded_len;
|
|
||||||
const char *emsg;
|
|
||||||
const u_char *cp;
|
|
||||||
u_char *p;
|
|
||||||
u_int checksum, stored_checksum;
|
|
||||||
int r;
|
|
||||||
|
|
||||||
*typep = SSH_MSG_NONE;
|
|
||||||
|
|
||||||
/* Check if input size is less than minimum packet size. */
|
|
||||||
if (sshbuf_len(state->input) < 4 + 8)
|
|
||||||
return 0;
|
|
||||||
/* Get length of incoming packet. */
|
|
||||||
len = PEEK_U32(sshbuf_ptr(state->input));
|
|
||||||
if (len < 1 + 2 + 2 || len > 256 * 1024) {
|
|
||||||
if ((r = sshpkt_disconnect(ssh, "Bad packet length %u",
|
|
||||||
len)) != 0)
|
|
||||||
return r;
|
|
||||||
return SSH_ERR_CONN_CORRUPT;
|
|
||||||
}
|
|
||||||
padded_len = (len + 8) & ~7;
|
|
||||||
|
|
||||||
/* Check if the packet has been entirely received. */
|
|
||||||
if (sshbuf_len(state->input) < 4 + padded_len)
|
|
||||||
return 0;
|
|
||||||
|
|
||||||
/* The entire packet is in buffer. */
|
|
||||||
|
|
||||||
/* Consume packet length. */
|
|
||||||
if ((r = sshbuf_consume(state->input, 4)) != 0)
|
|
||||||
goto out;
|
|
||||||
|
|
||||||
/*
|
|
||||||
* Cryptographic attack detector for ssh
|
|
||||||
* (C)1998 CORE-SDI, Buenos Aires Argentina
|
|
||||||
* Ariel Futoransky(futo@core-sdi.com)
|
|
||||||
*/
|
|
||||||
if (!cipher_ctx_is_plaintext(state->receive_context)) {
|
|
||||||
emsg = NULL;
|
|
||||||
switch (detect_attack(&state->deattack,
|
|
||||||
sshbuf_ptr(state->input), padded_len)) {
|
|
||||||
case DEATTACK_OK:
|
|
||||||
break;
|
|
||||||
case DEATTACK_DETECTED:
|
|
||||||
emsg = "crc32 compensation attack detected";
|
|
||||||
break;
|
|
||||||
case DEATTACK_DOS_DETECTED:
|
|
||||||
emsg = "deattack denial of service detected";
|
|
||||||
break;
|
|
||||||
default:
|
|
||||||
emsg = "deattack error";
|
|
||||||
break;
|
|
||||||
}
|
|
||||||
if (emsg != NULL) {
|
|
||||||
error("%s", emsg);
|
|
||||||
if ((r = sshpkt_disconnect(ssh, "%s", emsg)) != 0 ||
|
|
||||||
(r = ssh_packet_write_wait(ssh)) != 0)
|
|
||||||
return r;
|
|
||||||
return SSH_ERR_CONN_CORRUPT;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
/* Decrypt data to incoming_packet. */
|
|
||||||
sshbuf_reset(state->incoming_packet);
|
|
||||||
if ((r = sshbuf_reserve(state->incoming_packet, padded_len, &p)) != 0)
|
|
||||||
goto out;
|
|
||||||
if ((r = cipher_crypt(state->receive_context, 0, p,
|
|
||||||
sshbuf_ptr(state->input), padded_len, 0, 0)) != 0)
|
|
||||||
goto out;
|
|
||||||
|
|
||||||
if ((r = sshbuf_consume(state->input, padded_len)) != 0)
|
|
||||||
goto out;
|
|
||||||
|
|
||||||
#ifdef PACKET_DEBUG
|
|
||||||
fprintf(stderr, "read_poll plain: ");
|
|
||||||
sshbuf_dump(state->incoming_packet, stderr);
|
|
||||||
#endif
|
|
||||||
|
|
||||||
/* Compute packet checksum. */
|
|
||||||
checksum = ssh_crc32(sshbuf_ptr(state->incoming_packet),
|
|
||||||
sshbuf_len(state->incoming_packet) - 4);
|
|
||||||
|
|
||||||
/* Skip padding. */
|
|
||||||
if ((r = sshbuf_consume(state->incoming_packet, 8 - len % 8)) != 0)
|
|
||||||
goto out;
|
|
||||||
|
|
||||||
/* Test check bytes. */
|
|
||||||
if (len != sshbuf_len(state->incoming_packet)) {
|
|
||||||
error("%s: len %d != sshbuf_len %zd", __func__,
|
|
||||||
len, sshbuf_len(state->incoming_packet));
|
|
||||||
if ((r = sshpkt_disconnect(ssh, "invalid packet length")) != 0 ||
|
|
||||||
(r = ssh_packet_write_wait(ssh)) != 0)
|
|
||||||
return r;
|
|
||||||
return SSH_ERR_CONN_CORRUPT;
|
|
||||||
}
|
|
||||||
|
|
||||||
cp = sshbuf_ptr(state->incoming_packet) + len - 4;
|
|
||||||
stored_checksum = PEEK_U32(cp);
|
|
||||||
if (checksum != stored_checksum) {
|
|
||||||
error("Corrupted check bytes on input");
|
|
||||||
if ((r = sshpkt_disconnect(ssh, "connection corrupted")) != 0 ||
|
|
||||||
(r = ssh_packet_write_wait(ssh)) != 0)
|
|
||||||
return r;
|
|
||||||
return SSH_ERR_CONN_CORRUPT;
|
|
||||||
}
|
|
||||||
if ((r = sshbuf_consume_end(state->incoming_packet, 4)) < 0)
|
|
||||||
goto out;
|
|
||||||
|
|
||||||
if (state->packet_compression) {
|
|
||||||
sshbuf_reset(state->compression_buffer);
|
|
||||||
if ((r = uncompress_buffer(ssh, state->incoming_packet,
|
|
||||||
state->compression_buffer)) != 0)
|
|
||||||
goto out;
|
|
||||||
sshbuf_reset(state->incoming_packet);
|
|
||||||
if ((r = sshbuf_putb(state->incoming_packet,
|
|
||||||
state->compression_buffer)) != 0)
|
|
||||||
goto out;
|
|
||||||
}
|
|
||||||
state->p_read.packets++;
|
|
||||||
state->p_read.bytes += padded_len + 4;
|
|
||||||
if ((r = sshbuf_get_u8(state->incoming_packet, typep)) != 0)
|
|
||||||
goto out;
|
|
||||||
if (*typep < SSH_MSG_MIN || *typep > SSH_MSG_MAX) {
|
|
||||||
error("Invalid ssh1 packet type: %d", *typep);
|
|
||||||
if ((r = sshpkt_disconnect(ssh, "invalid packet type")) != 0 ||
|
|
||||||
(r = ssh_packet_write_wait(ssh)) != 0)
|
|
||||||
return r;
|
|
||||||
return SSH_ERR_PROTOCOL_ERROR;
|
|
||||||
}
|
|
||||||
r = 0;
|
|
||||||
out:
|
|
||||||
return r;
|
|
||||||
}
|
|
||||||
|
|
||||||
static int
|
static int
|
||||||
ssh_packet_read_poll2_mux(struct ssh *ssh, u_char *typep, u_int32_t *seqnr_p)
|
ssh_packet_read_poll2_mux(struct ssh *ssh, u_char *typep, u_int32_t *seqnr_p)
|
||||||
{
|
{
|
||||||
|
|
5
packet.h
5
packet.h
|
@ -1,4 +1,4 @@
|
||||||
/* $OpenBSD: packet.h,v 1.77 2017/04/30 23:13:25 djm Exp $ */
|
/* $OpenBSD: packet.h,v 1.78 2017/04/30 23:23:54 djm Exp $ */
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* Author: Tatu Ylonen <ylo@cs.hut.fi>
|
* Author: Tatu Ylonen <ylo@cs.hut.fi>
|
||||||
|
@ -118,7 +118,6 @@ int ssh_packet_send2(struct ssh *);
|
||||||
int ssh_packet_read(struct ssh *);
|
int ssh_packet_read(struct ssh *);
|
||||||
int ssh_packet_read_expect(struct ssh *, u_int type);
|
int ssh_packet_read_expect(struct ssh *, u_int type);
|
||||||
int ssh_packet_read_poll(struct ssh *);
|
int ssh_packet_read_poll(struct ssh *);
|
||||||
int ssh_packet_read_poll1(struct ssh *, u_char *);
|
|
||||||
int ssh_packet_read_poll2(struct ssh *, u_char *, u_int32_t *seqnr_p);
|
int ssh_packet_read_poll2(struct ssh *, u_char *, u_int32_t *seqnr_p);
|
||||||
int ssh_packet_process_incoming(struct ssh *, const char *buf, u_int len);
|
int ssh_packet_process_incoming(struct ssh *, const char *buf, u_int len);
|
||||||
int ssh_packet_read_seqnr(struct ssh *, u_char *, u_int32_t *seqnr_p);
|
int ssh_packet_read_seqnr(struct ssh *, u_char *, u_int32_t *seqnr_p);
|
||||||
|
@ -181,7 +180,6 @@ int sshpkt_put_string(struct ssh *ssh, const void *v, size_t len);
|
||||||
int sshpkt_put_cstring(struct ssh *ssh, const void *v);
|
int sshpkt_put_cstring(struct ssh *ssh, const void *v);
|
||||||
int sshpkt_put_stringb(struct ssh *ssh, const struct sshbuf *v);
|
int sshpkt_put_stringb(struct ssh *ssh, const struct sshbuf *v);
|
||||||
int sshpkt_put_ec(struct ssh *ssh, const EC_POINT *v, const EC_GROUP *g);
|
int sshpkt_put_ec(struct ssh *ssh, const EC_POINT *v, const EC_GROUP *g);
|
||||||
int sshpkt_put_bignum1(struct ssh *ssh, const BIGNUM *v);
|
|
||||||
int sshpkt_put_bignum2(struct ssh *ssh, const BIGNUM *v);
|
int sshpkt_put_bignum2(struct ssh *ssh, const BIGNUM *v);
|
||||||
|
|
||||||
int sshpkt_get(struct ssh *ssh, void *valp, size_t len);
|
int sshpkt_get(struct ssh *ssh, void *valp, size_t len);
|
||||||
|
@ -192,7 +190,6 @@ int sshpkt_get_string(struct ssh *ssh, u_char **valp, size_t *lenp);
|
||||||
int sshpkt_get_string_direct(struct ssh *ssh, const u_char **valp, size_t *lenp);
|
int sshpkt_get_string_direct(struct ssh *ssh, const u_char **valp, size_t *lenp);
|
||||||
int sshpkt_get_cstring(struct ssh *ssh, char **valp, size_t *lenp);
|
int sshpkt_get_cstring(struct ssh *ssh, char **valp, size_t *lenp);
|
||||||
int sshpkt_get_ec(struct ssh *ssh, EC_POINT *v, const EC_GROUP *g);
|
int sshpkt_get_ec(struct ssh *ssh, EC_POINT *v, const EC_GROUP *g);
|
||||||
int sshpkt_get_bignum1(struct ssh *ssh, BIGNUM *v);
|
|
||||||
int sshpkt_get_bignum2(struct ssh *ssh, BIGNUM *v);
|
int sshpkt_get_bignum2(struct ssh *ssh, BIGNUM *v);
|
||||||
int sshpkt_get_end(struct ssh *ssh);
|
int sshpkt_get_end(struct ssh *ssh);
|
||||||
const u_char *sshpkt_ptr(struct ssh *, size_t *lenp);
|
const u_char *sshpkt_ptr(struct ssh *, size_t *lenp);
|
||||||
|
|
Loading…
Reference in New Issue