зеркало из https://github.com/github/putty.git
630 строки
21 KiB
C
630 строки
21 KiB
C
/*
|
|
* Code to handle the initial SSH version string exchange.
|
|
*/
|
|
|
|
#include <assert.h>
|
|
#include <string.h>
|
|
#include <stdlib.h>
|
|
|
|
#include "putty.h"
|
|
#include "ssh.h"
|
|
#include "sshbpp.h"
|
|
#include "sshcr.h"
|
|
|
|
#define PREFIX_MAXLEN 64
|
|
|
|
struct ssh_verstring_state {
|
|
int crState;
|
|
|
|
Conf *conf;
|
|
ptrlen prefix_wanted;
|
|
char *our_protoversion;
|
|
struct ssh_version_receiver *receiver;
|
|
|
|
bool send_early;
|
|
|
|
bool found_prefix;
|
|
int major_protoversion;
|
|
int remote_bugs;
|
|
char prefix[PREFIX_MAXLEN];
|
|
char *impl_name;
|
|
strbuf *vstring;
|
|
char *protoversion;
|
|
const char *softwareversion;
|
|
|
|
char *our_vstring;
|
|
int i;
|
|
|
|
BinaryPacketProtocol bpp;
|
|
};
|
|
|
|
static void ssh_verstring_free(BinaryPacketProtocol *bpp);
|
|
static void ssh_verstring_handle_input(BinaryPacketProtocol *bpp);
|
|
static void ssh_verstring_handle_output(BinaryPacketProtocol *bpp);
|
|
static PktOut *ssh_verstring_new_pktout(int type);
|
|
static void ssh_verstring_queue_disconnect(BinaryPacketProtocol *bpp,
|
|
const char *msg, int category);
|
|
|
|
static const struct BinaryPacketProtocolVtable ssh_verstring_vtable = {
|
|
ssh_verstring_free,
|
|
ssh_verstring_handle_input,
|
|
ssh_verstring_handle_output,
|
|
ssh_verstring_new_pktout,
|
|
ssh_verstring_queue_disconnect,
|
|
0xFFFFFFFF, /* no special packet size limit for this bpp */
|
|
};
|
|
|
|
static void ssh_detect_bugs(struct ssh_verstring_state *s);
|
|
static bool ssh_version_includes_v1(const char *ver);
|
|
static bool ssh_version_includes_v2(const char *ver);
|
|
|
|
BinaryPacketProtocol *ssh_verstring_new(
|
|
Conf *conf, LogContext *logctx, bool bare_connection_mode,
|
|
const char *protoversion, struct ssh_version_receiver *rcv,
|
|
bool server_mode, const char *impl_name)
|
|
{
|
|
struct ssh_verstring_state *s = snew(struct ssh_verstring_state);
|
|
|
|
memset(s, 0, sizeof(struct ssh_verstring_state));
|
|
|
|
if (!bare_connection_mode) {
|
|
s->prefix_wanted = PTRLEN_LITERAL("SSH-");
|
|
} else {
|
|
/*
|
|
* Ordinary SSH begins with the banner "SSH-x.y-...". Here,
|
|
* we're going to be speaking just the ssh-connection
|
|
* subprotocol, extracted and given a trivial binary packet
|
|
* protocol, so we need a new banner.
|
|
*
|
|
* The new banner is like the ordinary SSH banner, but
|
|
* replaces the prefix 'SSH-' at the start with a new name. In
|
|
* proper SSH style (though of course this part of the proper
|
|
* SSH protocol _isn't_ subject to this kind of
|
|
* DNS-domain-based extension), we define the new name in our
|
|
* extension space.
|
|
*/
|
|
s->prefix_wanted = PTRLEN_LITERAL(
|
|
"SSHCONNECTION@putty.projects.tartarus.org-");
|
|
}
|
|
assert(s->prefix_wanted.len <= PREFIX_MAXLEN);
|
|
|
|
s->conf = conf_copy(conf);
|
|
s->bpp.logctx = logctx;
|
|
s->our_protoversion = dupstr(protoversion);
|
|
s->receiver = rcv;
|
|
s->impl_name = dupstr(impl_name);
|
|
s->vstring = strbuf_new();
|
|
|
|
/*
|
|
* We send our version string early if we can. But if it includes
|
|
* SSH-1, we can't, because we have to take the other end into
|
|
* account too (see below).
|
|
*
|
|
* In server mode, we do send early.
|
|
*/
|
|
s->send_early = server_mode || !ssh_version_includes_v1(protoversion);
|
|
|
|
s->bpp.vt = &ssh_verstring_vtable;
|
|
ssh_bpp_common_setup(&s->bpp);
|
|
return &s->bpp;
|
|
}
|
|
|
|
void ssh_verstring_free(BinaryPacketProtocol *bpp)
|
|
{
|
|
struct ssh_verstring_state *s =
|
|
container_of(bpp, struct ssh_verstring_state, bpp);
|
|
conf_free(s->conf);
|
|
sfree(s->impl_name);
|
|
strbuf_free(s->vstring);
|
|
sfree(s->protoversion);
|
|
sfree(s->our_vstring);
|
|
sfree(s->our_protoversion);
|
|
sfree(s);
|
|
}
|
|
|
|
static int ssh_versioncmp(const char *a, const char *b)
|
|
{
|
|
char *ae, *be;
|
|
unsigned long av, bv;
|
|
|
|
av = strtoul(a, &ae, 10);
|
|
bv = strtoul(b, &be, 10);
|
|
if (av != bv)
|
|
return (av < bv ? -1 : +1);
|
|
if (*ae == '.')
|
|
ae++;
|
|
if (*be == '.')
|
|
be++;
|
|
av = strtoul(ae, &ae, 10);
|
|
bv = strtoul(be, &be, 10);
|
|
if (av != bv)
|
|
return (av < bv ? -1 : +1);
|
|
return 0;
|
|
}
|
|
|
|
static bool ssh_version_includes_v1(const char *ver)
|
|
{
|
|
return ssh_versioncmp(ver, "2.0") < 0;
|
|
}
|
|
|
|
static bool ssh_version_includes_v2(const char *ver)
|
|
{
|
|
return ssh_versioncmp(ver, "1.99") >= 0;
|
|
}
|
|
|
|
static void ssh_verstring_send(struct ssh_verstring_state *s)
|
|
{
|
|
BinaryPacketProtocol *bpp = &s->bpp; /* for bpp_logevent */
|
|
char *p;
|
|
int sv_pos;
|
|
|
|
/*
|
|
* Construct our outgoing version string.
|
|
*/
|
|
s->our_vstring = dupprintf(
|
|
"%.*s%s-%s%s",
|
|
(int)s->prefix_wanted.len, (const char *)s->prefix_wanted.ptr,
|
|
s->our_protoversion, s->impl_name, sshver);
|
|
sv_pos = s->prefix_wanted.len + strlen(s->our_protoversion) + 1;
|
|
|
|
/* Convert minus signs and spaces in the software version string
|
|
* into underscores. */
|
|
for (p = s->our_vstring + sv_pos; *p; p++) {
|
|
if (*p == '-' || *p == ' ')
|
|
*p = '_';
|
|
}
|
|
|
|
#ifdef FUZZING
|
|
/*
|
|
* Replace the first character of the string with an "I" if we're
|
|
* compiling this code for fuzzing - i.e. the protocol prefix
|
|
* becomes "ISH-" instead of "SSH-".
|
|
*
|
|
* This is irrelevant to any real client software (the only thing
|
|
* reading the output of PuTTY built for fuzzing is the fuzzer,
|
|
* which can adapt to whatever it sees anyway). But it's a safety
|
|
* precaution making it difficult to accidentally run such a
|
|
* version of PuTTY (which would be hugely insecure) against a
|
|
* live peer implementation.
|
|
*
|
|
* (So the replacement prefix "ISH" notionally stands for
|
|
* 'Insecure Shell', of course.)
|
|
*/
|
|
s->our_vstring[0] = 'I';
|
|
#endif
|
|
|
|
/*
|
|
* Now send that version string, plus trailing \r\n or just \n
|
|
* (the latter in SSH-1 mode).
|
|
*/
|
|
bufchain_add(s->bpp.out_raw, s->our_vstring, strlen(s->our_vstring));
|
|
if (ssh_version_includes_v2(s->our_protoversion))
|
|
bufchain_add(s->bpp.out_raw, "\015", 1);
|
|
bufchain_add(s->bpp.out_raw, "\012", 1);
|
|
|
|
bpp_logevent("We claim version: %s", s->our_vstring);
|
|
}
|
|
|
|
#define BPP_WAITFOR(minlen) do \
|
|
{ \
|
|
bool success; \
|
|
crMaybeWaitUntilV( \
|
|
(success = (bufchain_size(s->bpp.in_raw) >= (minlen))) || \
|
|
s->bpp.input_eof); \
|
|
if (!success) \
|
|
goto eof; \
|
|
} while (0)
|
|
|
|
void ssh_verstring_handle_input(BinaryPacketProtocol *bpp)
|
|
{
|
|
struct ssh_verstring_state *s =
|
|
container_of(bpp, struct ssh_verstring_state, bpp);
|
|
|
|
crBegin(s->crState);
|
|
|
|
/*
|
|
* If we're sending our version string up front before seeing the
|
|
* other side's, then do it now.
|
|
*/
|
|
if (s->send_early)
|
|
ssh_verstring_send(s);
|
|
|
|
/*
|
|
* Search for a line beginning with the protocol name prefix in
|
|
* the input.
|
|
*/
|
|
s->i = 0;
|
|
while (1) {
|
|
/*
|
|
* Every time round this loop, we're at the start of a new
|
|
* line, so look for the prefix.
|
|
*/
|
|
BPP_WAITFOR(s->prefix_wanted.len);
|
|
bufchain_fetch(s->bpp.in_raw, s->prefix, s->prefix_wanted.len);
|
|
if (!memcmp(s->prefix, s->prefix_wanted.ptr, s->prefix_wanted.len)) {
|
|
bufchain_consume(s->bpp.in_raw, s->prefix_wanted.len);
|
|
ssh_check_frozen(s->bpp.ssh);
|
|
break;
|
|
}
|
|
|
|
/*
|
|
* If we didn't find it, consume data until we see a newline.
|
|
*/
|
|
while (1) {
|
|
ptrlen data;
|
|
char *nl;
|
|
|
|
/* Wait to receive at least 1 byte, but then consume more
|
|
* than that if it's there. */
|
|
BPP_WAITFOR(1);
|
|
data = bufchain_prefix(s->bpp.in_raw);
|
|
if ((nl = memchr(data.ptr, '\012', data.len)) != NULL) {
|
|
bufchain_consume(s->bpp.in_raw, nl - (char *)data.ptr + 1);
|
|
ssh_check_frozen(s->bpp.ssh);
|
|
break;
|
|
} else {
|
|
bufchain_consume(s->bpp.in_raw, data.len);
|
|
ssh_check_frozen(s->bpp.ssh);
|
|
}
|
|
}
|
|
}
|
|
|
|
s->found_prefix = true;
|
|
|
|
/*
|
|
* Copy the greeting line so far into vstring.
|
|
*/
|
|
put_data(s->vstring, s->prefix_wanted.ptr, s->prefix_wanted.len);
|
|
|
|
/*
|
|
* Now read the rest of the greeting line.
|
|
*/
|
|
s->i = 0;
|
|
do {
|
|
ptrlen data;
|
|
char *nl;
|
|
|
|
BPP_WAITFOR(1);
|
|
data = bufchain_prefix(s->bpp.in_raw);
|
|
if ((nl = memchr(data.ptr, '\012', data.len)) != NULL) {
|
|
data.len = nl - (char *)data.ptr + 1;
|
|
}
|
|
|
|
put_datapl(s->vstring, data);
|
|
bufchain_consume(s->bpp.in_raw, data.len);
|
|
ssh_check_frozen(s->bpp.ssh);
|
|
|
|
} while (s->vstring->s[s->vstring->len-1] != '\012');
|
|
|
|
/*
|
|
* Trim \r and \n from the version string, and replace them with
|
|
* a NUL terminator.
|
|
*/
|
|
while (s->vstring->len > 0 &&
|
|
(s->vstring->s[s->vstring->len-1] == '\r' ||
|
|
s->vstring->s[s->vstring->len-1] == '\n'))
|
|
s->vstring->len--;
|
|
s->vstring->s[s->vstring->len] = '\0';
|
|
|
|
bpp_logevent("Remote version: %s", s->vstring->s);
|
|
|
|
/*
|
|
* Pick out the protocol version and software version. The former
|
|
* goes in a separately allocated string, so that s->vstring
|
|
* remains intact for later use in key exchange; the latter is the
|
|
* tail of s->vstring, so it doesn't need to be allocated.
|
|
*/
|
|
{
|
|
const char *pv_start = s->vstring->s + s->prefix_wanted.len;
|
|
int pv_len = strcspn(pv_start, "-");
|
|
s->protoversion = dupprintf("%.*s", pv_len, pv_start);
|
|
s->softwareversion = pv_start + pv_len;
|
|
if (*s->softwareversion) {
|
|
assert(*s->softwareversion == '-');
|
|
s->softwareversion++;
|
|
}
|
|
}
|
|
|
|
ssh_detect_bugs(s);
|
|
|
|
/*
|
|
* Figure out what actual SSH protocol version we're speaking.
|
|
*/
|
|
if (ssh_version_includes_v2(s->our_protoversion) &&
|
|
ssh_version_includes_v2(s->protoversion)) {
|
|
/*
|
|
* We're doing SSH-2.
|
|
*/
|
|
s->major_protoversion = 2;
|
|
} else if (ssh_version_includes_v1(s->our_protoversion) &&
|
|
ssh_version_includes_v1(s->protoversion)) {
|
|
/*
|
|
* We're doing SSH-1.
|
|
*/
|
|
s->major_protoversion = 1;
|
|
|
|
/*
|
|
* There are multiple minor versions of SSH-1, and the
|
|
* protocol does not specify that the minimum of client
|
|
* and server versions is used. So we must adjust our
|
|
* outgoing protocol version to be no higher than that of
|
|
* the other side.
|
|
*/
|
|
if (!s->send_early &&
|
|
ssh_versioncmp(s->our_protoversion, s->protoversion) > 0) {
|
|
sfree(s->our_protoversion);
|
|
s->our_protoversion = dupstr(s->protoversion);
|
|
}
|
|
} else {
|
|
/*
|
|
* Unable to agree on a major protocol version at all.
|
|
*/
|
|
if (!ssh_version_includes_v2(s->our_protoversion)) {
|
|
ssh_sw_abort(s->bpp.ssh,
|
|
"SSH protocol version 1 required by our "
|
|
"configuration but not provided by remote");
|
|
} else {
|
|
ssh_sw_abort(s->bpp.ssh,
|
|
"SSH protocol version 2 required by our "
|
|
"configuration but remote only provides "
|
|
"(old, insecure) SSH-1");
|
|
}
|
|
crStopV;
|
|
}
|
|
|
|
bpp_logevent("Using SSH protocol version %d", s->major_protoversion);
|
|
|
|
if (!s->send_early) {
|
|
/*
|
|
* If we didn't send our version string early, construct and
|
|
* send it now, because now we know what it is.
|
|
*/
|
|
ssh_verstring_send(s);
|
|
}
|
|
|
|
/*
|
|
* And we're done. Notify our receiver that we now know our
|
|
* protocol version. This will cause it to disconnect us from the
|
|
* input stream and ultimately free us, because our job is now
|
|
* done.
|
|
*/
|
|
s->receiver->got_ssh_version(s->receiver, s->major_protoversion);
|
|
return;
|
|
|
|
eof:
|
|
ssh_remote_error(s->bpp.ssh,
|
|
"Remote side unexpectedly closed network connection");
|
|
return; /* avoid touching s now it's been freed */
|
|
|
|
crFinishV;
|
|
}
|
|
|
|
static PktOut *ssh_verstring_new_pktout(int type)
|
|
{
|
|
unreachable("Should never try to send packets during SSH version "
|
|
"string exchange");
|
|
}
|
|
|
|
static void ssh_verstring_handle_output(BinaryPacketProtocol *bpp)
|
|
{
|
|
if (pq_peek(&bpp->out_pq)) {
|
|
unreachable("Should never try to send packets during SSH version "
|
|
"string exchange");
|
|
}
|
|
}
|
|
|
|
/*
|
|
* Examine the remote side's version string, and compare it against a
|
|
* list of known buggy implementations.
|
|
*/
|
|
static void ssh_detect_bugs(struct ssh_verstring_state *s)
|
|
{
|
|
BinaryPacketProtocol *bpp = &s->bpp; /* for bpp_logevent */
|
|
const char *imp = s->softwareversion;
|
|
|
|
s->remote_bugs = 0;
|
|
|
|
/*
|
|
* General notes on server version strings:
|
|
* - Not all servers reporting "Cisco-1.25" have all the bugs listed
|
|
* here -- in particular, we've heard of one that's perfectly happy
|
|
* with SSH1_MSG_IGNOREs -- but this string never seems to change,
|
|
* so we can't distinguish them.
|
|
*/
|
|
if (conf_get_int(s->conf, CONF_sshbug_ignore1) == FORCE_ON ||
|
|
(conf_get_int(s->conf, CONF_sshbug_ignore1) == AUTO &&
|
|
(!strcmp(imp, "1.2.18") || !strcmp(imp, "1.2.19") ||
|
|
!strcmp(imp, "1.2.20") || !strcmp(imp, "1.2.21") ||
|
|
!strcmp(imp, "1.2.22") || !strcmp(imp, "Cisco-1.25") ||
|
|
!strcmp(imp, "OSU_1.4alpha3") || !strcmp(imp, "OSU_1.5alpha4")))) {
|
|
/*
|
|
* These versions don't support SSH1_MSG_IGNORE, so we have
|
|
* to use a different defence against password length
|
|
* sniffing.
|
|
*/
|
|
s->remote_bugs |= BUG_CHOKES_ON_SSH1_IGNORE;
|
|
bpp_logevent("We believe remote version has SSH-1 ignore bug");
|
|
}
|
|
|
|
if (conf_get_int(s->conf, CONF_sshbug_plainpw1) == FORCE_ON ||
|
|
(conf_get_int(s->conf, CONF_sshbug_plainpw1) == AUTO &&
|
|
(!strcmp(imp, "Cisco-1.25") || !strcmp(imp, "OSU_1.4alpha3")))) {
|
|
/*
|
|
* These versions need a plain password sent; they can't
|
|
* handle having a null and a random length of data after
|
|
* the password.
|
|
*/
|
|
s->remote_bugs |= BUG_NEEDS_SSH1_PLAIN_PASSWORD;
|
|
bpp_logevent("We believe remote version needs a "
|
|
"plain SSH-1 password");
|
|
}
|
|
|
|
if (conf_get_int(s->conf, CONF_sshbug_rsa1) == FORCE_ON ||
|
|
(conf_get_int(s->conf, CONF_sshbug_rsa1) == AUTO &&
|
|
(!strcmp(imp, "Cisco-1.25")))) {
|
|
/*
|
|
* These versions apparently have no clue whatever about
|
|
* RSA authentication and will panic and die if they see
|
|
* an AUTH_RSA message.
|
|
*/
|
|
s->remote_bugs |= BUG_CHOKES_ON_RSA;
|
|
bpp_logevent("We believe remote version can't handle SSH-1 "
|
|
"RSA authentication");
|
|
}
|
|
|
|
if (conf_get_int(s->conf, CONF_sshbug_hmac2) == FORCE_ON ||
|
|
(conf_get_int(s->conf, CONF_sshbug_hmac2) == AUTO &&
|
|
!wc_match("* VShell", imp) &&
|
|
(wc_match("2.1.0*", imp) || wc_match("2.0.*", imp) ||
|
|
wc_match("2.2.0*", imp) || wc_match("2.3.0*", imp) ||
|
|
wc_match("2.1 *", imp)))) {
|
|
/*
|
|
* These versions have the HMAC bug.
|
|
*/
|
|
s->remote_bugs |= BUG_SSH2_HMAC;
|
|
bpp_logevent("We believe remote version has SSH-2 HMAC bug");
|
|
}
|
|
|
|
if (conf_get_int(s->conf, CONF_sshbug_derivekey2) == FORCE_ON ||
|
|
(conf_get_int(s->conf, CONF_sshbug_derivekey2) == AUTO &&
|
|
!wc_match("* VShell", imp) &&
|
|
(wc_match("2.0.0*", imp) || wc_match("2.0.10*", imp) ))) {
|
|
/*
|
|
* These versions have the key-derivation bug (failing to
|
|
* include the literal shared secret in the hashes that
|
|
* generate the keys).
|
|
*/
|
|
s->remote_bugs |= BUG_SSH2_DERIVEKEY;
|
|
bpp_logevent("We believe remote version has SSH-2 "
|
|
"key-derivation bug");
|
|
}
|
|
|
|
if (conf_get_int(s->conf, CONF_sshbug_rsapad2) == FORCE_ON ||
|
|
(conf_get_int(s->conf, CONF_sshbug_rsapad2) == AUTO &&
|
|
(wc_match("OpenSSH_2.[5-9]*", imp) ||
|
|
wc_match("OpenSSH_3.[0-2]*", imp) ||
|
|
wc_match("mod_sftp/0.[0-8]*", imp) ||
|
|
wc_match("mod_sftp/0.9.[0-8]", imp)))) {
|
|
/*
|
|
* These versions have the SSH-2 RSA padding bug.
|
|
*/
|
|
s->remote_bugs |= BUG_SSH2_RSA_PADDING;
|
|
bpp_logevent("We believe remote version has SSH-2 RSA padding bug");
|
|
}
|
|
|
|
if (conf_get_int(s->conf, CONF_sshbug_pksessid2) == FORCE_ON ||
|
|
(conf_get_int(s->conf, CONF_sshbug_pksessid2) == AUTO &&
|
|
wc_match("OpenSSH_2.[0-2]*", imp))) {
|
|
/*
|
|
* These versions have the SSH-2 session-ID bug in
|
|
* public-key authentication.
|
|
*/
|
|
s->remote_bugs |= BUG_SSH2_PK_SESSIONID;
|
|
bpp_logevent("We believe remote version has SSH-2 "
|
|
"public-key-session-ID bug");
|
|
}
|
|
|
|
if (conf_get_int(s->conf, CONF_sshbug_rekey2) == FORCE_ON ||
|
|
(conf_get_int(s->conf, CONF_sshbug_rekey2) == AUTO &&
|
|
(wc_match("DigiSSH_2.0", imp) ||
|
|
wc_match("OpenSSH_2.[0-4]*", imp) ||
|
|
wc_match("OpenSSH_2.5.[0-3]*", imp) ||
|
|
wc_match("Sun_SSH_1.0", imp) ||
|
|
wc_match("Sun_SSH_1.0.1", imp) ||
|
|
/* All versions <= 1.2.6 (they changed their format in 1.2.7) */
|
|
wc_match("WeOnlyDo-*", imp)))) {
|
|
/*
|
|
* These versions have the SSH-2 rekey bug.
|
|
*/
|
|
s->remote_bugs |= BUG_SSH2_REKEY;
|
|
bpp_logevent("We believe remote version has SSH-2 rekey bug");
|
|
}
|
|
|
|
if (conf_get_int(s->conf, CONF_sshbug_maxpkt2) == FORCE_ON ||
|
|
(conf_get_int(s->conf, CONF_sshbug_maxpkt2) == AUTO &&
|
|
(wc_match("1.36_sshlib GlobalSCAPE", imp) ||
|
|
wc_match("1.36 sshlib: GlobalScape", imp)))) {
|
|
/*
|
|
* This version ignores our makpkt and needs to be throttled.
|
|
*/
|
|
s->remote_bugs |= BUG_SSH2_MAXPKT;
|
|
bpp_logevent("We believe remote version ignores SSH-2 "
|
|
"maximum packet size");
|
|
}
|
|
|
|
if (conf_get_int(s->conf, CONF_sshbug_ignore2) == FORCE_ON) {
|
|
/*
|
|
* Servers that don't support SSH2_MSG_IGNORE. Currently,
|
|
* none detected automatically.
|
|
*/
|
|
s->remote_bugs |= BUG_CHOKES_ON_SSH2_IGNORE;
|
|
bpp_logevent("We believe remote version has SSH-2 ignore bug");
|
|
}
|
|
|
|
if (conf_get_int(s->conf, CONF_sshbug_oldgex2) == FORCE_ON ||
|
|
(conf_get_int(s->conf, CONF_sshbug_oldgex2) == AUTO &&
|
|
(wc_match("OpenSSH_2.[235]*", imp)))) {
|
|
/*
|
|
* These versions only support the original (pre-RFC4419)
|
|
* SSH-2 GEX request, and disconnect with a protocol error if
|
|
* we use the newer version.
|
|
*/
|
|
s->remote_bugs |= BUG_SSH2_OLDGEX;
|
|
bpp_logevent("We believe remote version has outdated SSH-2 GEX");
|
|
}
|
|
|
|
if (conf_get_int(s->conf, CONF_sshbug_winadj) == FORCE_ON) {
|
|
/*
|
|
* Servers that don't support our winadj request for one
|
|
* reason or another. Currently, none detected automatically.
|
|
*/
|
|
s->remote_bugs |= BUG_CHOKES_ON_WINADJ;
|
|
bpp_logevent("We believe remote version has winadj bug");
|
|
}
|
|
|
|
if (conf_get_int(s->conf, CONF_sshbug_chanreq) == FORCE_ON ||
|
|
(conf_get_int(s->conf, CONF_sshbug_chanreq) == AUTO &&
|
|
(wc_match("OpenSSH_[2-5].*", imp) ||
|
|
wc_match("OpenSSH_6.[0-6]*", imp) ||
|
|
wc_match("dropbear_0.[2-4][0-9]*", imp) ||
|
|
wc_match("dropbear_0.5[01]*", imp)))) {
|
|
/*
|
|
* These versions have the SSH-2 channel request bug.
|
|
* OpenSSH 6.7 and above do not:
|
|
* https://bugzilla.mindrot.org/show_bug.cgi?id=1818
|
|
* dropbear_0.52 and above do not:
|
|
* https://secure.ucc.asn.au/hg/dropbear/rev/cd02449b709c
|
|
*/
|
|
s->remote_bugs |= BUG_SENDS_LATE_REQUEST_REPLY;
|
|
bpp_logevent("We believe remote version has SSH-2 "
|
|
"channel request bug");
|
|
}
|
|
}
|
|
|
|
const char *ssh_verstring_get_remote(BinaryPacketProtocol *bpp)
|
|
{
|
|
struct ssh_verstring_state *s =
|
|
container_of(bpp, struct ssh_verstring_state, bpp);
|
|
return s->vstring->s;
|
|
}
|
|
|
|
const char *ssh_verstring_get_local(BinaryPacketProtocol *bpp)
|
|
{
|
|
struct ssh_verstring_state *s =
|
|
container_of(bpp, struct ssh_verstring_state, bpp);
|
|
return s->our_vstring;
|
|
}
|
|
|
|
int ssh_verstring_get_bugs(BinaryPacketProtocol *bpp)
|
|
{
|
|
struct ssh_verstring_state *s =
|
|
container_of(bpp, struct ssh_verstring_state, bpp);
|
|
return s->remote_bugs;
|
|
}
|
|
|
|
static void ssh_verstring_queue_disconnect(BinaryPacketProtocol *bpp,
|
|
const char *msg, int category)
|
|
{
|
|
/* No way to send disconnect messages at this stage of the protocol! */
|
|
}
|