session.h
1/*
2 * This file is part of the SSH Library
3 *
4 * Copyright (c) 2009 by Aris Adamantiadis
5 *
6 * This library is free software; you can redistribute it and/or
7 * modify it under the terms of the GNU Lesser General Public
8 * License as published by the Free Software Foundation; either
9 * version 2.1 of the License, or (at your option) any later version.
10 *
11 * This library is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
14 * Lesser General Public License for more details.
15 *
16 * You should have received a copy of the GNU Lesser General Public
17 * License along with this library; if not, write to the Free Software
18 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
19 */
20
21#ifndef SESSION_H_
22#define SESSION_H_
23#include <stdbool.h>
24
25#include "libssh/priv.h"
26#include "libssh/callbacks.h"
27#include "libssh/kex.h"
28#include "libssh/packet.h"
29#include "libssh/pcap.h"
30#include "libssh/auth.h"
31#include "libssh/channels.h"
32#include "libssh/poll.h"
33#include "libssh/config.h"
34#include "libssh/misc.h"
35
/*
 * Lifecycle states of an SSH session, kept in ssh_session_struct.session_state.
 * The numeric values are spelled out because the session state machine and
 * the nonblocking code compare against them; they must not be renumbered.
 */
enum ssh_session_state_e {
    SSH_SESSION_STATE_NONE             = 0,
    SSH_SESSION_STATE_CONNECTING       = 1,
    SSH_SESSION_STATE_SOCKET_CONNECTED = 2,
    SSH_SESSION_STATE_BANNER_RECEIVED  = 3,
    SSH_SESSION_STATE_INITIAL_KEX      = 4,
    SSH_SESSION_STATE_KEXINIT_RECEIVED = 5,
    SSH_SESSION_STATE_DH               = 6,
    SSH_SESSION_STATE_AUTHENTICATING   = 7,
    SSH_SESSION_STATE_AUTHENTICATED    = 8,
    SSH_SESSION_STATE_ERROR            = 9,
    SSH_SESSION_STATE_DISCONNECTED     = 10
};
50
/*
 * Progress of the key-exchange handshake, kept in
 * ssh_session_struct.dh_handshake_state. Values are explicit so the
 * ordering the handshake code relies on is visible in the declaration.
 */
enum ssh_dh_state_e {
    DH_STATE_INIT         = 0,
    DH_STATE_GROUP_SENT   = 1,
    DH_STATE_REQUEST_SENT = 2,
    DH_STATE_INIT_SENT    = 3,
    DH_STATE_NEWKEYS_SENT = 4,
    DH_STATE_FINISHED     = 5
};
59
/*
 * Which blocking API call is currently in progress on a nonblocking session,
 * kept in ssh_session_struct.pending_call_state so a call that returned
 * early can be resumed. Values are explicit to make the numbering stable.
 */
enum ssh_pending_call_e {
    SSH_PENDING_CALL_NONE              = 0,
    SSH_PENDING_CALL_CONNECT           = 1,
    SSH_PENDING_CALL_AUTH_NONE         = 2,
    SSH_PENDING_CALL_AUTH_PASSWORD     = 3,
    SSH_PENDING_CALL_AUTH_OFFER_PUBKEY = 4,
    SSH_PENDING_CALL_AUTH_PUBKEY       = 5,
    SSH_PENDING_CALL_AUTH_AGENT        = 6,
    SSH_PENDING_CALL_AUTH_KBDINT_INIT  = 7,
    SSH_PENDING_CALL_AUTH_KBDINT_SEND  = 8,
    SSH_PENDING_CALL_AUTH_GSSAPI_MIC   = 9,
    SSH_PENDING_CALL_AUTH_GSSAPI_KEYEX = 10
};
73
/* Session flags, OR-ed into ssh_session_struct.flags. */

/* libssh calls may block an undefined amount of time */
#define SSH_SESSION_FLAG_BLOCKING 0x0001

/* Client successfully authenticated */
#define SSH_SESSION_FLAG_AUTHENTICATED 0x0002

/* Do not accept new session channels (no-more-sessions@openssh.com) */
#define SSH_SESSION_FLAG_NO_MORE_SESSIONS 0x0004

/* The KEXINIT message can be sent first by either of the parties so this flag
 * indicates that the message was already sent to make sure it is sent and avoid
 * sending it twice during key exchange to simplify the state machine. */
#define SSH_SESSION_FLAG_KEXINIT_SENT 0x0008

/* The current SSH2 session implements the "strict KEX" feature and should behave
 * differently on SSH2_MSG_NEWKEYS. */
#define SSH_SESSION_FLAG_KEX_STRICT 0x0010
/* Unexpected packets have been sent while the session was still unencrypted.
 * NOTE(review): presumably evaluated together with SSH_SESSION_FLAG_KEX_STRICT
 * when deciding whether the key exchange may complete; confirm in the kex and
 * packet code, which is not visible here. */
#define SSH_SESSION_FLAG_KEX_TAINTED 0x0020
/* The scp on server can not handle quoted paths. Skip the mitigation for
 * CVE-2019-14889 when using scp */
#define SSH_SESSION_FLAG_SCP_QUOTING_BROKEN 0x0040

/* codes to use with ssh_handle_packets*() as the timeout argument; the
 * negative values below are special codes rather than durations */
/* Infinite timeout */
#define SSH_TIMEOUT_INFINITE -1
/* Use the timeout defined by user if any. Mostly used with new connections */
#define SSH_TIMEOUT_USER -2
/* Use the default timeout, depending on ssh_is_blocking() */
#define SSH_TIMEOUT_DEFAULT -3
/* Don't block at all */
#define SSH_TIMEOUT_NONBLOCKING 0

/* options flags (bit flags; presumably kept in ssh_session_struct.opts.flags) */
/* Authentication with the respective method allowed */
#define SSH_OPT_FLAG_PASSWORD_AUTH 0x1
#define SSH_OPT_FLAG_PUBKEY_AUTH 0x2
#define SSH_OPT_FLAG_KBDINT_AUTH 0x4
#define SSH_OPT_FLAG_GSSAPI_AUTH 0x8

/* Escape expansion of different variables: one bit per option whose value
 * has been expanded (presumably tracked in ssh_session_struct.opts.exp_flags) */
#define SSH_OPT_EXP_FLAG_KNOWNHOSTS 0x1
#define SSH_OPT_EXP_FLAG_GLOBAL_KNOWNHOSTS 0x2
#define SSH_OPT_EXP_FLAG_PROXYCOMMAND 0x4
#define SSH_OPT_EXP_FLAG_IDENTITY 0x8
#define SSH_OPT_EXP_FLAG_CONTROL_PATH 0x10

/* extensions flags (see ssh_session_struct.extensions, negotiated per RFC 8308) */
/* negotiation enabled */
#define SSH_EXT_NEGOTIATION 0x01
/* server-sig-algs extension */
#define SSH_EXT_SIG_RSA_SHA256 0x02
#define SSH_EXT_SIG_RSA_SHA512 0x04
/* Host-bound public key authentication extension */
#define SSH_EXT_PUBLICKEY_HOSTBOUND 0x08
129
/* members that are common to ssh_session and ssh_bind; ssh_session_struct
 * embeds it as its first member (the ssh_bind layout is not in this file) */
struct ssh_common_struct {
    struct error_struct error;     /* last error recorded on this object */
    ssh_callbacks callbacks;       /* Callbacks to user functions */
    int log_verbosity;             /* verbosity of the log functions */
};
136
/*
 * Complete per-connection state of one SSH session, used for both the client
 * and the server side. Members are grouped by concern: transport and banner
 * exchange, the nonblocking state machines, key exchange and crypto contexts,
 * channels, per-session options (opts / server_opts) and counters. Allocation
 * and teardown live in the session implementation, not in this header.
 */
struct ssh_session_struct {
    struct ssh_common_struct common;    /* error state, user callbacks, log verbosity */
    struct ssh_socket_struct *socket;
    char *serverbanner;
    char *clientbanner;
    int protoversion;
    int server;                         /* presumably non-zero on the server side — confirm */
    int client;                         /* presumably non-zero on the client side — confirm */
    int openssh;
    uint32_t send_seq;                  /* packet sequence counters, one per direction (presumed) */
    uint32_t recv_seq;
    struct ssh_timestamp last_rekey_time;
    bool proxy_root;

    int connected;
    /* !=0 when the user got a session handle */
    int alive;
    /* two previous are deprecated */
    /* int auth_service_asked; */

    /* session flags (SSH_SESSION_FLAG_*) */
    int flags;

    /* Extensions negotiated using RFC 8308 (SSH_EXT_* bits) */
    uint32_t extensions;

    ssh_string banner;                  /* that's the issue banner from the server */
    char *peer_discon_msg;              /* disconnect message from the remote host */
    char *disconnect_message;           /* disconnect message to be set */
    ssh_buffer in_buffer;
    PACKET in_packet;
    ssh_buffer out_buffer;
    struct ssh_list *out_queue;         /* This list is used for delaying packets
                                           when rekeying is required */

    /* the states are used by the nonblocking stuff to remember */
    /* where it was before being interrupted */
    enum ssh_pending_call_e pending_call_state;
    enum ssh_session_state_e session_state;
    enum ssh_packet_state_e packet_state;
    enum ssh_dh_state_e dh_handshake_state;
    enum ssh_channel_request_state_e global_req_state;
    struct ssh_agent_state_struct *agent_state;

    /* userauth progress; supported_methods / current_method are bit sets
     * (presumably of the SSH_AUTH_METHOD_* values from auth.h — confirm) */
    struct {
        struct ssh_auth_auto_state_struct *auto_state;
        enum ssh_auth_service_state_e service_state;
        enum ssh_auth_state_e state;
        uint32_t supported_methods;
        uint32_t current_method;
    } auth;

    /* Sending this flag before key exchange to save one round trip during the
     * key exchange. This might make sense on high-latency connections.
     * So far internal only for testing. Usable only on the client side --
     * there is no key exchange method that would start with server message */
    bool send_first_kex_follows;
    /*
     * RFC 4253, 7.1: if the first_kex_packet_follows flag was set in
     * the received SSH_MSG_KEXINIT, but the guess was wrong, this
     * field will be set such that the following guessed packet will
     * be ignored on the receiving side. Once that packet has been received and
     * ignored, this field is cleared.
     * On the sending side, this is set after we got peer KEXINIT message and we
     * need to resend the initial message of the negotiated KEX algorithm.
     */
    bool first_kex_follows_guess_wrong;

    ssh_string gssapi_key_exchange_mic;

    /* NOTE(review): in_hashbuf/out_hashbuf look like the material hashed during
     * key exchange — confirm in kex.c before relying on that */
    ssh_buffer in_hashbuf;
    ssh_buffer out_hashbuf;
    struct ssh_crypto_struct *current_crypto;
    /* next_crypto is going to be used after a SSH2_MSG_NEWKEYS */
    struct ssh_crypto_struct *next_crypto;

    struct ssh_list *channels;          /* linked list of channels */
    uint32_t maxchannel;
    ssh_agent agent;                    /* ssh agent */

    /* keyboard interactive data */
    struct ssh_kbdint_struct *kbdint;
    struct ssh_gssapi_struct *gssapi;

    /* server host keys (used only when this end is the server, presumably
     * the private keys loaded from the server configuration — confirm) */
    struct {
        ssh_key rsa_key;
        ssh_key ecdsa_key;
        ssh_key ed25519_key;
        /* The type of host key wanted by client */
        enum ssh_keytypes_e hostkey;
        enum ssh_digest_e hostkey_digest;
    } srv;

    struct ssh_list *ssh_message_list;  /* list of delayed SSH messages */
    int (*ssh_message_callback)(struct ssh_session_struct *session,
                                ssh_message msg, void *userdata);
    void *ssh_message_callback_data;
    ssh_server_callbacks server_callbacks;
    void (*ssh_connection_callback)( struct ssh_session_struct *session);
    struct ssh_packet_callbacks_struct default_packet_callbacks;
    struct ssh_list *packet_callbacks;
    struct ssh_socket_callbacks_struct socket_callbacks;
    ssh_poll_ctx default_poll_ctx;
    /* options */
#ifdef WITH_PCAP
    ssh_pcap_context pcap_ctx;          /* pcap debugging context */
#endif
    /* per-session options; several string members are paths or commands
     * taken from the user or from ssh_config, so they are trusted input
     * from the caller, not from the peer */
    struct {
        struct ssh_list *identity;
        struct ssh_list *identity_non_exp;
        struct ssh_iterator *identity_it;
        struct ssh_list *certificate;
        struct ssh_list *certificate_non_exp;
        struct ssh_list *proxy_jumps;
        struct ssh_list *proxy_jumps_user_cb;
        char *proxy_jumps_str;
        char *username;
        char *host;
        char *bindaddr;                 /* bind the client to an ip addr */
        char *homedir;
        char *sshdir;
        char *knownhosts;
        char *global_knownhosts;
        char *wanted_methods[SSH_KEX_METHODS];
        char *pubkey_accepted_types;
        char *ProxyCommand;
        char *agent_socket;
        unsigned long timeout;          /* seconds */
        unsigned long timeout_usec;
        uint16_t port;
        socket_t fd;
        int StrictHostKeyChecking;      /* host key policy; presumably mirrors the
                                           ssh_config option of the same name — confirm */
        char compressionlevel;
        char *gss_server_identity;
        char *gss_client_identity;
        bool gssapi_key_exchange;
        char *gssapi_key_exchange_algs;
        int gss_delegate_creds;
        int flags;                      /* SSH_OPT_FLAG_* bits (presumed) */
        int exp_flags;                  /* SSH_OPT_EXP_FLAG_* bits (presumed) */
        int nodelay;
        bool config_processed;
        uint8_t options_seen[SOC_MAX];  /* NOTE(review): indexed by option code;
                                           SOC_MAX comes from an included header */
        uint64_t rekey_data;            /* rekey thresholds; units not stated here —
                                           presumably bytes and seconds, confirm */
        uint32_t rekey_time;
        int rsa_min_size;               /* NOTE(review): presumably the minimum RSA
                                           key size accepted, in bits — confirm */
        bool identities_only;
        int control_master;
        char *control_path;
        int address_family;
    } opts;

    /* server options */
    struct {
        char *custombanner;
        char *moduli_file;
    } server_opts;

    /* counters */
    ssh_counter socket_counter;
    ssh_counter raw_counter;

    /* PKI context structure containing various parameters to configure PKI
     * operations */
    struct ssh_pki_ctx_struct *pki_context;
};
305
/* Predicate polled by ssh_handle_packets_termination(); receives the caller's
 * user pointer. NOTE(review): the meaning of its int result (presumably
 * non-zero = stop waiting) is defined by the implementation, not here — confirm. */
typedef int (*ssh_termination_function)(void *user);

/* Read and dispatch pending packets on session. timeout is either one of the
 * SSH_TIMEOUT_* codes defined above or a caller-supplied duration; the return
 * value is an int status whose values are defined in the implementation. */
int ssh_handle_packets(ssh_session session, int timeout);

/* Same as ssh_handle_packets(), but keeps handling packets until fct(user)
 * signals termination or timeout (interpreted as above) elapses. */
int ssh_handle_packets_termination(ssh_session session,
                                   int timeout,
                                   ssh_termination_function fct,
                                   void *user);

/* Socket-layer exception callback: code identifies the exception, errno_code
 * carries the errno value at the time; user is the callback's opaque context
 * (presumably the ssh_session — confirm against where it is registered). */
void ssh_socket_exception_callback(int code, int errno_code, void *user);
318
319#endif /* SESSION_H_ */