diff --git a/phpseclib/Net/SSH2.php b/phpseclib/Net/SSH2.php index 24852f5f..a2377993 100644 --- a/phpseclib/Net/SSH2.php +++ b/phpseclib/Net/SSH2.php @@ -146,6 +146,10 @@ class SSH2 * Dumps the content real-time to a file */ const LOG_REALTIME_FILE = 4; + /** + * Dumps the message numbers real-time + */ + const LOG_REALTIME_SIMPLE = 5; /** * Make sure that the log never gets larger than this */ @@ -1104,6 +1108,46 @@ class SSH2 */ var $extra_packets; + /** + * Bytes Transferred Since Last Key Exchange + * + * Includes outbound and inbound totals + * + * @var int + * @access private + */ + var $bytesTransferredSinceLastKEX = 0; + + /** + * After how many transferred byte should phpseclib initiate a key re-exchange? + * + * @var int + * @access private + */ + var $doKeyReexchangeAfterXBytes = 1024 * 1024 * 1024; + + /** + * Has a key re-exchange been initialized? + * + * @var bool + * @access private + */ + var $keyExchangeInProgress = false; + + /** + * KEX Buffer + * + * If we're in the middle of a key exchange we want to buffer any additional packets we get until + * the key exchange is over + * + * @see self::_get_binary_packet() + * @see self::_key_exchange() + * @see self::exec() + * @var array + * @access private + */ + var $kex_buffer = array(); + /** * Default Constructor. * @@ -1478,8 +1522,13 @@ class SSH2 */ function _key_exchange($kexinit_payload_server = false) { + $this->bytesTransferredSinceLastKEX = 0; + $preferred = $this->preferred; - $send_kex = true; + // for the initial key exchange $send_kex is true (no key re-exchange has been started) + // for phpseclib initiated key exchanges $send_kex is false + $send_kex = !$this->keyExchangeInProgress; + $this->keyExchangeInProgress = true; $kex_algorithms = isset($preferred['kex']) ? $preferred['kex'] : @@ -1565,22 +1614,29 @@ class SSH2 0 ); - if ($kexinit_payload_server === false) { + if ($kexinit_payload_server === false && $send_kex) { if (!$this->_send_binary_packet($kexinit_payload_client)) { return false; } - $this->extra_packets = 0; - $kexinit_payload_server = $this->_get_binary_packet(); - if ($kexinit_payload_server === false) { - $this->bitmap = 0; - user_error('Connection closed by server'); - return false; - } + while (true) { + $kexinit_payload_server = $this->_get_binary_packet(); + if ($kexinit_payload_server === false) { + $this->bitmap = 0; + user_error('Connection closed by server'); + return false; + } + + if (strlen($kexinit_payload_server)) { + switch (ord($kexinit_payload_server[0])) { + case NET_SSH2_MSG_KEXINIT: + break 2; + case NET_SSH2_MSG_DISCONNECT: + return $this->_handleDisconnect($kexinit_payload_server); + } + } - if (!strlen($kexinit_payload_server) || ord($kexinit_payload_server[0]) != NET_SSH2_MSG_KEXINIT) { - user_error('Expected SSH_MSG_KEXINIT'); - return false; + $this->kex_buffer[] = $kexinit_payload_server; } $send_kex = false; @@ -1596,7 +1652,7 @@ class SSH2 $temp = unpack('Nlength', $this->_string_shift($response, 4)); $this->kex_algorithms = explode(',', $this->_string_shift($response, $temp['length'])); if (in_array('kex-strict-s-v00@openssh.com', $this->kex_algorithms)) { - if ($this->session_id === false && $this->extra_packets) { + if ($this->session_id === false && count($this->kex_buffer)) { user_error('Possible Terrapin Attack detected'); return $this->_disconnect(NET_SSH2_DISCONNECT_KEY_EXCHANGE_FAILED); } @@ -2007,6 +2063,8 @@ class SSH2 return false; } + $this->keyExchangeInProgress = false; + if (in_array('kex-strict-s-v00@openssh.com', $this->kex_algorithms)) { $this->get_seq_no = $this->send_seq_no = 0; } @@ -3588,6 +3646,10 @@ class SSH2 */ function _get_binary_packet($skip_channel_filter = false) { + if (!$this->keyExchangeInProgress && count($this->kex_buffer)) { + return $this->_filter(array_shift($this->kex_buffer), $skip_channel_filter); + } + if ($skip_channel_filter) { $read = array($this->fsock); $write = $except = null; @@ -3672,9 +3734,11 @@ class SSH2 $remaining_length = $packet_length + 4 - $this->decrypt_block_size; + $this->bytesTransferredSinceLastKEX+= $packet_length + $padding_length + 5; + // quoting , // "implementations SHOULD check that the packet length is reasonable" - // PuTTY uses 0x9000 as the actual max packet size and so to shall we + // PuTTY uses 0x9000 as the actual max packet size and so, too, shall we if ($remaining_length < -$this->decrypt_block_size || $remaining_length > 0x9000 || $remaining_length % $this->decrypt_block_size != 0) { if (!$this->bad_key_size_fix && $this->_bad_algorithm_candidate($this->decryptName) && !($this->bitmap & SSH2::MASK_LOGIN)) { $this->bad_key_size_fix = true; @@ -3764,7 +3828,34 @@ class SSH2 $this->last_packet = $current; } - return $this->_filter($payload, $skip_channel_filter); + if ($this->bytesTransferredSinceLastKEX > $this->doKeyReexchangeAfterXBytes) { + $this->_key_exchange(); + } + + // don't filter if we're in the middle of a key exchange (since _filter might send out packets) + return $this->keyExchangeInProgress ? $payload : $this->_filter($payload, $skip_channel_filter); + } + + /** + * Handle Disconnect + * + * Because some binary packets need to be ignored... + * + * @see self::_filter() + * @see self::_key_exchange + * @return boolean + * @access private + */ + function _handleDisconnect($payload) + { + $this->_string_shift($payload, 1); + if (strlen($payload) < 8) { + return false; + } + extract(unpack('Nreason_code/Nlength', $this->_string_shift($payload, 8))); + $this->errors[] = 'SSH_MSG_DISCONNECT: ' . $this->disconnect_reasons[$reason_code] . "\r\n" . $this->_string_shift($payload, $length); + $this->bitmap = 0; + return false; } /** @@ -3780,20 +3871,11 @@ class SSH2 { switch (ord($payload[0])) { case NET_SSH2_MSG_DISCONNECT: - $this->_string_shift($payload, 1); - if (strlen($payload) < 8) { - return false; - } - extract(unpack('Nreason_code/Nlength', $this->_string_shift($payload, 8))); - $this->errors[] = 'SSH_MSG_DISCONNECT: ' . $this->disconnect_reasons[$reason_code] . "\r\n" . $this->_string_shift($payload, $length); - $this->bitmap = 0; - return false; + return $this->_handleDisconnect($payload); case NET_SSH2_MSG_IGNORE: - $this->extra_packets++; $payload = $this->_get_binary_packet($skip_channel_filter); break; case NET_SSH2_MSG_DEBUG: - $this->extra_packets++; $this->_string_shift($payload, 2); if (strlen($payload) < 4) { return false; @@ -3805,7 +3887,7 @@ class SSH2 case NET_SSH2_MSG_UNIMPLEMENTED: return false; case NET_SSH2_MSG_KEXINIT: - // this is here for key re-exchanges after the initial key exchange + // this is here for server initiated key re-exchanges after the initial key exchange if ($this->session_id !== false) { $this->send_kex_first = false; if (!$this->_key_exchange($payload)) { @@ -4369,6 +4451,8 @@ class SSH2 $packet.= $hmac; + $this->bytesTransferredSinceLastKEX+= strlen($packet); + $start = microtime(true); $result = strlen($packet) == @fputs($this->fsock, $packet); $stop = microtime(true); @@ -4382,6 +4466,10 @@ class SSH2 $this->last_packet = $current; } + if ($this->bytesTransferredSinceLastKEX > $this->doKeyReexchangeAfterXBytes) { + $this->_key_exchange(); + } + return $result; } @@ -4459,6 +4547,10 @@ class SSH2 $this->realtime_log_wrap = true; } fputs($this->realtime_log_file, $entry); + break; + case NET_SSH2_LOG_REALTIME_SIMPLE: + echo $message_number; + echo PHP_SAPI == 'cli' ? "\r\n" : '
'; } }