-
Notifications
You must be signed in to change notification settings - Fork 11
/
ssh1censor.c
76 lines (69 loc) · 2.55 KB
/
ssh1censor.c
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
/*
* Packet-censoring code for SSH-1, used to identify sensitive fields
* like passwords so that the logging system can avoid writing them
* into log files.
*/
#include <assert.h>
#include "putty.h"
#include "ssh.h"
int ssh1_censor_packet(
const PacketLogSettings *pls, int type, int sender_is_client,
ptrlen pkt, logblank_t *blanks)
{
int nblanks = 0;
ptrlen str;
BinarySource src[1];
BinarySource_BARE_INIT(src, pkt.ptr, pkt.len);
if (pls->omit_data &&
(type == SSH1_SMSG_STDOUT_DATA ||
type == SSH1_SMSG_STDERR_DATA ||
type == SSH1_CMSG_STDIN_DATA ||
type == SSH1_MSG_CHANNEL_DATA)) {
/* "Session data" packets - omit the data string. */
if (type == SSH1_MSG_CHANNEL_DATA)
get_uint32(src); /* skip channel id */
str = get_string(src);
if (!get_err(src)) {
assert(nblanks < MAX_BLANKS);
blanks[nblanks].offset = src->pos - str.len;
blanks[nblanks].type = PKTLOG_OMIT;
blanks[nblanks].len = str.len;
nblanks++;
}
}
if (sender_is_client && pls->omit_passwords) {
if (type == SSH1_CMSG_AUTH_PASSWORD ||
type == SSH1_CMSG_AUTH_TIS_RESPONSE ||
type == SSH1_CMSG_AUTH_CCARD_RESPONSE) {
/* If this is a password or similar packet, blank the
* password(s). */
assert(nblanks < MAX_BLANKS);
blanks[nblanks].offset = 0;
blanks[nblanks].len = pkt.len;
blanks[nblanks].type = PKTLOG_BLANK;
nblanks++;
} else if (type == SSH1_CMSG_X11_REQUEST_FORWARDING) {
/*
* If this is an X forwarding request packet, blank the
* fake auth data.
*
* Note that while we blank the X authentication data
* here, we don't take any special action to blank the
* start of an X11 channel, so using MIT-MAGIC-COOKIE-1
* and actually opening an X connection without having
* session blanking enabled is likely to leak your cookie
* into the log.
*/
get_string(src); /* skip protocol name */
str = get_string(src);
if (!get_err(src)) {
assert(nblanks < MAX_BLANKS);
blanks[nblanks].offset = src->pos - str.len;
blanks[nblanks].type = PKTLOG_BLANK;
blanks[nblanks].len = str.len;
nblanks++;
}
}
}
return nblanks;
}