===================================================================
RCS file: /cvsrepo/anoncvs/cvs/src/usr.bin/ssh/packet.c,v
retrieving revision 1.121.2.2
retrieving revision 1.122
diff -u -r1.121.2.2 -r1.122
--- src/usr.bin/ssh/packet.c 2006/11/08 00:17:14 1.121.2.2
+++ src/usr.bin/ssh/packet.c 2006/03/13 08:33:00 1.122
@@ -1,4 +1,3 @@
-/* $OpenBSD: packet.c,v 1.121.2.2 2006/11/08 00:17:14 brad Exp $ */
 /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland
@@ -37,36 +36,30 @@
 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */
-#include
+#include "includes.h"
+RCSID("$OpenBSD: packet.c,v 1.122 2006/03/13 08:33:00 dtucker Exp $");
+
 #include
-#include
-#include
-#include
 #include
-#include
 #include
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-
 #include "xmalloc.h" #include "buffer.h" #include "packet.h"
+#include "bufaux.h"
 #include "crc32.h"
+#include "getput.h"
+
 #include "compress.h" #include "deattack.h" #include "channels.h"
+
 #include "compat.h" #include "ssh1.h" #include "ssh2.h"
+
 #include "cipher.h"
-#include "key.h"
 #include "kex.h" #include "mac.h" #include "log.h"
@@ -268,7 +261,6 @@
 return (cipher_get_keyiv_len(cc)); }
-
 void packet_set_iv(int mode, u_char *dat) {
@@ -281,7 +273,6 @@
 cipher_set_keyiv(cc, dat); }
-
 int packet_get_ssh1_cipher(void) {
@@ -478,37 +469,31 @@
 buffer_append(&outgoing_packet, &ch, 1); }
-
 void packet_put_int(u_int value) { buffer_put_int(&outgoing_packet, value); }
-
 void packet_put_string(const void *buf, u_int len) { buffer_put_string(&outgoing_packet, buf, len); }
-
 void packet_put_cstring(const char *str) { buffer_put_cstring(&outgoing_packet, str); }
-
 void packet_put_raw(const void *buf, u_int len) { buffer_append(&outgoing_packet, buf, len); }
-
 void packet_put_bignum(BIGNUM * value) { buffer_put_bignum(&outgoing_packet, value); }
-
 void packet_put_bignum2(BIGNUM * value) {
@@ -562,7 +547,7 @@
 /* Add check bytes. */ checksum = ssh_crc32(buffer_ptr(&outgoing_packet), buffer_len(&outgoing_packet));
- put_u32(buf, checksum);
+ PUT_32BIT(buf, checksum);
 buffer_append(&outgoing_packet, buf, 4); #ifdef PACKET_DEBUG
@@ -571,7 +556,7 @@
 #endif /* Append to output. */
- put_u32(buf, len);
+ PUT_32BIT(buf, len);
 buffer_append(&output, buf, 4); cp = buffer_append_space(&output, buffer_len(&outgoing_packet)); cipher_crypt(&send_context, cp, buffer_ptr(&outgoing_packet),
@@ -667,7 +652,7 @@
 /* * Delayed compression for SSH2 is enabled after authentication:
- * This happens on the server side after a SSH2_MSG_USERAUTH_SUCCESS is sent,
+ * This happans on the server side after a SSH2_MSG_USERAUTH_SUCCESS is sent,
 * and on the client side after a SSH2_MSG_USERAUTH_SUCCESS is received. */ static void
@@ -682,9 +667,6 @@
 */ after_authentication = 1; for (mode = 0; mode < MODE_MAX; mode++) {
- /* protocol error: USERAUTH_SUCCESS received before NEWKEYS */
- if (newkeys[mode] == NULL)
- continue;
 comp = &newkeys[mode]->comp; if (comp && !comp->enabled && comp->type == COMP_DELAYED) { packet_init_compression();
@@ -777,7 +759,7 @@
 /* packet_length includes payload, padding and padding length field */ packet_length = buffer_len(&outgoing_packet) - 4; cp = buffer_ptr(&outgoing_packet);
- put_u32(cp, packet_length);
+ PUT_32BIT(cp, packet_length);
 cp[4] = padlen; DBG(debug("send: len %d (includes padlen %d)", packet_length+4, padlen));
@@ -794,7 +776,7 @@
 buffer_len(&outgoing_packet)); /* append unencrypted MAC */ if (mac && mac->enabled)
- buffer_append(&output, macbuf, mac->mac_len);
+ buffer_append(&output, (char *)macbuf, mac->mac_len);
 #ifdef PACKET_DEBUG fprintf(stderr, "encrypted: "); buffer_dump(&output);
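Review bot: The comment line on the new side of the `-667,7` hunk misspells a word, `This happans on the server side`; the spelling should stay `happens`. The comment documents a static function whose body lies outside this hunk.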
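Review bot: In the `-682,9` hunk the new side reaches `comp = &newkeys[mode]->comp;` without the `newkeys[mode] == NULL` guard, so `comp->enabled` is read through a pointer derived from NULL whenever a mode has no keys installed. The removed comment names that state as a peer protocol error (USERAUTH_SUCCESS before NEWKEYS), so it depends on network input rather than on an internal invariant and has to fail safely; the later `comp &&` test presumably does not cover it, because the address of a member is non-NULL. Keep `if (newkeys[mode] == NULL) continue;` ahead of the dereference. The file header dates the old side 2006/11/08 and the new side 2006/03/13, so this diff appears to run from a later branch revision back to an earlier one, which would explain the missing guard. The enclosing function starts and ends outside the hunk.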
@@ -884,7 +866,7 @@
 char buf[8192]; DBG(debug("packet_read()"));
- setp = (fd_set *)xcalloc(howmany(connection_in+1, NFDBITS),
+ setp = (fd_set *)xmalloc(howmany(connection_in+1, NFDBITS) *
 sizeof(fd_mask)); /* Since we are blocking, ensure that all written packets have been sent. */
@@ -975,7 +957,7 @@
 return SSH_MSG_NONE; /* Get length of incoming packet. */ cp = buffer_ptr(&input);
- len = get_u32(cp);
+ len = GET_32BIT(cp);
 if (len < 1 + 2 + 2 || len > 256 * 1024) packet_disconnect("Bad packet length %u.", len); padded_len = (len + 8) & ~7;
@@ -994,16 +976,9 @@
 * (C)1998 CORE-SDI, Buenos Aires Argentina * Ariel Futoransky(futo@core-sdi.com) */
- if (!receive_context.plaintext) {
- switch (detect_attack(buffer_ptr(&input), padded_len)) {
- case DEATTACK_DETECTED:
- packet_disconnect("crc32 compensation attack: "
- "network attack detected");
- case DEATTACK_DOS_DETECTED:
- packet_disconnect("deattack denial of "
- "service detected");
- }
- }
+ if (!receive_context.plaintext &&
+ detect_attack(buffer_ptr(&input), padded_len, NULL) == DEATTACK_DETECTED)
+ packet_disconnect("crc32 compensation attack: network attack detected");
 /* Decrypt data to incoming_packet. */ buffer_clear(&incoming_packet);
@@ -1030,7 +1005,7 @@
 len, buffer_len(&incoming_packet)); cp = (u_char *)buffer_ptr(&incoming_packet) + len - 4;
- stored_checksum = get_u32(cp);
+ stored_checksum = GET_32BIT(cp);
 if (checksum != stored_checksum) packet_disconnect("Corrupted check bytes on input."); buffer_consume_end(&incoming_packet, 4);
@@ -1079,7 +1054,7 @@
 cipher_crypt(&receive_context, cp, buffer_ptr(&input), block_size); cp = buffer_ptr(&incoming_packet);
- packet_length = get_u32(cp);
+ packet_length = GET_32BIT(cp);
 if (packet_length < 1 + 4 || packet_length > 256 * 1024) { #ifdef PACKET_DEBUG buffer_dump(&incoming_packet);
@@ -1210,6 +1185,7 @@
 break; default: return type;
+ break;
 } } else { type = packet_read_poll1();
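Review bot: The new side of the `-884,7` hunk sizes the fd_set with an open-coded product, `xmalloc(howmany(connection_in+1, NFDBITS) * sizeof(fd_mask))`, and the `-1433,7` hunk does the same for `connection_out`. Unlike the two-argument `xcalloc` call it replaces, this form gives the allocator no separate count and size to check. Assuming `xmalloc` follows `malloc` semantics, it also returns uninitialised memory, so the set has to be cleared before each use; that code is outside both hunks and should be confirmed. If `xcalloc` exists at this revision, `xcalloc(howmany(connection_in+1, NFDBITS), sizeof(fd_mask))` is the safer form.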
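Review bot: The new side of the `-994,16` hunk acts only on `DEATTACK_DETECTED`, so any other return value of `detect_attack()` falls through to decryption, whereas the old side also disconnected on `DEATTACK_DOS_DETECTED`. If the detector at this revision can report that condition (deattack.h is not visible here), the caller should still end the connection on it, for example by keeping the removed `packet_disconnect("deattack denial of service detected");` branch. The call also gains a third argument, `NULL`, which has to match the prototype in deattack.h. The enclosing function starts and ends outside the hunk.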
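Review bot: The `break;` added after `return type;` in the `default:` arm of the `-1210,6` hunk can never execute, and the `-1232,6` hunk adds the same statement after another `return type;`. Dead statements after a return draw unreachable-code warnings and make real fall-through mistakes in a switch harder to spot; drop both `break;` lines. The surrounding switch and loop start outside the hunks.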
@@ -1232,6 +1208,7 @@
 if (type) DBG(debug("received packet type %d", type)); return type;
+ break;
 } } }
@@ -1433,7 +1410,7 @@
 { fd_set *setp;
- setp = (fd_set *)xcalloc(howmany(connection_out + 1, NFDBITS),
+ setp = (fd_set *)xmalloc(howmany(connection_out + 1, NFDBITS) *
 sizeof(fd_mask)); packet_write_poll(); while (packet_have_data_to_write()) {
@@ -1559,7 +1536,7 @@
 for (i = 0; i < nbytes; i++) { if (i % 4 == 0) rnd = arc4random();
- packet_put_char((u_char)rnd & 0xff);
+ packet_put_char(rnd & 0xff);
 rnd >>= 8; } }