Annotation of src/usr.bin/ssh/packet.c, Revision 1.289
1.289 ! dtucker 1: /* $OpenBSD: packet.c,v 1.288 2020/01/23 10:24:29 dtucker Exp $ */
1.1 deraadt 2: /*
1.15 deraadt 3: * Author: Tatu Ylonen <ylo@cs.hut.fi>
4: * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
5: * All rights reserved
1.35 deraadt 6: * This file contains code implementing the packet protocol and communication
7: * with the other side. This same code is used both on client and server side.
1.29 markus 8: *
1.35 deraadt 9: * As far as I am concerned, the code I have written for this software
10: * can be used freely for any purpose. Any derived versions of this
11: * software must be clearly marked as such, and if the derived work is
12: * incompatible with the protocol description in the RFC file, it must be
13: * called by a name other than "ssh" or "Secure Shell".
1.29 markus 14: *
1.25 markus 15: *
16: * SSH2 packet format added by Markus Friedl.
1.69 markus 17: * Copyright (c) 2000, 2001 Markus Friedl. All rights reserved.
1.25 markus 18: *
1.35 deraadt 19: * Redistribution and use in source and binary forms, with or without
20: * modification, are permitted provided that the following conditions
21: * are met:
22: * 1. Redistributions of source code must retain the above copyright
23: * notice, this list of conditions and the following disclaimer.
24: * 2. Redistributions in binary form must reproduce the above copyright
25: * notice, this list of conditions and the following disclaimer in the
26: * documentation and/or other materials provided with the distribution.
27: *
28: * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
29: * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
30: * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
31: * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
32: * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
33: * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
34: * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
35: * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
36: * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
37: * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
1.15 deraadt 38: */
1.1 deraadt 39:
1.142 deraadt 40: #include <sys/types.h>
1.105 markus 41: #include <sys/queue.h>
1.132 stevesk 42: #include <sys/socket.h>
1.138 stevesk 43: #include <sys/time.h>
1.132 stevesk 44: #include <netinet/in.h>
1.121 stevesk 45: #include <netinet/ip.h>
1.134 stevesk 46:
1.135 stevesk 47: #include <errno.h>
1.230 djm 48: #include <netdb.h>
1.134 stevesk 49: #include <stdarg.h>
1.141 stevesk 50: #include <stdio.h>
1.140 stevesk 51: #include <stdlib.h>
1.137 stevesk 52: #include <string.h>
1.136 stevesk 53: #include <unistd.h>
1.203 deraadt 54: #include <limits.h>
1.278 djm 55: #include <poll.h>
1.142 deraadt 56: #include <signal.h>
1.184 dtucker 57: #include <time.h>
1.1 deraadt 58:
1.288 dtucker 59: #ifdef WITH_ZLIB
1.201 markus 60: #include <zlib.h>
1.288 dtucker 61: #endif
1.201 markus 62:
1.1 deraadt 63: #include "xmalloc.h"
1.25 markus 64: #include "compat.h"
65: #include "ssh2.h"
1.37 markus 66: #include "cipher.h"
1.201 markus 67: #include "sshkey.h"
1.25 markus 68: #include "kex.h"
1.200 markus 69: #include "digest.h"
1.50 markus 70: #include "mac.h"
1.46 markus 71: #include "log.h"
72: #include "canohost.h"
1.87 stevesk 73: #include "misc.h"
1.198 millert 74: #include "channels.h"
1.95 markus 75: #include "ssh.h"
1.201 markus 76: #include "packet.h"
1.197 djm 77: #include "ssherr.h"
1.201 markus 78: #include "sshbuf.h"
1.25 markus 79:
80: #ifdef PACKET_DEBUG
81: #define DBG(x) x
82: #else
83: #define DBG(x)
84: #endif
85:
1.159 markus 86: #define PACKET_MAX_SIZE (256 * 1024)
87:
1.161 andreas 88: struct packet_state {
89: u_int32_t seqnr;
90: u_int32_t packets;
91: u_int64_t blocks;
92: u_int64_t bytes;
93: };
94:
95: struct packet {
96: TAILQ_ENTRY(packet) next;
97: u_char type;
1.201 markus 98: struct sshbuf *payload;
1.161 andreas 99: };
100:
101: struct session_state {
102: /*
103: * This variable contains the file descriptors used for
104: * communicating with the other side. connection_in is used for
105: * reading; connection_out for writing. These can be the same
106: * descriptor, in which case it is assumed to be a socket.
107: */
108: int connection_in;
109: int connection_out;
110:
111: /* Protocol flags for the remote side. */
112: u_int remote_protocol_flags;
1.1 deraadt 113:
1.161 andreas 114: /* Encryption context for receiving data. Only used for decryption. */
1.235 djm 115: struct sshcipher_ctx *receive_context;
1.1 deraadt 116:
1.161 andreas 117: /* Encryption context for sending data. Only used for encryption. */
1.235 djm 118: struct sshcipher_ctx *send_context;
1.14 markus 119:
1.161 andreas 120: /* Buffer for raw input data from the socket. */
1.201 markus 121: struct sshbuf *input;
1.1 deraadt 122:
1.161 andreas 123: /* Buffer for raw output data going to the socket. */
1.201 markus 124: struct sshbuf *output;
1.1 deraadt 125:
1.161 andreas 126: /* Buffer for the partial outgoing packet being constructed. */
1.201 markus 127: struct sshbuf *outgoing_packet;
1.1 deraadt 128:
1.161 andreas 129: /* Buffer for the incoming packet currently being processed. */
1.201 markus 130: struct sshbuf *incoming_packet;
1.1 deraadt 131:
1.161 andreas 132: /* Scratch buffer for packet compression/decompression. */
1.201 markus 133: struct sshbuf *compression_buffer;
134:
1.288 dtucker 135: #ifdef WITH_ZLIB
1.201 markus 136: /* Incoming/outgoing compression dictionaries */
137: z_stream compression_in_stream;
138: z_stream compression_out_stream;
1.288 dtucker 139: #endif
1.201 markus 140: int compression_in_started;
141: int compression_out_started;
142: int compression_in_failures;
143: int compression_out_failures;
1.1 deraadt 144:
1.161 andreas 145: /* default maximum packet size */
146: u_int max_packet_size;
1.1 deraadt 147:
1.161 andreas 148: /* Flag indicating whether this module has been initialized. */
149: int initialized;
1.12 markus 150:
1.161 andreas 151: /* Set to true if the connection is interactive. */
152: int interactive_mode;
1.1 deraadt 153:
1.161 andreas 154: /* Set to true if we are the server side. */
155: int server_side;
1.1 deraadt 156:
1.161 andreas 157: /* Set to true if we are authenticated. */
158: int after_authentication;
1.118 markus 159:
1.161 andreas 160: int keep_alive_timeouts;
1.118 markus 161:
1.161 andreas 162: /* The maximum time that we will wait to send or receive a packet */
163: int packet_timeout_ms;
1.151 dtucker 164:
1.161 andreas 165: /* Session key information for Encryption and MAC */
1.201 markus 166: struct newkeys *newkeys[MODE_MAX];
1.161 andreas 167: struct packet_state p_read, p_send;
1.154 dtucker 168:
1.184 dtucker 169: /* Volume-based rekeying */
1.224 dtucker 170: u_int64_t max_blocks_in, max_blocks_out, rekey_limit;
1.105 markus 171:
1.184 dtucker 172: /* Time-based rekeying */
1.208 markus 173: u_int32_t rekey_interval; /* how often in seconds */
1.184 dtucker 174: time_t rekey_time; /* time of last rekeying */
175:
1.161 andreas 176: /* roundup current message to extra_pad bytes */
177: u_char extra_pad;
1.95 markus 178:
1.161 andreas 179: /* XXX discard incoming data after MAC error */
180: u_int packet_discard;
1.234 markus 181: size_t packet_discard_mac_already;
1.201 markus 182: struct sshmac *packet_discard_mac;
1.71 markus 183:
1.161 andreas 184: /* Used in packet_read_poll2() */
185: u_int packlen;
1.159 markus 186:
1.165 andreas 187: /* Used in packet_send2 */
188: int rekeying;
189:
1.242 markus 190: /* Used in ssh_packet_send_mux() */
191: int mux;
192:
1.165 andreas 193: /* Used in packet_set_interactive */
194: int set_interactive_called;
195:
196: /* Used in packet_set_maxsize */
197: int set_maxsize_called;
198:
1.201 markus 199: /* One-off warning about weak ciphers */
200: int cipher_warning_done;
201:
1.243 djm 202: /* Hook for fuzzing inbound packets */
203: ssh_packet_hook_fn *hook_in;
204: void *hook_in_ctx;
205:
1.161 andreas 206: TAILQ_HEAD(, packet) outgoing;
1.105 markus 207: };
1.161 andreas 208:
1.201 markus 209: struct ssh *
210: ssh_alloc_session_state(void)
1.161 andreas 211: {
1.201 markus 212: struct ssh *ssh = NULL;
213: struct session_state *state = NULL;
1.161 andreas 214:
1.201 markus 215: if ((ssh = calloc(1, sizeof(*ssh))) == NULL ||
216: (state = calloc(1, sizeof(*state))) == NULL ||
1.278 djm 217: (ssh->kex = kex_new()) == NULL ||
1.201 markus 218: (state->input = sshbuf_new()) == NULL ||
219: (state->output = sshbuf_new()) == NULL ||
220: (state->outgoing_packet = sshbuf_new()) == NULL ||
221: (state->incoming_packet = sshbuf_new()) == NULL)
222: goto fail;
223: TAILQ_INIT(&state->outgoing);
1.202 markus 224: TAILQ_INIT(&ssh->private_keys);
225: TAILQ_INIT(&ssh->public_keys);
1.201 markus 226: state->connection_in = -1;
227: state->connection_out = -1;
228: state->max_packet_size = 32768;
229: state->packet_timeout_ms = -1;
230: state->p_send.packets = state->p_read.packets = 0;
231: state->initialized = 1;
232: /*
233: * ssh_packet_send2() needs to queue packets until
234: * we've done the initial key exchange.
235: */
236: state->rekeying = 1;
237: ssh->state = state;
238: return ssh;
239: fail:
1.278 djm 240: if (ssh) {
241: kex_free(ssh->kex);
242: free(ssh);
243: }
1.201 markus 244: if (state) {
245: sshbuf_free(state->input);
246: sshbuf_free(state->output);
247: sshbuf_free(state->incoming_packet);
248: sshbuf_free(state->outgoing_packet);
249: free(state);
250: }
251: return NULL;
1.161 andreas 252: }
1.105 markus 253:
1.243 djm 254: void
255: ssh_packet_set_input_hook(struct ssh *ssh, ssh_packet_hook_fn *hook, void *ctx)
256: {
257: ssh->state->hook_in = hook;
258: ssh->state->hook_in_ctx = ctx;
259: }
260:
1.228 djm 261: /* Returns nonzero if rekeying is in progress */
262: int
263: ssh_packet_is_rekeying(struct ssh *ssh)
264: {
1.278 djm 265: return ssh->state->rekeying || ssh->kex->done == 0;
1.228 djm 266: }
267:
1.16 markus 268: /*
1.253 naddy 269: * Sets the descriptors used for communication.
1.16 markus 270: */
1.201 markus 271: struct ssh *
272: ssh_packet_set_connection(struct ssh *ssh, int fd_in, int fd_out)
1.1 deraadt 273: {
1.201 markus 274: struct session_state *state;
275: const struct sshcipher *none = cipher_by_name("none");
1.197 djm 276: int r;
1.97 deraadt 277:
1.205 djm 278: if (none == NULL) {
279: error("%s: cannot load cipher 'none'", __func__);
280: return NULL;
281: }
1.201 markus 282: if (ssh == NULL)
283: ssh = ssh_alloc_session_state();
1.205 djm 284: if (ssh == NULL) {
1.285 dtucker 285: error("%s: could not allocate state", __func__);
1.205 djm 286: return NULL;
287: }
1.201 markus 288: state = ssh->state;
289: state->connection_in = fd_in;
290: state->connection_out = fd_out;
291: if ((r = cipher_init(&state->send_context, none,
1.197 djm 292: (const u_char *)"", 0, NULL, 0, CIPHER_ENCRYPT)) != 0 ||
1.201 markus 293: (r = cipher_init(&state->receive_context, none,
1.205 djm 294: (const u_char *)"", 0, NULL, 0, CIPHER_DECRYPT)) != 0) {
295: error("%s: cipher_init failed: %s", __func__, ssh_err(r));
1.230 djm 296: free(ssh); /* XXX need ssh_free_session_state? */
1.205 djm 297: return NULL;
298: }
1.201 markus 299: state->newkeys[MODE_IN] = state->newkeys[MODE_OUT] = NULL;
1.207 djm 300: /*
301: * Cache the IP address of the remote connection for use in error
302: * messages that might be generated after the connection has closed.
303: */
304: (void)ssh_remote_ipaddr(ssh);
1.201 markus 305: return ssh;
1.1 deraadt 306: }
307:
1.154 dtucker 308: void
1.201 markus 309: ssh_packet_set_timeout(struct ssh *ssh, int timeout, int count)
1.154 dtucker 310: {
1.201 markus 311: struct session_state *state = ssh->state;
312:
1.174 djm 313: if (timeout <= 0 || count <= 0) {
1.201 markus 314: state->packet_timeout_ms = -1;
1.154 dtucker 315: return;
316: }
317: if ((INT_MAX / 1000) / count < timeout)
1.201 markus 318: state->packet_timeout_ms = INT_MAX;
1.154 dtucker 319: else
1.201 markus 320: state->packet_timeout_ms = timeout * count * 1000;
1.154 dtucker 321: }
322:
1.242 markus 323: void
324: ssh_packet_set_mux(struct ssh *ssh)
325: {
326: ssh->state->mux = 1;
327: ssh->state->rekeying = 0;
328: }
329:
330: int
331: ssh_packet_get_mux(struct ssh *ssh)
332: {
333: return ssh->state->mux;
334: }
335:
1.201 markus 336: int
1.245 djm 337: ssh_packet_set_log_preamble(struct ssh *ssh, const char *fmt, ...)
338: {
339: va_list args;
340: int r;
341:
342: free(ssh->log_preamble);
343: if (fmt == NULL)
344: ssh->log_preamble = NULL;
345: else {
346: va_start(args, fmt);
347: r = vasprintf(&ssh->log_preamble, fmt, args);
348: va_end(args);
349: if (r < 0 || ssh->log_preamble == NULL)
350: return SSH_ERR_ALLOC_FAIL;
351: }
352: return 0;
353: }
354:
355: int
1.201 markus 356: ssh_packet_stop_discard(struct ssh *ssh)
1.159 markus 357: {
1.201 markus 358: struct session_state *state = ssh->state;
359: int r;
360:
361: if (state->packet_discard_mac) {
1.159 markus 362: char buf[1024];
1.234 markus 363: size_t dlen = PACKET_MAX_SIZE;
1.201 markus 364:
1.234 markus 365: if (dlen > state->packet_discard_mac_already)
366: dlen -= state->packet_discard_mac_already;
1.159 markus 367: memset(buf, 'a', sizeof(buf));
1.234 markus 368: while (sshbuf_len(state->incoming_packet) < dlen)
1.201 markus 369: if ((r = sshbuf_put(state->incoming_packet, buf,
370: sizeof(buf))) != 0)
371: return r;
372: (void) mac_compute(state->packet_discard_mac,
373: state->p_read.seqnr,
1.234 markus 374: sshbuf_ptr(state->incoming_packet), dlen,
1.201 markus 375: NULL, 0);
1.159 markus 376: }
1.220 djm 377: logit("Finished discarding for %.200s port %d",
378: ssh_remote_ipaddr(ssh), ssh_remote_port(ssh));
1.201 markus 379: return SSH_ERR_MAC_INVALID;
1.159 markus 380: }
381:
1.201 markus 382: static int
383: ssh_packet_start_discard(struct ssh *ssh, struct sshenc *enc,
1.234 markus 384: struct sshmac *mac, size_t mac_already, u_int discard)
1.159 markus 385: {
1.201 markus 386: struct session_state *state = ssh->state;
387: int r;
388:
389: if (enc == NULL || !cipher_is_cbc(enc->cipher) || (mac && mac->etm)) {
390: if ((r = sshpkt_disconnect(ssh, "Packet corrupt")) != 0)
391: return r;
392: return SSH_ERR_MAC_INVALID;
393: }
1.234 markus 394: /*
395: * Record number of bytes over which the mac has already
396: * been computed in order to minimize timing attacks.
397: */
398: if (mac && mac->enabled) {
1.201 markus 399: state->packet_discard_mac = mac;
1.234 markus 400: state->packet_discard_mac_already = mac_already;
401: }
402: if (sshbuf_len(state->input) >= discard)
403: return ssh_packet_stop_discard(ssh);
1.201 markus 404: state->packet_discard = discard - sshbuf_len(state->input);
405: return 0;
1.159 markus 406: }
407:
1.19 markus 408: /* Returns 1 if remote host is connected via socket, 0 if not. */
409:
410: int
1.201 markus 411: ssh_packet_connection_is_on_socket(struct ssh *ssh)
1.19 markus 412: {
1.271 djm 413: struct session_state *state;
1.19 markus 414: struct sockaddr_storage from, to;
415: socklen_t fromlen, tolen;
416:
1.271 djm 417: if (ssh == NULL || ssh->state == NULL)
418: return 0;
419:
420: state = ssh->state;
1.230 djm 421: if (state->connection_in == -1 || state->connection_out == -1)
422: return 0;
1.19 markus 423: /* filedescriptors in and out are the same, so it's a socket */
1.201 markus 424: if (state->connection_in == state->connection_out)
1.19 markus 425: return 1;
426: fromlen = sizeof(from);
427: memset(&from, 0, sizeof(from));
1.201 markus 428: if (getpeername(state->connection_in, (struct sockaddr *)&from,
1.286 deraadt 429: &fromlen) == -1)
1.19 markus 430: return 0;
431: tolen = sizeof(to);
432: memset(&to, 0, sizeof(to));
1.201 markus 433: if (getpeername(state->connection_out, (struct sockaddr *)&to,
1.286 deraadt 434: &tolen) == -1)
1.19 markus 435: return 0;
436: if (fromlen != tolen || memcmp(&from, &to, fromlen) != 0)
437: return 0;
438: if (from.ss_family != AF_INET && from.ss_family != AF_INET6)
439: return 0;
440: return 1;
441: }
442:
1.91 markus 443: void
1.201 markus 444: ssh_packet_get_bytes(struct ssh *ssh, u_int64_t *ibytes, u_int64_t *obytes)
1.91 markus 445: {
1.201 markus 446: if (ibytes)
447: *ibytes = ssh->state->p_read.bytes;
448: if (obytes)
449: *obytes = ssh->state->p_send.bytes;
1.91 markus 450: }
1.125 deraadt 451:
1.91 markus 452: int
1.201 markus 453: ssh_packet_connection_af(struct ssh *ssh)
1.19 markus 454: {
455: struct sockaddr_storage to;
1.21 deraadt 456: socklen_t tolen = sizeof(to);
1.19 markus 457:
458: memset(&to, 0, sizeof(to));
1.201 markus 459: if (getsockname(ssh->state->connection_out, (struct sockaddr *)&to,
1.286 deraadt 460: &tolen) == -1)
1.19 markus 461: return 0;
1.173 djm 462: return to.ss_family;
1.19 markus 463: }
464:
1.1 deraadt 465: /* Sets the connection into non-blocking mode. */
466:
1.2 provos 467: void
1.201 markus 468: ssh_packet_set_nonblocking(struct ssh *ssh)
1.1 deraadt 469: {
1.14 markus 470: /* Set the socket into non-blocking mode. */
1.201 markus 471: set_nonblock(ssh->state->connection_in);
1.14 markus 472:
1.201 markus 473: if (ssh->state->connection_out != ssh->state->connection_in)
474: set_nonblock(ssh->state->connection_out);
1.1 deraadt 475: }
476:
477: /* Returns the socket used for reading. */
478:
1.2 provos 479: int
1.201 markus 480: ssh_packet_get_connection_in(struct ssh *ssh)
1.1 deraadt 481: {
1.201 markus 482: return ssh->state->connection_in;
1.1 deraadt 483: }
484:
485: /* Returns the descriptor used for writing. */
486:
1.2 provos 487: int
1.201 markus 488: ssh_packet_get_connection_out(struct ssh *ssh)
1.1 deraadt 489: {
1.201 markus 490: return ssh->state->connection_out;
491: }
492:
493: /*
494: * Returns the IP-address of the remote host as a string. The returned
495: * string must not be freed.
496: */
497:
498: const char *
499: ssh_remote_ipaddr(struct ssh *ssh)
500: {
1.271 djm 501: int sock;
1.220 djm 502:
1.201 markus 503: /* Check whether we have cached the ipaddr. */
1.220 djm 504: if (ssh->remote_ipaddr == NULL) {
505: if (ssh_packet_connection_is_on_socket(ssh)) {
1.271 djm 506: sock = ssh->state->connection_in;
1.220 djm 507: ssh->remote_ipaddr = get_peer_ipaddr(sock);
1.230 djm 508: ssh->remote_port = get_peer_port(sock);
509: ssh->local_ipaddr = get_local_ipaddr(sock);
510: ssh->local_port = get_local_port(sock);
1.220 djm 511: } else {
1.287 tobhe 512: ssh->remote_ipaddr = xstrdup("UNKNOWN");
1.230 djm 513: ssh->remote_port = 65535;
1.287 tobhe 514: ssh->local_ipaddr = xstrdup("UNKNOWN");
1.230 djm 515: ssh->local_port = 65535;
1.220 djm 516: }
517: }
1.201 markus 518: return ssh->remote_ipaddr;
1.1 deraadt 519: }
520:
1.220 djm 521: /* Returns the port number of the remote host. */
522:
523: int
524: ssh_remote_port(struct ssh *ssh)
525: {
526: (void)ssh_remote_ipaddr(ssh); /* Will lookup and cache. */
527: return ssh->remote_port;
1.230 djm 528: }
529:
530: /*
531: * Returns the IP-address of the local host as a string. The returned
532: * string must not be freed.
533: */
534:
535: const char *
536: ssh_local_ipaddr(struct ssh *ssh)
537: {
538: (void)ssh_remote_ipaddr(ssh); /* Will lookup and cache. */
539: return ssh->local_ipaddr;
540: }
541:
542: /* Returns the port number of the local host. */
543:
544: int
545: ssh_local_port(struct ssh *ssh)
546: {
547: (void)ssh_remote_ipaddr(ssh); /* Will lookup and cache. */
548: return ssh->local_port;
1.266 djm 549: }
550:
551: /* Returns the routing domain of the input socket, or NULL if unavailable */
552: const char *
553: ssh_packet_rdomain_in(struct ssh *ssh)
554: {
555: if (ssh->rdomain_in != NULL)
556: return ssh->rdomain_in;
557: if (!ssh_packet_connection_is_on_socket(ssh))
558: return NULL;
559: ssh->rdomain_in = get_rdomain(ssh->state->connection_in);
560: return ssh->rdomain_in;
1.220 djm 561: }
562:
1.1 deraadt 563: /* Closes the connection and clears and frees internal data structures. */
564:
1.257 markus 565: static void
566: ssh_packet_close_internal(struct ssh *ssh, int do_close)
1.1 deraadt 567: {
1.201 markus 568: struct session_state *state = ssh->state;
569: u_int mode;
570:
571: if (!state->initialized)
1.14 markus 572: return;
1.201 markus 573: state->initialized = 0;
1.257 markus 574: if (do_close) {
575: if (state->connection_in == state->connection_out) {
576: close(state->connection_out);
577: } else {
578: close(state->connection_in);
579: close(state->connection_out);
580: }
1.14 markus 581: }
1.201 markus 582: sshbuf_free(state->input);
583: sshbuf_free(state->output);
584: sshbuf_free(state->outgoing_packet);
585: sshbuf_free(state->incoming_packet);
1.257 markus 586: for (mode = 0; mode < MODE_MAX; mode++) {
587: kex_free_newkeys(state->newkeys[mode]); /* current keys */
588: state->newkeys[mode] = NULL;
589: ssh_clear_newkeys(ssh, mode); /* next keys */
590: }
1.288 dtucker 591: #ifdef WITH_ZLIB
1.289 ! dtucker 592: /* compression state is in shared mem, so we can only release it once */
1.257 markus 593: if (do_close && state->compression_buffer) {
1.201 markus 594: sshbuf_free(state->compression_buffer);
595: if (state->compression_out_started) {
596: z_streamp stream = &state->compression_out_stream;
597: debug("compress outgoing: "
598: "raw data %llu, compressed %llu, factor %.2f",
599: (unsigned long long)stream->total_in,
600: (unsigned long long)stream->total_out,
601: stream->total_in == 0 ? 0.0 :
602: (double) stream->total_out / stream->total_in);
603: if (state->compression_out_failures == 0)
604: deflateEnd(stream);
605: }
606: if (state->compression_in_started) {
1.260 dtucker 607: z_streamp stream = &state->compression_in_stream;
1.201 markus 608: debug("compress incoming: "
609: "raw data %llu, compressed %llu, factor %.2f",
610: (unsigned long long)stream->total_out,
611: (unsigned long long)stream->total_in,
612: stream->total_out == 0 ? 0.0 :
613: (double) stream->total_in / stream->total_out);
614: if (state->compression_in_failures == 0)
615: inflateEnd(stream);
616: }
1.14 markus 617: }
1.288 dtucker 618: #endif /* WITH_ZLIB */
1.235 djm 619: cipher_free(state->send_context);
620: cipher_free(state->receive_context);
621: state->send_context = state->receive_context = NULL;
1.257 markus 622: if (do_close) {
1.277 djm 623: free(ssh->local_ipaddr);
624: ssh->local_ipaddr = NULL;
1.257 markus 625: free(ssh->remote_ipaddr);
626: ssh->remote_ipaddr = NULL;
627: free(ssh->state);
628: ssh->state = NULL;
629: }
630: }
631:
632: void
633: ssh_packet_close(struct ssh *ssh)
634: {
635: ssh_packet_close_internal(ssh, 1);
636: }
637:
638: void
639: ssh_packet_clear_keys(struct ssh *ssh)
640: {
641: ssh_packet_close_internal(ssh, 0);
1.1 deraadt 642: }
643:
644: /* Sets remote side protocol flags. */
645:
1.2 provos 646: void
1.201 markus 647: ssh_packet_set_protocol_flags(struct ssh *ssh, u_int protocol_flags)
1.1 deraadt 648: {
1.201 markus 649: ssh->state->remote_protocol_flags = protocol_flags;
1.1 deraadt 650: }
651:
652: /* Returns the remote protocol flags set earlier by the above function. */
653:
1.40 markus 654: u_int
1.201 markus 655: ssh_packet_get_protocol_flags(struct ssh *ssh)
1.1 deraadt 656: {
1.201 markus 657: return ssh->state->remote_protocol_flags;
1.1 deraadt 658: }
659:
1.16 markus 660: /*
661: * Starts packet compression from the next packet on in both directions.
662: * Level is compression level 1 (fastest) - 9 (slow, best) as in gzip.
663: */
1.1 deraadt 664:
1.201 markus 665: static int
666: ssh_packet_init_compression(struct ssh *ssh)
1.60 markus 667: {
1.201 markus 668: if (!ssh->state->compression_buffer &&
669: ((ssh->state->compression_buffer = sshbuf_new()) == NULL))
670: return SSH_ERR_ALLOC_FAIL;
671: return 0;
1.60 markus 672: }
673:
1.288 dtucker 674: #ifdef WITH_ZLIB
1.201 markus 675: static int
676: start_compression_out(struct ssh *ssh, int level)
1.1 deraadt 677: {
1.201 markus 678: if (level < 1 || level > 9)
679: return SSH_ERR_INVALID_ARGUMENT;
680: debug("Enabling compression at level %d.", level);
681: if (ssh->state->compression_out_started == 1)
682: deflateEnd(&ssh->state->compression_out_stream);
683: switch (deflateInit(&ssh->state->compression_out_stream, level)) {
684: case Z_OK:
685: ssh->state->compression_out_started = 1;
686: break;
687: case Z_MEM_ERROR:
688: return SSH_ERR_ALLOC_FAIL;
689: default:
690: return SSH_ERR_INTERNAL_ERROR;
691: }
692: return 0;
1.1 deraadt 693: }
694:
1.201 markus 695: static int
696: start_compression_in(struct ssh *ssh)
697: {
698: if (ssh->state->compression_in_started == 1)
699: inflateEnd(&ssh->state->compression_in_stream);
700: switch (inflateInit(&ssh->state->compression_in_stream)) {
701: case Z_OK:
702: ssh->state->compression_in_started = 1;
703: break;
704: case Z_MEM_ERROR:
705: return SSH_ERR_ALLOC_FAIL;
706: default:
707: return SSH_ERR_INTERNAL_ERROR;
708: }
709: return 0;
1.95 markus 710: }
711:
1.201 markus 712: /* XXX remove need for separate compression buffer */
713: static int
714: compress_buffer(struct ssh *ssh, struct sshbuf *in, struct sshbuf *out)
1.95 markus 715: {
1.201 markus 716: u_char buf[4096];
717: int r, status;
718:
719: if (ssh->state->compression_out_started != 1)
720: return SSH_ERR_INTERNAL_ERROR;
721:
722: /* This case is not handled below. */
723: if (sshbuf_len(in) == 0)
724: return 0;
725:
726: /* Input is the contents of the input buffer. */
727: if ((ssh->state->compression_out_stream.next_in =
728: sshbuf_mutable_ptr(in)) == NULL)
729: return SSH_ERR_INTERNAL_ERROR;
730: ssh->state->compression_out_stream.avail_in = sshbuf_len(in);
731:
732: /* Loop compressing until deflate() returns with avail_out != 0. */
733: do {
734: /* Set up fixed-size output buffer. */
735: ssh->state->compression_out_stream.next_out = buf;
736: ssh->state->compression_out_stream.avail_out = sizeof(buf);
737:
738: /* Compress as much data into the buffer as possible. */
739: status = deflate(&ssh->state->compression_out_stream,
740: Z_PARTIAL_FLUSH);
741: switch (status) {
742: case Z_MEM_ERROR:
743: return SSH_ERR_ALLOC_FAIL;
744: case Z_OK:
745: /* Append compressed data to output_buffer. */
746: if ((r = sshbuf_put(out, buf, sizeof(buf) -
747: ssh->state->compression_out_stream.avail_out)) != 0)
748: return r;
749: break;
750: case Z_STREAM_ERROR:
751: default:
752: ssh->state->compression_out_failures++;
753: return SSH_ERR_INVALID_FORMAT;
754: }
755: } while (ssh->state->compression_out_stream.avail_out == 0);
756: return 0;
1.1 deraadt 757: }
758:
1.201 markus 759: static int
760: uncompress_buffer(struct ssh *ssh, struct sshbuf *in, struct sshbuf *out)
1.1 deraadt 761: {
1.201 markus 762: u_char buf[4096];
763: int r, status;
1.1 deraadt 764:
1.201 markus 765: if (ssh->state->compression_in_started != 1)
766: return SSH_ERR_INTERNAL_ERROR;
1.25 markus 767:
1.201 markus 768: if ((ssh->state->compression_in_stream.next_in =
769: sshbuf_mutable_ptr(in)) == NULL)
770: return SSH_ERR_INTERNAL_ERROR;
771: ssh->state->compression_in_stream.avail_in = sshbuf_len(in);
1.97 deraadt 772:
1.201 markus 773: for (;;) {
774: /* Set up fixed-size output buffer. */
775: ssh->state->compression_in_stream.next_out = buf;
776: ssh->state->compression_in_stream.avail_out = sizeof(buf);
777:
778: status = inflate(&ssh->state->compression_in_stream,
779: Z_PARTIAL_FLUSH);
780: switch (status) {
781: case Z_OK:
782: if ((r = sshbuf_put(out, buf, sizeof(buf) -
783: ssh->state->compression_in_stream.avail_out)) != 0)
784: return r;
785: break;
786: case Z_BUF_ERROR:
787: /*
788: * Comments in zlib.h say that we should keep calling
789: * inflate() until we get an error. This appears to
790: * be the error that we get.
791: */
792: return 0;
793: case Z_DATA_ERROR:
794: return SSH_ERR_INVALID_FORMAT;
795: case Z_MEM_ERROR:
796: return SSH_ERR_ALLOC_FAIL;
797: case Z_STREAM_ERROR:
798: default:
799: ssh->state->compression_in_failures++;
800: return SSH_ERR_INTERNAL_ERROR;
801: }
802: }
803: /* NOTREACHED */
1.170 djm 804: }
1.288 dtucker 805:
806: #else /* WITH_ZLIB */
807:
808: static int
809: start_compression_out(struct ssh *ssh, int level)
810: {
811: return SSH_ERR_INTERNAL_ERROR;
812: }
813:
814: static int
815: start_compression_in(struct ssh *ssh)
816: {
817: return SSH_ERR_INTERNAL_ERROR;
818: }
819:
820: static int
821: compress_buffer(struct ssh *ssh, struct sshbuf *in, struct sshbuf *out)
822: {
823: return SSH_ERR_INTERNAL_ERROR;
824: }
825:
826: static int
827: uncompress_buffer(struct ssh *ssh, struct sshbuf *in, struct sshbuf *out)
828: {
829: return SSH_ERR_INTERNAL_ERROR;
830: }
831: #endif /* WITH_ZLIB */
1.170 djm 832:
1.257 markus 833: void
834: ssh_clear_newkeys(struct ssh *ssh, int mode)
835: {
1.259 djm 836: if (ssh->kex && ssh->kex->newkeys[mode]) {
1.257 markus 837: kex_free_newkeys(ssh->kex->newkeys[mode]);
838: ssh->kex->newkeys[mode] = NULL;
839: }
840: }
841:
1.201 markus 842: int
843: ssh_set_newkeys(struct ssh *ssh, int mode)
1.57 markus 844: {
1.201 markus 845: struct session_state *state = ssh->state;
846: struct sshenc *enc;
847: struct sshmac *mac;
848: struct sshcomp *comp;
1.235 djm 849: struct sshcipher_ctx **ccp;
1.236 markus 850: struct packet_state *ps;
1.105 markus 851: u_int64_t *max_blocks;
1.259 djm 852: const char *wmsg;
1.197 djm 853: int r, crypt_type;
1.283 djm 854: const char *dir = mode == MODE_OUT ? "out" : "in";
1.57 markus 855:
1.100 markus 856: debug2("set_newkeys: mode %d", mode);
1.57 markus 857:
1.88 markus 858: if (mode == MODE_OUT) {
1.235 djm 859: ccp = &state->send_context;
1.115 avsm 860: crypt_type = CIPHER_ENCRYPT;
1.236 markus 861: ps = &state->p_send;
1.201 markus 862: max_blocks = &state->max_blocks_out;
1.88 markus 863: } else {
1.235 djm 864: ccp = &state->receive_context;
1.115 avsm 865: crypt_type = CIPHER_DECRYPT;
1.236 markus 866: ps = &state->p_read;
1.201 markus 867: max_blocks = &state->max_blocks_in;
1.88 markus 868: }
1.201 markus 869: if (state->newkeys[mode] != NULL) {
1.283 djm 870: debug("%s: rekeying %s, input %llu bytes %llu blocks, "
871: "output %llu bytes %llu blocks", __func__, dir,
1.257 markus 872: (unsigned long long)state->p_read.bytes,
873: (unsigned long long)state->p_read.blocks,
874: (unsigned long long)state->p_send.bytes,
875: (unsigned long long)state->p_send.blocks);
876: kex_free_newkeys(state->newkeys[mode]);
877: state->newkeys[mode] = NULL;
1.57 markus 878: }
1.236 markus 879: /* note that both bytes and the seqnr are not reset */
880: ps->packets = ps->blocks = 0;
1.201 markus 881: /* move newkeys from kex to state */
882: if ((state->newkeys[mode] = ssh->kex->newkeys[mode]) == NULL)
883: return SSH_ERR_INTERNAL_ERROR;
884: ssh->kex->newkeys[mode] = NULL;
885: enc = &state->newkeys[mode]->enc;
886: mac = &state->newkeys[mode]->mac;
887: comp = &state->newkeys[mode]->comp;
888: if (cipher_authlen(enc->cipher) == 0) {
889: if ((r = mac_init(mac)) != 0)
890: return r;
891: }
892: mac->enabled = 1;
1.283 djm 893: DBG(debug("%s: cipher_init_context: %s", __func__, dir));
1.279 djm 894: cipher_free(*ccp);
895: *ccp = NULL;
1.235 djm 896: if ((r = cipher_init(ccp, enc->cipher, enc->key, enc->key_len,
1.197 djm 897: enc->iv, enc->iv_len, crypt_type)) != 0)
1.201 markus 898: return r;
899: if (!state->cipher_warning_done &&
1.235 djm 900: (wmsg = cipher_warning_message(*ccp)) != NULL) {
1.201 markus 901: error("Warning: %s", wmsg);
902: state->cipher_warning_done = 1;
903: }
1.91 markus 904: /* Deleting the keys does not gain extra security */
1.192 djm 905: /* explicit_bzero(enc->iv, enc->block_size);
906: explicit_bzero(enc->key, enc->key_len);
907: explicit_bzero(mac->key, mac->key_len); */
1.275 sf 908: if ((comp->type == COMP_ZLIB ||
909: (comp->type == COMP_DELAYED &&
910: state->after_authentication)) && comp->enabled == 0) {
1.201 markus 911: if ((r = ssh_packet_init_compression(ssh)) < 0)
912: return r;
913: if (mode == MODE_OUT) {
914: if ((r = start_compression_out(ssh, 6)) != 0)
915: return r;
916: } else {
917: if ((r = start_compression_in(ssh)) != 0)
918: return r;
919: }
1.57 markus 920: comp->enabled = 1;
921: }
1.109 markus 922: /*
923: * The 2^(blocksize*2) limit is too expensive for 3DES,
1.254 djm 924: * so enforce a 1GB limit for small blocksizes.
1.261 dtucker 925: * See RFC4344 section 3.2.
1.109 markus 926: */
927: if (enc->block_size >= 16)
928: *max_blocks = (u_int64_t)1 << (enc->block_size*2);
929: else
930: *max_blocks = ((u_int64_t)1 << 30) / enc->block_size;
1.201 markus 931: if (state->rekey_limit)
1.237 deraadt 932: *max_blocks = MINIMUM(*max_blocks,
1.201 markus 933: state->rekey_limit / enc->block_size);
1.283 djm 934: debug("rekey %s after %llu blocks", dir,
935: (unsigned long long)*max_blocks);
1.201 markus 936: return 0;
1.57 markus 937: }
938:
1.228 djm 939: #define MAX_PACKETS (1U<<31)
940: static int
941: ssh_packet_need_rekeying(struct ssh *ssh, u_int outbound_packet_len)
942: {
943: struct session_state *state = ssh->state;
944: u_int32_t out_blocks;
945:
946: /* XXX client can't cope with rekeying pre-auth */
947: if (!state->after_authentication)
948: return 0;
949:
950: /* Haven't keyed yet or KEX in progress. */
1.278 djm 951: if (ssh_packet_is_rekeying(ssh))
1.228 djm 952: return 0;
953:
954: /* Peer can't rekey */
955: if (ssh->compat & SSH_BUG_NOREKEY)
956: return 0;
957:
958: /*
959: * Permit one packet in or out per rekey - this allows us to
960: * make progress when rekey limits are very small.
961: */
962: if (state->p_send.packets == 0 && state->p_read.packets == 0)
963: return 0;
964:
965: /* Time-based rekeying */
966: if (state->rekey_interval != 0 &&
1.244 dtucker 967: (int64_t)state->rekey_time + state->rekey_interval <= monotime())
1.228 djm 968: return 1;
969:
1.261 dtucker 970: /*
971: * Always rekey when MAX_PACKETS sent in either direction
972: * As per RFC4344 section 3.1 we do this after 2^31 packets.
973: */
1.228 djm 974: if (state->p_send.packets > MAX_PACKETS ||
975: state->p_read.packets > MAX_PACKETS)
976: return 1;
977:
978: /* Rekey after (cipher-specific) maxiumum blocks */
1.237 deraadt 979: out_blocks = ROUNDUP(outbound_packet_len,
1.228 djm 980: state->newkeys[MODE_OUT]->enc.block_size);
981: return (state->max_blocks_out &&
982: (state->p_send.blocks + out_blocks > state->max_blocks_out)) ||
983: (state->max_blocks_in &&
984: (state->p_read.blocks > state->max_blocks_in));
985: }
986:
1.16 markus 987: /*
1.118 markus 988: * Delayed compression for SSH2 is enabled after authentication:
1.143 dtucker 989: * This happens on the server side after a SSH2_MSG_USERAUTH_SUCCESS is sent,
1.118 markus 990: * and on the client side after a SSH2_MSG_USERAUTH_SUCCESS is received.
991: */
1.201 markus 992: static int
993: ssh_packet_enable_delayed_compress(struct ssh *ssh)
1.118 markus 994: {
1.201 markus 995: struct session_state *state = ssh->state;
996: struct sshcomp *comp = NULL;
997: int r, mode;
1.118 markus 998:
999: /*
1000: * Remember that we are past the authentication step, so rekeying
1.275 sf 1001: * with COMP_DELAYED will turn on compression immediately.
1.118 markus 1002: */
1.201 markus 1003: state->after_authentication = 1;
1.118 markus 1004: for (mode = 0; mode < MODE_MAX; mode++) {
1.145 markus 1005: /* protocol error: USERAUTH_SUCCESS received before NEWKEYS */
1.201 markus 1006: if (state->newkeys[mode] == NULL)
1.145 markus 1007: continue;
1.201 markus 1008: comp = &state->newkeys[mode]->comp;
1.275 sf 1009: if (comp && !comp->enabled && comp->type == COMP_DELAYED) {
1.201 markus 1010: if ((r = ssh_packet_init_compression(ssh)) != 0)
1011: return r;
1012: if (mode == MODE_OUT) {
1013: if ((r = start_compression_out(ssh, 6)) != 0)
1014: return r;
1015: } else {
1016: if ((r = start_compression_in(ssh)) != 0)
1017: return r;
1018: }
1.118 markus 1019: comp->enabled = 1;
1020: }
1021: }
1.201 markus 1022: return 0;
1.118 markus 1023: }
1024:
1.226 djm 1025: /* Used to mute debug logging for noisy packet types */
1.242 markus 1026: int
1.226 djm 1027: ssh_packet_log_type(u_char type)
1028: {
1029: switch (type) {
1030: case SSH2_MSG_CHANNEL_DATA:
1031: case SSH2_MSG_CHANNEL_EXTENDED_DATA:
1032: case SSH2_MSG_CHANNEL_WINDOW_ADJUST:
1033: return 0;
1034: default:
1035: return 1;
1036: }
1037: }
1038:
1.118 markus 1039: /*
1.25 markus 1040: * Finalize packet in SSH2 format (compress, mac, encrypt, enqueue)
1041: */
1.201 markus 1042: int
1043: ssh_packet_send2_wrapped(struct ssh *ssh)
1.25 markus 1044: {
1.201 markus 1045: struct session_state *state = ssh->state;
1.200 markus 1046: u_char type, *cp, macbuf[SSH_DIGEST_MAX_LENGTH];
1.233 djm 1047: u_char tmp, padlen, pad = 0;
1.201 markus 1048: u_int authlen = 0, aadlen = 0;
1049: u_int len;
1050: struct sshenc *enc = NULL;
1051: struct sshmac *mac = NULL;
1052: struct sshcomp *comp = NULL;
1053: int r, block_size;
1054:
1055: if (state->newkeys[MODE_OUT] != NULL) {
1056: enc = &state->newkeys[MODE_OUT]->enc;
1057: mac = &state->newkeys[MODE_OUT]->mac;
1058: comp = &state->newkeys[MODE_OUT]->comp;
1.180 markus 1059: /* disable mac for authenticated encryption */
1060: if ((authlen = cipher_authlen(enc->cipher)) != 0)
1061: mac = NULL;
1.25 markus 1062: }
1.88 markus 1063: block_size = enc ? enc->block_size : 8;
1.180 markus 1064: aadlen = (mac && mac->enabled && mac->etm) || authlen ? 4 : 0;
1.25 markus 1065:
1.201 markus 1066: type = (sshbuf_ptr(state->outgoing_packet))[5];
1.226 djm 1067: if (ssh_packet_log_type(type))
1068: debug3("send packet: type %u", type);
1.25 markus 1069: #ifdef PACKET_DEBUG
1070: fprintf(stderr, "plain: ");
1.201 markus 1071: sshbuf_dump(state->outgoing_packet, stderr);
1.25 markus 1072: #endif
1073:
1074: if (comp && comp->enabled) {
1.201 markus 1075: len = sshbuf_len(state->outgoing_packet);
1.25 markus 1076: /* skip header, compress only payload */
1.201 markus 1077: if ((r = sshbuf_consume(state->outgoing_packet, 5)) != 0)
1078: goto out;
1079: sshbuf_reset(state->compression_buffer);
1080: if ((r = compress_buffer(ssh, state->outgoing_packet,
1081: state->compression_buffer)) != 0)
1082: goto out;
1083: sshbuf_reset(state->outgoing_packet);
1084: if ((r = sshbuf_put(state->outgoing_packet,
1085: "\0\0\0\0\0", 5)) != 0 ||
1086: (r = sshbuf_putb(state->outgoing_packet,
1087: state->compression_buffer)) != 0)
1088: goto out;
1089: DBG(debug("compression: raw %d compressed %zd", len,
1090: sshbuf_len(state->outgoing_packet)));
1.25 markus 1091: }
1092:
1093: /* sizeof (packet_len + pad_len + payload) */
1.201 markus 1094: len = sshbuf_len(state->outgoing_packet);
1.25 markus 1095:
1096: /*
1097: * calc size of padding, alloc space, get random data,
1098: * minimum padding is 4 bytes
1099: */
1.178 markus 1100: len -= aadlen; /* packet length is not encrypted for EtM modes */
1.25 markus 1101: padlen = block_size - (len % block_size);
1102: if (padlen < 4)
1103: padlen += block_size;
1.201 markus 1104: if (state->extra_pad) {
1.233 djm 1105: tmp = state->extra_pad;
1.201 markus 1106: state->extra_pad =
1.237 deraadt 1107: ROUNDUP(state->extra_pad, block_size);
1.233 djm 1108: /* check if roundup overflowed */
1109: if (state->extra_pad < tmp)
1110: return SSH_ERR_INVALID_ARGUMENT;
1111: tmp = (len + padlen) % state->extra_pad;
1112: /* Check whether pad calculation below will underflow */
1113: if (tmp > state->extra_pad)
1114: return SSH_ERR_INVALID_ARGUMENT;
1115: pad = state->extra_pad - tmp;
1.193 djm 1116: DBG(debug3("%s: adding %d (len %d padlen %d extra_pad %d)",
1.201 markus 1117: __func__, pad, len, padlen, state->extra_pad));
1.233 djm 1118: tmp = padlen;
1.71 markus 1119: padlen += pad;
1.233 djm 1120: /* Check whether padlen calculation overflowed */
1121: if (padlen < tmp)
1122: return SSH_ERR_INVALID_ARGUMENT; /* overflow */
1.201 markus 1123: state->extra_pad = 0;
1.71 markus 1124: }
1.201 markus 1125: if ((r = sshbuf_reserve(state->outgoing_packet, padlen, &cp)) != 0)
1126: goto out;
1.235 djm 1127: if (enc && !cipher_ctx_is_plaintext(state->send_context)) {
1.32 markus 1128: /* random padding */
1.201 markus 1129: arc4random_buf(cp, padlen);
1.32 markus 1130: } else {
1131: /* clear padding */
1.192 djm 1132: explicit_bzero(cp, padlen);
1.25 markus 1133: }
1.178 markus 1134: /* sizeof (packet_len + pad_len + payload + padding) */
1.201 markus 1135: len = sshbuf_len(state->outgoing_packet);
1136: cp = sshbuf_mutable_ptr(state->outgoing_packet);
1137: if (cp == NULL) {
1138: r = SSH_ERR_INTERNAL_ERROR;
1139: goto out;
1140: }
1.25 markus 1141: /* packet_length includes payload, padding and padding length field */
1.201 markus 1142: POKE_U32(cp, len - 4);
1.89 markus 1143: cp[4] = padlen;
1.178 markus 1144: DBG(debug("send: len %d (includes padlen %d, aadlen %d)",
1145: len, padlen, aadlen));
1.25 markus 1146:
1147: /* compute MAC over seqnr and packet(length fields, payload, padding) */
1.178 markus 1148: if (mac && mac->enabled && !mac->etm) {
1.201 markus 1149: if ((r = mac_compute(mac, state->p_send.seqnr,
1150: sshbuf_ptr(state->outgoing_packet), len,
1.200 markus 1151: macbuf, sizeof(macbuf))) != 0)
1.201 markus 1152: goto out;
1153: DBG(debug("done calc MAC out #%d", state->p_send.seqnr));
1.25 markus 1154: }
1155: /* encrypt packet and append to output buffer. */
1.201 markus 1156: if ((r = sshbuf_reserve(state->output,
1157: sshbuf_len(state->outgoing_packet) + authlen, &cp)) != 0)
1158: goto out;
1.235 djm 1159: if ((r = cipher_crypt(state->send_context, state->p_send.seqnr, cp,
1.201 markus 1160: sshbuf_ptr(state->outgoing_packet),
1161: len - aadlen, aadlen, authlen)) != 0)
1162: goto out;
1.25 markus 1163: /* append unencrypted MAC */
1.178 markus 1164: if (mac && mac->enabled) {
1165: if (mac->etm) {
1166: /* EtM: compute mac over aadlen + cipher text */
1.201 markus 1167: if ((r = mac_compute(mac, state->p_send.seqnr,
1168: cp, len, macbuf, sizeof(macbuf))) != 0)
1169: goto out;
1.178 markus 1170: DBG(debug("done calc MAC(EtM) out #%d",
1.201 markus 1171: state->p_send.seqnr));
1.178 markus 1172: }
1.201 markus 1173: if ((r = sshbuf_put(state->output, macbuf, mac->mac_len)) != 0)
1174: goto out;
1.178 markus 1175: }
1.25 markus 1176: #ifdef PACKET_DEBUG
1177: fprintf(stderr, "encrypted: ");
1.201 markus 1178: sshbuf_dump(state->output, stderr);
1.25 markus 1179: #endif
1.29 markus 1180: /* increment sequence number for outgoing packets */
1.201 markus 1181: if (++state->p_send.seqnr == 0)
1.106 itojun 1182: logit("outgoing seqnr wraps around");
1.201 markus 1183: if (++state->p_send.packets == 0)
1184: if (!(ssh->compat & SSH_BUG_NOREKEY))
1185: return SSH_ERR_NEED_REKEY;
1186: state->p_send.blocks += len / block_size;
1187: state->p_send.bytes += len;
1188: sshbuf_reset(state->outgoing_packet);
1.25 markus 1189:
1.57 markus 1190: if (type == SSH2_MSG_NEWKEYS)
1.201 markus 1191: r = ssh_set_newkeys(ssh, MODE_OUT);
1192: else if (type == SSH2_MSG_USERAUTH_SUCCESS && state->server_side)
1193: r = ssh_packet_enable_delayed_compress(ssh);
1194: else
1195: r = 0;
1196: out:
1197: return r;
1.25 markus 1198: }
1199:
1.228 djm 1200: /* returns non-zero if the specified packet type is usec by KEX */
1201: static int
1202: ssh_packet_type_is_kex(u_char type)
1203: {
1204: return
1205: type >= SSH2_MSG_TRANSPORT_MIN &&
1206: type <= SSH2_MSG_TRANSPORT_MAX &&
1207: type != SSH2_MSG_SERVICE_REQUEST &&
1208: type != SSH2_MSG_SERVICE_ACCEPT &&
1209: type != SSH2_MSG_EXT_INFO;
1210: }
1211:
1.201 markus 1212: int
1213: ssh_packet_send2(struct ssh *ssh)
1.105 markus 1214: {
1.201 markus 1215: struct session_state *state = ssh->state;
1.105 markus 1216: struct packet *p;
1.201 markus 1217: u_char type;
1.228 djm 1218: int r, need_rekey;
1.105 markus 1219:
1.228 djm 1220: if (sshbuf_len(state->outgoing_packet) < 6)
1221: return SSH_ERR_INTERNAL_ERROR;
1.201 markus 1222: type = sshbuf_ptr(state->outgoing_packet)[5];
1.228 djm 1223: need_rekey = !ssh_packet_type_is_kex(type) &&
1224: ssh_packet_need_rekeying(ssh, sshbuf_len(state->outgoing_packet));
1.105 markus 1225:
1.228 djm 1226: /*
1227: * During rekeying we can only send key exchange messages.
1228: * Queue everything else.
1229: */
1230: if ((need_rekey || state->rekeying) && !ssh_packet_type_is_kex(type)) {
1231: if (need_rekey)
1232: debug3("%s: rekex triggered", __func__);
1233: debug("enqueue packet: %u", type);
1234: p = calloc(1, sizeof(*p));
1235: if (p == NULL)
1236: return SSH_ERR_ALLOC_FAIL;
1237: p->type = type;
1238: p->payload = state->outgoing_packet;
1239: TAILQ_INSERT_TAIL(&state->outgoing, p, next);
1240: state->outgoing_packet = sshbuf_new();
1241: if (state->outgoing_packet == NULL)
1242: return SSH_ERR_ALLOC_FAIL;
1243: if (need_rekey) {
1244: /*
1245: * This packet triggered a rekey, so send the
1246: * KEXINIT now.
1247: * NB. reenters this function via kex_start_rekex().
1248: */
1249: return kex_start_rekex(ssh);
1.105 markus 1250: }
1.228 djm 1251: return 0;
1.105 markus 1252: }
1253:
1254: /* rekeying starts with sending KEXINIT */
1255: if (type == SSH2_MSG_KEXINIT)
1.201 markus 1256: state->rekeying = 1;
1.105 markus 1257:
1.201 markus 1258: if ((r = ssh_packet_send2_wrapped(ssh)) != 0)
1259: return r;
1.105 markus 1260:
1261: /* after a NEWKEYS message we can send the complete queue */
1262: if (type == SSH2_MSG_NEWKEYS) {
1.201 markus 1263: state->rekeying = 0;
1264: state->rekey_time = monotime();
1265: while ((p = TAILQ_FIRST(&state->outgoing))) {
1.105 markus 1266: type = p->type;
1.228 djm 1267: /*
1268: * If this packet triggers a rekex, then skip the
1269: * remaining packets in the queue for now.
1270: * NB. re-enters this function via kex_start_rekex.
1271: */
1272: if (ssh_packet_need_rekeying(ssh,
1273: sshbuf_len(p->payload))) {
1274: debug3("%s: queued packet triggered rekex",
1275: __func__);
1276: return kex_start_rekex(ssh);
1277: }
1.105 markus 1278: debug("dequeue packet: %u", type);
1.201 markus 1279: sshbuf_free(state->outgoing_packet);
1280: state->outgoing_packet = p->payload;
1281: TAILQ_REMOVE(&state->outgoing, p, next);
1.228 djm 1282: memset(p, 0, sizeof(*p));
1.186 djm 1283: free(p);
1.201 markus 1284: if ((r = ssh_packet_send2_wrapped(ssh)) != 0)
1285: return r;
1.105 markus 1286: }
1287: }
1.201 markus 1288: return 0;
1.25 markus 1289: }
1290:
1291: /*
1.16 markus 1292: * Waits until a packet has been received, and returns its type. Note that
1293: * no other data is processed until this returns, so this function should not
1294: * be used during the interactive session.
1295: */
1.1 deraadt 1296:
1.2 provos 1297: int
1.201 markus 1298: ssh_packet_read_seqnr(struct ssh *ssh, u_char *typep, u_int32_t *seqnr_p)
1.1 deraadt 1299: {
1.201 markus 1300: struct session_state *state = ssh->state;
1.222 markus 1301: int len, r, ms_remain;
1.56 millert 1302: fd_set *setp;
1.14 markus 1303: char buf[8192];
1.155 deraadt 1304: struct timeval timeout, start, *timeoutp = NULL;
1305:
1.25 markus 1306: DBG(debug("packet_read()"));
1.14 markus 1307:
1.214 deraadt 1308: setp = calloc(howmany(state->connection_in + 1,
1.161 andreas 1309: NFDBITS), sizeof(fd_mask));
1.201 markus 1310: if (setp == NULL)
1311: return SSH_ERR_ALLOC_FAIL;
1.56 millert 1312:
1.205 djm 1313: /*
1314: * Since we are blocking, ensure that all written packets have
1315: * been sent.
1316: */
1.210 markus 1317: if ((r = ssh_packet_write_wait(ssh)) != 0)
1318: goto out;
1.14 markus 1319:
1320: /* Stay in the loop until we have received a complete packet. */
1321: for (;;) {
1322: /* Try to read a packet from the buffer. */
1.201 markus 1323: r = ssh_packet_read_poll_seqnr(ssh, typep, seqnr_p);
1324: if (r != 0)
1325: break;
1.14 markus 1326: /* If we got a packet, return it. */
1.201 markus 1327: if (*typep != SSH_MSG_NONE)
1328: break;
1.16 markus 1329: /*
1330: * Otherwise, wait for some data to arrive, add it to the
1331: * buffer, and try again.
1332: */
1.201 markus 1333: memset(setp, 0, howmany(state->connection_in + 1,
1.161 andreas 1334: NFDBITS) * sizeof(fd_mask));
1.201 markus 1335: FD_SET(state->connection_in, setp);
1.16 markus 1336:
1.201 markus 1337: if (state->packet_timeout_ms > 0) {
1338: ms_remain = state->packet_timeout_ms;
1.154 dtucker 1339: timeoutp = &timeout;
1340: }
1.14 markus 1341: /* Wait for some data to arrive. */
1.154 dtucker 1342: for (;;) {
1.201 markus 1343: if (state->packet_timeout_ms != -1) {
1.154 dtucker 1344: ms_to_timeval(&timeout, ms_remain);
1.267 dtucker 1345: monotime_tv(&start);
1.154 dtucker 1346: }
1.201 markus 1347: if ((r = select(state->connection_in + 1, setp,
1.161 andreas 1348: NULL, NULL, timeoutp)) >= 0)
1.154 dtucker 1349: break;
1.270 dtucker 1350: if (errno != EAGAIN && errno != EINTR) {
1351: r = SSH_ERR_SYSTEM_ERROR;
1352: goto out;
1353: }
1.201 markus 1354: if (state->packet_timeout_ms == -1)
1.154 dtucker 1355: continue;
1356: ms_subtract_diff(&start, &ms_remain);
1357: if (ms_remain <= 0) {
1.201 markus 1358: r = 0;
1.154 dtucker 1359: break;
1360: }
1361: }
1.246 djm 1362: if (r == 0) {
1363: r = SSH_ERR_CONN_TIMEOUT;
1364: goto out;
1365: }
1.14 markus 1366: /* Read data from the socket. */
1.222 markus 1367: len = read(state->connection_in, buf, sizeof(buf));
1.210 markus 1368: if (len == 0) {
1369: r = SSH_ERR_CONN_CLOSED;
1370: goto out;
1371: }
1.286 deraadt 1372: if (len == -1) {
1.210 markus 1373: r = SSH_ERR_SYSTEM_ERROR;
1374: goto out;
1375: }
1.204 djm 1376:
1.14 markus 1377: /* Append it to the buffer. */
1.204 djm 1378: if ((r = ssh_packet_process_incoming(ssh, buf, len)) != 0)
1.210 markus 1379: goto out;
1.14 markus 1380: }
1.210 markus 1381: out:
1.201 markus 1382: free(setp);
1383: return r;
1.1 deraadt 1384: }
1385:
1.77 djm 1386: int
1.201 markus 1387: ssh_packet_read(struct ssh *ssh)
1.77 djm 1388: {
1.201 markus 1389: u_char type;
1390: int r;
1391:
1392: if ((r = ssh_packet_read_seqnr(ssh, &type, NULL)) != 0)
1393: fatal("%s: %s", __func__, ssh_err(r));
1394: return type;
1.77 djm 1395: }
1396:
1.16 markus 1397: /*
1398: * Waits until a packet has been received, verifies that its type matches
1399: * that given, and gives a fatal error and exits if there is a mismatch.
1400: */
1.1 deraadt 1401:
1.205 djm 1402: int
1403: ssh_packet_read_expect(struct ssh *ssh, u_int expected_type)
1.1 deraadt 1404: {
1.205 djm 1405: int r;
1406: u_char type;
1.1 deraadt 1407:
1.205 djm 1408: if ((r = ssh_packet_read_seqnr(ssh, &type, NULL)) != 0)
1409: return r;
1410: if (type != expected_type) {
1411: if ((r = sshpkt_disconnect(ssh,
1.201 markus 1412: "Protocol error: expected packet type %d, got %d",
1.205 djm 1413: expected_type, type)) != 0)
1414: return r;
1415: return SSH_ERR_PROTOCOL_ERROR;
1416: }
1417: return 0;
1.1 deraadt 1418: }
1.14 markus 1419:
1.242 markus 1420: static int
1421: ssh_packet_read_poll2_mux(struct ssh *ssh, u_char *typep, u_int32_t *seqnr_p)
1422: {
1423: struct session_state *state = ssh->state;
1424: const u_char *cp;
1425: size_t need;
1426: int r;
1427:
1428: if (ssh->kex)
1429: return SSH_ERR_INTERNAL_ERROR;
1430: *typep = SSH_MSG_NONE;
1431: cp = sshbuf_ptr(state->input);
1432: if (state->packlen == 0) {
1433: if (sshbuf_len(state->input) < 4 + 1)
1434: return 0; /* packet is incomplete */
1435: state->packlen = PEEK_U32(cp);
1436: if (state->packlen < 4 + 1 ||
1437: state->packlen > PACKET_MAX_SIZE)
1438: return SSH_ERR_MESSAGE_INCOMPLETE;
1439: }
1440: need = state->packlen + 4;
1441: if (sshbuf_len(state->input) < need)
1442: return 0; /* packet is incomplete */
1443: sshbuf_reset(state->incoming_packet);
1444: if ((r = sshbuf_put(state->incoming_packet, cp + 4,
1445: state->packlen)) != 0 ||
1446: (r = sshbuf_consume(state->input, need)) != 0 ||
1447: (r = sshbuf_get_u8(state->incoming_packet, NULL)) != 0 ||
1448: (r = sshbuf_get_u8(state->incoming_packet, typep)) != 0)
1449: return r;
1450: if (ssh_packet_log_type(*typep))
1451: debug3("%s: type %u", __func__, *typep);
1452: /* sshbuf_dump(state->incoming_packet, stderr); */
1453: /* reset for next packet */
1454: state->packlen = 0;
1455: return r;
1456: }
1457:
1.201 markus 1458: int
1459: ssh_packet_read_poll2(struct ssh *ssh, u_char *typep, u_int32_t *seqnr_p)
1.25 markus 1460: {
1.201 markus 1461: struct session_state *state = ssh->state;
1.40 markus 1462: u_int padlen, need;
1.231 djm 1463: u_char *cp;
1.201 markus 1464: u_int maclen, aadlen = 0, authlen = 0, block_size;
1465: struct sshenc *enc = NULL;
1466: struct sshmac *mac = NULL;
1467: struct sshcomp *comp = NULL;
1.200 markus 1468: int r;
1.201 markus 1469:
1.242 markus 1470: if (state->mux)
1471: return ssh_packet_read_poll2_mux(ssh, typep, seqnr_p);
1472:
1.201 markus 1473: *typep = SSH_MSG_NONE;
1474:
1475: if (state->packet_discard)
1476: return 0;
1477:
1478: if (state->newkeys[MODE_IN] != NULL) {
1479: enc = &state->newkeys[MODE_IN]->enc;
1480: mac = &state->newkeys[MODE_IN]->mac;
1481: comp = &state->newkeys[MODE_IN]->comp;
1.180 markus 1482: /* disable mac for authenticated encryption */
1483: if ((authlen = cipher_authlen(enc->cipher)) != 0)
1484: mac = NULL;
1.25 markus 1485: }
1486: maclen = mac && mac->enabled ? mac->mac_len : 0;
1.88 markus 1487: block_size = enc ? enc->block_size : 8;
1.180 markus 1488: aadlen = (mac && mac->enabled && mac->etm) || authlen ? 4 : 0;
1.25 markus 1489:
1.201 markus 1490: if (aadlen && state->packlen == 0) {
1.235 djm 1491: if (cipher_get_length(state->receive_context,
1.201 markus 1492: &state->packlen, state->p_read.seqnr,
1493: sshbuf_ptr(state->input), sshbuf_len(state->input)) != 0)
1494: return 0;
1495: if (state->packlen < 1 + 4 ||
1496: state->packlen > PACKET_MAX_SIZE) {
1.178 markus 1497: #ifdef PACKET_DEBUG
1.201 markus 1498: sshbuf_dump(state->input, stderr);
1.178 markus 1499: #endif
1.201 markus 1500: logit("Bad packet length %u.", state->packlen);
1501: if ((r = sshpkt_disconnect(ssh, "Packet corrupt")) != 0)
1502: return r;
1.217 djm 1503: return SSH_ERR_CONN_CORRUPT;
1.178 markus 1504: }
1.201 markus 1505: sshbuf_reset(state->incoming_packet);
1506: } else if (state->packlen == 0) {
1.25 markus 1507: /*
1508: * check if input size is less than the cipher block size,
1509: * decrypt first block and extract length of incoming packet
1510: */
1.201 markus 1511: if (sshbuf_len(state->input) < block_size)
1512: return 0;
1513: sshbuf_reset(state->incoming_packet);
1514: if ((r = sshbuf_reserve(state->incoming_packet, block_size,
1515: &cp)) != 0)
1516: goto out;
1.235 djm 1517: if ((r = cipher_crypt(state->receive_context,
1.201 markus 1518: state->p_send.seqnr, cp, sshbuf_ptr(state->input),
1519: block_size, 0, 0)) != 0)
1520: goto out;
1521: state->packlen = PEEK_U32(sshbuf_ptr(state->incoming_packet));
1522: if (state->packlen < 1 + 4 ||
1523: state->packlen > PACKET_MAX_SIZE) {
1.110 markus 1524: #ifdef PACKET_DEBUG
1.201 markus 1525: fprintf(stderr, "input: \n");
1526: sshbuf_dump(state->input, stderr);
1527: fprintf(stderr, "incoming_packet: \n");
1528: sshbuf_dump(state->incoming_packet, stderr);
1.110 markus 1529: #endif
1.201 markus 1530: logit("Bad packet length %u.", state->packlen);
1.234 markus 1531: return ssh_packet_start_discard(ssh, enc, mac, 0,
1532: PACKET_MAX_SIZE);
1.25 markus 1533: }
1.201 markus 1534: if ((r = sshbuf_consume(state->input, block_size)) != 0)
1535: goto out;
1.25 markus 1536: }
1.201 markus 1537: DBG(debug("input: packet len %u", state->packlen+4));
1538:
1.178 markus 1539: if (aadlen) {
1540: /* only the payload is encrypted */
1.201 markus 1541: need = state->packlen;
1.178 markus 1542: } else {
1543: /*
1544: * the payload size and the payload are encrypted, but we
1545: * have a partial packet of block_size bytes
1546: */
1.201 markus 1547: need = 4 + state->packlen - block_size;
1.178 markus 1548: }
1.180 markus 1549: DBG(debug("partial packet: block %d, need %d, maclen %d, authlen %d,"
1550: " aadlen %d", block_size, need, maclen, authlen, aadlen));
1.158 markus 1551: if (need % block_size != 0) {
1552: logit("padding error: need %d block %d mod %d",
1.25 markus 1553: need, block_size, need % block_size);
1.234 markus 1554: return ssh_packet_start_discard(ssh, enc, mac, 0,
1555: PACKET_MAX_SIZE - block_size);
1.158 markus 1556: }
1.25 markus 1557: /*
1558: * check if the entire packet has been received and
1.178 markus 1559: * decrypt into incoming_packet:
1560: * 'aadlen' bytes are unencrypted, but authenticated.
1.180 markus 1561: * 'need' bytes are encrypted, followed by either
1562: * 'authlen' bytes of authentication tag or
1.178 markus 1563: * 'maclen' bytes of message authentication code.
1.25 markus 1564: */
1.201 markus 1565: if (sshbuf_len(state->input) < aadlen + need + authlen + maclen)
1.231 djm 1566: return 0; /* packet is incomplete */
1.25 markus 1567: #ifdef PACKET_DEBUG
1568: fprintf(stderr, "read_poll enc/full: ");
1.201 markus 1569: sshbuf_dump(state->input, stderr);
1.25 markus 1570: #endif
1.231 djm 1571: /* EtM: check mac over encrypted input */
1.201 markus 1572: if (mac && mac->enabled && mac->etm) {
1.231 djm 1573: if ((r = mac_check(mac, state->p_read.seqnr,
1.201 markus 1574: sshbuf_ptr(state->input), aadlen + need,
1.231 djm 1575: sshbuf_ptr(state->input) + aadlen + need + authlen,
1576: maclen)) != 0) {
1577: if (r == SSH_ERR_MAC_INVALID)
1578: logit("Corrupted MAC on input.");
1.201 markus 1579: goto out;
1.231 djm 1580: }
1.201 markus 1581: }
1582: if ((r = sshbuf_reserve(state->incoming_packet, aadlen + need,
1583: &cp)) != 0)
1584: goto out;
1.235 djm 1585: if ((r = cipher_crypt(state->receive_context, state->p_read.seqnr, cp,
1.201 markus 1586: sshbuf_ptr(state->input), need, aadlen, authlen)) != 0)
1587: goto out;
1588: if ((r = sshbuf_consume(state->input, aadlen + need + authlen)) != 0)
1589: goto out;
1.29 markus 1590: if (mac && mac->enabled) {
1.231 djm 1591: /* Not EtM: check MAC over cleartext */
1592: if (!mac->etm && (r = mac_check(mac, state->p_read.seqnr,
1593: sshbuf_ptr(state->incoming_packet),
1594: sshbuf_len(state->incoming_packet),
1595: sshbuf_ptr(state->input), maclen)) != 0) {
1596: if (r != SSH_ERR_MAC_INVALID)
1.201 markus 1597: goto out;
1.159 markus 1598: logit("Corrupted MAC on input.");
1.247 markus 1599: if (need + block_size > PACKET_MAX_SIZE)
1.201 markus 1600: return SSH_ERR_INTERNAL_ERROR;
1601: return ssh_packet_start_discard(ssh, enc, mac,
1.234 markus 1602: sshbuf_len(state->incoming_packet),
1.247 markus 1603: PACKET_MAX_SIZE - need - block_size);
1.201 markus 1604: }
1.231 djm 1605: /* Remove MAC from input buffer */
1.201 markus 1606: DBG(debug("MAC #%d ok", state->p_read.seqnr));
1607: if ((r = sshbuf_consume(state->input, mac->mac_len)) != 0)
1608: goto out;
1.25 markus 1609: }
1.77 djm 1610: if (seqnr_p != NULL)
1.201 markus 1611: *seqnr_p = state->p_read.seqnr;
1612: if (++state->p_read.seqnr == 0)
1.106 itojun 1613: logit("incoming seqnr wraps around");
1.201 markus 1614: if (++state->p_read.packets == 0)
1615: if (!(ssh->compat & SSH_BUG_NOREKEY))
1616: return SSH_ERR_NEED_REKEY;
1617: state->p_read.blocks += (state->packlen + 4) / block_size;
1618: state->p_read.bytes += state->packlen + 4;
1.25 markus 1619:
1620: /* get padlen */
1.201 markus 1621: padlen = sshbuf_ptr(state->incoming_packet)[4];
1.25 markus 1622: DBG(debug("input: padlen %d", padlen));
1.205 djm 1623: if (padlen < 4) {
1624: if ((r = sshpkt_disconnect(ssh,
1625: "Corrupted padlen %d on input.", padlen)) != 0 ||
1626: (r = ssh_packet_write_wait(ssh)) != 0)
1627: return r;
1628: return SSH_ERR_CONN_CORRUPT;
1629: }
1.25 markus 1630:
1631: /* skip packet size + padlen, discard padding */
1.201 markus 1632: if ((r = sshbuf_consume(state->incoming_packet, 4 + 1)) != 0 ||
1633: ((r = sshbuf_consume_end(state->incoming_packet, padlen)) != 0))
1634: goto out;
1.25 markus 1635:
1.201 markus 1636: DBG(debug("input: len before de-compress %zd",
1637: sshbuf_len(state->incoming_packet)));
1.25 markus 1638: if (comp && comp->enabled) {
1.201 markus 1639: sshbuf_reset(state->compression_buffer);
1640: if ((r = uncompress_buffer(ssh, state->incoming_packet,
1641: state->compression_buffer)) != 0)
1642: goto out;
1643: sshbuf_reset(state->incoming_packet);
1644: if ((r = sshbuf_putb(state->incoming_packet,
1645: state->compression_buffer)) != 0)
1646: goto out;
1647: DBG(debug("input: len after de-compress %zd",
1648: sshbuf_len(state->incoming_packet)));
1.25 markus 1649: }
1650: /*
1651: * get packet type, implies consume.
1652: * return length of payload (without type field)
1653: */
1.201 markus 1654: if ((r = sshbuf_get_u8(state->incoming_packet, typep)) != 0)
1655: goto out;
1.226 djm 1656: if (ssh_packet_log_type(*typep))
1657: debug3("receive packet: type %u", *typep);
1.205 djm 1658: if (*typep < SSH2_MSG_MIN || *typep >= SSH2_MSG_LOCAL_MIN) {
1659: if ((r = sshpkt_disconnect(ssh,
1660: "Invalid ssh2 packet type: %d", *typep)) != 0 ||
1661: (r = ssh_packet_write_wait(ssh)) != 0)
1662: return r;
1663: return SSH_ERR_PROTOCOL_ERROR;
1664: }
1.243 djm 1665: if (state->hook_in != NULL &&
1666: (r = state->hook_in(ssh, state->incoming_packet, typep,
1667: state->hook_in_ctx)) != 0)
1668: return r;
1.238 markus 1669: if (*typep == SSH2_MSG_USERAUTH_SUCCESS && !state->server_side)
1.201 markus 1670: r = ssh_packet_enable_delayed_compress(ssh);
1671: else
1672: r = 0;
1.25 markus 1673: #ifdef PACKET_DEBUG
1.201 markus 1674: fprintf(stderr, "read/plain[%d]:\r\n", *typep);
1675: sshbuf_dump(state->incoming_packet, stderr);
1.25 markus 1676: #endif
1.62 markus 1677: /* reset for next packet */
1.201 markus 1678: state->packlen = 0;
1.228 djm 1679:
1680: /* do we need to rekey? */
1681: if (ssh_packet_need_rekeying(ssh, 0)) {
1682: debug3("%s: rekex triggered", __func__);
1683: if ((r = kex_start_rekex(ssh)) != 0)
1684: return r;
1685: }
1.201 markus 1686: out:
1687: return r;
1.25 markus 1688: }
1689:
1690: int
1.201 markus 1691: ssh_packet_read_poll_seqnr(struct ssh *ssh, u_char *typep, u_int32_t *seqnr_p)
1.25 markus 1692: {
1.201 markus 1693: struct session_state *state = ssh->state;
1.96 deraadt 1694: u_int reason, seqnr;
1.201 markus 1695: int r;
1696: u_char *msg;
1.62 markus 1697:
1.25 markus 1698: for (;;) {
1.201 markus 1699: msg = NULL;
1.249 djm 1700: r = ssh_packet_read_poll2(ssh, typep, seqnr_p);
1701: if (r != 0)
1702: return r;
1703: if (*typep) {
1704: state->keep_alive_timeouts = 0;
1705: DBG(debug("received packet type %d", *typep));
1706: }
1707: switch (*typep) {
1708: case SSH2_MSG_IGNORE:
1709: debug3("Received SSH2_MSG_IGNORE");
1710: break;
1711: case SSH2_MSG_DEBUG:
1712: if ((r = sshpkt_get_u8(ssh, NULL)) != 0 ||
1713: (r = sshpkt_get_string(ssh, &msg, NULL)) != 0 ||
1714: (r = sshpkt_get_string(ssh, NULL, NULL)) != 0) {
1715: free(msg);
1.201 markus 1716: return r;
1.48 stevesk 1717: }
1.249 djm 1718: debug("Remote: %.900s", msg);
1719: free(msg);
1720: break;
1721: case SSH2_MSG_DISCONNECT:
1722: if ((r = sshpkt_get_u32(ssh, &reason)) != 0 ||
1723: (r = sshpkt_get_string(ssh, &msg, NULL)) != 0)
1724: return r;
1725: /* Ignore normal client exit notifications */
1726: do_log2(ssh->state->server_side &&
1727: reason == SSH2_DISCONNECT_BY_APPLICATION ?
1728: SYSLOG_LEVEL_INFO : SYSLOG_LEVEL_ERROR,
1729: "Received disconnect from %s port %d:"
1730: "%u: %.400s", ssh_remote_ipaddr(ssh),
1731: ssh_remote_port(ssh), reason, msg);
1732: free(msg);
1733: return SSH_ERR_DISCONNECTED;
1734: case SSH2_MSG_UNIMPLEMENTED:
1735: if ((r = sshpkt_get_u32(ssh, &seqnr)) != 0)
1736: return r;
1737: debug("Received SSH2_MSG_UNIMPLEMENTED for %u",
1738: seqnr);
1739: break;
1740: default:
1741: return 0;
1.25 markus 1742: }
1743: }
1744: }
1745:
1.16 markus 1746: /*
1747: * Buffers the given amount of input characters. This is intended to be used
1748: * together with packet_read_poll.
1749: */
1.1 deraadt 1750:
1.204 djm 1751: int
1.201 markus 1752: ssh_packet_process_incoming(struct ssh *ssh, const char *buf, u_int len)
1.1 deraadt 1753: {
1.201 markus 1754: struct session_state *state = ssh->state;
1755: int r;
1756:
1757: if (state->packet_discard) {
1758: state->keep_alive_timeouts = 0; /* ?? */
1759: if (len >= state->packet_discard) {
1760: if ((r = ssh_packet_stop_discard(ssh)) != 0)
1.204 djm 1761: return r;
1.201 markus 1762: }
1763: state->packet_discard -= len;
1.204 djm 1764: return 0;
1.159 markus 1765: }
1.201 markus 1766: if ((r = sshbuf_put(ssh->state->input, buf, len)) != 0)
1.204 djm 1767: return r;
1768:
1769: return 0;
1.28 markus 1770: }
1771:
1772: int
1.201 markus 1773: ssh_packet_remaining(struct ssh *ssh)
1.28 markus 1774: {
1.201 markus 1775: return sshbuf_len(ssh->state->incoming_packet);
1.1 deraadt 1776: }
1777:
1.16 markus 1778: /*
1779: * Sends a diagnostic message from the server to the client. This message
1780: * can be sent at any time (but not while constructing another message). The
1781: * message is printed immediately, but only if the client is being executed
1782: * in verbose mode. These messages are primarily intended to ease debugging
1783: * authentication problems. The length of the formatted message must not
1.205 djm 1784: * exceed 1024 bytes. This will automatically call ssh_packet_write_wait.
1.16 markus 1785: */
1.2 provos 1786: void
1.201 markus 1787: ssh_packet_send_debug(struct ssh *ssh, const char *fmt,...)
1.1 deraadt 1788: {
1.14 markus 1789: char buf[1024];
1790: va_list args;
1.201 markus 1791: int r;
1.39 markus 1792:
1.249 djm 1793: if ((ssh->compat & SSH_BUG_DEBUG))
1.39 markus 1794: return;
1.14 markus 1795:
1796: va_start(args, fmt);
1797: vsnprintf(buf, sizeof(buf), fmt, args);
1798: va_end(args);
1.265 djm 1799:
1800: debug3("sending debug message: %s", buf);
1.14 markus 1801:
1.249 djm 1802: if ((r = sshpkt_start(ssh, SSH2_MSG_DEBUG)) != 0 ||
1803: (r = sshpkt_put_u8(ssh, 0)) != 0 || /* always display */
1804: (r = sshpkt_put_cstring(ssh, buf)) != 0 ||
1805: (r = sshpkt_put_cstring(ssh, "")) != 0 ||
1806: (r = sshpkt_send(ssh)) != 0 ||
1807: (r = ssh_packet_write_wait(ssh)) != 0)
1.205 djm 1808: fatal("%s: %s", __func__, ssh_err(r));
1809: }
1810:
1.268 dtucker 1811: void
1812: sshpkt_fmt_connection_id(struct ssh *ssh, char *s, size_t l)
1.245 djm 1813: {
1814: snprintf(s, l, "%.200s%s%s port %d",
1815: ssh->log_preamble ? ssh->log_preamble : "",
1816: ssh->log_preamble ? " " : "",
1817: ssh_remote_ipaddr(ssh), ssh_remote_port(ssh));
1818: }
1819:
1.205 djm 1820: /*
1821: * Pretty-print connection-terminating errors and exit.
1822: */
1.280 djm 1823: static void
1824: sshpkt_vfatal(struct ssh *ssh, int r, const char *fmt, va_list ap)
1.205 djm 1825: {
1.280 djm 1826: char *tag = NULL, remote_id[512];
1.245 djm 1827:
1.268 dtucker 1828: sshpkt_fmt_connection_id(ssh, remote_id, sizeof(remote_id));
1.245 djm 1829:
1.205 djm 1830: switch (r) {
1831: case SSH_ERR_CONN_CLOSED:
1.257 markus 1832: ssh_packet_clear_keys(ssh);
1.245 djm 1833: logdie("Connection closed by %s", remote_id);
1.205 djm 1834: case SSH_ERR_CONN_TIMEOUT:
1.257 markus 1835: ssh_packet_clear_keys(ssh);
1.245 djm 1836: logdie("Connection %s %s timed out",
1837: ssh->state->server_side ? "from" : "to", remote_id);
1.212 djm 1838: case SSH_ERR_DISCONNECTED:
1.257 markus 1839: ssh_packet_clear_keys(ssh);
1.245 djm 1840: logdie("Disconnected from %s", remote_id);
1.212 djm 1841: case SSH_ERR_SYSTEM_ERROR:
1.257 markus 1842: if (errno == ECONNRESET) {
1843: ssh_packet_clear_keys(ssh);
1.245 djm 1844: logdie("Connection reset by %s", remote_id);
1.257 markus 1845: }
1.213 djm 1846: /* FALLTHROUGH */
1847: case SSH_ERR_NO_CIPHER_ALG_MATCH:
1848: case SSH_ERR_NO_MAC_ALG_MATCH:
1849: case SSH_ERR_NO_COMPRESS_ALG_MATCH:
1850: case SSH_ERR_NO_KEX_ALG_MATCH:
1851: case SSH_ERR_NO_HOSTKEY_ALG_MATCH:
1852: if (ssh && ssh->kex && ssh->kex->failed_choice) {
1.257 markus 1853: ssh_packet_clear_keys(ssh);
1.245 djm 1854: logdie("Unable to negotiate with %s: %s. "
1855: "Their offer: %s", remote_id, ssh_err(r),
1.220 djm 1856: ssh->kex->failed_choice);
1.212 djm 1857: }
1858: /* FALLTHROUGH */
1.205 djm 1859: default:
1.280 djm 1860: if (vasprintf(&tag, fmt, ap) == -1) {
1861: ssh_packet_clear_keys(ssh);
1862: logdie("%s: could not allocate failure message",
1863: __func__);
1864: }
1.257 markus 1865: ssh_packet_clear_keys(ssh);
1.245 djm 1866: logdie("%s%sConnection %s %s: %s",
1.205 djm 1867: tag != NULL ? tag : "", tag != NULL ? ": " : "",
1.220 djm 1868: ssh->state->server_side ? "from" : "to",
1.245 djm 1869: remote_id, ssh_err(r));
1.205 djm 1870: }
1.1 deraadt 1871: }
1872:
1.280 djm 1873: void
1874: sshpkt_fatal(struct ssh *ssh, int r, const char *fmt, ...)
1875: {
1876: va_list ap;
1877:
1878: va_start(ap, fmt);
1879: sshpkt_vfatal(ssh, r, fmt, ap);
1880: /* NOTREACHED */
1881: va_end(ap);
1882: logdie("%s: should have exited", __func__);
1883: }
1884:
1.16 markus 1885: /*
1886: * Logs the error plus constructs and sends a disconnect packet, closes the
1887: * connection, and exits. This function never returns. The error message
1888: * should not contain a newline. The length of the formatted message must
1889: * not exceed 1024 bytes.
1890: */
1.2 provos 1891: void
1.201 markus 1892: ssh_packet_disconnect(struct ssh *ssh, const char *fmt,...)
1.1 deraadt 1893: {
1.245 djm 1894: char buf[1024], remote_id[512];
1.14 markus 1895: va_list args;
1896: static int disconnecting = 0;
1.201 markus 1897: int r;
1.97 deraadt 1898:
1.14 markus 1899: if (disconnecting) /* Guard against recursive invocations. */
1900: fatal("packet_disconnect called recursively.");
1901: disconnecting = 1;
1902:
1.16 markus 1903: /*
1904: * Format the message. Note that the caller must make sure the
1905: * message is of limited size.
1906: */
1.268 dtucker 1907: sshpkt_fmt_connection_id(ssh, remote_id, sizeof(remote_id));
1.14 markus 1908: va_start(args, fmt);
1909: vsnprintf(buf, sizeof(buf), fmt, args);
1910: va_end(args);
1911:
1.99 markus 1912: /* Display the error locally */
1.245 djm 1913: logit("Disconnecting %s: %.100s", remote_id, buf);
1.99 markus 1914:
1.205 djm 1915: /*
1916: * Send the disconnect message to the other side, and wait
1917: * for it to get sent.
1918: */
1919: if ((r = sshpkt_disconnect(ssh, "%s", buf)) != 0)
1.280 djm 1920: sshpkt_fatal(ssh, r, "%s", __func__);
1.205 djm 1921:
1922: if ((r = ssh_packet_write_wait(ssh)) != 0)
1.280 djm 1923: sshpkt_fatal(ssh, r, "%s", __func__);
1.14 markus 1924:
1925: /* Close the connection. */
1.201 markus 1926: ssh_packet_close(ssh);
1.112 markus 1927: cleanup_exit(255);
1.1 deraadt 1928: }
1929:
1.205 djm 1930: /*
1931: * Checks if there is any buffered output, and tries to write some of
1932: * the output.
1933: */
1934: int
1.201 markus 1935: ssh_packet_write_poll(struct ssh *ssh)
1.1 deraadt 1936: {
1.201 markus 1937: struct session_state *state = ssh->state;
1938: int len = sshbuf_len(state->output);
1.222 markus 1939: int r;
1.97 deraadt 1940:
1.14 markus 1941: if (len > 0) {
1.222 markus 1942: len = write(state->connection_out,
1943: sshbuf_ptr(state->output), len);
1.156 djm 1944: if (len == -1) {
1945: if (errno == EINTR || errno == EAGAIN)
1.205 djm 1946: return 0;
1947: return SSH_ERR_SYSTEM_ERROR;
1.14 markus 1948: }
1.222 markus 1949: if (len == 0)
1.205 djm 1950: return SSH_ERR_CONN_CLOSED;
1.201 markus 1951: if ((r = sshbuf_consume(state->output, len)) != 0)
1.205 djm 1952: return r;
1.14 markus 1953: }
1.205 djm 1954: return 0;
1.1 deraadt 1955: }
1956:
1.16 markus 1957: /*
1958: * Calls packet_write_poll repeatedly until all pending output data has been
1959: * written.
1960: */
1.205 djm 1961: int
1.201 markus 1962: ssh_packet_write_wait(struct ssh *ssh)
1.1 deraadt 1963: {
1.56 millert 1964: fd_set *setp;
1.205 djm 1965: int ret, r, ms_remain = 0;
1.154 dtucker 1966: struct timeval start, timeout, *timeoutp = NULL;
1.201 markus 1967: struct session_state *state = ssh->state;
1.56 millert 1968:
1.214 deraadt 1969: setp = calloc(howmany(state->connection_out + 1,
1.161 andreas 1970: NFDBITS), sizeof(fd_mask));
1.201 markus 1971: if (setp == NULL)
1.205 djm 1972: return SSH_ERR_ALLOC_FAIL;
1.216 gsoares 1973: if ((r = ssh_packet_write_poll(ssh)) != 0) {
1974: free(setp);
1.215 djm 1975: return r;
1.216 gsoares 1976: }
1.201 markus 1977: while (ssh_packet_have_data_to_write(ssh)) {
1978: memset(setp, 0, howmany(state->connection_out + 1,
1.161 andreas 1979: NFDBITS) * sizeof(fd_mask));
1.201 markus 1980: FD_SET(state->connection_out, setp);
1.154 dtucker 1981:
1.201 markus 1982: if (state->packet_timeout_ms > 0) {
1983: ms_remain = state->packet_timeout_ms;
1.154 dtucker 1984: timeoutp = &timeout;
1985: }
1986: for (;;) {
1.201 markus 1987: if (state->packet_timeout_ms != -1) {
1.154 dtucker 1988: ms_to_timeval(&timeout, ms_remain);
1.267 dtucker 1989: monotime_tv(&start);
1.154 dtucker 1990: }
1.201 markus 1991: if ((ret = select(state->connection_out + 1,
1.161 andreas 1992: NULL, setp, NULL, timeoutp)) >= 0)
1.154 dtucker 1993: break;
1.161 andreas 1994: if (errno != EAGAIN && errno != EINTR)
1.154 dtucker 1995: break;
1.201 markus 1996: if (state->packet_timeout_ms == -1)
1.154 dtucker 1997: continue;
1998: ms_subtract_diff(&start, &ms_remain);
1999: if (ms_remain <= 0) {
2000: ret = 0;
2001: break;
2002: }
2003: }
2004: if (ret == 0) {
1.205 djm 2005: free(setp);
2006: return SSH_ERR_CONN_TIMEOUT;
2007: }
2008: if ((r = ssh_packet_write_poll(ssh)) != 0) {
2009: free(setp);
2010: return r;
1.154 dtucker 2011: }
1.14 markus 2012: }
1.186 djm 2013: free(setp);
1.205 djm 2014: return 0;
1.1 deraadt 2015: }
2016:
2017: /* Returns true if there is buffered data to write to the connection. */
2018:
1.2 provos 2019: int
1.201 markus 2020: ssh_packet_have_data_to_write(struct ssh *ssh)
1.1 deraadt 2021: {
1.201 markus 2022: return sshbuf_len(ssh->state->output) != 0;
1.1 deraadt 2023: }
2024:
2025: /* Returns true if there is not too much data to write to the connection. */
2026:
1.2 provos 2027: int
1.201 markus 2028: ssh_packet_not_very_much_data_to_write(struct ssh *ssh)
1.1 deraadt 2029: {
1.201 markus 2030: if (ssh->state->interactive_mode)
2031: return sshbuf_len(ssh->state->output) < 16384;
1.14 markus 2032: else
1.201 markus 2033: return sshbuf_len(ssh->state->output) < 128 * 1024;
1.1 deraadt 2034: }
2035:
1.201 markus 2036: void
2037: ssh_packet_set_tos(struct ssh *ssh, int tos)
1.101 markus 2038: {
1.263 djm 2039: if (!ssh_packet_connection_is_on_socket(ssh) || tos == INT_MAX)
1.101 markus 2040: return;
1.201 markus 2041: switch (ssh_packet_connection_af(ssh)) {
1.173 djm 2042: case AF_INET:
2043: debug3("%s: set IP_TOS 0x%02x", __func__, tos);
1.201 markus 2044: if (setsockopt(ssh->state->connection_in,
1.286 deraadt 2045: IPPROTO_IP, IP_TOS, &tos, sizeof(tos)) == -1)
1.173 djm 2046: error("setsockopt IP_TOS %d: %.100s:",
2047: tos, strerror(errno));
2048: break;
2049: case AF_INET6:
2050: debug3("%s: set IPV6_TCLASS 0x%02x", __func__, tos);
1.201 markus 2051: if (setsockopt(ssh->state->connection_in,
1.286 deraadt 2052: IPPROTO_IPV6, IPV6_TCLASS, &tos, sizeof(tos)) == -1)
1.173 djm 2053: error("setsockopt IPV6_TCLASS %d: %.100s:",
2054: tos, strerror(errno));
2055: break;
2056: }
1.101 markus 2057: }
2058:
1.1 deraadt 2059: /* Informs that the current session is interactive. Sets IP flags for that. */
2060:
1.2 provos 2061: void
1.201 markus 2062: ssh_packet_set_interactive(struct ssh *ssh, int interactive, int qos_interactive, int qos_bulk)
1.1 deraadt 2063: {
1.201 markus 2064: struct session_state *state = ssh->state;
2065:
2066: if (state->set_interactive_called)
1.43 markus 2067: return;
1.201 markus 2068: state->set_interactive_called = 1;
1.1 deraadt 2069:
1.14 markus 2070: /* Record that we are in interactive mode. */
1.201 markus 2071: state->interactive_mode = interactive;
1.1 deraadt 2072:
1.19 markus 2073: /* Only set socket options if using a socket. */
1.201 markus 2074: if (!ssh_packet_connection_is_on_socket(ssh))
1.14 markus 2075: return;
1.201 markus 2076: set_nodelay(state->connection_in);
2077: ssh_packet_set_tos(ssh, interactive ? qos_interactive :
2078: qos_bulk);
1.1 deraadt 2079: }
2080:
2081: /* Returns true if the current connection is interactive. */
2082:
1.2 provos 2083: int
1.201 markus 2084: ssh_packet_is_interactive(struct ssh *ssh)
1.1 deraadt 2085: {
1.201 markus 2086: return ssh->state->interactive_mode;
1.12 markus 2087: }
2088:
1.113 deraadt 2089: int
1.201 markus 2090: ssh_packet_set_maxsize(struct ssh *ssh, u_int s)
1.12 markus 2091: {
1.201 markus 2092: struct session_state *state = ssh->state;
2093:
2094: if (state->set_maxsize_called) {
1.106 itojun 2095: logit("packet_set_maxsize: called twice: old %d new %d",
1.201 markus 2096: state->max_packet_size, s);
1.14 markus 2097: return -1;
2098: }
2099: if (s < 4 * 1024 || s > 1024 * 1024) {
1.106 itojun 2100: logit("packet_set_maxsize: bad size %d", s);
1.14 markus 2101: return -1;
2102: }
1.201 markus 2103: state->set_maxsize_called = 1;
1.66 markus 2104: debug("packet_set_maxsize: setting to %d", s);
1.201 markus 2105: state->max_packet_size = s;
1.14 markus 2106: return s;
1.53 markus 2107: }
2108:
1.161 andreas 2109: int
1.201 markus 2110: ssh_packet_inc_alive_timeouts(struct ssh *ssh)
1.161 andreas 2111: {
1.201 markus 2112: return ++ssh->state->keep_alive_timeouts;
1.161 andreas 2113: }
2114:
2115: void
1.201 markus 2116: ssh_packet_set_alive_timeouts(struct ssh *ssh, int ka)
1.161 andreas 2117: {
1.201 markus 2118: ssh->state->keep_alive_timeouts = ka;
1.161 andreas 2119: }
2120:
2121: u_int
1.201 markus 2122: ssh_packet_get_maxsize(struct ssh *ssh)
1.71 markus 2123: {
1.201 markus 2124: return ssh->state->max_packet_size;
1.71 markus 2125: }
2126:
1.105 markus 2127: void
1.244 dtucker 2128: ssh_packet_set_rekey_limits(struct ssh *ssh, u_int64_t bytes, u_int32_t seconds)
1.105 markus 2129: {
1.244 dtucker 2130: debug3("rekey after %llu bytes, %u seconds", (unsigned long long)bytes,
2131: (unsigned int)seconds);
1.201 markus 2132: ssh->state->rekey_limit = bytes;
2133: ssh->state->rekey_interval = seconds;
1.184 dtucker 2134: }
2135:
2136: time_t
1.201 markus 2137: ssh_packet_get_rekey_timeout(struct ssh *ssh)
1.184 dtucker 2138: {
2139: time_t seconds;
2140:
1.201 markus 2141: seconds = ssh->state->rekey_time + ssh->state->rekey_interval -
1.187 dtucker 2142: monotime();
1.185 dtucker 2143: return (seconds <= 0 ? 1 : seconds);
1.118 markus 2144: }
2145:
2146: void
1.201 markus 2147: ssh_packet_set_server(struct ssh *ssh)
1.118 markus 2148: {
1.201 markus 2149: ssh->state->server_side = 1;
1.278 djm 2150: ssh->kex->server = 1; /* XXX unify? */
1.118 markus 2151: }
2152:
2153: void
1.201 markus 2154: ssh_packet_set_authenticated(struct ssh *ssh)
1.118 markus 2155: {
1.201 markus 2156: ssh->state->after_authentication = 1;
1.161 andreas 2157: }
2158:
2159: void *
1.201 markus 2160: ssh_packet_get_input(struct ssh *ssh)
1.161 andreas 2161: {
1.201 markus 2162: return (void *)ssh->state->input;
1.161 andreas 2163: }
2164:
2165: void *
1.201 markus 2166: ssh_packet_get_output(struct ssh *ssh)
1.161 andreas 2167: {
1.201 markus 2168: return (void *)ssh->state->output;
1.166 andreas 2169: }
2170:
1.196 markus 2171: /* Reset after_authentication and reset compression in post-auth privsep */
1.201 markus 2172: static int
2173: ssh_packet_set_postauth(struct ssh *ssh)
1.196 markus 2174: {
1.239 djm 2175: int r;
1.196 markus 2176:
2177: debug("%s: called", __func__);
2178: /* This was set in net child, but is not visible in user child */
1.201 markus 2179: ssh->state->after_authentication = 1;
2180: ssh->state->rekeying = 0;
1.239 djm 2181: if ((r = ssh_packet_enable_delayed_compress(ssh)) != 0)
2182: return r;
1.201 markus 2183: return 0;
2184: }
2185:
2186: /* Packet state (de-)serialization for privsep */
2187:
2188: /* turn kex into a blob for packet state serialization */
2189: static int
2190: kex_to_blob(struct sshbuf *m, struct kex *kex)
2191: {
2192: int r;
2193:
2194: if ((r = sshbuf_put_string(m, kex->session_id,
2195: kex->session_id_len)) != 0 ||
2196: (r = sshbuf_put_u32(m, kex->we_need)) != 0 ||
1.269 djm 2197: (r = sshbuf_put_cstring(m, kex->hostkey_alg)) != 0 ||
1.201 markus 2198: (r = sshbuf_put_u32(m, kex->hostkey_type)) != 0 ||
1.269 djm 2199: (r = sshbuf_put_u32(m, kex->hostkey_nid)) != 0 ||
1.201 markus 2200: (r = sshbuf_put_u32(m, kex->kex_type)) != 0 ||
2201: (r = sshbuf_put_stringb(m, kex->my)) != 0 ||
2202: (r = sshbuf_put_stringb(m, kex->peer)) != 0 ||
1.278 djm 2203: (r = sshbuf_put_stringb(m, kex->client_version)) != 0 ||
2204: (r = sshbuf_put_stringb(m, kex->server_version)) != 0 ||
2205: (r = sshbuf_put_u32(m, kex->flags)) != 0)
1.201 markus 2206: return r;
2207: return 0;
2208: }
2209:
2210: /* turn key exchange results into a blob for packet state serialization */
2211: static int
2212: newkeys_to_blob(struct sshbuf *m, struct ssh *ssh, int mode)
2213: {
2214: struct sshbuf *b;
2215: struct sshcipher_ctx *cc;
2216: struct sshcomp *comp;
2217: struct sshenc *enc;
2218: struct sshmac *mac;
2219: struct newkeys *newkey;
2220: int r;
2221:
2222: if ((newkey = ssh->state->newkeys[mode]) == NULL)
2223: return SSH_ERR_INTERNAL_ERROR;
2224: enc = &newkey->enc;
2225: mac = &newkey->mac;
2226: comp = &newkey->comp;
1.235 djm 2227: cc = (mode == MODE_OUT) ? ssh->state->send_context :
2228: ssh->state->receive_context;
1.201 markus 2229: if ((r = cipher_get_keyiv(cc, enc->iv, enc->iv_len)) != 0)
2230: return r;
2231: if ((b = sshbuf_new()) == NULL)
2232: return SSH_ERR_ALLOC_FAIL;
2233: if ((r = sshbuf_put_cstring(b, enc->name)) != 0 ||
2234: (r = sshbuf_put_u32(b, enc->enabled)) != 0 ||
2235: (r = sshbuf_put_u32(b, enc->block_size)) != 0 ||
2236: (r = sshbuf_put_string(b, enc->key, enc->key_len)) != 0 ||
2237: (r = sshbuf_put_string(b, enc->iv, enc->iv_len)) != 0)
2238: goto out;
2239: if (cipher_authlen(enc->cipher) == 0) {
2240: if ((r = sshbuf_put_cstring(b, mac->name)) != 0 ||
2241: (r = sshbuf_put_u32(b, mac->enabled)) != 0 ||
2242: (r = sshbuf_put_string(b, mac->key, mac->key_len)) != 0)
2243: goto out;
2244: }
2245: if ((r = sshbuf_put_u32(b, comp->type)) != 0 ||
2246: (r = sshbuf_put_cstring(b, comp->name)) != 0)
2247: goto out;
2248: r = sshbuf_put_stringb(m, b);
2249: out:
1.221 mmcc 2250: sshbuf_free(b);
1.201 markus 2251: return r;
2252: }
2253:
2254: /* serialize packet state into a blob */
2255: int
2256: ssh_packet_get_state(struct ssh *ssh, struct sshbuf *m)
2257: {
2258: struct session_state *state = ssh->state;
1.249 djm 2259: int r;
1.201 markus 2260:
1.249 djm 2261: if ((r = kex_to_blob(m, ssh->kex)) != 0 ||
2262: (r = newkeys_to_blob(m, ssh, MODE_OUT)) != 0 ||
2263: (r = newkeys_to_blob(m, ssh, MODE_IN)) != 0 ||
2264: (r = sshbuf_put_u64(m, state->rekey_limit)) != 0 ||
2265: (r = sshbuf_put_u32(m, state->rekey_interval)) != 0 ||
2266: (r = sshbuf_put_u32(m, state->p_send.seqnr)) != 0 ||
2267: (r = sshbuf_put_u64(m, state->p_send.blocks)) != 0 ||
2268: (r = sshbuf_put_u32(m, state->p_send.packets)) != 0 ||
2269: (r = sshbuf_put_u64(m, state->p_send.bytes)) != 0 ||
2270: (r = sshbuf_put_u32(m, state->p_read.seqnr)) != 0 ||
2271: (r = sshbuf_put_u64(m, state->p_read.blocks)) != 0 ||
2272: (r = sshbuf_put_u32(m, state->p_read.packets)) != 0 ||
1.255 djm 2273: (r = sshbuf_put_u64(m, state->p_read.bytes)) != 0 ||
2274: (r = sshbuf_put_stringb(m, state->input)) != 0 ||
2275: (r = sshbuf_put_stringb(m, state->output)) != 0)
1.256 djm 2276: return r;
1.201 markus 2277:
2278: return 0;
2279: }
2280:
2281: /* restore key exchange results from blob for packet state de-serialization */
2282: static int
2283: newkeys_from_blob(struct sshbuf *m, struct ssh *ssh, int mode)
2284: {
2285: struct sshbuf *b = NULL;
2286: struct sshcomp *comp;
2287: struct sshenc *enc;
2288: struct sshmac *mac;
2289: struct newkeys *newkey = NULL;
2290: size_t keylen, ivlen, maclen;
2291: int r;
2292:
2293: if ((newkey = calloc(1, sizeof(*newkey))) == NULL) {
2294: r = SSH_ERR_ALLOC_FAIL;
2295: goto out;
2296: }
2297: if ((r = sshbuf_froms(m, &b)) != 0)
2298: goto out;
2299: #ifdef DEBUG_PK
2300: sshbuf_dump(b, stderr);
2301: #endif
2302: enc = &newkey->enc;
2303: mac = &newkey->mac;
2304: comp = &newkey->comp;
2305:
2306: if ((r = sshbuf_get_cstring(b, &enc->name, NULL)) != 0 ||
2307: (r = sshbuf_get_u32(b, (u_int *)&enc->enabled)) != 0 ||
2308: (r = sshbuf_get_u32(b, &enc->block_size)) != 0 ||
2309: (r = sshbuf_get_string(b, &enc->key, &keylen)) != 0 ||
2310: (r = sshbuf_get_string(b, &enc->iv, &ivlen)) != 0)
2311: goto out;
1.262 djm 2312: if ((enc->cipher = cipher_by_name(enc->name)) == NULL) {
2313: r = SSH_ERR_INVALID_FORMAT;
2314: goto out;
2315: }
1.201 markus 2316: if (cipher_authlen(enc->cipher) == 0) {
2317: if ((r = sshbuf_get_cstring(b, &mac->name, NULL)) != 0)
2318: goto out;
2319: if ((r = mac_setup(mac, mac->name)) != 0)
2320: goto out;
2321: if ((r = sshbuf_get_u32(b, (u_int *)&mac->enabled)) != 0 ||
2322: (r = sshbuf_get_string(b, &mac->key, &maclen)) != 0)
2323: goto out;
2324: if (maclen > mac->key_len) {
2325: r = SSH_ERR_INVALID_FORMAT;
2326: goto out;
2327: }
2328: mac->key_len = maclen;
2329: }
2330: if ((r = sshbuf_get_u32(b, &comp->type)) != 0 ||
2331: (r = sshbuf_get_cstring(b, &comp->name, NULL)) != 0)
2332: goto out;
2333: if (sshbuf_len(b) != 0) {
2334: r = SSH_ERR_INVALID_FORMAT;
2335: goto out;
2336: }
2337: enc->key_len = keylen;
2338: enc->iv_len = ivlen;
2339: ssh->kex->newkeys[mode] = newkey;
2340: newkey = NULL;
2341: r = 0;
2342: out:
1.219 mmcc 2343: free(newkey);
1.221 mmcc 2344: sshbuf_free(b);
1.201 markus 2345: return r;
2346: }
2347:
2348: /* restore kex from blob for packet state de-serialization */
2349: static int
2350: kex_from_blob(struct sshbuf *m, struct kex **kexp)
2351: {
2352: struct kex *kex;
2353: int r;
2354:
1.278 djm 2355: if ((kex = kex_new()) == NULL)
2356: return SSH_ERR_ALLOC_FAIL;
1.201 markus 2357: if ((r = sshbuf_get_string(m, &kex->session_id, &kex->session_id_len)) != 0 ||
2358: (r = sshbuf_get_u32(m, &kex->we_need)) != 0 ||
1.269 djm 2359: (r = sshbuf_get_cstring(m, &kex->hostkey_alg, NULL)) != 0 ||
1.201 markus 2360: (r = sshbuf_get_u32(m, (u_int *)&kex->hostkey_type)) != 0 ||
1.269 djm 2361: (r = sshbuf_get_u32(m, (u_int *)&kex->hostkey_nid)) != 0 ||
1.201 markus 2362: (r = sshbuf_get_u32(m, &kex->kex_type)) != 0 ||
2363: (r = sshbuf_get_stringb(m, kex->my)) != 0 ||
2364: (r = sshbuf_get_stringb(m, kex->peer)) != 0 ||
1.278 djm 2365: (r = sshbuf_get_stringb(m, kex->client_version)) != 0 ||
2366: (r = sshbuf_get_stringb(m, kex->server_version)) != 0 ||
2367: (r = sshbuf_get_u32(m, &kex->flags)) != 0)
1.201 markus 2368: goto out;
2369: kex->server = 1;
2370: kex->done = 1;
2371: r = 0;
2372: out:
2373: if (r != 0 || kexp == NULL) {
1.278 djm 2374: kex_free(kex);
1.201 markus 2375: if (kexp != NULL)
2376: *kexp = NULL;
2377: } else {
1.278 djm 2378: kex_free(*kexp);
1.201 markus 2379: *kexp = kex;
2380: }
2381: return r;
2382: }
2383:
2384: /*
2385: * Restore packet state from content of blob 'm' (de-serialization).
2386: * Note that 'm' will be partially consumed on parsing or any other errors.
2387: */
2388: int
2389: ssh_packet_set_state(struct ssh *ssh, struct sshbuf *m)
2390: {
2391: struct session_state *state = ssh->state;
1.254 djm 2392: const u_char *input, *output;
2393: size_t ilen, olen;
1.201 markus 2394: int r;
2395:
1.249 djm 2396: if ((r = kex_from_blob(m, &ssh->kex)) != 0 ||
2397: (r = newkeys_from_blob(m, ssh, MODE_OUT)) != 0 ||
2398: (r = newkeys_from_blob(m, ssh, MODE_IN)) != 0 ||
2399: (r = sshbuf_get_u64(m, &state->rekey_limit)) != 0 ||
2400: (r = sshbuf_get_u32(m, &state->rekey_interval)) != 0 ||
2401: (r = sshbuf_get_u32(m, &state->p_send.seqnr)) != 0 ||
2402: (r = sshbuf_get_u64(m, &state->p_send.blocks)) != 0 ||
2403: (r = sshbuf_get_u32(m, &state->p_send.packets)) != 0 ||
2404: (r = sshbuf_get_u64(m, &state->p_send.bytes)) != 0 ||
2405: (r = sshbuf_get_u32(m, &state->p_read.seqnr)) != 0 ||
2406: (r = sshbuf_get_u64(m, &state->p_read.blocks)) != 0 ||
2407: (r = sshbuf_get_u32(m, &state->p_read.packets)) != 0 ||
2408: (r = sshbuf_get_u64(m, &state->p_read.bytes)) != 0)
2409: return r;
2410: /*
2411: * We set the time here so that in post-auth privsep slave we
2412: * count from the completion of the authentication.
2413: */
2414: state->rekey_time = monotime();
2415: /* XXX ssh_set_newkeys overrides p_read.packets? XXX */
2416: if ((r = ssh_set_newkeys(ssh, MODE_IN)) != 0 ||
2417: (r = ssh_set_newkeys(ssh, MODE_OUT)) != 0)
2418: return r;
1.201 markus 2419:
1.239 djm 2420: if ((r = ssh_packet_set_postauth(ssh)) != 0)
1.201 markus 2421: return r;
2422:
2423: sshbuf_reset(state->input);
2424: sshbuf_reset(state->output);
2425: if ((r = sshbuf_get_string_direct(m, &input, &ilen)) != 0 ||
2426: (r = sshbuf_get_string_direct(m, &output, &olen)) != 0 ||
2427: (r = sshbuf_put(state->input, input, ilen)) != 0 ||
2428: (r = sshbuf_put(state->output, output, olen)) != 0)
2429: return r;
2430:
2431: if (sshbuf_len(m))
2432: return SSH_ERR_INVALID_FORMAT;
2433: debug3("%s: done", __func__);
2434: return 0;
2435: }
2436:
2437: /* NEW API */
2438:
2439: /* put data to the outgoing packet */
2440:
2441: int
2442: sshpkt_put(struct ssh *ssh, const void *v, size_t len)
2443: {
2444: return sshbuf_put(ssh->state->outgoing_packet, v, len);
2445: }
2446:
2447: int
2448: sshpkt_putb(struct ssh *ssh, const struct sshbuf *b)
2449: {
2450: return sshbuf_putb(ssh->state->outgoing_packet, b);
2451: }
2452:
2453: int
2454: sshpkt_put_u8(struct ssh *ssh, u_char val)
2455: {
2456: return sshbuf_put_u8(ssh->state->outgoing_packet, val);
2457: }
2458:
2459: int
2460: sshpkt_put_u32(struct ssh *ssh, u_int32_t val)
2461: {
2462: return sshbuf_put_u32(ssh->state->outgoing_packet, val);
2463: }
2464:
2465: int
2466: sshpkt_put_u64(struct ssh *ssh, u_int64_t val)
2467: {
2468: return sshbuf_put_u64(ssh->state->outgoing_packet, val);
2469: }
2470:
2471: int
2472: sshpkt_put_string(struct ssh *ssh, const void *v, size_t len)
2473: {
2474: return sshbuf_put_string(ssh->state->outgoing_packet, v, len);
2475: }
2476:
2477: int
2478: sshpkt_put_cstring(struct ssh *ssh, const void *v)
2479: {
2480: return sshbuf_put_cstring(ssh->state->outgoing_packet, v);
2481: }
2482:
2483: int
2484: sshpkt_put_stringb(struct ssh *ssh, const struct sshbuf *v)
2485: {
2486: return sshbuf_put_stringb(ssh->state->outgoing_packet, v);
2487: }
2488:
1.211 djm 2489: #ifdef WITH_OPENSSL
1.201 markus 2490: int
2491: sshpkt_put_ec(struct ssh *ssh, const EC_POINT *v, const EC_GROUP *g)
2492: {
2493: return sshbuf_put_ec(ssh->state->outgoing_packet, v, g);
2494: }
2495:
2496:
2497: int
2498: sshpkt_put_bignum2(struct ssh *ssh, const BIGNUM *v)
2499: {
2500: return sshbuf_put_bignum2(ssh->state->outgoing_packet, v);
2501: }
1.211 djm 2502: #endif /* WITH_OPENSSL */
1.201 markus 2503:
2504: /* fetch data from the incoming packet */
2505:
2506: int
2507: sshpkt_get(struct ssh *ssh, void *valp, size_t len)
2508: {
2509: return sshbuf_get(ssh->state->incoming_packet, valp, len);
2510: }
2511:
2512: int
2513: sshpkt_get_u8(struct ssh *ssh, u_char *valp)
2514: {
2515: return sshbuf_get_u8(ssh->state->incoming_packet, valp);
2516: }
2517:
2518: int
2519: sshpkt_get_u32(struct ssh *ssh, u_int32_t *valp)
2520: {
2521: return sshbuf_get_u32(ssh->state->incoming_packet, valp);
2522: }
2523:
2524: int
2525: sshpkt_get_u64(struct ssh *ssh, u_int64_t *valp)
2526: {
2527: return sshbuf_get_u64(ssh->state->incoming_packet, valp);
2528: }
2529:
2530: int
2531: sshpkt_get_string(struct ssh *ssh, u_char **valp, size_t *lenp)
2532: {
2533: return sshbuf_get_string(ssh->state->incoming_packet, valp, lenp);
2534: }
2535:
2536: int
2537: sshpkt_get_string_direct(struct ssh *ssh, const u_char **valp, size_t *lenp)
2538: {
2539: return sshbuf_get_string_direct(ssh->state->incoming_packet, valp, lenp);
2540: }
2541:
2542: int
1.264 djm 2543: sshpkt_peek_string_direct(struct ssh *ssh, const u_char **valp, size_t *lenp)
2544: {
2545: return sshbuf_peek_string_direct(ssh->state->incoming_packet, valp, lenp);
2546: }
2547:
2548: int
1.201 markus 2549: sshpkt_get_cstring(struct ssh *ssh, char **valp, size_t *lenp)
2550: {
2551: return sshbuf_get_cstring(ssh->state->incoming_packet, valp, lenp);
1.282 djm 2552: }
2553:
2554: int
2555: sshpkt_getb_froms(struct ssh *ssh, struct sshbuf **valp)
2556: {
2557: return sshbuf_froms(ssh->state->incoming_packet, valp);
1.201 markus 2558: }
2559:
1.211 djm 2560: #ifdef WITH_OPENSSL
1.201 markus 2561: int
2562: sshpkt_get_ec(struct ssh *ssh, EC_POINT *v, const EC_GROUP *g)
2563: {
2564: return sshbuf_get_ec(ssh->state->incoming_packet, v, g);
2565: }
2566:
2567: int
1.281 djm 2568: sshpkt_get_bignum2(struct ssh *ssh, BIGNUM **valp)
1.201 markus 2569: {
1.281 djm 2570: return sshbuf_get_bignum2(ssh->state->incoming_packet, valp);
1.201 markus 2571: }
1.211 djm 2572: #endif /* WITH_OPENSSL */
1.201 markus 2573:
2574: int
2575: sshpkt_get_end(struct ssh *ssh)
2576: {
2577: if (sshbuf_len(ssh->state->incoming_packet) > 0)
2578: return SSH_ERR_UNEXPECTED_TRAILING_DATA;
2579: return 0;
2580: }
2581:
2582: const u_char *
2583: sshpkt_ptr(struct ssh *ssh, size_t *lenp)
2584: {
2585: if (lenp != NULL)
2586: *lenp = sshbuf_len(ssh->state->incoming_packet);
2587: return sshbuf_ptr(ssh->state->incoming_packet);
2588: }
2589:
2590: /* start a new packet */
2591:
2592: int
2593: sshpkt_start(struct ssh *ssh, u_char type)
2594: {
1.249 djm 2595: u_char buf[6]; /* u32 packet length, u8 pad len, u8 type */
1.201 markus 2596:
2597: DBG(debug("packet_start[%d]", type));
1.249 djm 2598: memset(buf, 0, sizeof(buf));
2599: buf[sizeof(buf) - 1] = type;
1.201 markus 2600: sshbuf_reset(ssh->state->outgoing_packet);
1.249 djm 2601: return sshbuf_put(ssh->state->outgoing_packet, buf, sizeof(buf));
1.201 markus 2602: }
2603:
1.242 markus 2604: static int
2605: ssh_packet_send_mux(struct ssh *ssh)
2606: {
2607: struct session_state *state = ssh->state;
2608: u_char type, *cp;
2609: size_t len;
2610: int r;
2611:
2612: if (ssh->kex)
2613: return SSH_ERR_INTERNAL_ERROR;
2614: len = sshbuf_len(state->outgoing_packet);
2615: if (len < 6)
2616: return SSH_ERR_INTERNAL_ERROR;
2617: cp = sshbuf_mutable_ptr(state->outgoing_packet);
2618: type = cp[5];
2619: if (ssh_packet_log_type(type))
2620: debug3("%s: type %u", __func__, type);
2621: /* drop everything, but the connection protocol */
2622: if (type >= SSH2_MSG_CONNECTION_MIN &&
2623: type <= SSH2_MSG_CONNECTION_MAX) {
2624: POKE_U32(cp, len - 4);
2625: if ((r = sshbuf_putb(state->output,
2626: state->outgoing_packet)) != 0)
2627: return r;
2628: /* sshbuf_dump(state->output, stderr); */
2629: }
2630: sshbuf_reset(state->outgoing_packet);
1.264 djm 2631: return 0;
2632: }
2633:
2634: /*
2635: * 9.2. Ignored Data Message
2636: *
2637: * byte SSH_MSG_IGNORE
2638: * string data
2639: *
2640: * All implementations MUST understand (and ignore) this message at any
2641: * time (after receiving the protocol version). No implementation is
2642: * required to send them. This message can be used as an additional
2643: * protection measure against advanced traffic analysis techniques.
2644: */
2645: int
2646: sshpkt_msg_ignore(struct ssh *ssh, u_int nbytes)
2647: {
2648: u_int32_t rnd = 0;
2649: int r;
2650: u_int i;
2651:
2652: if ((r = sshpkt_start(ssh, SSH2_MSG_IGNORE)) != 0 ||
2653: (r = sshpkt_put_u32(ssh, nbytes)) != 0)
2654: return r;
2655: for (i = 0; i < nbytes; i++) {
2656: if (i % 4 == 0)
2657: rnd = arc4random();
2658: if ((r = sshpkt_put_u8(ssh, (u_char)rnd & 0xff)) != 0)
2659: return r;
2660: rnd >>= 8;
2661: }
1.242 markus 2662: return 0;
2663: }
2664:
1.201 markus 2665: /* send it */
2666:
2667: int
2668: sshpkt_send(struct ssh *ssh)
2669: {
1.242 markus 2670: if (ssh->state && ssh->state->mux)
2671: return ssh_packet_send_mux(ssh);
1.249 djm 2672: return ssh_packet_send2(ssh);
1.201 markus 2673: }
2674:
2675: int
2676: sshpkt_disconnect(struct ssh *ssh, const char *fmt,...)
2677: {
2678: char buf[1024];
2679: va_list args;
2680: int r;
2681:
2682: va_start(args, fmt);
2683: vsnprintf(buf, sizeof(buf), fmt, args);
2684: va_end(args);
2685:
1.249 djm 2686: if ((r = sshpkt_start(ssh, SSH2_MSG_DISCONNECT)) != 0 ||
2687: (r = sshpkt_put_u32(ssh, SSH2_DISCONNECT_PROTOCOL_ERROR)) != 0 ||
2688: (r = sshpkt_put_cstring(ssh, buf)) != 0 ||
2689: (r = sshpkt_put_cstring(ssh, "")) != 0 ||
2690: (r = sshpkt_send(ssh)) != 0)
2691: return r;
1.201 markus 2692: return 0;
2693: }
2694:
2695: /* roundup current message to pad bytes */
2696: int
2697: sshpkt_add_padding(struct ssh *ssh, u_char pad)
2698: {
2699: ssh->state->extra_pad = pad;
2700: return 0;
1.1 deraadt 2701: }