Line | Count | Source (jump to first uncovered line) |
1 | | /* $OpenBSD: packet.c,v 1.313 2023/12/18 14:45:17 djm Exp $ */ |
2 | | /* |
3 | | * Author: Tatu Ylonen <ylo@cs.hut.fi> |
4 | | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland |
5 | | * All rights reserved |
6 | | * This file contains code implementing the packet protocol and communication |
7 | | * with the other side. This same code is used both on client and server side. |
8 | | * |
9 | | * As far as I am concerned, the code I have written for this software |
10 | | * can be used freely for any purpose. Any derived versions of this |
11 | | * software must be clearly marked as such, and if the derived work is |
12 | | * incompatible with the protocol description in the RFC file, it must be |
13 | | * called by a name other than "ssh" or "Secure Shell". |
14 | | * |
15 | | * |
16 | | * SSH2 packet format added by Markus Friedl. |
17 | | * Copyright (c) 2000, 2001 Markus Friedl. All rights reserved. |
18 | | * |
19 | | * Redistribution and use in source and binary forms, with or without |
20 | | * modification, are permitted provided that the following conditions |
21 | | * are met: |
22 | | * 1. Redistributions of source code must retain the above copyright |
23 | | * notice, this list of conditions and the following disclaimer. |
24 | | * 2. Redistributions in binary form must reproduce the above copyright |
25 | | * notice, this list of conditions and the following disclaimer in the |
26 | | * documentation and/or other materials provided with the distribution. |
27 | | * |
28 | | * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR |
29 | | * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES |
30 | | * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. |
31 | | * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, |
32 | | * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT |
33 | | * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, |
34 | | * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY |
35 | | * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT |
36 | | * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF |
37 | | * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
38 | | */ |
39 | | |
40 | | #include "includes.h" |
41 | | |
42 | | #include <sys/types.h> |
43 | | #include "openbsd-compat/sys-queue.h" |
44 | | #include <sys/socket.h> |
45 | | #ifdef HAVE_SYS_TIME_H |
46 | | # include <sys/time.h> |
47 | | #endif |
48 | | |
49 | | #include <netinet/in.h> |
50 | | #include <netinet/ip.h> |
51 | | #include <arpa/inet.h> |
52 | | |
53 | | #include <errno.h> |
54 | | #include <netdb.h> |
55 | | #include <stdarg.h> |
56 | | #include <stdio.h> |
57 | | #include <stdlib.h> |
58 | | #include <string.h> |
59 | | #include <unistd.h> |
60 | | #include <limits.h> |
61 | | #ifdef HAVE_POLL_H |
62 | | #include <poll.h> |
63 | | #endif |
64 | | #include <signal.h> |
65 | | #include <time.h> |
66 | | #ifdef HAVE_UTIL_H |
67 | | # include <util.h> |
68 | | #endif |
69 | | |
70 | | /* |
71 | | * Explicitly include OpenSSL before zlib as some versions of OpenSSL have |
72 | | * "free_func" in their headers, which zlib typedefs. |
73 | | */ |
74 | | #ifdef WITH_OPENSSL |
75 | | # include <openssl/bn.h> |
76 | | # include <openssl/evp.h> |
77 | | # ifdef OPENSSL_HAS_ECC |
78 | | # include <openssl/ec.h> |
79 | | # endif |
80 | | #endif |
81 | | |
82 | | #ifdef WITH_ZLIB |
83 | | #include <zlib.h> |
84 | | #endif |
85 | | |
86 | | #include "xmalloc.h" |
87 | | #include "compat.h" |
88 | | #include "ssh2.h" |
89 | | #include "cipher.h" |
90 | | #include "sshkey.h" |
91 | | #include "kex.h" |
92 | | #include "digest.h" |
93 | | #include "mac.h" |
94 | | #include "log.h" |
95 | | #include "canohost.h" |
96 | | #include "misc.h" |
97 | | #include "channels.h" |
98 | | #include "ssh.h" |
99 | | #include "packet.h" |
100 | | #include "ssherr.h" |
101 | | #include "sshbuf.h" |
102 | | |
103 | | #ifdef PACKET_DEBUG |
104 | | #define DBG(x) x |
105 | | #else |
106 | | #define DBG(x) |
107 | | #endif |
108 | | |
109 | | /* OpenSSH usings 256KB packet size max but that consumes a |
110 | | * lot of memory with the buffers we are using. However, we need |
111 | | * a large packet size if the banner that's being sent is large. |
112 | | * So we need a 256KB packet pre authentication and a smaller one |
113 | | * in this case SSH_IOBUFSZ + 1KB, afterwards. So we change |
114 | | * PACKET_MAX_SIZE from a #define to a global. Then, in the function |
115 | | * ssh_packet_set_authentcated we reduce the size to something |
116 | | * more memory efficient. -cjr 04/07/23 |
117 | | */ |
118 | | u_int packet_max_size = 256 * 1024; |
119 | | |
120 | | /* global to support forced rekeying */ |
121 | | int rekey_requested = 0; |
122 | | |
123 | | |
124 | | struct packet_state { |
125 | | u_int32_t seqnr; |
126 | | u_int32_t packets; |
127 | | u_int64_t blocks; |
128 | | u_int64_t bytes; |
129 | | }; |
130 | | |
131 | | struct packet { |
132 | | TAILQ_ENTRY(packet) next; |
133 | | u_char type; |
134 | | struct sshbuf *payload; |
135 | | }; |
136 | | |
137 | | struct session_state { |
138 | | /* |
139 | | * This variable contains the file descriptors used for |
140 | | * communicating with the other side. connection_in is used for |
141 | | * reading; connection_out for writing. These can be the same |
142 | | * descriptor, in which case it is assumed to be a socket. |
143 | | */ |
144 | | int connection_in; |
145 | | int connection_out; |
146 | | |
147 | | /* Protocol flags for the remote side. */ |
148 | | u_int remote_protocol_flags; |
149 | | |
150 | | /* Encryption context for receiving data. Only used for decryption. */ |
151 | | struct sshcipher_ctx *receive_context; |
152 | | |
153 | | /* Encryption context for sending data. Only used for encryption. */ |
154 | | struct sshcipher_ctx *send_context; |
155 | | |
156 | | /* Buffer for raw input data from the socket. */ |
157 | | struct sshbuf *input; |
158 | | |
159 | | /* Buffer for raw output data going to the socket. */ |
160 | | struct sshbuf *output; |
161 | | |
162 | | /* Buffer for the partial outgoing packet being constructed. */ |
163 | | struct sshbuf *outgoing_packet; |
164 | | |
165 | | /* Buffer for the incoming packet currently being processed. */ |
166 | | struct sshbuf *incoming_packet; |
167 | | |
168 | | /* Scratch buffer for packet compression/decompression. */ |
169 | | struct sshbuf *compression_buffer; |
170 | | |
171 | | #ifdef WITH_ZLIB |
172 | | /* Incoming/outgoing compression dictionaries */ |
173 | | z_stream compression_in_stream; |
174 | | z_stream compression_out_stream; |
175 | | #endif |
176 | | int compression_in_started; |
177 | | int compression_out_started; |
178 | | int compression_in_failures; |
179 | | int compression_out_failures; |
180 | | |
181 | | /* default maximum packet size */ |
182 | | u_int max_packet_size; |
183 | | |
184 | | /* Flag indicating whether this module has been initialized. */ |
185 | | int initialized; |
186 | | |
187 | | /* Set to true if the connection is interactive. */ |
188 | | int interactive_mode; |
189 | | |
190 | | /* Set to true if we are the server side. */ |
191 | | int server_side; |
192 | | |
193 | | /* Set to true if we are authenticated. */ |
194 | | int after_authentication; |
195 | | |
196 | | int keep_alive_timeouts; |
197 | | |
198 | | /* The maximum time that we will wait to send or receive a packet */ |
199 | | int packet_timeout_ms; |
200 | | |
201 | | /* Session key information for Encryption and MAC */ |
202 | | struct newkeys *newkeys[MODE_MAX]; |
203 | | struct packet_state p_read, p_send; |
204 | | |
205 | | /* Volume-based rekeying */ |
206 | | u_int64_t max_blocks_in, max_blocks_out, rekey_limit; |
207 | | |
208 | | /* Time-based rekeying */ |
209 | | u_int32_t rekey_interval; /* how often in seconds */ |
210 | | time_t rekey_time; /* time of last rekeying */ |
211 | | |
212 | | /* roundup current message to extra_pad bytes */ |
213 | | u_char extra_pad; |
214 | | |
215 | | /* XXX discard incoming data after MAC error */ |
216 | | u_int packet_discard; |
217 | | size_t packet_discard_mac_already; |
218 | | struct sshmac *packet_discard_mac; |
219 | | |
220 | | /* Used in packet_read_poll2() */ |
221 | | u_int packlen; |
222 | | |
223 | | /* Used in packet_send2 */ |
224 | | int rekeying; |
225 | | |
226 | | /* Used in ssh_packet_send_mux() */ |
227 | | int mux; |
228 | | |
229 | | /* Used in packet_set_interactive */ |
230 | | int set_interactive_called; |
231 | | |
232 | | /* Used in packet_set_maxsize */ |
233 | | int set_maxsize_called; |
234 | | |
235 | | /* One-off warning about weak ciphers */ |
236 | | int cipher_warning_done; |
237 | | |
238 | | /* Hook for fuzzing inbound packets */ |
239 | | ssh_packet_hook_fn *hook_in; |
240 | | void *hook_in_ctx; |
241 | | |
242 | | TAILQ_HEAD(, packet) outgoing; |
243 | | }; |
244 | | |
245 | | struct ssh * |
246 | | ssh_alloc_session_state(void) |
247 | 70.0k | { |
248 | 70.0k | struct ssh *ssh = NULL; |
249 | 70.0k | struct session_state *state = NULL; |
250 | | |
251 | 70.0k | if ((ssh = calloc(1, sizeof(*ssh))) == NULL || |
252 | 70.0k | (state = calloc(1, sizeof(*state))) == NULL || |
253 | 70.0k | (ssh->kex = kex_new()) == NULL || |
254 | 70.0k | (state->input = sshbuf_new()) == NULL || |
255 | 70.0k | (state->output = sshbuf_new()) == NULL || |
256 | 70.0k | (state->outgoing_packet = sshbuf_new()) == NULL || |
257 | 70.0k | (state->incoming_packet = sshbuf_new()) == NULL) |
258 | 0 | goto fail; |
259 | | /* these buffers are important in terms of tracking buffer usage |
260 | | * so we explicitly label and type them with descriptive names */ |
261 | 70.0k | sshbuf_relabel(state->input, "input"); |
262 | 70.0k | sshbuf_type(state->input, BUF_PACKET_INPUT); |
263 | 70.0k | sshbuf_relabel(state->incoming_packet, "inpacket"); |
264 | 70.0k | sshbuf_type(state->incoming_packet, BUF_PACKET_INCOMING); |
265 | 70.0k | sshbuf_relabel(state->output, "output"); |
266 | 70.0k | sshbuf_type(state->output, BUF_PACKET_OUTPUT); |
267 | 70.0k | sshbuf_relabel(state->outgoing_packet, "outpacket"); |
268 | 70.0k | sshbuf_type(state->outgoing_packet, BUF_PACKET_OUTGOING); |
269 | | |
270 | 70.0k | TAILQ_INIT(&state->outgoing); |
271 | 70.0k | TAILQ_INIT(&ssh->private_keys); |
272 | 70.0k | TAILQ_INIT(&ssh->public_keys); |
273 | 70.0k | state->connection_in = -1; |
274 | 70.0k | state->connection_out = -1; |
275 | 70.0k | state->max_packet_size = CHAN_SES_PACKET_DEFAULT; |
276 | 70.0k | state->packet_timeout_ms = -1; |
277 | 70.0k | state->p_send.packets = state->p_read.packets = 0; |
278 | 70.0k | state->initialized = 1; |
279 | | /* |
280 | | * ssh_packet_send2() needs to queue packets until |
281 | | * we've done the initial key exchange. |
282 | | */ |
283 | 70.0k | state->rekeying = 1; |
284 | 70.0k | ssh->state = state; |
285 | 70.0k | return ssh; |
286 | 0 | fail: |
287 | 0 | if (ssh) { |
288 | 0 | kex_free(ssh->kex); |
289 | 0 | free(ssh); |
290 | 0 | } |
291 | 0 | if (state) { |
292 | 0 | sshbuf_free(state->input); |
293 | 0 | sshbuf_free(state->output); |
294 | 0 | sshbuf_free(state->incoming_packet); |
295 | 0 | sshbuf_free(state->outgoing_packet); |
296 | 0 | free(state); |
297 | 0 | } |
298 | 0 | return NULL; |
299 | 70.0k | } |
300 | | |
301 | | void |
302 | | ssh_packet_set_input_hook(struct ssh *ssh, ssh_packet_hook_fn *hook, void *ctx) |
303 | 0 | { |
304 | 0 | ssh->state->hook_in = hook; |
305 | 0 | ssh->state->hook_in_ctx = ctx; |
306 | 0 | } |
307 | | |
308 | | /* Returns nonzero if rekeying is in progress */ |
309 | | int |
310 | | ssh_packet_is_rekeying(struct ssh *ssh) |
311 | 0 | { |
312 | 0 | return ssh->state->rekeying || |
313 | 0 | (ssh->kex != NULL && ssh->kex->done == 0); |
314 | 0 | } |
315 | | |
316 | | /* |
317 | | * Sets the descriptors used for communication. |
318 | | */ |
319 | | struct ssh * |
320 | | ssh_packet_set_connection(struct ssh *ssh, int fd_in, int fd_out) |
321 | 70.0k | { |
322 | 70.0k | struct session_state *state; |
323 | 70.0k | struct sshcipher *none = cipher_by_name("none"); |
324 | 70.0k | int r; |
325 | | |
326 | 70.0k | if (none == NULL) { |
327 | 0 | error_f("cannot load cipher 'none'"); |
328 | 0 | return NULL; |
329 | 0 | } |
330 | 70.0k | if (ssh == NULL) |
331 | 70.0k | ssh = ssh_alloc_session_state(); |
332 | 70.0k | if (ssh == NULL) { |
333 | 0 | error_f("could not allocate state"); |
334 | 0 | return NULL; |
335 | 0 | } |
336 | 70.0k | state = ssh->state; |
337 | 70.0k | state->connection_in = fd_in; |
338 | 70.0k | state->connection_out = fd_out; |
339 | 70.0k | if ((r = cipher_init(&state->send_context, none, (const u_char *)"", 0, |
340 | 70.0k | NULL, 0, 0, CIPHER_ENCRYPT, state->after_authentication)) != 0 || |
341 | 70.0k | (r = cipher_init(&state->receive_context, none, (const u_char *)"", |
342 | 70.0k | 0, NULL, 0, 0, CIPHER_DECRYPT, state->after_authentication)) != 0) { |
343 | 0 | error_fr(r, "cipher_init failed"); |
344 | 0 | free(ssh); /* XXX need ssh_free_session_state? */ |
345 | 0 | return NULL; |
346 | 0 | } |
347 | 70.0k | state->newkeys[MODE_IN] = state->newkeys[MODE_OUT] = NULL; |
348 | | /* |
349 | | * Cache the IP address of the remote connection for use in error |
350 | | * messages that might be generated after the connection has closed. |
351 | | */ |
352 | 70.0k | (void)ssh_remote_ipaddr(ssh); |
353 | 70.0k | return ssh; |
354 | 70.0k | } |
355 | | |
356 | | void |
357 | | ssh_packet_set_timeout(struct ssh *ssh, int timeout, int count) |
358 | 0 | { |
359 | 0 | struct session_state *state = ssh->state; |
360 | |
|
361 | 0 | if (timeout <= 0 || count <= 0) { |
362 | 0 | state->packet_timeout_ms = -1; |
363 | 0 | return; |
364 | 0 | } |
365 | 0 | if ((INT_MAX / 1000) / count < timeout) |
366 | 0 | state->packet_timeout_ms = INT_MAX; |
367 | 0 | else |
368 | 0 | state->packet_timeout_ms = timeout * count * 1000; |
369 | 0 | } |
370 | | |
371 | | void |
372 | | ssh_packet_set_mux(struct ssh *ssh) |
373 | 0 | { |
374 | 0 | ssh->state->mux = 1; |
375 | 0 | ssh->state->rekeying = 0; |
376 | 0 | kex_free(ssh->kex); |
377 | 0 | ssh->kex = NULL; |
378 | 0 | } |
379 | | |
380 | | int |
381 | | ssh_packet_get_mux(struct ssh *ssh) |
382 | 0 | { |
383 | 0 | return ssh->state->mux; |
384 | 0 | } |
385 | | |
386 | | int |
387 | | ssh_packet_set_log_preamble(struct ssh *ssh, const char *fmt, ...) |
388 | 0 | { |
389 | 0 | va_list args; |
390 | 0 | int r; |
391 | |
|
392 | 0 | free(ssh->log_preamble); |
393 | 0 | if (fmt == NULL) |
394 | 0 | ssh->log_preamble = NULL; |
395 | 0 | else { |
396 | 0 | va_start(args, fmt); |
397 | 0 | r = vasprintf(&ssh->log_preamble, fmt, args); |
398 | 0 | va_end(args); |
399 | 0 | if (r < 0 || ssh->log_preamble == NULL) |
400 | 0 | return SSH_ERR_ALLOC_FAIL; |
401 | 0 | } |
402 | 0 | return 0; |
403 | 0 | } |
404 | | |
405 | | int |
406 | | ssh_packet_stop_discard(struct ssh *ssh) |
407 | 0 | { |
408 | 0 | struct session_state *state = ssh->state; |
409 | 0 | int r; |
410 | |
|
411 | 0 | if (state->packet_discard_mac) { |
412 | 0 | char buf[1024]; |
413 | 0 | size_t dlen = packet_max_size; |
414 | |
|
415 | 0 | if (dlen > state->packet_discard_mac_already) |
416 | 0 | dlen -= state->packet_discard_mac_already; |
417 | 0 | memset(buf, 'a', sizeof(buf)); |
418 | 0 | while (sshbuf_len(state->incoming_packet) < dlen) |
419 | 0 | if ((r = sshbuf_put(state->incoming_packet, buf, |
420 | 0 | sizeof(buf))) != 0) |
421 | 0 | return r; |
422 | 0 | (void) mac_compute(state->packet_discard_mac, |
423 | 0 | state->p_read.seqnr, |
424 | 0 | sshbuf_ptr(state->incoming_packet), dlen, |
425 | 0 | NULL, 0); |
426 | 0 | } |
427 | 0 | logit("Finished discarding for %.200s port %d", |
428 | 0 | ssh_remote_ipaddr(ssh), ssh_remote_port(ssh)); |
429 | 0 | return SSH_ERR_MAC_INVALID; |
430 | 0 | } |
431 | | |
432 | | static int |
433 | | ssh_packet_start_discard(struct ssh *ssh, struct sshenc *enc, |
434 | | struct sshmac *mac, size_t mac_already, u_int discard) |
435 | 9.26k | { |
436 | 9.26k | struct session_state *state = ssh->state; |
437 | 9.26k | int r; |
438 | | |
439 | 9.26k | if (enc == NULL || !cipher_is_cbc(enc->cipher) || (mac && mac->etm)) { |
440 | 9.26k | if ((r = sshpkt_disconnect(ssh, "Packet corrupt")) != 0) |
441 | 0 | return r; |
442 | 9.26k | return SSH_ERR_MAC_INVALID; |
443 | 9.26k | } |
444 | | /* |
445 | | * Record number of bytes over which the mac has already |
446 | | * been computed in order to minimize timing attacks. |
447 | | */ |
448 | 0 | if (mac && mac->enabled) { |
449 | 0 | state->packet_discard_mac = mac; |
450 | 0 | state->packet_discard_mac_already = mac_already; |
451 | 0 | } |
452 | 0 | if (sshbuf_len(state->input) >= discard) |
453 | 0 | return ssh_packet_stop_discard(ssh); |
454 | 0 | state->packet_discard = discard - sshbuf_len(state->input); |
455 | 0 | return 0; |
456 | 0 | } |
457 | | |
458 | | /* Returns 1 if remote host is connected via socket, 0 if not. */ |
459 | | |
460 | | int |
461 | | ssh_packet_connection_is_on_socket(struct ssh *ssh) |
462 | 70.0k | { |
463 | 70.0k | struct session_state *state; |
464 | 70.0k | struct sockaddr_storage from, to; |
465 | 70.0k | socklen_t fromlen, tolen; |
466 | | |
467 | 70.0k | if (ssh == NULL || ssh->state == NULL) |
468 | 0 | return 0; |
469 | | |
470 | 70.0k | state = ssh->state; |
471 | 70.0k | if (state->connection_in == -1 || state->connection_out == -1) |
472 | 70.0k | return 0; |
473 | | /* filedescriptors in and out are the same, so it's a socket */ |
474 | 0 | if (state->connection_in == state->connection_out) |
475 | 0 | return 1; |
476 | 0 | fromlen = sizeof(from); |
477 | 0 | memset(&from, 0, sizeof(from)); |
478 | 0 | if (getpeername(state->connection_in, (struct sockaddr *)&from, |
479 | 0 | &fromlen) == -1) |
480 | 0 | return 0; |
481 | 0 | tolen = sizeof(to); |
482 | 0 | memset(&to, 0, sizeof(to)); |
483 | 0 | if (getpeername(state->connection_out, (struct sockaddr *)&to, |
484 | 0 | &tolen) == -1) |
485 | 0 | return 0; |
486 | 0 | if (fromlen != tolen || memcmp(&from, &to, fromlen) != 0) |
487 | 0 | return 0; |
488 | 0 | if (from.ss_family != AF_INET && from.ss_family != AF_INET6) |
489 | 0 | return 0; |
490 | 0 | return 1; |
491 | 0 | } |
492 | | |
493 | | void |
494 | | ssh_packet_get_bytes(struct ssh *ssh, u_int64_t *ibytes, u_int64_t *obytes) |
495 | 0 | { |
496 | 0 | if (ibytes) |
497 | 0 | *ibytes = ssh->state->p_read.bytes; |
498 | 0 | if (obytes) |
499 | 0 | *obytes = ssh->state->p_send.bytes; |
500 | 0 | } |
501 | | |
502 | | int |
503 | | ssh_packet_connection_af(struct ssh *ssh) |
504 | 0 | { |
505 | 0 | return get_sock_af(ssh->state->connection_out); |
506 | 0 | } |
507 | | |
508 | | /* Sets the connection into non-blocking mode. */ |
509 | | |
510 | | void |
511 | | ssh_packet_set_nonblocking(struct ssh *ssh) |
512 | 0 | { |
513 | | /* Set the socket into non-blocking mode. */ |
514 | 0 | set_nonblock(ssh->state->connection_in); |
515 | |
|
516 | 0 | if (ssh->state->connection_out != ssh->state->connection_in) |
517 | 0 | set_nonblock(ssh->state->connection_out); |
518 | 0 | } |
519 | | |
520 | | /* Returns the socket used for reading. */ |
521 | | |
522 | | int |
523 | | ssh_packet_get_connection_in(struct ssh *ssh) |
524 | 0 | { |
525 | 0 | return ssh->state->connection_in; |
526 | 0 | } |
527 | | |
528 | | /* Returns the descriptor used for writing. */ |
529 | | |
530 | | int |
531 | | ssh_packet_get_connection_out(struct ssh *ssh) |
532 | 0 | { |
533 | 0 | return ssh->state->connection_out; |
534 | 0 | } |
535 | | |
536 | | /* |
537 | | * Returns the IP-address of the remote host as a string. The returned |
538 | | * string must not be freed. |
539 | | */ |
540 | | |
541 | | const char * |
542 | | ssh_remote_ipaddr(struct ssh *ssh) |
543 | 70.0k | { |
544 | 70.0k | int sock; |
545 | | |
546 | | /* Check whether we have cached the ipaddr. */ |
547 | 70.0k | if (ssh->remote_ipaddr == NULL) { |
548 | 70.0k | if (ssh_packet_connection_is_on_socket(ssh)) { |
549 | 0 | sock = ssh->state->connection_in; |
550 | 0 | ssh->remote_ipaddr = get_peer_ipaddr(sock); |
551 | 0 | ssh->remote_port = get_peer_port(sock); |
552 | 0 | ssh->local_ipaddr = get_local_ipaddr(sock); |
553 | 0 | ssh->local_port = get_local_port(sock); |
554 | 70.0k | } else { |
555 | 70.0k | ssh->remote_ipaddr = xstrdup("UNKNOWN"); |
556 | 70.0k | ssh->remote_port = 65535; |
557 | 70.0k | ssh->local_ipaddr = xstrdup("UNKNOWN"); |
558 | 70.0k | ssh->local_port = 65535; |
559 | 70.0k | } |
560 | 70.0k | } |
561 | 70.0k | return ssh->remote_ipaddr; |
562 | 70.0k | } |
563 | | |
564 | | /* Returns the port number of the remote host. */ |
565 | | |
566 | | int |
567 | | ssh_remote_port(struct ssh *ssh) |
568 | 0 | { |
569 | 0 | (void)ssh_remote_ipaddr(ssh); /* Will lookup and cache. */ |
570 | 0 | return ssh->remote_port; |
571 | 0 | } |
572 | | |
573 | | /* |
574 | | * Returns the IP-address of the local host as a string. The returned |
575 | | * string must not be freed. |
576 | | */ |
577 | | |
578 | | const char * |
579 | | ssh_local_ipaddr(struct ssh *ssh) |
580 | 0 | { |
581 | 0 | (void)ssh_remote_ipaddr(ssh); /* Will lookup and cache. */ |
582 | 0 | return ssh->local_ipaddr; |
583 | 0 | } |
584 | | |
585 | | /* Returns the port number of the local host. */ |
586 | | |
587 | | int |
588 | | ssh_local_port(struct ssh *ssh) |
589 | 0 | { |
590 | 0 | (void)ssh_remote_ipaddr(ssh); /* Will lookup and cache. */ |
591 | 0 | return ssh->local_port; |
592 | 0 | } |
593 | | |
594 | | /* Returns the routing domain of the input socket, or NULL if unavailable */ |
595 | | const char * |
596 | | ssh_packet_rdomain_in(struct ssh *ssh) |
597 | 0 | { |
598 | 0 | if (ssh->rdomain_in != NULL) |
599 | 0 | return ssh->rdomain_in; |
600 | 0 | if (!ssh_packet_connection_is_on_socket(ssh)) |
601 | 0 | return NULL; |
602 | 0 | ssh->rdomain_in = get_rdomain(ssh->state->connection_in); |
603 | 0 | return ssh->rdomain_in; |
604 | 0 | } |
605 | | |
606 | | /* Closes the connection and clears and frees internal data structures. */ |
607 | | |
608 | | static void |
609 | | ssh_packet_close_internal(struct ssh *ssh, int do_close) |
610 | 70.0k | { |
611 | 70.0k | struct session_state *state = ssh->state; |
612 | 70.0k | u_int mode; |
613 | | |
614 | 70.0k | if (!state->initialized) |
615 | 0 | return; |
616 | 70.0k | state->initialized = 0; |
617 | 70.0k | if (do_close) { |
618 | 70.0k | if (state->connection_in == state->connection_out) { |
619 | 70.0k | close(state->connection_out); |
620 | 70.0k | } else { |
621 | 0 | close(state->connection_in); |
622 | 0 | close(state->connection_out); |
623 | 0 | } |
624 | 70.0k | } |
625 | 70.0k | sshbuf_free(state->input); |
626 | 70.0k | sshbuf_free(state->output); |
627 | 70.0k | sshbuf_free(state->outgoing_packet); |
628 | 70.0k | sshbuf_free(state->incoming_packet); |
629 | 210k | for (mode = 0; mode < MODE_MAX; mode++) { |
630 | 140k | kex_free_newkeys(state->newkeys[mode]); /* current keys */ |
631 | 140k | state->newkeys[mode] = NULL; |
632 | 140k | ssh_clear_newkeys(ssh, mode); /* next keys */ |
633 | 140k | } |
634 | 70.0k | #ifdef WITH_ZLIB |
635 | | /* compression state is in shared mem, so we can only release it once */ |
636 | 70.0k | if (do_close && state->compression_buffer) { |
637 | 0 | sshbuf_free(state->compression_buffer); |
638 | 0 | if (state->compression_out_started) { |
639 | 0 | z_streamp stream = &state->compression_out_stream; |
640 | 0 | debug("compress outgoing: " |
641 | 0 | "raw data %llu, compressed %llu, factor %.2f", |
642 | 0 | (unsigned long long)stream->total_in, |
643 | 0 | (unsigned long long)stream->total_out, |
644 | 0 | stream->total_in == 0 ? 0.0 : |
645 | 0 | (double) stream->total_out / stream->total_in); |
646 | 0 | if (state->compression_out_failures == 0) |
647 | 0 | deflateEnd(stream); |
648 | 0 | } |
649 | 0 | if (state->compression_in_started) { |
650 | 0 | z_streamp stream = &state->compression_in_stream; |
651 | 0 | debug("compress incoming: " |
652 | 0 | "raw data %llu, compressed %llu, factor %.2f", |
653 | 0 | (unsigned long long)stream->total_out, |
654 | 0 | (unsigned long long)stream->total_in, |
655 | 0 | stream->total_out == 0 ? 0.0 : |
656 | 0 | (double) stream->total_in / stream->total_out); |
657 | 0 | if (state->compression_in_failures == 0) |
658 | 0 | inflateEnd(stream); |
659 | 0 | } |
660 | 0 | } |
661 | 70.0k | #endif /* WITH_ZLIB */ |
662 | 70.0k | cipher_free(state->send_context); |
663 | 70.0k | cipher_free(state->receive_context); |
664 | 70.0k | state->send_context = state->receive_context = NULL; |
665 | 70.0k | if (do_close) { |
666 | 70.0k | free(ssh->local_ipaddr); |
667 | 70.0k | ssh->local_ipaddr = NULL; |
668 | 70.0k | free(ssh->remote_ipaddr); |
669 | 70.0k | ssh->remote_ipaddr = NULL; |
670 | 70.0k | free(ssh->state); |
671 | 70.0k | ssh->state = NULL; |
672 | 70.0k | kex_free(ssh->kex); |
673 | 70.0k | ssh->kex = NULL; |
674 | 70.0k | } |
675 | 70.0k | } |
676 | | |
677 | | void |
678 | | ssh_packet_close(struct ssh *ssh) |
679 | 70.0k | { |
680 | 70.0k | ssh_packet_close_internal(ssh, 1); |
681 | 70.0k | } |
682 | | |
683 | | void |
684 | | ssh_packet_clear_keys(struct ssh *ssh) |
685 | 0 | { |
686 | 0 | ssh_packet_close_internal(ssh, 0); |
687 | 0 | } |
688 | | |
689 | | /* Sets remote side protocol flags. */ |
690 | | |
691 | | void |
692 | | ssh_packet_set_protocol_flags(struct ssh *ssh, u_int protocol_flags) |
693 | 0 | { |
694 | 0 | ssh->state->remote_protocol_flags = protocol_flags; |
695 | 0 | } |
696 | | |
697 | | /* Returns the remote protocol flags set earlier by the above function. */ |
698 | | |
699 | | u_int |
700 | | ssh_packet_get_protocol_flags(struct ssh *ssh) |
701 | 0 | { |
702 | 0 | return ssh->state->remote_protocol_flags; |
703 | 0 | } |
704 | | |
705 | | /* |
706 | | * Starts packet compression from the next packet on in both directions. |
707 | | * Level is compression level 1 (fastest) - 9 (slow, best) as in gzip. |
708 | | */ |
709 | | |
710 | | static int |
711 | | ssh_packet_init_compression(struct ssh *ssh) |
712 | 0 | { |
713 | 0 | if (!ssh->state->compression_buffer && |
714 | 0 | ((ssh->state->compression_buffer = sshbuf_new()) == NULL)) |
715 | 0 | return SSH_ERR_ALLOC_FAIL; |
716 | 0 | return 0; |
717 | 0 | } |
718 | | |
719 | | #ifdef WITH_ZLIB |
720 | | static int |
721 | | start_compression_out(struct ssh *ssh, int level) |
722 | 0 | { |
723 | 0 | if (level < 1 || level > 9) |
724 | 0 | return SSH_ERR_INVALID_ARGUMENT; |
725 | 0 | debug("Enabling compression at level %d.", level); |
726 | 0 | if (ssh->state->compression_out_started == 1) |
727 | 0 | deflateEnd(&ssh->state->compression_out_stream); |
728 | 0 | switch (deflateInit(&ssh->state->compression_out_stream, level)) { |
729 | 0 | case Z_OK: |
730 | 0 | ssh->state->compression_out_started = 1; |
731 | 0 | break; |
732 | 0 | case Z_MEM_ERROR: |
733 | 0 | return SSH_ERR_ALLOC_FAIL; |
734 | 0 | default: |
735 | 0 | return SSH_ERR_INTERNAL_ERROR; |
736 | 0 | } |
737 | 0 | return 0; |
738 | 0 | } |
739 | | |
740 | | static int |
741 | | start_compression_in(struct ssh *ssh) |
742 | 0 | { |
743 | 0 | if (ssh->state->compression_in_started == 1) |
744 | 0 | inflateEnd(&ssh->state->compression_in_stream); |
745 | 0 | switch (inflateInit(&ssh->state->compression_in_stream)) { |
746 | 0 | case Z_OK: |
747 | 0 | ssh->state->compression_in_started = 1; |
748 | 0 | break; |
749 | 0 | case Z_MEM_ERROR: |
750 | 0 | return SSH_ERR_ALLOC_FAIL; |
751 | 0 | default: |
752 | 0 | return SSH_ERR_INTERNAL_ERROR; |
753 | 0 | } |
754 | 0 | return 0; |
755 | 0 | } |
756 | | |
757 | | /* XXX remove need for separate compression buffer */ |
758 | | static int |
759 | | compress_buffer(struct ssh *ssh, struct sshbuf *in, struct sshbuf *out) |
760 | 0 | { |
761 | 0 | u_char buf[4096]; |
762 | 0 | int r, status; |
763 | |
|
764 | 0 | if (ssh->state->compression_out_started != 1) |
765 | 0 | return SSH_ERR_INTERNAL_ERROR; |
766 | | |
767 | | /* This case is not handled below. */ |
768 | 0 | if (sshbuf_len(in) == 0) |
769 | 0 | return 0; |
770 | | |
771 | | /* Input is the contents of the input buffer. */ |
772 | 0 | if ((ssh->state->compression_out_stream.next_in = |
773 | 0 | sshbuf_mutable_ptr(in)) == NULL) |
774 | 0 | return SSH_ERR_INTERNAL_ERROR; |
775 | 0 | ssh->state->compression_out_stream.avail_in = sshbuf_len(in); |
776 | | |
777 | | /* Loop compressing until deflate() returns with avail_out != 0. */ |
778 | 0 | do { |
779 | | /* Set up fixed-size output buffer. */ |
780 | 0 | ssh->state->compression_out_stream.next_out = buf; |
781 | 0 | ssh->state->compression_out_stream.avail_out = sizeof(buf); |
782 | | |
783 | | /* Compress as much data into the buffer as possible. */ |
784 | 0 | status = deflate(&ssh->state->compression_out_stream, |
785 | 0 | Z_PARTIAL_FLUSH); |
786 | 0 | switch (status) { |
787 | 0 | case Z_MEM_ERROR: |
788 | 0 | return SSH_ERR_ALLOC_FAIL; |
789 | 0 | case Z_OK: |
790 | | /* Append compressed data to output_buffer. */ |
791 | 0 | if ((r = sshbuf_put(out, buf, sizeof(buf) - |
792 | 0 | ssh->state->compression_out_stream.avail_out)) != 0) |
793 | 0 | return r; |
794 | 0 | break; |
795 | 0 | case Z_STREAM_ERROR: |
796 | 0 | default: |
797 | 0 | ssh->state->compression_out_failures++; |
798 | 0 | return SSH_ERR_INVALID_FORMAT; |
799 | 0 | } |
800 | 0 | } while (ssh->state->compression_out_stream.avail_out == 0); |
801 | 0 | return 0; |
802 | 0 | } |
803 | | |
804 | | static int |
805 | | uncompress_buffer(struct ssh *ssh, struct sshbuf *in, struct sshbuf *out) |
806 | 0 | { |
807 | 0 | u_char buf[4096]; |
808 | 0 | int r, status; |
809 | |
|
810 | 0 | if (ssh->state->compression_in_started != 1) |
811 | 0 | return SSH_ERR_INTERNAL_ERROR; |
812 | | |
813 | 0 | if ((ssh->state->compression_in_stream.next_in = |
814 | 0 | sshbuf_mutable_ptr(in)) == NULL) |
815 | 0 | return SSH_ERR_INTERNAL_ERROR; |
816 | 0 | ssh->state->compression_in_stream.avail_in = sshbuf_len(in); |
817 | |
|
818 | 0 | for (;;) { |
819 | | /* Set up fixed-size output buffer. */ |
820 | 0 | ssh->state->compression_in_stream.next_out = buf; |
821 | 0 | ssh->state->compression_in_stream.avail_out = sizeof(buf); |
822 | |
|
823 | 0 | status = inflate(&ssh->state->compression_in_stream, |
824 | 0 | Z_SYNC_FLUSH); |
825 | 0 | switch (status) { |
826 | 0 | case Z_OK: |
827 | 0 | if ((r = sshbuf_put(out, buf, sizeof(buf) - |
828 | 0 | ssh->state->compression_in_stream.avail_out)) != 0) |
829 | 0 | return r; |
830 | 0 | break; |
831 | 0 | case Z_BUF_ERROR: |
832 | | /* |
833 | | * Comments in zlib.h say that we should keep calling |
834 | | * inflate() until we get an error. This appears to |
835 | | * be the error that we get. |
836 | | */ |
837 | 0 | return 0; |
838 | 0 | case Z_DATA_ERROR: |
839 | 0 | return SSH_ERR_INVALID_FORMAT; |
840 | 0 | case Z_MEM_ERROR: |
841 | 0 | return SSH_ERR_ALLOC_FAIL; |
842 | 0 | case Z_STREAM_ERROR: |
843 | 0 | default: |
844 | 0 | ssh->state->compression_in_failures++; |
845 | 0 | return SSH_ERR_INTERNAL_ERROR; |
846 | 0 | } |
847 | 0 | } |
848 | | /* NOTREACHED */ |
849 | 0 | } |
850 | | |
851 | | #else /* WITH_ZLIB */ |
852 | | |
853 | | static int |
854 | | start_compression_out(struct ssh *ssh, int level) |
855 | | { |
856 | | return SSH_ERR_INTERNAL_ERROR; |
857 | | } |
858 | | |
859 | | static int |
860 | | start_compression_in(struct ssh *ssh) |
861 | | { |
862 | | return SSH_ERR_INTERNAL_ERROR; |
863 | | } |
864 | | |
865 | | static int |
866 | | compress_buffer(struct ssh *ssh, struct sshbuf *in, struct sshbuf *out) |
867 | | { |
868 | | return SSH_ERR_INTERNAL_ERROR; |
869 | | } |
870 | | |
871 | | static int |
872 | | uncompress_buffer(struct ssh *ssh, struct sshbuf *in, struct sshbuf *out) |
873 | | { |
874 | | return SSH_ERR_INTERNAL_ERROR; |
875 | | } |
876 | | #endif /* WITH_ZLIB */ |
877 | | |
878 | | void |
879 | | ssh_clear_newkeys(struct ssh *ssh, int mode) |
880 | 140k | { |
881 | 140k | if (ssh->kex && ssh->kex->newkeys[mode]) { |
882 | 116 | kex_free_newkeys(ssh->kex->newkeys[mode]); |
883 | 116 | ssh->kex->newkeys[mode] = NULL; |
884 | 116 | } |
885 | 140k | } |
886 | | |
887 | | int |
888 | | ssh_set_newkeys(struct ssh *ssh, int mode) |
889 | 0 | { |
890 | 0 | struct session_state *state = ssh->state; |
891 | 0 | struct sshenc *enc; |
892 | 0 | struct sshmac *mac; |
893 | 0 | struct sshcomp *comp; |
894 | 0 | struct sshcipher_ctx **ccp; |
895 | 0 | struct packet_state *ps; |
896 | 0 | u_int64_t *max_blocks; |
897 | 0 | const char *wmsg; |
898 | 0 | int r, crypt_type; |
899 | 0 | const char *dir = mode == MODE_OUT ? "out" : "in"; |
900 | 0 | char blocks_s[FMT_SCALED_STRSIZE], bytes_s[FMT_SCALED_STRSIZE]; |
901 | |
|
902 | 0 | debug2_f("mode %d", mode); |
903 | |
|
904 | 0 | if (mode == MODE_OUT) { |
905 | 0 | ccp = &state->send_context; |
906 | 0 | crypt_type = CIPHER_ENCRYPT; |
907 | 0 | ps = &state->p_send; |
908 | 0 | max_blocks = &state->max_blocks_out; |
909 | 0 | } else { |
910 | 0 | ccp = &state->receive_context; |
911 | 0 | crypt_type = CIPHER_DECRYPT; |
912 | 0 | ps = &state->p_read; |
913 | 0 | max_blocks = &state->max_blocks_in; |
914 | 0 | } |
915 | 0 | if (state->newkeys[mode] != NULL) { |
916 | 0 | debug_f("rekeying %s, input %llu bytes %llu blocks, " |
917 | 0 | "output %llu bytes %llu blocks", dir, |
918 | 0 | (unsigned long long)state->p_read.bytes, |
919 | 0 | (unsigned long long)state->p_read.blocks, |
920 | 0 | (unsigned long long)state->p_send.bytes, |
921 | 0 | (unsigned long long)state->p_send.blocks); |
922 | 0 | kex_free_newkeys(state->newkeys[mode]); |
923 | 0 | state->newkeys[mode] = NULL; |
924 | 0 | } |
925 | | /* note that both bytes and the seqnr are not reset */ |
926 | 0 | ps->packets = ps->blocks = 0; |
927 | | /* move newkeys from kex to state */ |
928 | 0 | if ((state->newkeys[mode] = ssh->kex->newkeys[mode]) == NULL) |
929 | 0 | return SSH_ERR_INTERNAL_ERROR; |
930 | 0 | ssh->kex->newkeys[mode] = NULL; |
931 | 0 | enc = &state->newkeys[mode]->enc; |
932 | 0 | mac = &state->newkeys[mode]->mac; |
933 | 0 | comp = &state->newkeys[mode]->comp; |
934 | 0 | if (cipher_authlen(enc->cipher) == 0) { |
935 | 0 | if ((r = mac_init(mac)) != 0) |
936 | 0 | return r; |
937 | 0 | } |
938 | | |
939 | | /* if we are using NONE MAC then we don't need to enable the |
940 | | * mac routines. This disables them and we can claw back some cycles |
941 | | * from the CPU -cjr 3/21/2023 */ |
942 | 0 | if (ssh->none_mac != 1) |
943 | 0 | mac->enabled = 1; |
944 | |
|
945 | 0 | DBG(debug_f("cipher_init: %s", dir)); |
946 | 0 | cipher_free(*ccp); |
947 | 0 | *ccp = NULL; |
948 | 0 | #ifdef WITH_OPENSSL |
949 | 0 | if (strcmp(enc->name, "chacha20-poly1305-mt@hpnssh.org") == 0) { |
950 | 0 | if (state->after_authentication) |
951 | 0 | enc->cipher = cipher_by_name( |
952 | 0 | "chacha20-poly1305-mt@hpnssh.org"); |
953 | 0 | else |
954 | 0 | enc->cipher = cipher_by_name( |
955 | 0 | "chacha20-poly1305@openssh.com"); |
956 | 0 | if (enc->cipher == NULL) |
957 | 0 | return r; |
958 | 0 | } |
959 | 0 | #endif |
960 | 0 | if ((r = cipher_init(ccp, enc->cipher, enc->key, enc->key_len, enc->iv, |
961 | 0 | enc->iv_len, crypt_type ? state->p_send.seqnr : state->p_read.seqnr, |
962 | 0 | crypt_type, state->after_authentication)) != 0) |
963 | 0 | return r; |
964 | 0 | if (!state->cipher_warning_done && |
965 | 0 | (wmsg = cipher_warning_message(*ccp)) != NULL) { |
966 | 0 | error("Warning: %s", wmsg); |
967 | 0 | state->cipher_warning_done = 1; |
968 | 0 | } |
969 | | /* Deleting the keys does not gain extra security */ |
970 | | /* explicit_bzero(enc->iv, enc->block_size); |
971 | | explicit_bzero(enc->key, enc->key_len); |
972 | | explicit_bzero(mac->key, mac->key_len); */ |
973 | 0 | if ((comp->type == COMP_ZLIB || |
974 | 0 | (comp->type == COMP_DELAYED && |
975 | 0 | state->after_authentication)) && comp->enabled == 0) { |
976 | 0 | if ((r = ssh_packet_init_compression(ssh)) < 0) |
977 | 0 | return r; |
978 | 0 | if (mode == MODE_OUT) { |
979 | 0 | if ((r = start_compression_out(ssh, 6)) != 0) |
980 | 0 | return r; |
981 | 0 | } else { |
982 | 0 | if ((r = start_compression_in(ssh)) != 0) |
983 | 0 | return r; |
984 | 0 | } |
985 | 0 | comp->enabled = 1; |
986 | 0 | } |
987 | | |
988 | | /* get the maximum number of blocks the cipher can |
989 | | * handle safely */ |
990 | 0 | *max_blocks = cipher_rekey_blocks(enc->cipher); |
991 | | |
992 | | /* if we have a custom oRekeyLimit use that. */ |
993 | 0 | if (state->rekey_limit) |
994 | 0 | *max_blocks = MINIMUM(*max_blocks, |
995 | 0 | state->rekey_limit / enc->block_size); |
996 | | |
997 | | /* these lines support the debug */ |
998 | 0 | strlcpy(blocks_s, "?", sizeof(blocks_s)); |
999 | 0 | strlcpy(bytes_s, "?", sizeof(bytes_s)); |
1000 | 0 | if (*max_blocks * enc->block_size < LLONG_MAX) { |
1001 | 0 | fmt_scaled((long long)*max_blocks, blocks_s); |
1002 | 0 | fmt_scaled((long long)*max_blocks * enc->block_size, bytes_s); |
1003 | 0 | } |
1004 | 0 | debug("rekey %s after %s blocks / %sB data", dir, blocks_s, bytes_s); |
1005 | |
|
1006 | 0 | return 0; |
1007 | 0 | } |
1008 | | |
1009 | | /* this supports the forced rekeying required for the NONE cipher */ |
1010 | | void |
1011 | | packet_request_rekeying(void) |
1012 | 0 | { |
1013 | 0 | rekey_requested = 1; |
1014 | 0 | } |
1015 | | |
1016 | | /* used to determine if pre or post auth when rekeying for aes-ctr |
1017 | | * and none cipher switch */ |
1018 | | int |
1019 | | packet_authentication_state(const struct ssh *ssh) |
1020 | 3.60k | { |
1021 | 3.60k | struct session_state *state = ssh->state; |
1022 | | |
1023 | 3.60k | return state->after_authentication; |
1024 | 3.60k | } |
1025 | | |
1026 | 0 | #define MAX_PACKETS (1U<<31) |
1027 | | static int |
1028 | | ssh_packet_need_rekeying(struct ssh *ssh, u_int outbound_packet_len) |
1029 | 207k | { |
1030 | 207k | struct session_state *state = ssh->state; |
1031 | 207k | u_int32_t out_blocks; |
1032 | | |
1033 | | /* XXX client can't cope with rekeying pre-auth */ |
1034 | 207k | if (!state->after_authentication) |
1035 | 207k | return 0; |
1036 | | |
1037 | | /* Haven't keyed yet or KEX in progress. */ |
1038 | 0 | if (ssh_packet_is_rekeying(ssh)) |
1039 | 0 | return 0; |
1040 | | |
1041 | | /* Peer can't rekey */ |
1042 | 0 | if (ssh->compat & SSH_BUG_NOREKEY) |
1043 | 0 | return 0; |
1044 | | |
1045 | | /* |
1046 | | * Permit one packet in or out per rekey - this allows us to |
1047 | | * make progress when rekey limits are very small. |
1048 | | */ |
1049 | 0 | if (state->p_send.packets == 0 && state->p_read.packets == 0) |
1050 | 0 | return 0; |
1051 | | |
1052 | | /* used to force rekeying when called for by the none |
1053 | | * cipher switch and aes-mt-ctr methods -cjr */ |
1054 | 0 | if (rekey_requested == 1) { |
1055 | 0 | debug_f("Got the rekey request"); |
1056 | 0 | rekey_requested = 0; |
1057 | 0 | return 1; |
1058 | 0 | } |
1059 | | |
1060 | | /* Time-based rekeying */ |
1061 | 0 | if (state->rekey_interval != 0 && |
1062 | 0 | (int64_t)state->rekey_time + state->rekey_interval <= monotime()) |
1063 | 0 | return 1; |
1064 | | |
1065 | | /* |
1066 | | * Always rekey when MAX_PACKETS sent in either direction |
1067 | | * As per RFC4344 section 3.1 we do this after 2^31 packets. |
1068 | | */ |
1069 | 0 | if (state->p_send.packets > MAX_PACKETS || |
1070 | 0 | state->p_read.packets > MAX_PACKETS) |
1071 | 0 | return 1; |
1072 | | |
1073 | | /* Rekey after (cipher-specific) maximum blocks */ |
1074 | 0 | out_blocks = ROUNDUP(outbound_packet_len, |
1075 | 0 | state->newkeys[MODE_OUT]->enc.block_size); |
1076 | 0 | return (state->max_blocks_out && |
1077 | 0 | (state->p_send.blocks + out_blocks > state->max_blocks_out)) || |
1078 | 0 | (state->max_blocks_in && |
1079 | 0 | (state->p_read.blocks > state->max_blocks_in)); |
1080 | 0 | } |
1081 | | |
1082 | | int |
1083 | | ssh_packet_check_rekey(struct ssh *ssh) |
1084 | 207k | { |
1085 | 207k | if (!ssh_packet_need_rekeying(ssh, 0)) |
1086 | 207k | return 0; |
1087 | 0 | debug3_f("rekex triggered"); |
1088 | 0 | return kex_start_rekex(ssh); |
1089 | 207k | } |
1090 | | |
1091 | | /* |
1092 | | * Delayed compression for SSH2 is enabled after authentication: |
1093 | | * This happens on the server side after a SSH2_MSG_USERAUTH_SUCCESS is sent, |
1094 | | * and on the client side after a SSH2_MSG_USERAUTH_SUCCESS is received. |
1095 | | */ |
1096 | | static int |
1097 | | ssh_packet_enable_delayed_compress(struct ssh *ssh) |
1098 | 0 | { |
1099 | 0 | struct session_state *state = ssh->state; |
1100 | 0 | struct sshcomp *comp = NULL; |
1101 | 0 | int r, mode; |
1102 | | |
1103 | | /* |
1104 | | * Remember that we are past the authentication step, so rekeying |
1105 | | * with COMP_DELAYED will turn on compression immediately. |
1106 | | */ |
1107 | 0 | state->after_authentication = 1; |
1108 | 0 | for (mode = 0; mode < MODE_MAX; mode++) { |
1109 | | /* protocol error: USERAUTH_SUCCESS received before NEWKEYS */ |
1110 | 0 | if (state->newkeys[mode] == NULL) |
1111 | 0 | continue; |
1112 | 0 | comp = &state->newkeys[mode]->comp; |
1113 | 0 | if (comp && !comp->enabled && comp->type == COMP_DELAYED) { |
1114 | 0 | if ((r = ssh_packet_init_compression(ssh)) != 0) |
1115 | 0 | return r; |
1116 | 0 | if (mode == MODE_OUT) { |
1117 | 0 | if ((r = start_compression_out(ssh, 6)) != 0) |
1118 | 0 | return r; |
1119 | 0 | } else { |
1120 | 0 | if ((r = start_compression_in(ssh)) != 0) |
1121 | 0 | return r; |
1122 | 0 | } |
1123 | 0 | comp->enabled = 1; |
1124 | 0 | } |
1125 | 0 | } |
1126 | 0 | return 0; |
1127 | 0 | } |
1128 | | |
1129 | | /* Used to mute debug logging for noisy packet types */ |
1130 | | int |
1131 | | ssh_packet_log_type(u_char type) |
1132 | 436k | { |
1133 | 436k | switch (type) { |
1134 | 0 | case SSH2_MSG_PING: |
1135 | 0 | case SSH2_MSG_PONG: |
1136 | 0 | case SSH2_MSG_CHANNEL_DATA: |
1137 | 0 | case SSH2_MSG_CHANNEL_EXTENDED_DATA: |
1138 | 0 | case SSH2_MSG_CHANNEL_WINDOW_ADJUST: |
1139 | 0 | return 0; |
1140 | 436k | default: |
1141 | 436k | return 1; |
1142 | 436k | } |
1143 | 436k | } |
1144 | | |
1145 | | /* |
1146 | | * Finalize packet in SSH2 format (compress, mac, encrypt, enqueue) |
1147 | | */ |
1148 | | int |
1149 | | ssh_packet_send2_wrapped(struct ssh *ssh) |
1150 | 228k | { |
1151 | 228k | struct session_state *state = ssh->state; |
1152 | 228k | u_char type, *cp, macbuf[SSH_DIGEST_MAX_LENGTH]; |
1153 | 228k | u_char tmp, padlen, pad = 0; |
1154 | 228k | u_int authlen = 0, aadlen = 0; |
1155 | 228k | u_int len; |
1156 | 228k | struct sshenc *enc = NULL; |
1157 | 228k | struct sshmac *mac = NULL; |
1158 | 228k | struct sshcomp *comp = NULL; |
1159 | 228k | int r, block_size; |
1160 | | |
1161 | 228k | if (state->newkeys[MODE_OUT] != NULL) { |
1162 | 0 | enc = &state->newkeys[MODE_OUT]->enc; |
1163 | 0 | mac = &state->newkeys[MODE_OUT]->mac; |
1164 | 0 | comp = &state->newkeys[MODE_OUT]->comp; |
1165 | | /* disable mac for authenticated encryption */ |
1166 | 0 | if ((authlen = cipher_authlen(enc->cipher)) != 0) |
1167 | 0 | mac = NULL; |
1168 | 0 | } |
1169 | 228k | block_size = enc ? enc->block_size : 8; |
1170 | 228k | aadlen = (mac && mac->enabled && mac->etm) || authlen ? 4 : 0; |
1171 | | |
1172 | 228k | type = (sshbuf_ptr(state->outgoing_packet))[5]; |
1173 | 228k | if (ssh_packet_log_type(type)) |
1174 | 228k | debug3("send packet: type %u", type); |
1175 | | #ifdef PACKET_DEBUG |
1176 | | fprintf(stderr, "plain: "); |
1177 | | sshbuf_dump(state->outgoing_packet, stderr); |
1178 | | #endif |
1179 | | |
1180 | 228k | if (comp && comp->enabled) { |
1181 | 0 | len = sshbuf_len(state->outgoing_packet); |
1182 | | /* skip header, compress only payload */ |
1183 | 0 | if ((r = sshbuf_consume(state->outgoing_packet, 5)) != 0) |
1184 | 0 | goto out; |
1185 | 0 | sshbuf_reset(state->compression_buffer); |
1186 | 0 | if ((r = compress_buffer(ssh, state->outgoing_packet, |
1187 | 0 | state->compression_buffer)) != 0) |
1188 | 0 | goto out; |
1189 | 0 | sshbuf_reset(state->outgoing_packet); |
1190 | 0 | if ((r = sshbuf_put(state->outgoing_packet, |
1191 | 0 | "\0\0\0\0\0", 5)) != 0 || |
1192 | 0 | (r = sshbuf_putb(state->outgoing_packet, |
1193 | 0 | state->compression_buffer)) != 0) |
1194 | 0 | goto out; |
1195 | 0 | DBG(debug("compression: raw %d compressed %zd", len, |
1196 | 0 | sshbuf_len(state->outgoing_packet))); |
1197 | 0 | } |
1198 | | |
1199 | | /* sizeof (packet_len + pad_len + payload) */ |
1200 | 228k | len = sshbuf_len(state->outgoing_packet); |
1201 | | |
1202 | | /* |
1203 | | * calc size of padding, alloc space, get random data, |
1204 | | * minimum padding is 4 bytes |
1205 | | */ |
1206 | 228k | len -= aadlen; /* packet length is not encrypted for EtM modes */ |
1207 | 228k | padlen = block_size - (len % block_size); |
1208 | 228k | if (padlen < 4) |
1209 | 3.14k | padlen += block_size; |
1210 | 228k | if (state->extra_pad) { |
1211 | 0 | tmp = state->extra_pad; |
1212 | 0 | state->extra_pad = |
1213 | 0 | ROUNDUP(state->extra_pad, block_size); |
1214 | | /* check if roundup overflowed */ |
1215 | 0 | if (state->extra_pad < tmp) |
1216 | 0 | return SSH_ERR_INVALID_ARGUMENT; |
1217 | 0 | tmp = (len + padlen) % state->extra_pad; |
1218 | | /* Check whether pad calculation below will underflow */ |
1219 | 0 | if (tmp > state->extra_pad) |
1220 | 0 | return SSH_ERR_INVALID_ARGUMENT; |
1221 | 0 | pad = state->extra_pad - tmp; |
1222 | 0 | DBG(debug3_f("adding %d (len %d padlen %d extra_pad %d)", |
1223 | 0 | pad, len, padlen, state->extra_pad)); |
1224 | 0 | tmp = padlen; |
1225 | 0 | padlen += pad; |
1226 | | /* Check whether padlen calculation overflowed */ |
1227 | 0 | if (padlen < tmp) |
1228 | 0 | return SSH_ERR_INVALID_ARGUMENT; /* overflow */ |
1229 | 0 | state->extra_pad = 0; |
1230 | 0 | } |
1231 | 228k | if ((r = sshbuf_reserve(state->outgoing_packet, padlen, &cp)) != 0) |
1232 | 0 | goto out; |
1233 | 228k | if (enc && !cipher_ctx_is_plaintext(state->send_context)) { |
1234 | | /* random padding */ |
1235 | 0 | arc4random_buf(cp, padlen); |
1236 | 228k | } else { |
1237 | | /* clear padding */ |
1238 | 228k | explicit_bzero(cp, padlen); |
1239 | 228k | } |
1240 | | /* sizeof (packet_len + pad_len + payload + padding) */ |
1241 | 228k | len = sshbuf_len(state->outgoing_packet); |
1242 | 228k | cp = sshbuf_mutable_ptr(state->outgoing_packet); |
1243 | 228k | if (cp == NULL) { |
1244 | 0 | r = SSH_ERR_INTERNAL_ERROR; |
1245 | 0 | goto out; |
1246 | 0 | } |
1247 | | /* packet_length includes payload, padding and padding length field */ |
1248 | 228k | POKE_U32(cp, len - 4); |
1249 | 228k | cp[4] = padlen; |
1250 | 228k | DBG(debug("send: len %d (includes padlen %d, aadlen %d)", |
1251 | 228k | len, padlen, aadlen)); |
1252 | | |
1253 | | /* compute MAC over seqnr and packet(length fields, payload, padding) */ |
1254 | 228k | if (mac && mac->enabled && !mac->etm) { |
1255 | 0 | if ((r = mac_compute(mac, state->p_send.seqnr, |
1256 | 0 | sshbuf_ptr(state->outgoing_packet), len, |
1257 | 0 | macbuf, sizeof(macbuf))) != 0) |
1258 | 0 | goto out; |
1259 | 0 | DBG(debug("done calc MAC out #%d", state->p_send.seqnr)); |
1260 | 0 | } |
1261 | | /* encrypt packet and append to output buffer. */ |
1262 | 228k | if ((r = sshbuf_reserve(state->output, |
1263 | 228k | sshbuf_len(state->outgoing_packet) + authlen, &cp)) != 0) |
1264 | 0 | goto out; |
1265 | 228k | if ((r = cipher_crypt(state->send_context, state->p_send.seqnr, cp, |
1266 | 228k | sshbuf_ptr(state->outgoing_packet), len - aadlen, aadlen, authlen)) |
1267 | 228k | != 0) |
1268 | 0 | goto out; |
1269 | | /* append unencrypted MAC */ |
1270 | 228k | if (mac && mac->enabled) { |
1271 | 0 | if (mac->etm) { |
1272 | | /* EtM: compute mac over aadlen + cipher text */ |
1273 | 0 | if ((r = mac_compute(mac, state->p_send.seqnr, |
1274 | 0 | cp, len, macbuf, sizeof(macbuf))) != 0) |
1275 | 0 | goto out; |
1276 | 0 | DBG(debug("done calc MAC(EtM) out #%d", |
1277 | 0 | state->p_send.seqnr)); |
1278 | 0 | } |
1279 | 0 | if ((r = sshbuf_put(state->output, macbuf, mac->mac_len)) != 0) |
1280 | 0 | goto out; |
1281 | 0 | } |
1282 | | #ifdef PACKET_DEBUG |
1283 | | fprintf(stderr, "encrypted: "); |
1284 | | sshbuf_dump(state->output, stderr); |
1285 | | #endif |
1286 | | /* increment sequence number for outgoing packets */ |
1287 | 228k | if (++state->p_send.seqnr == 0) { |
1288 | 0 | if ((ssh->kex->flags & KEX_INITIAL) != 0) { |
1289 | 0 | ssh_packet_disconnect(ssh, "outgoing sequence number " |
1290 | 0 | "wrapped during initial key exchange"); |
1291 | 0 | } |
1292 | 0 | logit("outgoing seqnr wraps around"); |
1293 | 0 | } |
1294 | 228k | if (++state->p_send.packets == 0) |
1295 | 0 | if (!(ssh->compat & SSH_BUG_NOREKEY)) |
1296 | 0 | return SSH_ERR_NEED_REKEY; |
1297 | 228k | state->p_send.blocks += len / block_size; |
1298 | 228k | state->p_send.bytes += len; |
1299 | 228k | sshbuf_reset(state->outgoing_packet); |
1300 | | |
1301 | 228k | if (type == SSH2_MSG_NEWKEYS && ssh->kex->kex_strict) { |
1302 | 0 | debug_f("resetting send seqnr %u", state->p_send.seqnr); |
1303 | 0 | state->p_send.seqnr = 0; |
1304 | 0 | } |
1305 | | |
1306 | 228k | if (type == SSH2_MSG_NEWKEYS) |
1307 | 0 | r = ssh_set_newkeys(ssh, MODE_OUT); |
1308 | 228k | else if (type == SSH2_MSG_USERAUTH_SUCCESS && state->server_side) |
1309 | 0 | r = ssh_packet_enable_delayed_compress(ssh); |
1310 | 228k | else |
1311 | 228k | r = 0; |
1312 | 228k | out: |
1313 | 228k | return r; |
1314 | 228k | } |
1315 | | |
1316 | | /* returns non-zero if the specified packet type is usec by KEX */ |
1317 | | static int |
1318 | | ssh_packet_type_is_kex(u_char type) |
1319 | 457k | { |
1320 | 457k | return |
1321 | 457k | type >= SSH2_MSG_TRANSPORT_MIN && |
1322 | 457k | type <= SSH2_MSG_TRANSPORT_MAX && |
1323 | 457k | type != SSH2_MSG_SERVICE_REQUEST && |
1324 | 457k | type != SSH2_MSG_SERVICE_ACCEPT && |
1325 | 457k | type != SSH2_MSG_EXT_INFO; |
1326 | 457k | } |
1327 | | |
1328 | | int |
1329 | | ssh_packet_send2(struct ssh *ssh) |
1330 | 228k | { |
1331 | 228k | struct session_state *state = ssh->state; |
1332 | 228k | struct packet *p; |
1333 | 228k | u_char type; |
1334 | 228k | int r, need_rekey; |
1335 | | |
1336 | 228k | if (sshbuf_len(state->outgoing_packet) < 6) |
1337 | 0 | return SSH_ERR_INTERNAL_ERROR; |
1338 | 228k | type = sshbuf_ptr(state->outgoing_packet)[5]; |
1339 | 228k | need_rekey = !ssh_packet_type_is_kex(type) && |
1340 | 228k | ssh_packet_need_rekeying(ssh, sshbuf_len(state->outgoing_packet)); |
1341 | | |
1342 | | /* |
1343 | | * During rekeying we can only send key exchange messages. |
1344 | | * Queue everything else. |
1345 | | */ |
1346 | 228k | if ((need_rekey || state->rekeying) && !ssh_packet_type_is_kex(type)) { |
1347 | 0 | if (need_rekey) |
1348 | 0 | debug3_f("rekex triggered"); |
1349 | 0 | debug_f("enqueue packet: %u", type); |
1350 | 0 | p = calloc(1, sizeof(*p)); |
1351 | 0 | if (p == NULL) |
1352 | 0 | return SSH_ERR_ALLOC_FAIL; |
1353 | 0 | p->type = type; |
1354 | 0 | p->payload = state->outgoing_packet; |
1355 | 0 | TAILQ_INSERT_TAIL(&state->outgoing, p, next); |
1356 | 0 | state->outgoing_packet = sshbuf_new(); |
1357 | 0 | if (state->outgoing_packet == NULL) |
1358 | 0 | return SSH_ERR_ALLOC_FAIL; |
1359 | 0 | if (need_rekey) { |
1360 | | /* |
1361 | | * This packet triggered a rekey, so send the |
1362 | | * KEXINIT now. |
1363 | | * NB. reenters this function via kex_start_rekex(). |
1364 | | */ |
1365 | 0 | return kex_start_rekex(ssh); |
1366 | 0 | } |
1367 | 0 | return 0; |
1368 | 0 | } |
1369 | | |
1370 | | /* rekeying starts with sending KEXINIT */ |
1371 | 228k | if (type == SSH2_MSG_KEXINIT) |
1372 | 20.0k | state->rekeying = 1; |
1373 | | |
1374 | 228k | if ((r = ssh_packet_send2_wrapped(ssh)) != 0) |
1375 | 0 | return r; |
1376 | | |
1377 | | /* after a NEWKEYS message we can send the complete queue */ |
1378 | 228k | if (type == SSH2_MSG_NEWKEYS) { |
1379 | 0 | state->rekeying = 0; |
1380 | 0 | state->rekey_time = monotime(); |
1381 | 0 | while ((p = TAILQ_FIRST(&state->outgoing))) { |
1382 | 0 | type = p->type; |
1383 | | /* |
1384 | | * If this packet triggers a rekex, then skip the |
1385 | | * remaining packets in the queue for now. |
1386 | | * NB. re-enters this function via kex_start_rekex. |
1387 | | */ |
1388 | 0 | if (ssh_packet_need_rekeying(ssh, |
1389 | 0 | sshbuf_len(p->payload))) { |
1390 | 0 | debug3_f("queued packet triggered rekex"); |
1391 | 0 | return kex_start_rekex(ssh); |
1392 | 0 | } |
1393 | 0 | debug_f("dequeue packet: %u", type); |
1394 | 0 | sshbuf_free(state->outgoing_packet); |
1395 | 0 | state->outgoing_packet = p->payload; |
1396 | 0 | TAILQ_REMOVE(&state->outgoing, p, next); |
1397 | 0 | memset(p, 0, sizeof(*p)); |
1398 | 0 | free(p); |
1399 | 0 | if ((r = ssh_packet_send2_wrapped(ssh)) != 0) |
1400 | 0 | return r; |
1401 | 0 | } |
1402 | 0 | } |
1403 | 228k | return 0; |
1404 | 228k | } |
1405 | | |
1406 | | /* |
1407 | | * Waits until a packet has been received, and returns its type. Note that |
1408 | | * no other data is processed until this returns, so this function should not |
1409 | | * be used during the interactive session. |
1410 | | */ |
1411 | | |
1412 | | int |
1413 | | ssh_packet_read_seqnr(struct ssh *ssh, u_char *typep, u_int32_t *seqnr_p) |
1414 | 0 | { |
1415 | 0 | struct session_state *state = ssh->state; |
1416 | 0 | int len, r, ms_remain = 0; |
1417 | 0 | struct pollfd pfd; |
1418 | 0 | char buf[SSH_IOBUFSZ]; |
1419 | 0 | struct timeval start; |
1420 | 0 | struct timespec timespec, *timespecp = NULL; |
1421 | |
|
1422 | 0 | DBG(debug("packet_read()")); |
1423 | | |
1424 | | /* |
1425 | | * Since we are blocking, ensure that all written packets have |
1426 | | * been sent. |
1427 | | */ |
1428 | 0 | if ((r = ssh_packet_write_wait(ssh)) != 0) |
1429 | 0 | goto out; |
1430 | | |
1431 | | /* Stay in the loop until we have received a complete packet. */ |
1432 | 0 | for (;;) { |
1433 | | /* Try to read a packet from the buffer. */ |
1434 | 0 | if ((r = ssh_packet_read_poll_seqnr(ssh, typep, seqnr_p)) != 0) |
1435 | 0 | break; |
1436 | | /* If we got a packet, return it. */ |
1437 | 0 | if (*typep != SSH_MSG_NONE) |
1438 | 0 | break; |
1439 | | /* |
1440 | | * Otherwise, wait for some data to arrive, add it to the |
1441 | | * buffer, and try again. |
1442 | | */ |
1443 | 0 | pfd.fd = state->connection_in; |
1444 | 0 | pfd.events = POLLIN; |
1445 | |
|
1446 | 0 | if (state->packet_timeout_ms > 0) { |
1447 | 0 | ms_remain = state->packet_timeout_ms; |
1448 | 0 | timespecp = ×pec; |
1449 | 0 | } |
1450 | | /* Wait for some data to arrive. */ |
1451 | 0 | for (;;) { |
1452 | 0 | if (state->packet_timeout_ms > 0) { |
1453 | 0 | ms_to_timespec(×pec, ms_remain); |
1454 | 0 | monotime_tv(&start); |
1455 | 0 | } |
1456 | 0 | if ((r = ppoll(&pfd, 1, timespecp, NULL)) >= 0) |
1457 | 0 | break; |
1458 | 0 | if (errno != EAGAIN && errno != EINTR && |
1459 | 0 | errno != EWOULDBLOCK) { |
1460 | 0 | r = SSH_ERR_SYSTEM_ERROR; |
1461 | 0 | goto out; |
1462 | 0 | } |
1463 | 0 | if (state->packet_timeout_ms <= 0) |
1464 | 0 | continue; |
1465 | 0 | ms_subtract_diff(&start, &ms_remain); |
1466 | 0 | if (ms_remain <= 0) { |
1467 | 0 | r = 0; |
1468 | 0 | break; |
1469 | 0 | } |
1470 | 0 | } |
1471 | 0 | if (r == 0) { |
1472 | 0 | r = SSH_ERR_CONN_TIMEOUT; |
1473 | 0 | goto out; |
1474 | 0 | } |
1475 | | /* Read data from the socket. */ |
1476 | 0 | len = read(state->connection_in, buf, sizeof(buf)); |
1477 | 0 | if (len == 0) { |
1478 | 0 | r = SSH_ERR_CONN_CLOSED; |
1479 | 0 | goto out; |
1480 | 0 | } |
1481 | 0 | if (len == -1) { |
1482 | 0 | r = SSH_ERR_SYSTEM_ERROR; |
1483 | 0 | goto out; |
1484 | 0 | } |
1485 | | |
1486 | | /* Append it to the buffer. */ |
1487 | 0 | if ((r = ssh_packet_process_incoming(ssh, buf, len)) != 0) |
1488 | 0 | goto out; |
1489 | 0 | } |
1490 | 0 | out: |
1491 | 0 | return r; |
1492 | 0 | } |
1493 | | |
1494 | | int |
1495 | | ssh_packet_read(struct ssh *ssh) |
1496 | 0 | { |
1497 | 0 | u_char type; |
1498 | 0 | int r; |
1499 | |
|
1500 | 0 | if ((r = ssh_packet_read_seqnr(ssh, &type, NULL)) != 0) |
1501 | 0 | fatal_fr(r, "read"); |
1502 | 0 | return type; |
1503 | 0 | } |
1504 | | |
1505 | | static int |
1506 | | ssh_packet_read_poll2_mux(struct ssh *ssh, u_char *typep, u_int32_t *seqnr_p) |
1507 | 0 | { |
1508 | 0 | struct session_state *state = ssh->state; |
1509 | 0 | const u_char *cp; |
1510 | 0 | size_t need; |
1511 | 0 | int r; |
1512 | |
|
1513 | 0 | if (ssh->kex) |
1514 | 0 | return SSH_ERR_INTERNAL_ERROR; |
1515 | 0 | *typep = SSH_MSG_NONE; |
1516 | 0 | cp = sshbuf_ptr(state->input); |
1517 | 0 | if (state->packlen == 0) { |
1518 | 0 | if (sshbuf_len(state->input) < 4 + 1) |
1519 | 0 | return 0; /* packet is incomplete */ |
1520 | 0 | state->packlen = PEEK_U32(cp); |
1521 | 0 | if (state->packlen < 4 + 1 || |
1522 | 0 | state->packlen > packet_max_size) |
1523 | 0 | return SSH_ERR_MESSAGE_INCOMPLETE; |
1524 | 0 | } |
1525 | 0 | need = state->packlen + 4; |
1526 | 0 | if (sshbuf_len(state->input) < need) |
1527 | 0 | return 0; /* packet is incomplete */ |
1528 | 0 | sshbuf_reset(state->incoming_packet); |
1529 | 0 | if ((r = sshbuf_put(state->incoming_packet, cp + 4, |
1530 | 0 | state->packlen)) != 0 || |
1531 | 0 | (r = sshbuf_consume(state->input, need)) != 0 || |
1532 | 0 | (r = sshbuf_get_u8(state->incoming_packet, NULL)) != 0 || |
1533 | 0 | (r = sshbuf_get_u8(state->incoming_packet, typep)) != 0) |
1534 | 0 | return r; |
1535 | 0 | if (ssh_packet_log_type(*typep)) |
1536 | 0 | debug3_f("type %u", *typep); |
1537 | | /* sshbuf_dump(state->incoming_packet, stderr); */ |
1538 | | /* reset for next packet */ |
1539 | 0 | state->packlen = 0; |
1540 | 0 | return r; |
1541 | 0 | } |
1542 | | |
1543 | | int |
1544 | | ssh_packet_read_poll2(struct ssh *ssh, u_char *typep, u_int32_t *seqnr_p) |
1545 | 218k | { |
1546 | 218k | struct session_state *state = ssh->state; |
1547 | 218k | u_int padlen, need; |
1548 | 218k | u_char *cp; |
1549 | 218k | u_int maclen, aadlen = 0, authlen = 0, block_size; |
1550 | 218k | struct sshenc *enc = NULL; |
1551 | 218k | struct sshmac *mac = NULL; |
1552 | 218k | struct sshcomp *comp = NULL; |
1553 | 218k | int r; |
1554 | | |
1555 | 218k | if (state->mux) |
1556 | 0 | return ssh_packet_read_poll2_mux(ssh, typep, seqnr_p); |
1557 | | |
1558 | 218k | *typep = SSH_MSG_NONE; |
1559 | | |
1560 | 218k | if (state->packet_discard) |
1561 | 0 | return 0; |
1562 | | |
1563 | 218k | if (state->newkeys[MODE_IN] != NULL) { |
1564 | 0 | enc = &state->newkeys[MODE_IN]->enc; |
1565 | 0 | mac = &state->newkeys[MODE_IN]->mac; |
1566 | 0 | comp = &state->newkeys[MODE_IN]->comp; |
1567 | | /* disable mac for authenticated encryption */ |
1568 | 0 | if ((authlen = cipher_authlen(enc->cipher)) != 0) |
1569 | 0 | mac = NULL; |
1570 | 0 | } |
1571 | 218k | maclen = mac && mac->enabled ? mac->mac_len : 0; |
1572 | 218k | block_size = enc ? enc->block_size : 8; |
1573 | 218k | aadlen = (mac && mac->enabled && mac->etm) || authlen ? 4 : 0; |
1574 | | |
1575 | 218k | if (aadlen && state->packlen == 0) { |
1576 | 0 | if (cipher_get_length(state->receive_context, &state->packlen, |
1577 | 0 | state->p_read.seqnr, sshbuf_ptr(state->input), |
1578 | 0 | sshbuf_len(state->input)) != 0) |
1579 | 0 | return 0; |
1580 | 0 | if (state->packlen < 1 + 4 || |
1581 | 0 | state->packlen > packet_max_size) { |
1582 | | #ifdef PACKET_DEBUG |
1583 | | sshbuf_dump(state->input, stderr); |
1584 | | #endif |
1585 | 0 | logit("Bad packet length %u.", state->packlen); |
1586 | 0 | if ((r = sshpkt_disconnect(ssh, "Packet corrupt")) != 0) |
1587 | 0 | return r; |
1588 | 0 | return SSH_ERR_CONN_CORRUPT; |
1589 | 0 | } |
1590 | 0 | sshbuf_reset(state->incoming_packet); |
1591 | 218k | } else if (state->packlen == 0) { |
1592 | | /* |
1593 | | * check if input size is less than the cipher block size, |
1594 | | * decrypt first block and extract length of incoming packet |
1595 | | */ |
1596 | 218k | if (sshbuf_len(state->input) < block_size) |
1597 | 0 | return 0; |
1598 | 218k | sshbuf_reset(state->incoming_packet); |
1599 | 218k | if ((r = sshbuf_reserve(state->incoming_packet, block_size, |
1600 | 218k | &cp)) != 0) |
1601 | 0 | goto out; |
1602 | 218k | if ((r = cipher_crypt(state->receive_context, |
1603 | 218k | state->p_send.seqnr, cp, sshbuf_ptr(state->input), |
1604 | 218k | block_size, 0, 0)) != 0) |
1605 | 0 | goto out; |
1606 | 218k | state->packlen = PEEK_U32(sshbuf_ptr(state->incoming_packet)); |
1607 | 218k | if (state->packlen < 1 + 4 || |
1608 | 218k | state->packlen > packet_max_size) { |
1609 | | #ifdef PACKET_DEBUG |
1610 | | fprintf(stderr, "input: \n"); |
1611 | | sshbuf_dump(state->input, stderr); |
1612 | | fprintf(stderr, "incoming_packet: \n"); |
1613 | | sshbuf_dump(state->incoming_packet, stderr); |
1614 | | #endif |
1615 | 8.76k | logit("Bad packet length %u.", state->packlen); |
1616 | 8.76k | return ssh_packet_start_discard(ssh, enc, mac, 0, |
1617 | 8.76k | packet_max_size); |
1618 | 8.76k | } |
1619 | 209k | if ((r = sshbuf_consume(state->input, block_size)) != 0) |
1620 | 0 | goto out; |
1621 | 209k | } |
1622 | 209k | DBG(debug("input: packet len %u", state->packlen+4)); |
1623 | | |
1624 | 209k | if (aadlen) { |
1625 | | /* only the payload is encrypted */ |
1626 | 0 | need = state->packlen; |
1627 | 209k | } else { |
1628 | | /* |
1629 | | * the payload size and the payload are encrypted, but we |
1630 | | * have a partial packet of block_size bytes |
1631 | | */ |
1632 | 209k | need = 4 + state->packlen - block_size; |
1633 | 209k | } |
1634 | 209k | DBG(debug("partial packet: block %d, need %d, maclen %d, authlen %d," |
1635 | 209k | " aadlen %d", block_size, need, maclen, authlen, aadlen)); |
1636 | 209k | if (need % block_size != 0) { |
1637 | 500 | logit("padding error: need %d block %d mod %d", |
1638 | 500 | need, block_size, need % block_size); |
1639 | 500 | return ssh_packet_start_discard(ssh, enc, mac, 0, |
1640 | 500 | packet_max_size - block_size); |
1641 | 500 | } |
1642 | | /* |
1643 | | * check if the entire packet has been received and |
1644 | | * decrypt into incoming_packet: |
1645 | | * 'aadlen' bytes are unencrypted, but authenticated. |
1646 | | * 'need' bytes are encrypted, followed by either |
1647 | | * 'authlen' bytes of authentication tag or |
1648 | | * 'maclen' bytes of message authentication code. |
1649 | | */ |
1650 | 208k | if (sshbuf_len(state->input) < aadlen + need + authlen + maclen) |
1651 | 0 | return 0; /* packet is incomplete */ |
1652 | | #ifdef PACKET_DEBUG |
1653 | | fprintf(stderr, "read_poll enc/full: "); |
1654 | | sshbuf_dump(state->input, stderr); |
1655 | | #endif |
1656 | | /* EtM: check mac over encrypted input */ |
1657 | 208k | if (mac && mac->enabled && mac->etm) { |
1658 | 0 | if ((r = mac_check(mac, state->p_read.seqnr, |
1659 | 0 | sshbuf_ptr(state->input), aadlen + need, |
1660 | 0 | sshbuf_ptr(state->input) + aadlen + need + authlen, |
1661 | 0 | maclen)) != 0) { |
1662 | 0 | if (r == SSH_ERR_MAC_INVALID) |
1663 | 0 | logit("Corrupted MAC on input."); |
1664 | 0 | goto out; |
1665 | 0 | } |
1666 | 0 | } |
1667 | 208k | if ((r = sshbuf_reserve(state->incoming_packet, aadlen + need, |
1668 | 208k | &cp)) != 0) |
1669 | 0 | goto out; |
1670 | 208k | if ((r = cipher_crypt(state->receive_context, state->p_read.seqnr, cp, |
1671 | 208k | sshbuf_ptr(state->input), need, aadlen, authlen)) != 0) |
1672 | 0 | goto out; |
1673 | 208k | if ((r = sshbuf_consume(state->input, aadlen + need + authlen)) != 0) |
1674 | 0 | goto out; |
1675 | 208k | if (mac && mac->enabled) { |
1676 | | /* Not EtM: check MAC over cleartext */ |
1677 | 0 | if (!mac->etm && (r = mac_check(mac, state->p_read.seqnr, |
1678 | 0 | sshbuf_ptr(state->incoming_packet), |
1679 | 0 | sshbuf_len(state->incoming_packet), |
1680 | 0 | sshbuf_ptr(state->input), maclen)) != 0) { |
1681 | 0 | if (r != SSH_ERR_MAC_INVALID) |
1682 | 0 | goto out; |
1683 | 0 | logit("Corrupted MAC on input."); |
1684 | 0 | if (need + block_size > packet_max_size) |
1685 | 0 | return SSH_ERR_INTERNAL_ERROR; |
1686 | 0 | return ssh_packet_start_discard(ssh, enc, mac, |
1687 | 0 | sshbuf_len(state->incoming_packet), |
1688 | 0 | packet_max_size - need - block_size); |
1689 | 0 | } |
1690 | | /* Remove MAC from input buffer */ |
1691 | 0 | DBG(debug("MAC #%d ok", state->p_read.seqnr)); |
1692 | 0 | if ((r = sshbuf_consume(state->input, mac->mac_len)) != 0) |
1693 | 0 | goto out; |
1694 | 0 | } |
1695 | | |
1696 | 208k | if (seqnr_p != NULL) |
1697 | 208k | *seqnr_p = state->p_read.seqnr; |
1698 | 208k | if (++state->p_read.seqnr == 0) { |
1699 | 0 | if ((ssh->kex->flags & KEX_INITIAL) != 0) { |
1700 | 0 | ssh_packet_disconnect(ssh, "incoming sequence number " |
1701 | 0 | "wrapped during initial key exchange"); |
1702 | 0 | } |
1703 | 0 | logit("incoming seqnr wraps around"); |
1704 | 0 | } |
1705 | 208k | if (++state->p_read.packets == 0) |
1706 | 0 | if (!(ssh->compat & SSH_BUG_NOREKEY)) |
1707 | 0 | return SSH_ERR_NEED_REKEY; |
1708 | 208k | state->p_read.blocks += (state->packlen + 4) / block_size; |
1709 | 208k | state->p_read.bytes += state->packlen + 4; |
1710 | | |
1711 | | /* get padlen */ |
1712 | 208k | padlen = sshbuf_ptr(state->incoming_packet)[4]; |
1713 | 208k | DBG(debug("input: padlen %d", padlen)); |
1714 | 208k | if (padlen < 4) { |
1715 | 220 | if ((r = sshpkt_disconnect(ssh, |
1716 | 220 | "Corrupted padlen %d on input.", padlen)) != 0 || |
1717 | 220 | (r = ssh_packet_write_wait(ssh)) != 0) |
1718 | 220 | return r; |
1719 | 0 | return SSH_ERR_CONN_CORRUPT; |
1720 | 220 | } |
1721 | | |
1722 | | /* skip packet size + padlen, discard padding */ |
1723 | 208k | if ((r = sshbuf_consume(state->incoming_packet, 4 + 1)) != 0 || |
1724 | 208k | ((r = sshbuf_consume_end(state->incoming_packet, padlen)) != 0)) |
1725 | 260 | goto out; |
1726 | | |
1727 | 208k | DBG(debug("input: len before de-compress %zd", |
1728 | 208k | sshbuf_len(state->incoming_packet))); |
1729 | 208k | if (comp && comp->enabled) { |
1730 | 0 | sshbuf_reset(state->compression_buffer); |
1731 | 0 | if ((r = uncompress_buffer(ssh, state->incoming_packet, |
1732 | 0 | state->compression_buffer)) != 0) |
1733 | 0 | goto out; |
1734 | 0 | sshbuf_reset(state->incoming_packet); |
1735 | 0 | if ((r = sshbuf_putb(state->incoming_packet, |
1736 | 0 | state->compression_buffer)) != 0) |
1737 | 0 | goto out; |
1738 | 0 | DBG(debug("input: len after de-compress %zd", |
1739 | 0 | sshbuf_len(state->incoming_packet))); |
1740 | 0 | } |
1741 | | /* |
1742 | | * get packet type, implies consume. |
1743 | | * return length of payload (without type field) |
1744 | | */ |
1745 | 208k | if ((r = sshbuf_get_u8(state->incoming_packet, typep)) != 0) |
1746 | 60 | goto out; |
1747 | 208k | if (ssh_packet_log_type(*typep)) |
1748 | 208k | debug3("receive packet: type %u", *typep); |
1749 | 208k | if (*typep < SSH2_MSG_MIN) { |
1750 | 920 | if ((r = sshpkt_disconnect(ssh, |
1751 | 920 | "Invalid ssh2 packet type: %d", *typep)) != 0 || |
1752 | 920 | (r = ssh_packet_write_wait(ssh)) != 0) |
1753 | 920 | return r; |
1754 | 0 | return SSH_ERR_PROTOCOL_ERROR; |
1755 | 920 | } |
1756 | 207k | if (state->hook_in != NULL && |
1757 | 207k | (r = state->hook_in(ssh, state->incoming_packet, typep, |
1758 | 0 | state->hook_in_ctx)) != 0) |
1759 | 0 | return r; |
1760 | 207k | if (*typep == SSH2_MSG_USERAUTH_SUCCESS && !state->server_side) |
1761 | 0 | r = ssh_packet_enable_delayed_compress(ssh); |
1762 | 207k | else |
1763 | 207k | r = 0; |
1764 | | #ifdef PACKET_DEBUG |
1765 | | fprintf(stderr, "read/plain[%d]:\r\n", *typep); |
1766 | | sshbuf_dump(state->incoming_packet, stderr); |
1767 | | #endif |
1768 | | /* reset for next packet */ |
1769 | 207k | state->packlen = 0; |
1770 | 207k | if (*typep == SSH2_MSG_NEWKEYS && ssh->kex->kex_strict) { |
1771 | 0 | debug_f("resetting read seqnr %u", state->p_read.seqnr); |
1772 | 0 | state->p_read.seqnr = 0; |
1773 | 0 | } |
1774 | | |
1775 | 207k | if ((r = ssh_packet_check_rekey(ssh)) != 0) |
1776 | 0 | return r; |
1777 | 207k | out: |
1778 | 207k | return r; |
1779 | 207k | } |
1780 | | |
1781 | | int |
1782 | | ssh_packet_read_poll_seqnr(struct ssh *ssh, u_char *typep, u_int32_t *seqnr_p) |
1783 | 0 | { |
1784 | 0 | struct session_state *state = ssh->state; |
1785 | 0 | u_int reason, seqnr; |
1786 | 0 | int r; |
1787 | 0 | u_char *msg; |
1788 | 0 | const u_char *d; |
1789 | 0 | size_t len; |
1790 | |
|
1791 | 0 | for (;;) { |
1792 | 0 | msg = NULL; |
1793 | 0 | r = ssh_packet_read_poll2(ssh, typep, seqnr_p); |
1794 | 0 | if (r != 0) |
1795 | 0 | return r; |
1796 | 0 | if (*typep == 0) { |
1797 | | /* no message ready */ |
1798 | 0 | return 0; |
1799 | 0 | } |
1800 | 0 | state->keep_alive_timeouts = 0; |
1801 | 0 | DBG(debug("received packet type %d", *typep)); |
1802 | | |
1803 | | /* Always process disconnect messages */ |
1804 | 0 | if (*typep == SSH2_MSG_DISCONNECT) { |
1805 | 0 | if ((r = sshpkt_get_u32(ssh, &reason)) != 0 || |
1806 | 0 | (r = sshpkt_get_string(ssh, &msg, NULL)) != 0) |
1807 | 0 | return r; |
1808 | | /* Ignore normal client exit notifications */ |
1809 | 0 | do_log2(ssh->state->server_side && |
1810 | 0 | reason == SSH2_DISCONNECT_BY_APPLICATION ? |
1811 | 0 | SYSLOG_LEVEL_INFO : SYSLOG_LEVEL_ERROR, |
1812 | 0 | "Received disconnect from %s port %d:" |
1813 | 0 | "%u: %.400s", ssh_remote_ipaddr(ssh), |
1814 | 0 | ssh_remote_port(ssh), reason, msg); |
1815 | 0 | free(msg); |
1816 | 0 | return SSH_ERR_DISCONNECTED; |
1817 | 0 | } |
1818 | | |
1819 | | /* |
1820 | | * Do not implicitly handle any messages here during initial |
1821 | | * KEX when in strict mode. They will be need to be allowed |
1822 | | * explicitly by the KEX dispatch table or they will generate |
1823 | | * protocol errors. |
1824 | | */ |
1825 | 0 | if (ssh->kex != NULL && |
1826 | 0 | (ssh->kex->flags & KEX_INITIAL) && ssh->kex->kex_strict) |
1827 | 0 | return 0; |
1828 | | /* Implicitly handle transport-level messages */ |
1829 | 0 | switch (*typep) { |
1830 | 0 | case SSH2_MSG_IGNORE: |
1831 | 0 | debug3("Received SSH2_MSG_IGNORE"); |
1832 | 0 | break; |
1833 | 0 | case SSH2_MSG_DEBUG: |
1834 | 0 | if ((r = sshpkt_get_u8(ssh, NULL)) != 0 || |
1835 | 0 | (r = sshpkt_get_string(ssh, &msg, NULL)) != 0 || |
1836 | 0 | (r = sshpkt_get_string(ssh, NULL, NULL)) != 0) { |
1837 | 0 | free(msg); |
1838 | 0 | return r; |
1839 | 0 | } |
1840 | 0 | debug("Remote: %.900s", msg); |
1841 | 0 | free(msg); |
1842 | 0 | break; |
1843 | 0 | case SSH2_MSG_UNIMPLEMENTED: |
1844 | 0 | if ((r = sshpkt_get_u32(ssh, &seqnr)) != 0) |
1845 | 0 | return r; |
1846 | 0 | debug("Received SSH2_MSG_UNIMPLEMENTED for %u", |
1847 | 0 | seqnr); |
1848 | 0 | break; |
1849 | 0 | case SSH2_MSG_PING: |
1850 | 0 | if ((r = sshpkt_get_string_direct(ssh, &d, &len)) != 0) |
1851 | 0 | return r; |
1852 | 0 | DBG(debug("Received SSH2_MSG_PING len %zu", len)); |
1853 | 0 | if ((r = sshpkt_start(ssh, SSH2_MSG_PONG)) != 0 || |
1854 | 0 | (r = sshpkt_put_string(ssh, d, len)) != 0 || |
1855 | 0 | (r = sshpkt_send(ssh)) != 0) |
1856 | 0 | return r; |
1857 | 0 | break; |
1858 | 0 | case SSH2_MSG_PONG: |
1859 | 0 | if ((r = sshpkt_get_string_direct(ssh, |
1860 | 0 | NULL, &len)) != 0) |
1861 | 0 | return r; |
1862 | 0 | DBG(debug("Received SSH2_MSG_PONG len %zu", len)); |
1863 | 0 | break; |
1864 | 0 | default: |
1865 | 0 | return 0; |
1866 | 0 | } |
1867 | 0 | } |
1868 | 0 | } |
1869 | | |
1870 | | /* |
1871 | | * Buffers the supplied input data. This is intended to be used together |
1872 | | * with packet_read_poll(). |
1873 | | */ |
1874 | | int |
1875 | | ssh_packet_process_incoming(struct ssh *ssh, const char *buf, u_int len) |
1876 | 0 | { |
1877 | 0 | struct session_state *state = ssh->state; |
1878 | 0 | int r; |
1879 | |
|
1880 | 0 | if (state->packet_discard) { |
1881 | 0 | state->keep_alive_timeouts = 0; /* ?? */ |
1882 | 0 | if (len >= state->packet_discard) { |
1883 | 0 | if ((r = ssh_packet_stop_discard(ssh)) != 0) |
1884 | 0 | return r; |
1885 | 0 | } |
1886 | 0 | state->packet_discard -= len; |
1887 | 0 | return 0; |
1888 | 0 | } |
1889 | 0 | if ((r = sshbuf_put(state->input, buf, len)) != 0) |
1890 | 0 | return r; |
1891 | | |
1892 | 0 | return 0; |
1893 | 0 | } |
1894 | | |
1895 | | /* Reads and buffers data from the specified fd */ |
1896 | | int |
1897 | | ssh_packet_process_read(struct ssh *ssh, int fd) |
1898 | 0 | { |
1899 | 0 | struct session_state *state = ssh->state; |
1900 | 0 | int r; |
1901 | 0 | size_t rlen; |
1902 | |
|
1903 | 0 | if ((r = sshbuf_read(fd, state->input, packet_max_size, &rlen)) != 0) |
1904 | 0 | return r; |
1905 | | |
1906 | 0 | if (state->packet_discard) { |
1907 | 0 | if ((r = sshbuf_consume_end(state->input, rlen)) != 0) |
1908 | 0 | return r; |
1909 | 0 | state->keep_alive_timeouts = 0; /* ?? */ |
1910 | 0 | if (rlen >= state->packet_discard) { |
1911 | 0 | if ((r = ssh_packet_stop_discard(ssh)) != 0) |
1912 | 0 | return r; |
1913 | 0 | } |
1914 | 0 | state->packet_discard -= rlen; |
1915 | 0 | return 0; |
1916 | 0 | } |
1917 | 0 | return 0; |
1918 | 0 | } |
1919 | | |
1920 | | int |
1921 | | ssh_packet_remaining(struct ssh *ssh) |
1922 | 0 | { |
1923 | 0 | return sshbuf_len(ssh->state->incoming_packet); |
1924 | 0 | } |
1925 | | |
1926 | | /* |
1927 | | * Sends a diagnostic message from the server to the client. This message |
1928 | | * can be sent at any time (but not while constructing another message). The |
1929 | | * message is printed immediately, but only if the client is being executed |
1930 | | * in verbose mode. These messages are primarily intended to ease debugging |
1931 | | * authentication problems. The length of the formatted message must not |
1932 | | * exceed 1024 bytes. This will automatically call ssh_packet_write_wait. |
1933 | | */ |
1934 | | void |
1935 | | ssh_packet_send_debug(struct ssh *ssh, const char *fmt,...) |
1936 | 0 | { |
1937 | 0 | char buf[1024]; |
1938 | 0 | va_list args; |
1939 | 0 | int r; |
1940 | |
|
1941 | 0 | if ((ssh->compat & SSH_BUG_DEBUG)) |
1942 | 0 | return; |
1943 | | |
1944 | 0 | va_start(args, fmt); |
1945 | 0 | vsnprintf(buf, sizeof(buf), fmt, args); |
1946 | 0 | va_end(args); |
1947 | |
|
1948 | 0 | debug3("sending debug message: %s", buf); |
1949 | |
|
1950 | 0 | if ((r = sshpkt_start(ssh, SSH2_MSG_DEBUG)) != 0 || |
1951 | 0 | (r = sshpkt_put_u8(ssh, 0)) != 0 || /* always display */ |
1952 | 0 | (r = sshpkt_put_cstring(ssh, buf)) != 0 || |
1953 | 0 | (r = sshpkt_put_cstring(ssh, "")) != 0 || |
1954 | 0 | (r = sshpkt_send(ssh)) != 0 || |
1955 | 0 | (r = ssh_packet_write_wait(ssh)) != 0) |
1956 | 0 | fatal_fr(r, "send DEBUG"); |
1957 | 0 | } |
1958 | | |
1959 | | void |
1960 | | sshpkt_fmt_connection_id(struct ssh *ssh, char *s, size_t l) |
1961 | 0 | { |
1962 | 0 | snprintf(s, l, "%.200s%s%s port %d", |
1963 | 0 | ssh->log_preamble ? ssh->log_preamble : "", |
1964 | 0 | ssh->log_preamble ? " " : "", |
1965 | 0 | ssh_remote_ipaddr(ssh), ssh_remote_port(ssh)); |
1966 | 0 | } |
1967 | | |
1968 | | /* |
1969 | | * Pretty-print connection-terminating errors and exit. |
1970 | | */ |
1971 | | static void |
1972 | | sshpkt_vfatal(struct ssh *ssh, int r, const char *fmt, va_list ap) |
1973 | 0 | { |
1974 | 0 | char *tag = NULL, remote_id[512]; |
1975 | 0 | int oerrno = errno; |
1976 | |
|
1977 | 0 | sshpkt_fmt_connection_id(ssh, remote_id, sizeof(remote_id)); |
1978 | |
|
1979 | 0 | switch (r) { |
1980 | 0 | case SSH_ERR_CONN_CLOSED: |
1981 | 0 | ssh_packet_clear_keys(ssh); |
1982 | 0 | sshpkt_final_log_entry(ssh); |
1983 | 0 | logdie("Connection closed by %s", remote_id); |
1984 | 0 | case SSH_ERR_CONN_TIMEOUT: |
1985 | 0 | ssh_packet_clear_keys(ssh); |
1986 | 0 | sshpkt_final_log_entry(ssh); |
1987 | 0 | logdie("Connection %s %s timed out", |
1988 | 0 | ssh->state->server_side ? "from" : "to", remote_id); |
1989 | 0 | case SSH_ERR_DISCONNECTED: |
1990 | 0 | ssh_packet_clear_keys(ssh); |
1991 | 0 | sshpkt_final_log_entry(ssh); |
1992 | 0 | logdie("Disconnected from %s", remote_id); |
1993 | 0 | case SSH_ERR_SYSTEM_ERROR: |
1994 | 0 | if (errno == ECONNRESET) { |
1995 | 0 | ssh_packet_clear_keys(ssh); |
1996 | 0 | sshpkt_final_log_entry(ssh); |
1997 | 0 | logdie("Connection reset by %s", remote_id); |
1998 | 0 | } |
1999 | | /* FALLTHROUGH */ |
2000 | 0 | case SSH_ERR_NO_CIPHER_ALG_MATCH: |
2001 | 0 | case SSH_ERR_NO_MAC_ALG_MATCH: |
2002 | 0 | case SSH_ERR_NO_COMPRESS_ALG_MATCH: |
2003 | 0 | case SSH_ERR_NO_KEX_ALG_MATCH: |
2004 | 0 | case SSH_ERR_NO_HOSTKEY_ALG_MATCH: |
2005 | 0 | if (ssh->kex && ssh->kex->failed_choice) { |
2006 | 0 | ssh_packet_clear_keys(ssh); |
2007 | 0 | errno = oerrno; |
2008 | 0 | logdie("Unable to negotiate with %s: %s. " |
2009 | 0 | "Their offer: %s", remote_id, ssh_err(r), |
2010 | 0 | ssh->kex->failed_choice); |
2011 | 0 | } |
2012 | | /* FALLTHROUGH */ |
2013 | 0 | default: |
2014 | 0 | if (vasprintf(&tag, fmt, ap) == -1) { |
2015 | 0 | ssh_packet_clear_keys(ssh); |
2016 | 0 | logdie_f("could not allocate failure message"); |
2017 | 0 | } |
2018 | 0 | ssh_packet_clear_keys(ssh); |
2019 | 0 | errno = oerrno; |
2020 | 0 | logdie_r(r, "%s%sConnection %s %s", |
2021 | 0 | tag != NULL ? tag : "", tag != NULL ? ": " : "", |
2022 | 0 | ssh->state->server_side ? "from" : "to", remote_id); |
2023 | 0 | } |
2024 | 0 | } |
2025 | | |
2026 | | void |
2027 | | sshpkt_fatal(struct ssh *ssh, int r, const char *fmt, ...) |
2028 | 0 | { |
2029 | 0 | va_list ap; |
2030 | |
|
2031 | 0 | va_start(ap, fmt); |
2032 | 0 | sshpkt_vfatal(ssh, r, fmt, ap); |
2033 | | /* NOTREACHED */ |
2034 | 0 | va_end(ap); |
2035 | 0 | logdie_f("should have exited"); |
2036 | 0 | } |
2037 | | |
2038 | | /* this prints out the final log entry */ |
2039 | | void |
2040 | 0 | sshpkt_final_log_entry (struct ssh *ssh) { |
2041 | 0 | double total_time; |
2042 | |
|
2043 | 0 | if (ssh->start_time < 1) |
2044 | | /* this will produce a NaN in the output. -cjr */ |
2045 | 0 | total_time = 0; |
2046 | 0 | else |
2047 | 0 | total_time = monotime_double() - ssh->start_time; |
2048 | |
|
2049 | 0 | logit("SSH: Server;LType: Throughput;Remote: %s-%d;IN: %lu;OUT: %lu;Duration: %.1f;tPut_in: %.1f;tPut_out: %.1f", |
2050 | 0 | ssh_remote_ipaddr(ssh), ssh_remote_port(ssh), |
2051 | 0 | ssh->stdin_bytes, ssh->fdout_bytes, total_time, |
2052 | 0 | ssh->stdin_bytes / total_time, |
2053 | 0 | ssh->fdout_bytes / total_time); |
2054 | 0 | } |
2055 | | |
2056 | | /* |
2057 | | * Logs the error plus constructs and sends a disconnect packet, closes the |
2058 | | * connection, and exits. This function never returns. The error message |
2059 | | * should not contain a newline. The length of the formatted message must |
2060 | | * not exceed 1024 bytes. |
2061 | | */ |
2062 | | void |
2063 | | ssh_packet_disconnect(struct ssh *ssh, const char *fmt,...) |
2064 | 0 | { |
2065 | 0 | char buf[1024], remote_id[512]; |
2066 | 0 | va_list args; |
2067 | 0 | static int disconnecting = 0; |
2068 | 0 | int r; |
2069 | |
|
2070 | 0 | if (disconnecting) /* Guard against recursive invocations. */ |
2071 | 0 | fatal("packet_disconnect called recursively."); |
2072 | 0 | disconnecting = 1; |
2073 | | |
2074 | | /* |
2075 | | * Format the message. Note that the caller must make sure the |
2076 | | * message is of limited size. |
2077 | | */ |
2078 | 0 | sshpkt_fmt_connection_id(ssh, remote_id, sizeof(remote_id)); |
2079 | 0 | va_start(args, fmt); |
2080 | 0 | vsnprintf(buf, sizeof(buf), fmt, args); |
2081 | 0 | va_end(args); |
2082 | | |
2083 | | /* Display the error locally */ |
2084 | 0 | logit("Disconnecting %s: %.100s", remote_id, buf); |
2085 | | |
2086 | | /* |
2087 | | * Send the disconnect message to the other side, and wait |
2088 | | * for it to get sent. |
2089 | | */ |
2090 | 0 | if ((r = sshpkt_disconnect(ssh, "%s", buf)) != 0) |
2091 | 0 | sshpkt_fatal(ssh, r, "%s", __func__); |
2092 | | |
2093 | 0 | if ((r = ssh_packet_write_wait(ssh)) != 0) |
2094 | 0 | sshpkt_fatal(ssh, r, "%s", __func__); |
2095 | | |
2096 | | /* Close the connection. */ |
2097 | 0 | ssh_packet_close(ssh); |
2098 | 0 | cleanup_exit(255); |
2099 | 0 | } |
2100 | | |
2101 | | /* |
2102 | | * Checks if there is any buffered output, and tries to write some of |
2103 | | * the output. |
2104 | | */ |
2105 | | int |
2106 | | ssh_packet_write_poll(struct ssh *ssh) |
2107 | 1.14k | { |
2108 | 1.14k | struct session_state *state = ssh->state; |
2109 | 1.14k | int len = sshbuf_len(state->output); |
2110 | 1.14k | int r; |
2111 | | |
2112 | 1.14k | if (len > 0) { |
2113 | 1.14k | len = write(state->connection_out, |
2114 | 1.14k | sshbuf_ptr(state->output), len); |
2115 | 1.14k | if (len == -1) { |
2116 | 1.14k | if (errno == EINTR || errno == EAGAIN || |
2117 | 1.14k | errno == EWOULDBLOCK) |
2118 | 0 | return 0; |
2119 | 1.14k | return SSH_ERR_SYSTEM_ERROR; |
2120 | 1.14k | } |
2121 | 0 | if (len == 0) |
2122 | 0 | return SSH_ERR_CONN_CLOSED; |
2123 | 0 | if ((r = sshbuf_consume(state->output, len)) != 0) |
2124 | 0 | return r; |
2125 | 0 | } |
2126 | 0 | return 0; |
2127 | 1.14k | } |
2128 | | |
2129 | | /* |
2130 | | * Calls packet_write_poll repeatedly until all pending output data has been |
2131 | | * written. |
2132 | | */ |
2133 | | int |
2134 | | ssh_packet_write_wait(struct ssh *ssh) |
2135 | 1.14k | { |
2136 | 1.14k | int ret, r, ms_remain = 0; |
2137 | 1.14k | struct timeval start; |
2138 | 1.14k | struct timespec timespec, *timespecp = NULL; |
2139 | 1.14k | struct session_state *state = ssh->state; |
2140 | 1.14k | struct pollfd pfd; |
2141 | | |
2142 | 1.14k | if ((r = ssh_packet_write_poll(ssh)) != 0) |
2143 | 1.14k | return r; |
2144 | 0 | while (ssh_packet_have_data_to_write(ssh)) { |
2145 | 0 | pfd.fd = state->connection_out; |
2146 | 0 | pfd.events = POLLOUT; |
2147 | |
|
2148 | 0 | if (state->packet_timeout_ms > 0) { |
2149 | 0 | ms_remain = state->packet_timeout_ms; |
2150 | 0 | timespecp = ×pec; |
2151 | 0 | } |
2152 | 0 | for (;;) { |
2153 | 0 | if (state->packet_timeout_ms > 0) { |
2154 | 0 | ms_to_timespec(×pec, ms_remain); |
2155 | 0 | monotime_tv(&start); |
2156 | 0 | } |
2157 | 0 | if ((ret = ppoll(&pfd, 1, timespecp, NULL)) >= 0) |
2158 | 0 | break; |
2159 | 0 | if (errno != EAGAIN && errno != EINTR && |
2160 | 0 | errno != EWOULDBLOCK) |
2161 | 0 | break; |
2162 | 0 | if (state->packet_timeout_ms <= 0) |
2163 | 0 | continue; |
2164 | 0 | ms_subtract_diff(&start, &ms_remain); |
2165 | 0 | if (ms_remain <= 0) { |
2166 | 0 | ret = 0; |
2167 | 0 | break; |
2168 | 0 | } |
2169 | 0 | } |
2170 | 0 | if (ret == 0) |
2171 | 0 | return SSH_ERR_CONN_TIMEOUT; |
2172 | 0 | if ((r = ssh_packet_write_poll(ssh)) != 0) |
2173 | 0 | return r; |
2174 | 0 | } |
2175 | 0 | return 0; |
2176 | 0 | } |
2177 | | |
2178 | | /* Returns true if there is buffered data to write to the connection. */ |
2179 | | |
2180 | | int |
2181 | | ssh_packet_have_data_to_write(struct ssh *ssh) |
2182 | 0 | { |
2183 | 0 | return sshbuf_len(ssh->state->output) != 0; |
2184 | 0 | } |
2185 | | |
2186 | | /* Returns true if there is not too much data to write to the connection. */ |
2187 | | |
2188 | | int |
2189 | | ssh_packet_not_very_much_data_to_write(struct ssh *ssh) |
2190 | 0 | { |
2191 | 0 | if (ssh->state->interactive_mode) |
2192 | 0 | return sshbuf_len(ssh->state->output) < 16384; |
2193 | 0 | else |
2194 | 0 | return sshbuf_len(ssh->state->output) < 128 * 1024; |
2195 | 0 | } |
2196 | | |
2197 | | /* |
2198 | | * returns true when there are at most a few keystrokes of data to write |
2199 | | * and the connection is in interactive mode. |
2200 | | */ |
2201 | | |
2202 | | int |
2203 | | ssh_packet_interactive_data_to_write(struct ssh *ssh) |
2204 | 0 | { |
2205 | 0 | return ssh->state->interactive_mode && |
2206 | 0 | sshbuf_len(ssh->state->output) < 256; |
2207 | 0 | } |
2208 | | |
2209 | | void |
2210 | | ssh_packet_set_tos(struct ssh *ssh, int tos) |
2211 | 0 | { |
2212 | 0 | if (!ssh_packet_connection_is_on_socket(ssh) || tos == INT_MAX) |
2213 | 0 | return; |
2214 | 0 | set_sock_tos(ssh->state->connection_in, tos); |
2215 | 0 | } |
2216 | | |
2217 | | /* Informs that the current session is interactive. Sets IP flags for that. */ |
2218 | | |
2219 | | void |
2220 | | ssh_packet_set_interactive(struct ssh *ssh, int interactive, int qos_interactive, int qos_bulk) |
2221 | 0 | { |
2222 | 0 | struct session_state *state = ssh->state; |
2223 | |
|
2224 | 0 | if (state->set_interactive_called) |
2225 | 0 | return; |
2226 | 0 | state->set_interactive_called = 1; |
2227 | | |
2228 | | /* Record that we are in interactive mode. */ |
2229 | 0 | state->interactive_mode = interactive; |
2230 | | |
2231 | | /* Only set socket options if using a socket. */ |
2232 | 0 | if (!ssh_packet_connection_is_on_socket(ssh)) |
2233 | 0 | return; |
2234 | 0 | set_nodelay(state->connection_in); |
2235 | 0 | ssh_packet_set_tos(ssh, interactive ? qos_interactive : qos_bulk); |
2236 | 0 | } |
2237 | | |
2238 | | /* Returns true if the current connection is interactive. */ |
2239 | | |
2240 | | int |
2241 | | ssh_packet_is_interactive(struct ssh *ssh) |
2242 | 0 | { |
2243 | 0 | return ssh->state->interactive_mode; |
2244 | 0 | } |
2245 | | |
2246 | | int |
2247 | | ssh_packet_set_maxsize(struct ssh *ssh, u_int s) |
2248 | 0 | { |
2249 | 0 | struct session_state *state = ssh->state; |
2250 | |
|
2251 | 0 | if (state->set_maxsize_called) { |
2252 | 0 | logit_f("called twice: old %d new %d", |
2253 | 0 | state->max_packet_size, s); |
2254 | 0 | return -1; |
2255 | 0 | } |
2256 | 0 | if (s < 4 * 1024 || s > 1024 * 1024) { |
2257 | 0 | logit_f("bad size %d", s); |
2258 | 0 | return -1; |
2259 | 0 | } |
2260 | 0 | state->set_maxsize_called = 1; |
2261 | 0 | debug_f("setting to %d", s); |
2262 | 0 | state->max_packet_size = s; |
2263 | 0 | return s; |
2264 | 0 | } |
2265 | | |
2266 | | int |
2267 | | ssh_packet_inc_alive_timeouts(struct ssh *ssh) |
2268 | 0 | { |
2269 | 0 | return ++ssh->state->keep_alive_timeouts; |
2270 | 0 | } |
2271 | | |
2272 | | void |
2273 | | ssh_packet_set_alive_timeouts(struct ssh *ssh, int ka) |
2274 | 0 | { |
2275 | 0 | ssh->state->keep_alive_timeouts = ka; |
2276 | 0 | } |
2277 | | |
2278 | | u_int |
2279 | | ssh_packet_get_maxsize(struct ssh *ssh) |
2280 | 0 | { |
2281 | 0 | return ssh->state->max_packet_size; |
2282 | 0 | } |
2283 | | |
2284 | | void |
2285 | | ssh_packet_set_rekey_limits(struct ssh *ssh, u_int64_t bytes, u_int32_t seconds) |
2286 | 0 | { |
2287 | 0 | debug3("rekey after %llu bytes, %u seconds", (unsigned long long)bytes, |
2288 | 0 | (unsigned int)seconds); |
2289 | 0 | ssh->state->rekey_limit = bytes; |
2290 | 0 | ssh->state->rekey_interval = seconds; |
2291 | 0 | } |
2292 | | |
2293 | | time_t |
2294 | | ssh_packet_get_rekey_timeout(struct ssh *ssh) |
2295 | 0 | { |
2296 | 0 | time_t seconds; |
2297 | |
|
2298 | 0 | seconds = ssh->state->rekey_time + ssh->state->rekey_interval - |
2299 | 0 | monotime(); |
2300 | 0 | return (seconds <= 0 ? 1 : seconds); |
2301 | 0 | } |
2302 | | |
2303 | | void |
2304 | | ssh_packet_set_server(struct ssh *ssh) |
2305 | 35.0k | { |
2306 | 35.0k | ssh->state->server_side = 1; |
2307 | 35.0k | ssh->kex->server = 1; /* XXX unify? */ |
2308 | 35.0k | } |
2309 | | |
2310 | | /* Set the state of the connection to post auth |
2311 | | * While we are here also decrease the size of |
2312 | | * packet_max_size to something more reasonable. |
2313 | | * In this case thats 33k. Which is the size of |
2314 | | * the largest packet we expect to see and some space |
2315 | | * for overhead. This reduces memory usage in high |
2316 | | * BDP environments without impacting performance |
2317 | | * -cjr 4/11/23 */ |
2318 | | void |
2319 | | ssh_packet_set_authenticated(struct ssh *ssh) |
2320 | 0 | { |
2321 | 0 | ssh->state->after_authentication = 1; |
2322 | 0 | packet_max_size = SSH_IOBUFSZ + 1024; |
2323 | 0 | } |
2324 | | |
2325 | | void * |
2326 | | ssh_packet_get_input(struct ssh *ssh) |
2327 | 125k | { |
2328 | 125k | return (void *)ssh->state->input; |
2329 | 125k | } |
2330 | | |
2331 | | void * |
2332 | | ssh_packet_get_output(struct ssh *ssh) |
2333 | 148k | { |
2334 | 148k | return (void *)ssh->state->output; |
2335 | 148k | } |
2336 | | |
2337 | | /* Reset after_authentication and reset compression in post-auth privsep */ |
2338 | | static int |
2339 | | ssh_packet_set_postauth(struct ssh *ssh) |
2340 | 0 | { |
2341 | 0 | int r; |
2342 | |
|
2343 | 0 | debug_f("called"); |
2344 | | /* This was set in net child, but is not visible in user child */ |
2345 | 0 | ssh->state->after_authentication = 1; |
2346 | 0 | ssh->state->rekeying = 0; |
2347 | 0 | if ((r = ssh_packet_enable_delayed_compress(ssh)) != 0) |
2348 | 0 | return r; |
2349 | 0 | return 0; |
2350 | 0 | } |
2351 | | |
2352 | | /* Packet state (de-)serialization for privsep */ |
2353 | | |
2354 | | /* turn kex into a blob for packet state serialization */ |
2355 | | static int |
2356 | | kex_to_blob(struct sshbuf *m, struct kex *kex) |
2357 | 0 | { |
2358 | 0 | int r; |
2359 | |
|
2360 | 0 | if ((r = sshbuf_put_u32(m, kex->we_need)) != 0 || |
2361 | 0 | (r = sshbuf_put_cstring(m, kex->hostkey_alg)) != 0 || |
2362 | 0 | (r = sshbuf_put_u32(m, kex->hostkey_type)) != 0 || |
2363 | 0 | (r = sshbuf_put_u32(m, kex->hostkey_nid)) != 0 || |
2364 | 0 | (r = sshbuf_put_u32(m, kex->kex_type)) != 0 || |
2365 | 0 | (r = sshbuf_put_u32(m, kex->kex_strict)) != 0 || |
2366 | 0 | (r = sshbuf_put_stringb(m, kex->my)) != 0 || |
2367 | 0 | (r = sshbuf_put_stringb(m, kex->peer)) != 0 || |
2368 | 0 | (r = sshbuf_put_stringb(m, kex->client_version)) != 0 || |
2369 | 0 | (r = sshbuf_put_stringb(m, kex->server_version)) != 0 || |
2370 | 0 | (r = sshbuf_put_stringb(m, kex->session_id)) != 0 || |
2371 | 0 | (r = sshbuf_put_u32(m, kex->flags)) != 0) |
2372 | 0 | return r; |
2373 | 0 | return 0; |
2374 | 0 | } |
2375 | | |
2376 | | /* turn key exchange results into a blob for packet state serialization */ |
2377 | | static int |
2378 | | newkeys_to_blob(struct sshbuf *m, struct ssh *ssh, int mode) |
2379 | 0 | { |
2380 | 0 | struct sshbuf *b; |
2381 | 0 | struct sshcipher_ctx *cc; |
2382 | 0 | struct sshcomp *comp; |
2383 | 0 | struct sshenc *enc; |
2384 | 0 | struct sshmac *mac; |
2385 | 0 | struct newkeys *newkey; |
2386 | 0 | int r; |
2387 | |
|
2388 | 0 | if ((newkey = ssh->state->newkeys[mode]) == NULL) |
2389 | 0 | return SSH_ERR_INTERNAL_ERROR; |
2390 | 0 | enc = &newkey->enc; |
2391 | 0 | mac = &newkey->mac; |
2392 | 0 | comp = &newkey->comp; |
2393 | 0 | cc = (mode == MODE_OUT) ? ssh->state->send_context : |
2394 | 0 | ssh->state->receive_context; |
2395 | 0 | if ((r = cipher_get_keyiv(cc, enc->iv, enc->iv_len)) != 0) |
2396 | 0 | return r; |
2397 | 0 | if ((b = sshbuf_new()) == NULL) |
2398 | 0 | return SSH_ERR_ALLOC_FAIL; |
2399 | 0 | if ((r = sshbuf_put_cstring(b, enc->name)) != 0 || |
2400 | 0 | (r = sshbuf_put_u32(b, enc->enabled)) != 0 || |
2401 | 0 | (r = sshbuf_put_u32(b, enc->block_size)) != 0 || |
2402 | 0 | (r = sshbuf_put_string(b, enc->key, enc->key_len)) != 0 || |
2403 | 0 | (r = sshbuf_put_string(b, enc->iv, enc->iv_len)) != 0) |
2404 | 0 | goto out; |
2405 | 0 | if (cipher_authlen(enc->cipher) == 0) { |
2406 | 0 | if ((r = sshbuf_put_cstring(b, mac->name)) != 0 || |
2407 | 0 | (r = sshbuf_put_u32(b, mac->enabled)) != 0 || |
2408 | 0 | (r = sshbuf_put_string(b, mac->key, mac->key_len)) != 0) |
2409 | 0 | goto out; |
2410 | 0 | } |
2411 | 0 | if ((r = sshbuf_put_u32(b, comp->type)) != 0 || |
2412 | 0 | (r = sshbuf_put_cstring(b, comp->name)) != 0) |
2413 | 0 | goto out; |
2414 | 0 | r = sshbuf_put_stringb(m, b); |
2415 | 0 | out: |
2416 | 0 | sshbuf_free(b); |
2417 | 0 | return r; |
2418 | 0 | } |
2419 | | |
2420 | | /* serialize packet state into a blob */ |
2421 | | int |
2422 | | ssh_packet_get_state(struct ssh *ssh, struct sshbuf *m) |
2423 | 0 | { |
2424 | 0 | struct session_state *state = ssh->state; |
2425 | 0 | int r; |
2426 | |
|
2427 | 0 | if ((r = kex_to_blob(m, ssh->kex)) != 0 || |
2428 | 0 | (r = newkeys_to_blob(m, ssh, MODE_OUT)) != 0 || |
2429 | 0 | (r = newkeys_to_blob(m, ssh, MODE_IN)) != 0 || |
2430 | 0 | (r = sshbuf_put_u64(m, state->rekey_limit)) != 0 || |
2431 | 0 | (r = sshbuf_put_u32(m, state->rekey_interval)) != 0 || |
2432 | 0 | (r = sshbuf_put_u32(m, state->p_send.seqnr)) != 0 || |
2433 | 0 | (r = sshbuf_put_u64(m, state->p_send.blocks)) != 0 || |
2434 | 0 | (r = sshbuf_put_u32(m, state->p_send.packets)) != 0 || |
2435 | 0 | (r = sshbuf_put_u64(m, state->p_send.bytes)) != 0 || |
2436 | 0 | (r = sshbuf_put_u32(m, state->p_read.seqnr)) != 0 || |
2437 | 0 | (r = sshbuf_put_u64(m, state->p_read.blocks)) != 0 || |
2438 | 0 | (r = sshbuf_put_u32(m, state->p_read.packets)) != 0 || |
2439 | 0 | (r = sshbuf_put_u64(m, state->p_read.bytes)) != 0 || |
2440 | 0 | (r = sshbuf_put_stringb(m, state->input)) != 0 || |
2441 | 0 | (r = sshbuf_put_stringb(m, state->output)) != 0) |
2442 | 0 | return r; |
2443 | | |
2444 | 0 | return 0; |
2445 | 0 | } |
2446 | | |
2447 | | /* restore key exchange results from blob for packet state de-serialization */ |
2448 | | static int |
2449 | | newkeys_from_blob(struct sshbuf *m, struct ssh *ssh, int mode) |
2450 | 0 | { |
2451 | 0 | struct sshbuf *b = NULL; |
2452 | 0 | struct sshcomp *comp; |
2453 | 0 | struct sshenc *enc; |
2454 | 0 | struct sshmac *mac; |
2455 | 0 | struct newkeys *newkey = NULL; |
2456 | 0 | size_t keylen, ivlen, maclen; |
2457 | 0 | int r; |
2458 | |
|
2459 | 0 | if ((newkey = calloc(1, sizeof(*newkey))) == NULL) { |
2460 | 0 | r = SSH_ERR_ALLOC_FAIL; |
2461 | 0 | goto out; |
2462 | 0 | } |
2463 | 0 | if ((r = sshbuf_froms(m, &b)) != 0) |
2464 | 0 | goto out; |
2465 | | #ifdef DEBUG_PK |
2466 | | sshbuf_dump(b, stderr); |
2467 | | #endif |
2468 | 0 | enc = &newkey->enc; |
2469 | 0 | mac = &newkey->mac; |
2470 | 0 | comp = &newkey->comp; |
2471 | |
|
2472 | 0 | if ((r = sshbuf_get_cstring(b, &enc->name, NULL)) != 0 || |
2473 | 0 | (r = sshbuf_get_u32(b, (u_int *)&enc->enabled)) != 0 || |
2474 | 0 | (r = sshbuf_get_u32(b, &enc->block_size)) != 0 || |
2475 | 0 | (r = sshbuf_get_string(b, &enc->key, &keylen)) != 0 || |
2476 | 0 | (r = sshbuf_get_string(b, &enc->iv, &ivlen)) != 0) |
2477 | 0 | goto out; |
2478 | 0 | if ((enc->cipher = cipher_by_name(enc->name)) == NULL) { |
2479 | 0 | r = SSH_ERR_INVALID_FORMAT; |
2480 | 0 | goto out; |
2481 | 0 | } |
2482 | 0 | if (cipher_authlen(enc->cipher) == 0) { |
2483 | 0 | if ((r = sshbuf_get_cstring(b, &mac->name, NULL)) != 0) |
2484 | 0 | goto out; |
2485 | 0 | if ((r = mac_setup(mac, mac->name)) != 0) |
2486 | 0 | goto out; |
2487 | 0 | if ((r = sshbuf_get_u32(b, (u_int *)&mac->enabled)) != 0 || |
2488 | 0 | (r = sshbuf_get_string(b, &mac->key, &maclen)) != 0) |
2489 | 0 | goto out; |
2490 | 0 | if (maclen > mac->key_len) { |
2491 | 0 | r = SSH_ERR_INVALID_FORMAT; |
2492 | 0 | goto out; |
2493 | 0 | } |
2494 | 0 | mac->key_len = maclen; |
2495 | 0 | } |
2496 | 0 | if ((r = sshbuf_get_u32(b, &comp->type)) != 0 || |
2497 | 0 | (r = sshbuf_get_cstring(b, &comp->name, NULL)) != 0) |
2498 | 0 | goto out; |
2499 | 0 | if (sshbuf_len(b) != 0) { |
2500 | 0 | r = SSH_ERR_INVALID_FORMAT; |
2501 | 0 | goto out; |
2502 | 0 | } |
2503 | 0 | enc->key_len = keylen; |
2504 | 0 | enc->iv_len = ivlen; |
2505 | 0 | ssh->kex->newkeys[mode] = newkey; |
2506 | 0 | newkey = NULL; |
2507 | 0 | r = 0; |
2508 | 0 | out: |
2509 | 0 | free(newkey); |
2510 | 0 | sshbuf_free(b); |
2511 | 0 | return r; |
2512 | 0 | } |
2513 | | |
2514 | | /* restore kex from blob for packet state de-serialization */ |
2515 | | static int |
2516 | | kex_from_blob(struct sshbuf *m, struct kex **kexp) |
2517 | 0 | { |
2518 | 0 | struct kex *kex; |
2519 | 0 | int r; |
2520 | |
|
2521 | 0 | if ((kex = kex_new()) == NULL) |
2522 | 0 | return SSH_ERR_ALLOC_FAIL; |
2523 | 0 | if ((r = sshbuf_get_u32(m, &kex->we_need)) != 0 || |
2524 | 0 | (r = sshbuf_get_cstring(m, &kex->hostkey_alg, NULL)) != 0 || |
2525 | 0 | (r = sshbuf_get_u32(m, (u_int *)&kex->hostkey_type)) != 0 || |
2526 | 0 | (r = sshbuf_get_u32(m, (u_int *)&kex->hostkey_nid)) != 0 || |
2527 | 0 | (r = sshbuf_get_u32(m, &kex->kex_type)) != 0 || |
2528 | 0 | (r = sshbuf_get_u32(m, &kex->kex_strict)) != 0 || |
2529 | 0 | (r = sshbuf_get_stringb(m, kex->my)) != 0 || |
2530 | 0 | (r = sshbuf_get_stringb(m, kex->peer)) != 0 || |
2531 | 0 | (r = sshbuf_get_stringb(m, kex->client_version)) != 0 || |
2532 | 0 | (r = sshbuf_get_stringb(m, kex->server_version)) != 0 || |
2533 | 0 | (r = sshbuf_get_stringb(m, kex->session_id)) != 0 || |
2534 | 0 | (r = sshbuf_get_u32(m, &kex->flags)) != 0) |
2535 | 0 | goto out; |
2536 | 0 | kex->server = 1; |
2537 | 0 | kex->done = 1; |
2538 | 0 | r = 0; |
2539 | 0 | out: |
2540 | 0 | if (r != 0 || kexp == NULL) { |
2541 | 0 | kex_free(kex); |
2542 | 0 | if (kexp != NULL) |
2543 | 0 | *kexp = NULL; |
2544 | 0 | } else { |
2545 | 0 | kex_free(*kexp); |
2546 | 0 | *kexp = kex; |
2547 | 0 | } |
2548 | 0 | return r; |
2549 | 0 | } |
2550 | | |
2551 | | /* |
2552 | | * Restore packet state from content of blob 'm' (de-serialization). |
2553 | | * Note that 'm' will be partially consumed on parsing or any other errors. |
2554 | | */ |
2555 | | int |
2556 | | ssh_packet_set_state(struct ssh *ssh, struct sshbuf *m) |
2557 | 0 | { |
2558 | 0 | struct session_state *state = ssh->state; |
2559 | 0 | const u_char *input, *output; |
2560 | 0 | size_t ilen, olen; |
2561 | 0 | int r; |
2562 | |
|
2563 | 0 | if ((r = kex_from_blob(m, &ssh->kex)) != 0 || |
2564 | 0 | (r = newkeys_from_blob(m, ssh, MODE_OUT)) != 0 || |
2565 | 0 | (r = newkeys_from_blob(m, ssh, MODE_IN)) != 0 || |
2566 | 0 | (r = sshbuf_get_u64(m, &state->rekey_limit)) != 0 || |
2567 | 0 | (r = sshbuf_get_u32(m, &state->rekey_interval)) != 0 || |
2568 | 0 | (r = sshbuf_get_u32(m, &state->p_send.seqnr)) != 0 || |
2569 | 0 | (r = sshbuf_get_u64(m, &state->p_send.blocks)) != 0 || |
2570 | 0 | (r = sshbuf_get_u32(m, &state->p_send.packets)) != 0 || |
2571 | 0 | (r = sshbuf_get_u64(m, &state->p_send.bytes)) != 0 || |
2572 | 0 | (r = sshbuf_get_u32(m, &state->p_read.seqnr)) != 0 || |
2573 | 0 | (r = sshbuf_get_u64(m, &state->p_read.blocks)) != 0 || |
2574 | 0 | (r = sshbuf_get_u32(m, &state->p_read.packets)) != 0 || |
2575 | 0 | (r = sshbuf_get_u64(m, &state->p_read.bytes)) != 0) |
2576 | 0 | return r; |
2577 | | /* |
2578 | | * We set the time here so that in post-auth privsep child we |
2579 | | * count from the completion of the authentication. |
2580 | | */ |
2581 | 0 | state->rekey_time = monotime(); |
2582 | | /* XXX ssh_set_newkeys overrides p_read.packets? XXX */ |
2583 | 0 | if ((r = ssh_set_newkeys(ssh, MODE_IN)) != 0 || |
2584 | 0 | (r = ssh_set_newkeys(ssh, MODE_OUT)) != 0) |
2585 | 0 | return r; |
2586 | | |
2587 | 0 | if ((r = ssh_packet_set_postauth(ssh)) != 0) |
2588 | 0 | return r; |
2589 | | |
2590 | 0 | sshbuf_reset(state->input); |
2591 | 0 | sshbuf_reset(state->output); |
2592 | 0 | if ((r = sshbuf_get_string_direct(m, &input, &ilen)) != 0 || |
2593 | 0 | (r = sshbuf_get_string_direct(m, &output, &olen)) != 0 || |
2594 | 0 | (r = sshbuf_put(state->input, input, ilen)) != 0 || |
2595 | 0 | (r = sshbuf_put(state->output, output, olen)) != 0) |
2596 | 0 | return r; |
2597 | | |
2598 | 0 | if (sshbuf_len(m)) |
2599 | 0 | return SSH_ERR_INVALID_FORMAT; |
2600 | 0 | debug3_f("done"); |
2601 | 0 | return 0; |
2602 | 0 | } |
2603 | | |
2604 | | /* NEW API */ |
2605 | | |
2606 | | /* put data to the outgoing packet */ |
2607 | | |
2608 | | int |
2609 | | sshpkt_put(struct ssh *ssh, const void *v, size_t len) |
2610 | 0 | { |
2611 | 0 | return sshbuf_put(ssh->state->outgoing_packet, v, len); |
2612 | 0 | } |
2613 | | |
2614 | | int |
2615 | | sshpkt_putb(struct ssh *ssh, const struct sshbuf *b) |
2616 | 20.0k | { |
2617 | 20.0k | return sshbuf_putb(ssh->state->outgoing_packet, b); |
2618 | 20.0k | } |
2619 | | |
2620 | | int |
2621 | | sshpkt_put_u8(struct ssh *ssh, u_char val) |
2622 | 0 | { |
2623 | 0 | return sshbuf_put_u8(ssh->state->outgoing_packet, val); |
2624 | 0 | } |
2625 | | |
2626 | | int |
2627 | | sshpkt_put_u32(struct ssh *ssh, u_int32_t val) |
2628 | 208k | { |
2629 | 208k | return sshbuf_put_u32(ssh->state->outgoing_packet, val); |
2630 | 208k | } |
2631 | | |
2632 | | int |
2633 | | sshpkt_put_u64(struct ssh *ssh, u_int64_t val) |
2634 | 0 | { |
2635 | 0 | return sshbuf_put_u64(ssh->state->outgoing_packet, val); |
2636 | 0 | } |
2637 | | |
2638 | | int |
2639 | | sshpkt_put_string(struct ssh *ssh, const void *v, size_t len) |
2640 | 0 | { |
2641 | 0 | return sshbuf_put_string(ssh->state->outgoing_packet, v, len); |
2642 | 0 | } |
2643 | | |
2644 | | int |
2645 | | sshpkt_put_cstring(struct ssh *ssh, const void *v) |
2646 | 20.8k | { |
2647 | 20.8k | return sshbuf_put_cstring(ssh->state->outgoing_packet, v); |
2648 | 20.8k | } |
2649 | | |
2650 | | int |
2651 | | sshpkt_put_stringb(struct ssh *ssh, const struct sshbuf *v) |
2652 | 0 | { |
2653 | 0 | return sshbuf_put_stringb(ssh->state->outgoing_packet, v); |
2654 | 0 | } |
2655 | | |
2656 | | int |
2657 | | sshpkt_getb_froms(struct ssh *ssh, struct sshbuf **valp) |
2658 | 0 | { |
2659 | 0 | return sshbuf_froms(ssh->state->incoming_packet, valp); |
2660 | 0 | } |
2661 | | |
2662 | | #ifdef WITH_OPENSSL |
2663 | | #ifdef OPENSSL_HAS_ECC |
2664 | | int |
2665 | | sshpkt_put_ec(struct ssh *ssh, const EC_POINT *v, const EC_GROUP *g) |
2666 | 0 | { |
2667 | 0 | return sshbuf_put_ec(ssh->state->outgoing_packet, v, g); |
2668 | 0 | } |
2669 | | #endif /* OPENSSL_HAS_ECC */ |
2670 | | |
2671 | | |
2672 | | int |
2673 | | sshpkt_put_bignum2(struct ssh *ssh, const BIGNUM *v) |
2674 | 0 | { |
2675 | 0 | return sshbuf_put_bignum2(ssh->state->outgoing_packet, v); |
2676 | 0 | } |
2677 | | #endif /* WITH_OPENSSL */ |
2678 | | |
2679 | | /* fetch data from the incoming packet */ |
2680 | | |
2681 | | int |
2682 | | sshpkt_get(struct ssh *ssh, void *valp, size_t len) |
2683 | 0 | { |
2684 | 0 | return sshbuf_get(ssh->state->incoming_packet, valp, len); |
2685 | 0 | } |
2686 | | |
2687 | | int |
2688 | | sshpkt_get_u8(struct ssh *ssh, u_char *valp) |
2689 | 145k | { |
2690 | 145k | return sshbuf_get_u8(ssh->state->incoming_packet, valp); |
2691 | 145k | } |
2692 | | |
2693 | | int |
2694 | | sshpkt_get_u32(struct ssh *ssh, u_int32_t *valp) |
2695 | 3.98k | { |
2696 | 3.98k | return sshbuf_get_u32(ssh->state->incoming_packet, valp); |
2697 | 3.98k | } |
2698 | | |
2699 | | int |
2700 | | sshpkt_get_u64(struct ssh *ssh, u_int64_t *valp) |
2701 | 0 | { |
2702 | 0 | return sshbuf_get_u64(ssh->state->incoming_packet, valp); |
2703 | 0 | } |
2704 | | |
2705 | | int |
2706 | | sshpkt_get_string(struct ssh *ssh, u_char **valp, size_t *lenp) |
2707 | 51.1k | { |
2708 | 51.1k | return sshbuf_get_string(ssh->state->incoming_packet, valp, lenp); |
2709 | 51.1k | } |
2710 | | |
2711 | | int |
2712 | | sshpkt_get_string_direct(struct ssh *ssh, const u_char **valp, size_t *lenp) |
2713 | 0 | { |
2714 | 0 | return sshbuf_get_string_direct(ssh->state->incoming_packet, valp, lenp); |
2715 | 0 | } |
2716 | | |
2717 | | int |
2718 | | sshpkt_peek_string_direct(struct ssh *ssh, const u_char **valp, size_t *lenp) |
2719 | 0 | { |
2720 | 0 | return sshbuf_peek_string_direct(ssh->state->incoming_packet, valp, lenp); |
2721 | 0 | } |
2722 | | |
2723 | | int |
2724 | | sshpkt_get_cstring(struct ssh *ssh, char **valp, size_t *lenp) |
2725 | 0 | { |
2726 | 0 | return sshbuf_get_cstring(ssh->state->incoming_packet, valp, lenp); |
2727 | 0 | } |
2728 | | |
2729 | | #ifdef WITH_OPENSSL |
2730 | | #ifdef OPENSSL_HAS_ECC |
2731 | | int |
2732 | | sshpkt_get_ec(struct ssh *ssh, EC_POINT *v, const EC_GROUP *g) |
2733 | 0 | { |
2734 | 0 | return sshbuf_get_ec(ssh->state->incoming_packet, v, g); |
2735 | 0 | } |
2736 | | #endif /* OPENSSL_HAS_ECC */ |
2737 | | |
2738 | | int |
2739 | | sshpkt_get_bignum2(struct ssh *ssh, BIGNUM **valp) |
2740 | 0 | { |
2741 | 0 | return sshbuf_get_bignum2(ssh->state->incoming_packet, valp); |
2742 | 0 | } |
2743 | | #endif /* WITH_OPENSSL */ |
2744 | | |
2745 | | int |
2746 | | sshpkt_get_end(struct ssh *ssh) |
2747 | 3.92k | { |
2748 | 3.92k | if (sshbuf_len(ssh->state->incoming_packet) > 0) |
2749 | 320 | return SSH_ERR_UNEXPECTED_TRAILING_DATA; |
2750 | 3.60k | return 0; |
2751 | 3.92k | } |
2752 | | |
2753 | | const u_char * |
2754 | | sshpkt_ptr(struct ssh *ssh, size_t *lenp) |
2755 | 9.34k | { |
2756 | 9.34k | if (lenp != NULL) |
2757 | 9.34k | *lenp = sshbuf_len(ssh->state->incoming_packet); |
2758 | 9.34k | return sshbuf_ptr(ssh->state->incoming_packet); |
2759 | 9.34k | } |
2760 | | |
2761 | | /* start a new packet */ |
2762 | | |
2763 | | int |
2764 | | sshpkt_start(struct ssh *ssh, u_char type) |
2765 | 228k | { |
2766 | 228k | u_char buf[6]; /* u32 packet length, u8 pad len, u8 type */ |
2767 | | |
2768 | 228k | DBG(debug("packet_start[%d]", type)); |
2769 | 228k | memset(buf, 0, sizeof(buf)); |
2770 | 228k | buf[sizeof(buf) - 1] = type; |
2771 | 228k | sshbuf_reset(ssh->state->outgoing_packet); |
2772 | 228k | return sshbuf_put(ssh->state->outgoing_packet, buf, sizeof(buf)); |
2773 | 228k | } |
2774 | | |
2775 | | static int |
2776 | | ssh_packet_send_mux(struct ssh *ssh) |
2777 | 0 | { |
2778 | 0 | struct session_state *state = ssh->state; |
2779 | 0 | u_char type, *cp; |
2780 | 0 | size_t len; |
2781 | 0 | int r; |
2782 | |
|
2783 | 0 | if (ssh->kex) |
2784 | 0 | return SSH_ERR_INTERNAL_ERROR; |
2785 | 0 | len = sshbuf_len(state->outgoing_packet); |
2786 | 0 | if (len < 6) |
2787 | 0 | return SSH_ERR_INTERNAL_ERROR; |
2788 | 0 | cp = sshbuf_mutable_ptr(state->outgoing_packet); |
2789 | 0 | type = cp[5]; |
2790 | 0 | if (ssh_packet_log_type(type)) |
2791 | 0 | debug3_f("type %u", type); |
2792 | | /* drop everything, but the connection protocol */ |
2793 | 0 | if (type >= SSH2_MSG_CONNECTION_MIN && |
2794 | 0 | type <= SSH2_MSG_CONNECTION_MAX) { |
2795 | 0 | POKE_U32(cp, len - 4); |
2796 | 0 | if ((r = sshbuf_putb(state->output, |
2797 | 0 | state->outgoing_packet)) != 0) |
2798 | 0 | return r; |
2799 | | /* sshbuf_dump(state->output, stderr); */ |
2800 | 0 | } |
2801 | 0 | sshbuf_reset(state->outgoing_packet); |
2802 | 0 | return 0; |
2803 | 0 | } |
2804 | | |
2805 | | /* |
2806 | | * 9.2. Ignored Data Message |
2807 | | * |
2808 | | * byte SSH_MSG_IGNORE |
2809 | | * string data |
2810 | | * |
2811 | | * All implementations MUST understand (and ignore) this message at any |
2812 | | * time (after receiving the protocol version). No implementation is |
2813 | | * required to send them. This message can be used as an additional |
2814 | | * protection measure against advanced traffic analysis techniques. |
2815 | | */ |
2816 | | int |
2817 | | sshpkt_msg_ignore(struct ssh *ssh, u_int nbytes) |
2818 | 0 | { |
2819 | 0 | u_int32_t rnd = 0; |
2820 | 0 | int r; |
2821 | 0 | u_int i; |
2822 | |
|
2823 | 0 | if ((r = sshpkt_start(ssh, SSH2_MSG_IGNORE)) != 0 || |
2824 | 0 | (r = sshpkt_put_u32(ssh, nbytes)) != 0) |
2825 | 0 | return r; |
2826 | 0 | for (i = 0; i < nbytes; i++) { |
2827 | 0 | if (i % 4 == 0) |
2828 | 0 | rnd = arc4random(); |
2829 | 0 | if ((r = sshpkt_put_u8(ssh, (u_char)rnd & 0xff)) != 0) |
2830 | 0 | return r; |
2831 | 0 | rnd >>= 8; |
2832 | 0 | } |
2833 | 0 | return 0; |
2834 | 0 | } |
2835 | | |
2836 | | /* send it */ |
2837 | | |
2838 | | int |
2839 | | sshpkt_send(struct ssh *ssh) |
2840 | 228k | { |
2841 | 228k | if (ssh->state && ssh->state->mux) |
2842 | 0 | return ssh_packet_send_mux(ssh); |
2843 | 228k | return ssh_packet_send2(ssh); |
2844 | 228k | } |
2845 | | |
2846 | | int |
2847 | | sshpkt_disconnect(struct ssh *ssh, const char *fmt,...) |
2848 | 10.4k | { |
2849 | 10.4k | char buf[1024]; |
2850 | 10.4k | va_list args; |
2851 | 10.4k | int r; |
2852 | | |
2853 | 10.4k | va_start(args, fmt); |
2854 | 10.4k | vsnprintf(buf, sizeof(buf), fmt, args); |
2855 | 10.4k | va_end(args); |
2856 | | |
2857 | 10.4k | debug2_f("sending SSH2_MSG_DISCONNECT: %s", buf); |
2858 | 10.4k | if ((r = sshpkt_start(ssh, SSH2_MSG_DISCONNECT)) != 0 || |
2859 | 10.4k | (r = sshpkt_put_u32(ssh, SSH2_DISCONNECT_PROTOCOL_ERROR)) != 0 || |
2860 | 10.4k | (r = sshpkt_put_cstring(ssh, buf)) != 0 || |
2861 | 10.4k | (r = sshpkt_put_cstring(ssh, "")) != 0 || |
2862 | 10.4k | (r = sshpkt_send(ssh)) != 0) |
2863 | 0 | return r; |
2864 | 10.4k | return 0; |
2865 | 10.4k | } |
2866 | | |
2867 | | /* roundup current message to pad bytes */ |
2868 | | int |
2869 | | sshpkt_add_padding(struct ssh *ssh, u_char pad) |
2870 | 0 | { |
2871 | 0 | ssh->state->extra_pad = pad; |
2872 | 0 | return 0; |
2873 | 0 | } |
2874 | | |
2875 | | /* used for cipher switching |
2876 | | * only called in cipher-swtich.c */ |
2877 | | void * |
2878 | | ssh_packet_get_send_context(struct ssh *ssh) |
2879 | 0 | { |
2880 | 0 | return ssh->state->send_context; |
2881 | 0 | } |
2882 | | |
2883 | | void * |
2884 | | ssh_packet_get_receive_context(struct ssh *ssh) |
2885 | 0 | { |
2886 | 0 | return ssh->state->receive_context; |
2887 | 0 | } |