Line | Count | Source |
1 | | /* |
2 | | * packet.c - packet building functions |
3 | | * |
4 | | * This file is part of the SSH Library |
5 | | * |
6 | | * Copyright (c) 2003-2013 by Aris Adamantiadis |
7 | | * |
8 | | * The SSH Library is free software; you can redistribute it and/or modify |
9 | | * it under the terms of the GNU Lesser General Public License as published by |
10 | | * the Free Software Foundation; either version 2.1 of the License, or (at your |
11 | | * option) any later version. |
12 | | * |
13 | | * The SSH Library is distributed in the hope that it will be useful, but |
14 | | * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY |
15 | | * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public |
16 | | * License for more details. |
17 | | * |
18 | | * You should have received a copy of the GNU Lesser General Public License |
19 | | * along with the SSH Library; see the file COPYING. If not, write to |
20 | | * the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, |
21 | | * MA 02111-1307, USA. |
22 | | */ |
23 | | |
24 | | #include "config.h" |
25 | | |
26 | | #include <stdlib.h> |
27 | | #include <stdio.h> |
28 | | #include <string.h> |
29 | | #include <errno.h> |
30 | | |
31 | | #ifndef _WIN32 |
32 | | #include <netinet/in.h> |
33 | | #include <arpa/inet.h> |
34 | | #endif |
35 | | |
36 | | #include "libssh/priv.h" |
37 | | #include "libssh/ssh2.h" |
38 | | #include "libssh/crypto.h" |
39 | | #include "libssh/buffer.h" |
40 | | #include "libssh/packet.h" |
41 | | #include "libssh/socket.h" |
42 | | #include "libssh/channels.h" |
43 | | #include "libssh/misc.h" |
44 | | #include "libssh/session.h" |
45 | | #include "libssh/messages.h" |
46 | | #include "libssh/pcap.h" |
47 | | #include "libssh/kex.h" |
48 | | #include "libssh/auth.h" |
49 | | #include "libssh/gssapi.h" |
50 | | #include "libssh/bytearray.h" |
51 | | #include "libssh/dh.h" |
52 | | |
53 | | static ssh_packet_callback default_packet_handlers[]= { |
54 | | ssh_packet_disconnect_callback, // SSH2_MSG_DISCONNECT 1 |
55 | | ssh_packet_ignore_callback, // SSH2_MSG_IGNORE 2 |
56 | | ssh_packet_unimplemented, // SSH2_MSG_UNIMPLEMENTED 3 |
57 | | ssh_packet_debug_callback, // SSH2_MSG_DEBUG 4 |
58 | | #if WITH_SERVER |
59 | | ssh_packet_service_request, // SSH2_MSG_SERVICE_REQUEST 5 |
60 | | #else |
61 | | NULL, |
62 | | #endif |
63 | | ssh_packet_service_accept, // SSH2_MSG_SERVICE_ACCEPT 6 |
64 | | ssh_packet_ext_info, // SSH2_MSG_EXT_INFO 7 |
65 | | NULL, NULL, NULL, NULL, NULL, NULL, |
66 | | NULL, NULL, NULL, NULL, NULL, NULL, // 8-19 |
67 | | ssh_packet_kexinit, // SSH2_MSG_KEXINIT 20 |
68 | | ssh_packet_newkeys, // SSH2_MSG_NEWKEYS 21 |
69 | | NULL, NULL, NULL, NULL, NULL, NULL, NULL, |
70 | | NULL, // 22-29 |
71 | | #if WITH_SERVER |
72 | | ssh_packet_kexdh_init, // SSH2_MSG_KEXDH_INIT 30 |
73 | | // SSH2_MSG_KEX_DH_GEX_REQUEST_OLD 30 |
74 | | #else |
75 | | NULL, |
76 | | #endif |
77 | | NULL, // SSH2_MSG_KEXDH_REPLY 31 |
78 | | // SSH2_MSG_KEX_DH_GEX_GROUP 31 |
79 | | NULL, // SSH2_MSG_KEX_DH_GEX_INIT 32 |
80 | | NULL, // SSH2_MSG_KEX_DH_GEX_REPLY 33 |
81 | | NULL, // SSH2_MSG_KEX_DH_GEX_REQUEST 34 |
82 | | NULL, NULL, NULL, NULL, NULL, NULL, NULL, |
83 | | NULL, NULL, NULL, NULL, NULL, NULL, NULL, |
84 | | NULL, // 35-49 |
85 | | #if WITH_SERVER |
86 | | ssh_packet_userauth_request, // SSH2_MSG_USERAUTH_REQUEST 50 |
87 | | #else |
88 | | NULL, |
89 | | #endif |
90 | | ssh_packet_userauth_failure, // SSH2_MSG_USERAUTH_FAILURE 51 |
91 | | ssh_packet_userauth_success, // SSH2_MSG_USERAUTH_SUCCESS 52 |
92 | | ssh_packet_userauth_banner, // SSH2_MSG_USERAUTH_BANNER 53 |
93 | | NULL,NULL,NULL,NULL,NULL,NULL, // 54-59 |
94 | | ssh_packet_userauth_pk_ok, // SSH2_MSG_USERAUTH_PK_OK 60 |
95 | | // SSH2_MSG_USERAUTH_PASSWD_CHANGEREQ 60 |
96 | | // SSH2_MSG_USERAUTH_INFO_REQUEST 60 |
97 | | // SSH2_MSG_USERAUTH_GSSAPI_RESPONSE 60 |
98 | | ssh_packet_userauth_info_response, // SSH2_MSG_USERAUTH_INFO_RESPONSE 61 |
99 | | // SSH2_MSG_USERAUTH_GSSAPI_TOKEN 61 |
100 | | NULL, // 62 |
101 | | NULL, // SSH2_MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE 63 |
102 | | NULL, // SSH2_MSG_USERAUTH_GSSAPI_ERROR 64 |
103 | | NULL, // SSH2_MSG_USERAUTH_GSSAPI_ERRTOK 65 |
104 | | #if defined(WITH_GSSAPI) && defined(WITH_SERVER) |
105 | | ssh_packet_userauth_gssapi_mic, // SSH2_MSG_USERAUTH_GSSAPI_MIC 66 |
106 | | #else /* WITH_GSSAPI && WITH_SERVER */ |
107 | | NULL, |
108 | | #endif /* WITH_GSSAPI && WITH_SERVER */ |
109 | | NULL, NULL, |
110 | | NULL, NULL, NULL, NULL, NULL, NULL, NULL, |
111 | | NULL, NULL, NULL, NULL, // 67-79 |
112 | | #ifdef WITH_SERVER |
113 | | ssh_packet_global_request, // SSH2_MSG_GLOBAL_REQUEST 80 |
114 | | #else /* WITH_SERVER */ |
115 | | NULL, |
116 | | #endif /* WITH_SERVER */ |
117 | | ssh_request_success, // SSH2_MSG_REQUEST_SUCCESS 81 |
118 | | ssh_request_denied, // SSH2_MSG_REQUEST_FAILURE 82 |
119 | | NULL, NULL, NULL, NULL, NULL, NULL, NULL,// 83-89 |
120 | | ssh_packet_channel_open, // SSH2_MSG_CHANNEL_OPEN 90 |
121 | | ssh_packet_channel_open_conf, // SSH2_MSG_CHANNEL_OPEN_CONFIRMATION 91 |
122 | | ssh_packet_channel_open_fail, // SSH2_MSG_CHANNEL_OPEN_FAILURE 92 |
123 | | channel_rcv_change_window, // SSH2_MSG_CHANNEL_WINDOW_ADJUST 93 |
124 | | channel_rcv_data, // SSH2_MSG_CHANNEL_DATA 94 |
125 | | channel_rcv_data, // SSH2_MSG_CHANNEL_EXTENDED_DATA 95 |
126 | | channel_rcv_eof, // SSH2_MSG_CHANNEL_EOF 96 |
127 | | channel_rcv_close, // SSH2_MSG_CHANNEL_CLOSE 97 |
128 | | channel_rcv_request, // SSH2_MSG_CHANNEL_REQUEST 98 |
129 | | ssh_packet_channel_success, // SSH2_MSG_CHANNEL_SUCCESS 99 |
130 | | ssh_packet_channel_failure, // SSH2_MSG_CHANNEL_FAILURE 100 |
131 | | }; |
132 | | |
133 | | /** @internal |
134 | | * @brief check if the received packet is allowed for the current session state |
135 | | * @param session current ssh_session |
136 | | * @returns SSH_PACKET_ALLOWED if the packet is allowed; SSH_PACKET_DENIED |
137 | | * if the packet arrived in wrong state; SSH_PACKET_UNKNOWN if the packet type |
138 | | * is unknown |
139 | | */ |
140 | | static enum ssh_packet_filter_result_e ssh_packet_incoming_filter(ssh_session session) |
141 | 0 | { |
142 | 0 | enum ssh_packet_filter_result_e rc; |
143 | |
|
144 | | #ifdef DEBUG_PACKET |
145 | | SSH_LOG(SSH_LOG_PACKET, "Filtering packet type %d", |
146 | | session->in_packet.type); |
147 | | #endif |
148 | |
|
149 | 0 | switch(session->in_packet.type) { |
150 | 0 | case SSH2_MSG_DISCONNECT: // 1 |
151 | | /* |
152 | | * States required: |
153 | | * - None |
154 | | * |
155 | | * Transitions: |
156 | | * - session->socket->state = SSH_SOCKET_CLOSED |
157 | | * - session->session_state = SSH_SESSION_STATE_ERROR |
158 | | * */ |
159 | | |
160 | | /* Always allowed */ |
161 | 0 | rc = SSH_PACKET_ALLOWED; |
162 | 0 | break; |
163 | 0 | case SSH2_MSG_IGNORE: // 2 |
164 | | /* |
165 | | * States required: |
166 | | * - None |
167 | | * |
168 | | * Transitions: |
169 | | * - None |
170 | | * */ |
171 | | |
172 | | /* Always allowed */ |
173 | 0 | rc = SSH_PACKET_ALLOWED; |
174 | 0 | break; |
175 | 0 | case SSH2_MSG_UNIMPLEMENTED: // 3 |
176 | | /* |
177 | | * States required: |
178 | | * - None |
179 | | * |
180 | | * Transitions: |
181 | | * - None |
182 | | * */ |
183 | | |
184 | | /* Always allowed */ |
185 | 0 | rc = SSH_PACKET_ALLOWED; |
186 | 0 | break; |
187 | 0 | case SSH2_MSG_DEBUG: // 4 |
188 | | /* |
189 | | * States required: |
190 | | * - None |
191 | | * |
192 | | * Transitions: |
193 | | * - None |
194 | | * */ |
195 | | |
196 | | /* Always allowed */ |
197 | 0 | rc = SSH_PACKET_ALLOWED; |
198 | 0 | break; |
199 | 0 | case SSH2_MSG_SERVICE_REQUEST: // 5 |
200 | | /* Server only */ |
201 | | |
202 | | /* |
203 | | * States required: |
204 | | * - session->session_state == SSH_SESSION_STATE_AUTHENTICATING |
205 | | * or session->session_state == SSH_SESSION_STATE_AUTHENTICATED |
206 | | * - session->dh_handshake_state == DH_STATE_FINISHED |
207 | | * |
208 | | * Transitions: |
209 | | * - None |
210 | | * */ |
211 | | |
212 | | /* If this is a client, reject the message */ |
213 | 0 | if (session->client) { |
214 | 0 | rc = SSH_PACKET_DENIED; |
215 | 0 | break; |
216 | 0 | } |
217 | | |
218 | 0 | if ((session->session_state != SSH_SESSION_STATE_AUTHENTICATING) && |
219 | 0 | (session->session_state != SSH_SESSION_STATE_AUTHENTICATED)) |
220 | 0 | { |
221 | 0 | rc = SSH_PACKET_DENIED; |
222 | 0 | break; |
223 | 0 | } |
224 | | |
225 | 0 | if (session->dh_handshake_state != DH_STATE_FINISHED) { |
226 | 0 | rc = SSH_PACKET_DENIED; |
227 | 0 | break; |
228 | 0 | } |
229 | | |
230 | 0 | rc = SSH_PACKET_ALLOWED; |
231 | 0 | break; |
232 | 0 | case SSH2_MSG_SERVICE_ACCEPT: // 6 |
233 | | /* |
234 | | * States required: |
235 | | * - session->session_state == SSH_SESSION_STATE_AUTHENTICATING |
236 | | * or session->session_state == SSH_SESSION_STATE_AUTHENTICATED |
237 | | * - session->dh_handshake_state == DH_STATE_FINISHED |
238 | | * - session->auth.service_state == SSH_AUTH_SERVICE_SENT |
239 | | * |
240 | | * Transitions: |
241 | | * - auth.service_state = SSH_AUTH_SERVICE_ACCEPTED |
242 | | * */ |
243 | |
|
244 | 0 | if ((session->session_state != SSH_SESSION_STATE_AUTHENTICATING) && |
245 | 0 | (session->session_state != SSH_SESSION_STATE_AUTHENTICATED)) |
246 | 0 | { |
247 | 0 | rc = SSH_PACKET_DENIED; |
248 | 0 | break; |
249 | 0 | } |
250 | | |
251 | 0 | if (session->dh_handshake_state != DH_STATE_FINISHED) { |
252 | 0 | rc = SSH_PACKET_DENIED; |
253 | 0 | break; |
254 | 0 | } |
255 | | |
256 | | /* TODO check if only auth service can be requested */ |
257 | 0 | if (session->auth.service_state != SSH_AUTH_SERVICE_SENT) { |
258 | 0 | rc = SSH_PACKET_DENIED; |
259 | 0 | break; |
260 | 0 | } |
261 | | |
262 | 0 | rc = SSH_PACKET_ALLOWED; |
263 | 0 | break; |
264 | 0 | case SSH2_MSG_EXT_INFO: // 7 |
265 | | /* |
266 | | * States required: |
267 | | * - session_state == SSH_SESSION_STATE_AUTHENTICATING |
268 | | * or session->session_state == SSH_SESSION_STATE_AUTHENTICATED |
269 | | * (re-exchange) |
270 | | * - dh_handshake_state == DH_STATE_FINISHED |
271 | | * |
272 | | * Transitions: |
273 | | * - None |
274 | | * */ |
275 | |
|
276 | 0 | if ((session->session_state != SSH_SESSION_STATE_AUTHENTICATING) && |
277 | 0 | (session->session_state != SSH_SESSION_STATE_AUTHENTICATED)) |
278 | 0 | { |
279 | 0 | rc = SSH_PACKET_DENIED; |
280 | 0 | break; |
281 | 0 | } |
282 | | |
283 | 0 | if (session->dh_handshake_state != DH_STATE_FINISHED) { |
284 | 0 | rc = SSH_PACKET_DENIED; |
285 | 0 | break; |
286 | 0 | } |
287 | | |
288 | 0 | rc = SSH_PACKET_ALLOWED; |
289 | 0 | break; |
290 | 0 | case SSH2_MSG_KEXINIT: // 20 |
291 | | /* |
292 | | * States required: |
293 | | * - session_state == SSH_SESSION_STATE_AUTHENTICATED |
294 | | * or session_state == SSH_SESSION_STATE_INITIAL_KEX |
295 | | * - dh_handshake_state == DH_STATE_INIT |
296 | | * or dh_handshake_state == DH_STATE_INIT_SENT (re-exchange) |
297 | | * or dh_handshake_state == DH_STATE_REQUEST_SENT (dh-gex) |
298 | | * or dh_handshake_state == DH_STATE_FINISHED (re-exchange) |
299 | | * |
300 | | * Transitions: |
301 | | * - session->dh_handshake_state = DH_STATE_INIT |
302 | | * - session->session_state = SSH_SESSION_STATE_KEXINIT_RECEIVED |
303 | | * |
304 | | * On server: |
305 | | * - session->session_state = SSH_SESSION_STATE_DH |
306 | | * */ |
307 | |
|
308 | 0 | if ((session->session_state != SSH_SESSION_STATE_AUTHENTICATED) && |
309 | 0 | (session->session_state != SSH_SESSION_STATE_INITIAL_KEX)) |
310 | 0 | { |
311 | 0 | rc = SSH_PACKET_DENIED; |
312 | 0 | break; |
313 | 0 | } |
314 | | |
315 | 0 | if ((session->dh_handshake_state != DH_STATE_INIT) && |
316 | 0 | (session->dh_handshake_state != DH_STATE_INIT_SENT) && |
317 | 0 | (session->dh_handshake_state != DH_STATE_REQUEST_SENT) && |
318 | 0 | (session->dh_handshake_state != DH_STATE_FINISHED)) |
319 | 0 | { |
320 | 0 | rc = SSH_PACKET_DENIED; |
321 | 0 | break; |
322 | 0 | } |
323 | | |
324 | 0 | rc = SSH_PACKET_ALLOWED; |
325 | 0 | break; |
326 | 0 | case SSH2_MSG_NEWKEYS: // 21 |
327 | | /* |
328 | | * States required: |
329 | | * - session_state == SSH_SESSION_STATE_DH |
330 | | * - dh_handshake_state == DH_STATE_NEWKEYS_SENT |
331 | | * |
332 | | * Transitions: |
333 | | * - session->dh_handshake_state = DH_STATE_FINISHED |
334 | | * - session->session_state = SSH_SESSION_STATE_AUTHENTICATING |
335 | | * if session->flags & SSH_SESSION_FLAG_AUTHENTICATED |
336 | | * - session->session_state = SSH_SESSION_STATE_AUTHENTICATED |
337 | | * */ |
338 | | |
339 | | /* If DH has not been started, reject message */ |
340 | 0 | if (session->session_state != SSH_SESSION_STATE_DH) { |
341 | 0 | rc = SSH_PACKET_DENIED; |
342 | 0 | break; |
343 | 0 | } |
344 | | |
345 | | /* Only allowed if dh_handshake_state is in NEWKEYS_SENT state */ |
346 | 0 | if (session->dh_handshake_state != DH_STATE_NEWKEYS_SENT) { |
347 | 0 | rc = SSH_PACKET_DENIED; |
348 | 0 | break; |
349 | 0 | } |
350 | | |
351 | 0 | rc = SSH_PACKET_ALLOWED; |
352 | 0 | break; |
353 | 0 | case SSH2_MSG_KEXDH_INIT: // 30 |
354 | | // SSH2_MSG_KEX_ECDH_INIT: // 30 |
355 | | // SSH2_MSG_KEX_HYBRID_INIT: // 30 |
356 | | // SSH2_MSG_KEX_DH_GEX_REQUEST_OLD: // 30 |
357 | | |
358 | | /* Server only */ |
359 | | |
360 | | /* |
361 | | * States required: |
362 | | * - session_state == SSH_SESSION_STATE_DH |
363 | | * - dh_handshake_state == DH_STATE_INIT |
364 | | * |
365 | | * Transitions: |
366 | | * - session->dh_handshake_state = DH_STATE_INIT_SENT |
367 | | * then calls dh_handshake_server which triggers: |
368 | | * - session->dh_handshake_state = DH_STATE_NEWKEYS_SENT |
369 | | * */ |
370 | |
|
371 | 0 | if (session->client) { |
372 | 0 | rc = SSH_PACKET_DENIED; |
373 | 0 | break; |
374 | 0 | } |
375 | | |
376 | 0 | if (session->session_state != SSH_SESSION_STATE_DH) { |
377 | 0 | rc = SSH_PACKET_DENIED; |
378 | 0 | break; |
379 | 0 | } |
380 | | |
381 | | /* Only allowed if dh_handshake_state is in initial state */ |
382 | 0 | if (session->dh_handshake_state != DH_STATE_INIT) { |
383 | 0 | rc = SSH_PACKET_DENIED; |
384 | 0 | break; |
385 | 0 | } |
386 | | |
387 | 0 | rc = SSH_PACKET_ALLOWED; |
388 | 0 | break; |
389 | 0 | case SSH2_MSG_KEXDH_REPLY: // 31 |
390 | | // SSH2_MSG_KEX_ECDH_REPLY: // 31 |
391 | | // SSH2_MSG_KEX_HYBRID_REPLY: // 31 |
392 | | // SSH2_MSG_KEX_DH_GEX_GROUP: // 31 |
393 | | |
394 | | /* Client only */ |
395 | | |
396 | | /* |
397 | | * States required: |
398 | | * - session_state == SSH_SESSION_STATE_DH |
399 | | * - dh_handshake_state == DH_STATE_INIT_SENT |
400 | | * or dh_handshake_state == DH_STATE_REQUEST_SENT (dh-gex) |
401 | | * |
402 | | * Transitions: |
403 | | * - session->dh_handshake_state = DH_STATE_NEWKEYS_SENT |
404 | | * */ |
405 | |
|
406 | 0 | if (session->server) { |
407 | 0 | rc = SSH_PACKET_DENIED; |
408 | 0 | break; |
409 | 0 | } |
410 | | |
411 | 0 | if (session->session_state != SSH_SESSION_STATE_DH) { |
412 | 0 | rc = SSH_PACKET_DENIED; |
413 | 0 | break; |
414 | 0 | } |
415 | | |
416 | 0 | if (session->dh_handshake_state != DH_STATE_INIT_SENT && |
417 | 0 | session->dh_handshake_state != DH_STATE_REQUEST_SENT) { |
418 | 0 | rc = SSH_PACKET_DENIED; |
419 | 0 | break; |
420 | 0 | } |
421 | | |
422 | 0 | rc = SSH_PACKET_ALLOWED; |
423 | 0 | break; |
424 | 0 | case SSH2_MSG_KEX_DH_GEX_INIT: // 32 |
425 | | // SSH2_MSG_KEXGSS_COMPLETE: // 32 |
426 | 0 | if (ssh_kex_is_gss(session->next_crypto)) { |
427 | | /* SSH2_MSG_KEXGSS_COMPLETE */ |
428 | | /* Client only */ |
429 | | |
430 | | /* |
431 | | * States required: |
432 | | * - session_state == SSH_SESSION_STATE_DH |
433 | | * - dh_handshake_state == DH_STATE_INIT_SENT |
434 | | * |
435 | | * Transitions: |
436 | | * - session->dh_handshake_state = DH_STATE_INIT_SENT |
437 | | * then calls ssh_packet_client_gss_kex_reply which triggers: |
438 | | * - session->dh_handshake_state = DH_STATE_NEWKEYS_SENT |
439 | | * */ |
440 | |
|
441 | 0 | if (!session->client) { |
442 | 0 | rc = SSH_PACKET_DENIED; |
443 | 0 | break; |
444 | 0 | } |
445 | | |
446 | 0 | if (session->session_state != SSH_SESSION_STATE_DH) { |
447 | 0 | rc = SSH_PACKET_DENIED; |
448 | 0 | break; |
449 | 0 | } |
450 | | |
451 | 0 | if (session->dh_handshake_state != DH_STATE_INIT_SENT) { |
452 | 0 | rc = SSH_PACKET_DENIED; |
453 | 0 | break; |
454 | 0 | } |
455 | 0 | } else { |
456 | | /* SSH2_MSG_KEX_DH_GEX_INIT */ |
457 | | /* Server only */ |
458 | | |
459 | | /* |
460 | | * States required: |
461 | | * - session_state == SSH_SESSION_STATE_DH |
462 | | * - dh_handshake_state == DH_STATE_GROUP_SENT |
463 | | * |
464 | | * Transitions: |
465 | | * - session->dh_handshake_state = DH_STATE_GROUP_SENT |
466 | | * then calls ssh_packet_server_dhgex_init which triggers: |
467 | | * - session->dh_handshake_state = DH_STATE_NEWKEYS_SENT |
468 | | * */ |
469 | |
|
470 | 0 | if (session->client) { |
471 | 0 | rc = SSH_PACKET_DENIED; |
472 | 0 | break; |
473 | 0 | } |
474 | | |
475 | 0 | if (session->session_state != SSH_SESSION_STATE_DH) { |
476 | 0 | rc = SSH_PACKET_DENIED; |
477 | 0 | break; |
478 | 0 | } |
479 | | |
480 | | /* Only allowed if dh_handshake_state is in initial state */ |
481 | 0 | if (session->dh_handshake_state != DH_STATE_GROUP_SENT) { |
482 | 0 | rc = SSH_PACKET_DENIED; |
483 | 0 | break; |
484 | 0 | } |
485 | 0 | } |
486 | 0 | rc = SSH_PACKET_ALLOWED; |
487 | 0 | break; |
488 | 0 | case SSH2_MSG_KEX_DH_GEX_REPLY: // 33 |
489 | | |
490 | | /* Client only */ |
491 | | |
492 | | /* |
493 | | * States required: |
494 | | * - session_state == SSH_SESSION_STATE_DH |
495 | | * - dh_handshake_state == DH_STATE_INIT_SENT |
496 | | * |
497 | | * Transitions: |
498 | | * - session->dh_handshake_state = DH_STATE_NEWKEYS_SENT |
499 | | * */ |
500 | |
|
501 | 0 | if (session->server) { |
502 | 0 | rc = SSH_PACKET_DENIED; |
503 | 0 | break; |
504 | 0 | } |
505 | | |
506 | 0 | if (session->session_state != SSH_SESSION_STATE_DH) { |
507 | 0 | rc = SSH_PACKET_DENIED; |
508 | 0 | break; |
509 | 0 | } |
510 | | |
511 | 0 | if (session->dh_handshake_state != DH_STATE_INIT_SENT) { |
512 | 0 | rc = SSH_PACKET_DENIED; |
513 | 0 | break; |
514 | 0 | } |
515 | | |
516 | 0 | rc = SSH_PACKET_ALLOWED; |
517 | 0 | break; |
518 | 0 | case SSH2_MSG_KEX_DH_GEX_REQUEST: // 34 |
519 | | |
520 | | /* Server only */ |
521 | | |
522 | | /* |
523 | | * States required: |
524 | | * - session_state == SSH_SESSION_STATE_DH |
525 | | * - dh_handshake_state == DH_STATE_INIT |
526 | | * |
527 | | * Transitions: |
528 | | * - session->dh_handshake_state = DH_STATE_INIT_SENT |
529 | | * then calls ssh_packet_server_dhgex_request which triggers: |
530 | | * - session->dh_handshake_state = DH_STATE_GROUP_SENT |
531 | | * */ |
532 | |
|
533 | 0 | if (session->client) { |
534 | 0 | rc = SSH_PACKET_DENIED; |
535 | 0 | break; |
536 | 0 | } |
537 | | |
538 | 0 | if (session->session_state != SSH_SESSION_STATE_DH) { |
539 | 0 | rc = SSH_PACKET_DENIED; |
540 | 0 | break; |
541 | 0 | } |
542 | | |
543 | | /* Only allowed if dh_handshake_state is in initial state */ |
544 | 0 | if (session->dh_handshake_state != DH_STATE_INIT) { |
545 | 0 | rc = SSH_PACKET_DENIED; |
546 | 0 | break; |
547 | 0 | } |
548 | | |
549 | 0 | rc = SSH_PACKET_ALLOWED; |
550 | 0 | break; |
551 | 0 | case SSH2_MSG_USERAUTH_REQUEST: // 50 |
552 | | /* Server only */ |
553 | | |
554 | | /* |
555 | | * States required: |
556 | | * - session_state == SSH_SESSION_STATE_AUTHENTICATING |
557 | | * - dh_handshake_state == DH_STATE_FINISHED |
558 | | * |
559 | | * Transitions: |
560 | | * - if authentication was successful: |
561 | | * - session_state = SSH_SESSION_STATE_AUTHENTICATED |
562 | | * */ |
563 | | |
564 | | /* If this is a client, reject the message */ |
565 | 0 | if (session->client) { |
566 | 0 | rc = SSH_PACKET_DENIED; |
567 | 0 | break; |
568 | 0 | } |
569 | | |
570 | 0 | if (session->dh_handshake_state != DH_STATE_FINISHED) { |
571 | 0 | rc = SSH_PACKET_DENIED; |
572 | 0 | break; |
573 | 0 | } |
574 | | |
575 | 0 | if (session->session_state != SSH_SESSION_STATE_AUTHENTICATING) { |
576 | 0 | rc = SSH_PACKET_DENIED; |
577 | 0 | break; |
578 | 0 | } |
579 | | |
580 | 0 | rc = SSH_PACKET_ALLOWED; |
581 | 0 | break; |
582 | 0 | case SSH2_MSG_USERAUTH_FAILURE: // 51 |
583 | | /* |
584 | | * States required: |
585 | | * - session_state == SSH_SESSION_STATE_AUTHENTICATING |
586 | | * - dh_handshake_state == DH_STATE_FINISHED |
587 | | * - session->auth.state == SSH_AUTH_STATE_KBDINT_SENT |
588 | | * or session->auth.state == SSH_AUTH_STATE_PUBKEY_OFFER_SENT |
589 | | * or session->auth.state == SSH_AUTH_STATE_PUBKEY_AUTH_SENT |
590 | | * or session->auth.state == SSH_AUTH_STATE_PASSWORD_AUTH_SENT |
591 | | * or session->auth.state == SSH_AUTH_STATE_GSSAPI_MIC_SENT |
592 | | * |
593 | | * Transitions: |
594 | | * - if unpacking failed: |
595 | | * - session->auth.state = SSH_AUTH_ERROR |
596 | | * - if failure was partial: |
597 | | * - session->auth.state = SSH_AUTH_PARTIAL |
598 | | * - else: |
599 | | * - session->auth.state = SSH_AUTH_STATE_FAILED |
600 | | * */ |
601 | | |
602 | | /* If this is a server, reject the message */ |
603 | 0 | if (session->server) { |
604 | 0 | rc = SSH_PACKET_DENIED; |
605 | 0 | break; |
606 | 0 | } |
607 | | |
608 | 0 | if (session->dh_handshake_state != DH_STATE_FINISHED) { |
609 | 0 | rc = SSH_PACKET_DENIED; |
610 | 0 | break; |
611 | 0 | } |
612 | | |
613 | 0 | if (session->session_state != SSH_SESSION_STATE_AUTHENTICATING) { |
614 | 0 | rc = SSH_PACKET_DENIED; |
615 | 0 | break; |
616 | 0 | } |
617 | | |
618 | 0 | rc = SSH_PACKET_ALLOWED; |
619 | 0 | break; |
620 | 0 | case SSH2_MSG_USERAUTH_SUCCESS: // 52 |
621 | | /* |
622 | | * States required: |
623 | | * - session_state == SSH_SESSION_STATE_AUTHENTICATING |
624 | | * - dh_handshake_state == DH_STATE_FINISHED |
625 | | * - session->auth.state == SSH_AUTH_STATE_KBDINT_SENT |
626 | | * or session->auth.state == SSH_AUTH_STATE_PUBKEY_AUTH_SENT |
627 | | * or session->auth.state == SSH_AUTH_STATE_PASSWORD_AUTH_SENT |
628 | | * or session->auth.state == SSH_AUTH_STATE_GSSAPI_MIC_SENT |
629 | | * or session->auth.state == SSH_AUTH_STATE_GSSAPI_KEYEX_MIC_SENT |
630 | | * or session->auth.state == SSH_AUTH_STATE_AUTH_NONE_SENT |
631 | | * |
632 | | * Transitions: |
633 | | * - session->auth.state = SSH_AUTH_STATE_SUCCESS |
634 | | * - session->session_state = SSH_SESSION_STATE_AUTHENTICATED |
635 | | * - session->flags |= SSH_SESSION_FLAG_AUTHENTICATED |
636 | | * - sessions->auth.current_method = SSH_AUTH_METHOD_UNKNOWN |
637 | | * */ |
638 | | |
639 | | /* If this is a server, reject the message */ |
640 | 0 | if (session->server) { |
641 | 0 | rc = SSH_PACKET_DENIED; |
642 | 0 | break; |
643 | 0 | } |
644 | | |
645 | 0 | if (session->dh_handshake_state != DH_STATE_FINISHED) { |
646 | 0 | rc = SSH_PACKET_DENIED; |
647 | 0 | break; |
648 | 0 | } |
649 | | |
650 | 0 | if (session->session_state != SSH_SESSION_STATE_AUTHENTICATING) { |
651 | 0 | rc = SSH_PACKET_DENIED; |
652 | 0 | break; |
653 | 0 | } |
654 | | |
655 | 0 | if ((session->auth.state != SSH_AUTH_STATE_KBDINT_SENT) && |
656 | 0 | (session->auth.state != SSH_AUTH_STATE_PUBKEY_AUTH_SENT) && |
657 | 0 | (session->auth.state != SSH_AUTH_STATE_PASSWORD_AUTH_SENT) && |
658 | 0 | (session->auth.state != SSH_AUTH_STATE_GSSAPI_MIC_SENT) && |
659 | 0 | (session->auth.state != SSH_AUTH_STATE_GSSAPI_KEYEX_MIC_SENT) && |
660 | 0 | (session->auth.state != SSH_AUTH_STATE_AUTH_NONE_SENT)) { |
661 | 0 | rc = SSH_PACKET_DENIED; |
662 | 0 | break; |
663 | 0 | } |
664 | | |
665 | 0 | rc = SSH_PACKET_ALLOWED; |
666 | 0 | break; |
667 | 0 | case SSH2_MSG_USERAUTH_BANNER: // 53 |
668 | | /* |
669 | | * States required: |
670 | | * - session_state == SSH_SESSION_STATE_AUTHENTICATING |
671 | | * |
672 | | * Transitions: |
673 | | * - None |
674 | | * */ |
675 | |
|
676 | 0 | if (session->session_state != SSH_SESSION_STATE_AUTHENTICATING) { |
677 | 0 | rc = SSH_PACKET_DENIED; |
678 | 0 | break; |
679 | 0 | } |
680 | | |
681 | 0 | rc = SSH_PACKET_ALLOWED; |
682 | 0 | break; |
683 | 0 | case SSH2_MSG_USERAUTH_PK_OK: // 60 |
684 | | // SSH2_MSG_USERAUTH_PASSWD_CHANGEREQ: // 60 |
685 | | // SSH2_MSG_USERAUTH_INFO_REQUEST: // 60 |
686 | | // SSH2_MSG_USERAUTH_GSSAPI_RESPONSE: // 60 |
687 | | |
688 | | /* |
689 | | * States required: |
690 | | * - session_state == SSH_SESSION_STATE_AUTHENTICATING |
691 | | * - session->auth.state == SSH_AUTH_STATE_KBDINT_SENT |
692 | | * or |
693 | | * session->auth.state == SSH_AUTH_STATE_GSSAPI_REQUEST_SENT |
694 | | * or |
695 | | * session->auth.state == SSH_AUTH_STATE_PUBKEY_OFFER_SENT |
696 | | * |
697 | | * Transitions: |
698 | | * Depending on the current state, the message is treated |
699 | | * differently: |
700 | | * - session->auth.state == SSH_AUTH_STATE_KBDINT_SENT |
701 | | * - session->auth.state = SSH_AUTH_STATE_INFO |
702 | | * - session->auth.state == SSH_AUTH_STATE_GSSAPI_REQUEST_SENT |
703 | | * - session->auth.state = SSH_AUTH_STATE_GSSAPI_TOKEN |
704 | | * - session->auth.state == SSH_AUTH_STATE_PUBKEY_OFFER_SENT |
705 | | * - session->auth.state = SSH_AUTH_STATE_PK_OK |
706 | | * */ |
707 | |
|
708 | 0 | if (session->session_state != SSH_SESSION_STATE_AUTHENTICATING) { |
709 | 0 | rc = SSH_PACKET_DENIED; |
710 | 0 | break; |
711 | 0 | } |
712 | | |
713 | 0 | if ((session->auth.state != SSH_AUTH_STATE_KBDINT_SENT) && |
714 | 0 | (session->auth.state != SSH_AUTH_STATE_PUBKEY_OFFER_SENT) && |
715 | 0 | (session->auth.state != SSH_AUTH_STATE_GSSAPI_REQUEST_SENT)) |
716 | 0 | { |
717 | 0 | rc = SSH_PACKET_DENIED; |
718 | 0 | break; |
719 | 0 | } |
720 | | |
721 | 0 | rc = SSH_PACKET_ALLOWED; |
722 | 0 | break; |
723 | 0 | case SSH2_MSG_USERAUTH_INFO_RESPONSE: // 61 |
724 | | // SSH2_MSG_USERAUTH_GSSAPI_TOKEN: // 61 |
725 | | |
726 | | /* |
727 | | * States required: |
728 | | * - session_state == SSH_SESSION_STATE_AUTHENTICATING |
729 | | * - session_state->auth.state == SSH_SESSION_STATE_GSSAPI_TOKEN |
730 | | * or |
731 | | * session_state->auth.state == SSH_SESSION_STATE_INFO |
732 | | * |
733 | | * Transitions: |
734 | | * - None |
735 | | * */ |
736 | |
|
737 | 0 | if (session->session_state != SSH_SESSION_STATE_AUTHENTICATING) { |
738 | 0 | rc = SSH_PACKET_DENIED; |
739 | 0 | break; |
740 | 0 | } |
741 | | |
742 | 0 | if ((session->auth.state != SSH_AUTH_STATE_INFO) && |
743 | 0 | (session->auth.state != SSH_AUTH_STATE_GSSAPI_TOKEN)) |
744 | 0 | { |
745 | 0 | rc = SSH_PACKET_DENIED; |
746 | 0 | break; |
747 | 0 | } |
748 | | |
749 | 0 | rc = SSH_PACKET_ALLOWED; |
750 | 0 | break; |
751 | 0 | case SSH2_MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE: // 63 |
752 | | /* Server only */ |
753 | | /* |
754 | | * States required: |
755 | | * - session_state == SSH_SESSION_STATE_AUTHENTICATING |
756 | | * - session->gssapi->state == SSH_GSSAPI_STATE_RCV_MIC |
757 | | * |
758 | | * Transitions: |
759 | | * - None |
760 | | */ |
761 | | #ifdef WITH_GSSAPI |
762 | | if (session->client) { |
763 | | rc = SSH_PACKET_DENIED; |
764 | | break; |
765 | | } |
766 | | if (session->session_state != SSH_SESSION_STATE_AUTHENTICATING) { |
767 | | rc = SSH_PACKET_DENIED; |
768 | | break; |
769 | | } |
770 | | if (session->gssapi == NULL) { |
771 | | rc = SSH_PACKET_DENIED; |
772 | | break; |
773 | | } |
774 | | if (session->gssapi->state != SSH_GSSAPI_STATE_RCV_MIC) { |
775 | | rc = SSH_PACKET_DENIED; |
776 | | break; |
777 | | } |
778 | | rc = SSH_PACKET_ALLOWED; |
779 | | break; |
780 | | #else |
781 | 0 | rc = SSH_PACKET_DENIED; |
782 | 0 | break; |
783 | 0 | #endif /* WITH_GSSAPI */ |
784 | 0 | case SSH2_MSG_USERAUTH_GSSAPI_ERROR: // 64 |
785 | | /* Client only */ |
786 | | /* |
787 | | * States required: |
788 | | * - session_state == SSH_SESSION_STATE_AUTHENTICATING |
789 | | * |
790 | | * Transitions: |
791 | | * - None |
792 | | */ |
793 | | #ifdef WITH_GSSAPI |
794 | | if (session->server) { |
795 | | rc = SSH_PACKET_DENIED; |
796 | | break; |
797 | | } |
798 | | if (session->session_state != SSH_SESSION_STATE_AUTHENTICATING) { |
799 | | rc = SSH_PACKET_DENIED; |
800 | | break; |
801 | | } |
802 | | |
803 | | rc = SSH_PACKET_ALLOWED; |
804 | | break; |
805 | | #else |
806 | 0 | rc = SSH_PACKET_DENIED; |
807 | 0 | break; |
808 | 0 | #endif /* WITH_GSSAPI */ |
809 | 0 | case SSH2_MSG_USERAUTH_GSSAPI_ERRTOK: // 65 |
810 | | /* |
811 | | * States required: |
812 | | * - session_state == SSH_SESSION_STATE_AUTHENTICATING |
813 | | * |
814 | | * Transitions: |
815 | | * - None |
816 | | */ |
817 | | #ifdef WITH_GSSAPI |
818 | | if (session->session_state != SSH_SESSION_STATE_AUTHENTICATING) { |
819 | | rc = SSH_PACKET_DENIED; |
820 | | break; |
821 | | } |
822 | | |
823 | | rc = SSH_PACKET_ALLOWED; |
824 | | break; |
825 | | #else |
826 | 0 | rc = SSH_PACKET_DENIED; |
827 | 0 | break; |
828 | 0 | #endif /* WITH_GSSAPI */ |
829 | 0 | case SSH2_MSG_USERAUTH_GSSAPI_MIC: // 66 |
830 | | /* Server only */ |
831 | | |
832 | | /* |
833 | | * States required: |
834 | | * - session_state == SSH_SESSION_STATE_AUTHENTICATING |
835 | | * - session->gssapi->state == SSH_GSSAPI_STATE_RCV_MIC |
836 | | * |
837 | | * Transitions: |
838 | | * Depending on the result of the verification, the states are |
839 | | * changed: |
840 | | * - SSH_AUTH_SUCCESS: |
841 | | * - session->session_state = SSH_SESSION_STATE_AUTHENTICATED |
842 | | * - session->flags != SSH_SESSION_FLAG_AUTHENTICATED |
843 | | * - SSH_AUTH_PARTIAL: |
844 | | * - None |
845 | | * - any other case: |
846 | | * - None |
847 | | * */ |
848 | | #ifdef WITH_GSSAPI |
849 | | /* If this is a client, reject the message */ |
850 | | if (session->client) { |
851 | | rc = SSH_PACKET_DENIED; |
852 | | break; |
853 | | } |
854 | | |
855 | | if (session->dh_handshake_state != DH_STATE_FINISHED) { |
856 | | rc = SSH_PACKET_DENIED; |
857 | | break; |
858 | | } |
859 | | |
860 | | if (session->session_state != SSH_SESSION_STATE_AUTHENTICATING) { |
861 | | rc = SSH_PACKET_DENIED; |
862 | | break; |
863 | | } |
864 | | |
865 | | rc = SSH_PACKET_ALLOWED; |
866 | | break; |
867 | | #else |
868 | 0 | rc = SSH_PACKET_DENIED; |
869 | 0 | break; |
870 | 0 | #endif /* WITH_GSSAPI */ |
871 | 0 | case SSH2_MSG_GLOBAL_REQUEST: // 80 |
872 | | /* |
873 | | * States required: |
874 | | * - session_state == SSH_SESSION_STATE_AUTHENTICATED |
875 | | * |
876 | | * Transitions: |
877 | | * - None |
878 | | * */ |
879 | |
|
880 | 0 | if (session->session_state != SSH_SESSION_STATE_AUTHENTICATED) { |
881 | 0 | rc = SSH_PACKET_DENIED; |
882 | 0 | break; |
883 | 0 | } |
884 | | |
885 | 0 | rc = SSH_PACKET_ALLOWED; |
886 | 0 | break; |
887 | 0 | case SSH2_MSG_REQUEST_SUCCESS: // 81 |
888 | | /* |
889 | | * States required: |
890 | | * - session_state == SSH_SESSION_STATE_AUTHENTICATED |
891 | | * |
892 | | * Transitions: |
893 | | * - From channel->request_state == SSH_CHANNEL_REQ_STATE_PENDING |
894 | | * - To channel->request_state = SSH_CHANNEL_REQ_STATE_ACCEPTED |
895 | | * |
896 | | * If not in a pending state, message is ignored in the callback handler. |
897 | | * */ |
898 | |
|
899 | 0 | if (session->session_state != SSH_SESSION_STATE_AUTHENTICATED) { |
900 | 0 | rc = SSH_PACKET_DENIED; |
901 | 0 | break; |
902 | 0 | } |
903 | | |
904 | 0 | rc = SSH_PACKET_ALLOWED; |
905 | 0 | break; |
906 | 0 | case SSH2_MSG_REQUEST_FAILURE: // 82 |
907 | | /* |
908 | | * States required: |
909 | | * - session_state == SSH_SESSION_STATE_AUTHENTICATED |
910 | | * |
911 | | * Transitions: |
912 | | * - From channel->request_state == SSH_CHANNEL_REQ_STATE_PENDING |
913 | | * - To channel->request_state = SSH_CHANNEL_REQ_STATE_ACCEPTED |
914 | | * |
915 | | * If not in a pending state, message is ignored in the callback handler. |
916 | | * */ |
917 | |
|
918 | 0 | if (session->session_state != SSH_SESSION_STATE_AUTHENTICATED) { |
919 | 0 | rc = SSH_PACKET_DENIED; |
920 | 0 | break; |
921 | 0 | } |
922 | | |
923 | 0 | rc = SSH_PACKET_ALLOWED; |
924 | 0 | break; |
925 | 0 | case SSH2_MSG_CHANNEL_OPEN: // 90 |
926 | | /* |
927 | | * States required: |
928 | | * - session_state == SSH_SESSION_STATE_AUTHENTICATED |
929 | | * |
930 | | * Transitions: |
931 | | * - None |
932 | | * */ |
933 | |
|
934 | 0 | if (session->session_state != SSH_SESSION_STATE_AUTHENTICATED) { |
935 | 0 | rc = SSH_PACKET_DENIED; |
936 | 0 | break; |
937 | 0 | } |
938 | | |
939 | 0 | rc = SSH_PACKET_ALLOWED; |
940 | 0 | break; |
941 | 0 | case SSH2_MSG_CHANNEL_OPEN_CONFIRMATION: // 91 |
942 | | /* |
943 | | * States required: |
944 | | * - session_state == SSH_SESSION_STATE_AUTHENTICATED |
945 | | * |
946 | | * Transitions: |
947 | | * - channel->state = SSH_CHANNEL_STATE_OPEN |
948 | | * - channel->flags &= ~SSH_CHANNEL_FLAG_NOT_BOUND |
949 | | * */ |
950 | |
|
951 | 0 | if (session->session_state != SSH_SESSION_STATE_AUTHENTICATED) { |
952 | 0 | rc = SSH_PACKET_DENIED; |
953 | 0 | break; |
954 | 0 | } |
955 | | |
956 | 0 | rc = SSH_PACKET_ALLOWED; |
957 | 0 | break; |
958 | 0 | case SSH2_MSG_CHANNEL_OPEN_FAILURE: // 92 |
959 | | /* |
960 | | * States required: |
961 | | * - session_state == SSH_SESSION_STATE_AUTHENTICATED |
962 | | * |
963 | | * Transitions: |
964 | | * - channel->state = SSH_CHANNEL_STATE_OPEN_DENIED |
965 | | * */ |
966 | |
|
967 | 0 | if (session->session_state != SSH_SESSION_STATE_AUTHENTICATED) { |
968 | 0 | rc = SSH_PACKET_DENIED; |
969 | 0 | break; |
970 | 0 | } |
971 | | |
972 | 0 | rc = SSH_PACKET_ALLOWED; |
973 | 0 | break; |
974 | 0 | case SSH2_MSG_CHANNEL_WINDOW_ADJUST: // 93 |
975 | | /* |
976 | | * States required: |
977 | | * - session_state == SSH_SESSION_STATE_AUTHENTICATED |
978 | | * |
979 | | * Transitions: |
980 | | * - None |
981 | | * */ |
982 | |
|
983 | 0 | if (session->session_state != SSH_SESSION_STATE_AUTHENTICATED) { |
984 | 0 | rc = SSH_PACKET_DENIED; |
985 | 0 | break; |
986 | 0 | } |
987 | | |
988 | 0 | rc = SSH_PACKET_ALLOWED; |
989 | 0 | break; |
990 | 0 | case SSH2_MSG_CHANNEL_DATA: // 94 |
991 | | /* |
992 | | * States required: |
993 | | * - session_state == SSH_SESSION_STATE_AUTHENTICATED |
994 | | * |
995 | | * Transitions: |
996 | | * - None |
997 | | * */ |
998 | |
|
999 | 0 | if (session->session_state != SSH_SESSION_STATE_AUTHENTICATED) { |
1000 | 0 | rc = SSH_PACKET_DENIED; |
1001 | 0 | break; |
1002 | 0 | } |
1003 | | |
1004 | 0 | rc = SSH_PACKET_ALLOWED; |
1005 | 0 | break; |
1006 | 0 | case SSH2_MSG_CHANNEL_EXTENDED_DATA: // 95 |
1007 | | /* |
1008 | | * States required: |
1009 | | * - session_state == SSH_SESSION_STATE_AUTHENTICATED |
1010 | | * |
1011 | | * Transitions: |
1012 | | * - None |
1013 | | * */ |
1014 | |
|
1015 | 0 | if (session->session_state != SSH_SESSION_STATE_AUTHENTICATED) { |
1016 | 0 | rc = SSH_PACKET_DENIED; |
1017 | 0 | break; |
1018 | 0 | } |
1019 | | |
1020 | 0 | rc = SSH_PACKET_ALLOWED; |
1021 | 0 | break; |
1022 | 0 | case SSH2_MSG_CHANNEL_EOF: // 96 |
1023 | | /* |
1024 | | * States required: |
1025 | | * - session_state == SSH_SESSION_STATE_AUTHENTICATED |
1026 | | * |
1027 | | * Transitions: |
1028 | | * - None |
1029 | | * */ |
1030 | |
|
1031 | 0 | if (session->session_state != SSH_SESSION_STATE_AUTHENTICATED) { |
1032 | 0 | rc = SSH_PACKET_DENIED; |
1033 | 0 | break; |
1034 | 0 | } |
1035 | | |
1036 | 0 | rc = SSH_PACKET_ALLOWED; |
1037 | 0 | break; |
1038 | 0 | case SSH2_MSG_CHANNEL_CLOSE: // 97 |
1039 | | /* |
1040 | | * States required: |
1041 | | * - session_state == SSH_SESSION_STATE_AUTHENTICATED |
1042 | | * |
1043 | | * Transitions: |
1044 | | * - channel->state = SSH_CHANNEL_STATE_CLOSED |
1045 | | * - channel->flags |= SSH_CHANNEL_FLAG_CLOSED_REMOTE |
1046 | | * */ |
1047 | |
|
1048 | 0 | if (session->session_state != SSH_SESSION_STATE_AUTHENTICATED) { |
1049 | 0 | rc = SSH_PACKET_DENIED; |
1050 | 0 | break; |
1051 | 0 | } |
1052 | | |
1053 | 0 | rc = SSH_PACKET_ALLOWED; |
1054 | 0 | break; |
1055 | 0 | case SSH2_MSG_CHANNEL_REQUEST: // 98 |
1056 | | /* |
1057 | | * States required: |
1058 | | * - session_state == SSH_SESSION_STATE_AUTHENTICATED |
1059 | | * |
1060 | | * Transitions: |
1061 | | * - Depends on the request |
1062 | | * */ |
1063 | |
|
1064 | 0 | if (session->session_state != SSH_SESSION_STATE_AUTHENTICATED) { |
1065 | 0 | rc = SSH_PACKET_DENIED; |
1066 | 0 | break; |
1067 | 0 | } |
1068 | | |
1069 | 0 | rc = SSH_PACKET_ALLOWED; |
1070 | 0 | break; |
1071 | 0 | case SSH2_MSG_CHANNEL_SUCCESS: // 99 |
1072 | | /* |
1073 | | * States required: |
1074 | | * - session_state == SSH_SESSION_STATE_AUTHENTICATED |
1075 | | * |
1076 | | * Transitions: |
1077 | | * - From channel->request_state == SSH_CHANNEL_REQ_STATE_PENDING |
1078 | | * - To channel->request_state = SSH_CHANNEL_REQ_STATE_ACCEPTED |
1079 | | * |
1080 | | * If not in a pending state, message is ignored in the callback handler. |
1081 | | * */ |
1082 | |
|
1083 | 0 | if (session->session_state != SSH_SESSION_STATE_AUTHENTICATED) { |
1084 | 0 | rc = SSH_PACKET_DENIED; |
1085 | 0 | break; |
1086 | 0 | } |
1087 | | |
1088 | 0 | rc = SSH_PACKET_ALLOWED; |
1089 | 0 | break; |
1090 | 0 | case SSH2_MSG_CHANNEL_FAILURE: // 100 |
1091 | | /* |
1092 | | * States required: |
1093 | | * - session_state == SSH_SESSION_STATE_AUTHENTICATED |
1094 | | * |
1095 | | * Transitions: |
1096 | | * - From channel->request_state == SSH_CHANNEL_REQ_STATE_PENDING |
1097 | | * - To channel->request_state = SSH_CHANNEL_REQ_STATE_ACCEPTED |
1098 | | * |
1099 | | * If not in a pending state, message is ignored in the callback handler. |
1100 | | * */ |
1101 | |
|
1102 | 0 | if (session->session_state != SSH_SESSION_STATE_AUTHENTICATED) { |
1103 | 0 | rc = SSH_PACKET_DENIED; |
1104 | 0 | break; |
1105 | 0 | } |
1106 | | |
1107 | 0 | rc = SSH_PACKET_ALLOWED; |
1108 | 0 | break; |
1109 | 0 | default: |
1110 | | /* Unknown message, do not filter */ |
1111 | 0 | rc = SSH_PACKET_UNKNOWN; |
1112 | 0 | goto end; |
1113 | 0 | } |
1114 | | |
1115 | 0 | end: |
1116 | | #ifdef DEBUG_PACKET |
1117 | | if (rc == SSH_PACKET_DENIED) { |
1118 | | SSH_LOG(SSH_LOG_PACKET, "REJECTED packet type %d: ", |
1119 | | session->in_packet.type); |
1120 | | } |
1121 | | |
1122 | | if (rc == SSH_PACKET_UNKNOWN) { |
1123 | | SSH_LOG(SSH_LOG_PACKET, "UNKNOWN packet type %d", |
1124 | | session->in_packet.type); |
1125 | | } |
1126 | | #endif |
1127 | |
|
1128 | 0 | return rc; |
1129 | 0 | } |
1130 | | |
1131 | | /* Returns current_crypto structure from the session. |
1132 | | * During key exchange (or rekey), after one of the sides |
1133 | | * sending NEWKEYS packet, this might return next_crypto for one |
1134 | | * of the directions that is ahead to send already queued packets |
1135 | | */ |
1136 | | struct ssh_crypto_struct * |
1137 | | ssh_packet_get_current_crypto(ssh_session session, |
1138 | | enum ssh_crypto_direction_e direction) |
1139 | 0 | { |
1140 | 0 | struct ssh_crypto_struct *crypto = NULL; |
1141 | |
|
1142 | 0 | if (session == NULL) { |
1143 | 0 | return NULL; |
1144 | 0 | } |
1145 | | |
1146 | 0 | if (session->current_crypto != NULL && |
1147 | 0 | session->current_crypto->used & direction) { |
1148 | 0 | crypto = session->current_crypto; |
1149 | 0 | } else if (session->next_crypto != NULL && |
1150 | 0 | session->next_crypto->used & direction) { |
1151 | 0 | crypto = session->next_crypto; |
1152 | 0 | } else { |
1153 | 0 | return NULL; |
1154 | 0 | } |
1155 | | |
1156 | 0 | switch (direction) { |
1157 | 0 | case SSH_DIRECTION_IN: |
1158 | 0 | if (crypto->in_cipher != NULL) { |
1159 | 0 | return crypto; |
1160 | 0 | } |
1161 | 0 | break; |
1162 | 0 | case SSH_DIRECTION_OUT: |
1163 | 0 | if (crypto->out_cipher != NULL) { |
1164 | 0 | return crypto; |
1165 | 0 | } |
1166 | 0 | break; |
1167 | 0 | case SSH_DIRECTION_BOTH: |
1168 | 0 | if (crypto->in_cipher != NULL && |
1169 | 0 | crypto->out_cipher != NULL) { |
1170 | 0 | return crypto; |
1171 | 0 | } |
1172 | 0 | } |
1173 | | |
1174 | 0 | return NULL; |
1175 | 0 | } |
1176 | | |
1177 | 0 | #define MAX_PACKETS (1UL<<31) |
1178 | | |
1179 | | static bool ssh_packet_need_rekey(ssh_session session, |
1180 | | const uint32_t payloadsize) |
1181 | 0 | { |
1182 | 0 | bool data_rekey_needed = false; |
1183 | 0 | struct ssh_crypto_struct *crypto = NULL; |
1184 | 0 | struct ssh_cipher_struct *out_cipher = NULL, *in_cipher = NULL; |
1185 | 0 | uint32_t next_blocks; |
1186 | | |
1187 | | /* We can safely rekey only in authenticated state */ |
1188 | 0 | if ((session->flags & SSH_SESSION_FLAG_AUTHENTICATED) == 0) { |
1189 | 0 | return false; |
1190 | 0 | } |
1191 | | |
1192 | | /* Do not rekey if the rekey/key-exchange is in progress */ |
1193 | 0 | if (session->dh_handshake_state != DH_STATE_FINISHED) { |
1194 | 0 | return false; |
1195 | 0 | } |
1196 | | |
1197 | 0 | crypto = ssh_packet_get_current_crypto(session, SSH_DIRECTION_BOTH); |
1198 | 0 | if (crypto == NULL) { |
1199 | 0 | return false; |
1200 | 0 | } |
1201 | | |
1202 | 0 | out_cipher = crypto->out_cipher; |
1203 | 0 | in_cipher = crypto->in_cipher; |
1204 | | |
1205 | | /* Make sure we can send at least something for very small limits */ |
1206 | 0 | if ((out_cipher->packets == 0) && (in_cipher->packets == 0)) { |
1207 | 0 | return false; |
1208 | 0 | } |
1209 | | |
1210 | | /* Time based rekeying */ |
1211 | 0 | if (session->opts.rekey_time != 0 && |
1212 | 0 | ssh_timeout_elapsed(&session->last_rekey_time, |
1213 | 0 | session->opts.rekey_time)) { |
1214 | 0 | return true; |
1215 | 0 | } |
1216 | | |
1217 | | /* RFC4344, Section 3.1 Recommends rekeying after 2^31 packets in either |
1218 | | * direction to avoid possible information leakage through the MAC tag |
1219 | | */ |
1220 | 0 | if (out_cipher->packets > MAX_PACKETS || |
1221 | 0 | in_cipher->packets > MAX_PACKETS) { |
1222 | 0 | return true; |
1223 | 0 | } |
1224 | | |
1225 | | /* Data-based rekeying: |
1226 | | * * For outgoing packets we can still delay them |
1227 | | * * Incoming packets need to be processed anyway, but we can |
1228 | | * signalize our intention to rekey |
1229 | | */ |
1230 | 0 | next_blocks = payloadsize / out_cipher->blocksize; |
1231 | 0 | data_rekey_needed = (out_cipher->max_blocks != 0 && |
1232 | 0 | out_cipher->blocks + next_blocks > out_cipher->max_blocks) || |
1233 | 0 | (in_cipher->max_blocks != 0 && |
1234 | 0 | in_cipher->blocks + next_blocks > in_cipher->max_blocks); |
1235 | |
|
1236 | 0 | SSH_LOG(SSH_LOG_PACKET, |
1237 | 0 | "rekey: [data_rekey_needed=%d, out_blocks=%" PRIu64 ", in_blocks=%" PRIu64 "]", |
1238 | 0 | data_rekey_needed, |
1239 | 0 | out_cipher->blocks + next_blocks, |
1240 | 0 | in_cipher->blocks + next_blocks); |
1241 | |
|
1242 | 0 | return data_rekey_needed; |
1243 | 0 | } |
1244 | | |
1245 | | /* in nonblocking mode, socket_read will read as much as it can, and return */ |
1246 | | /* SSH_OK if it has read at least len bytes, otherwise, SSH_AGAIN. */ |
1247 | | /* in blocking mode, it will read at least len bytes and will block until it's ok. */ |
1248 | | |
1249 | | /** @internal |
1250 | | * @handles a data received event. It then calls the handlers for the different packet types |
1251 | | * or and exception handler callback. |
1252 | | * @param user pointer to current ssh_session |
1253 | | * @param data pointer to the data received |
1254 | | * @len length of data received. It might not be enough for a complete packet |
1255 | | * @returns number of bytes read and processed. Zero means only partial packet |
1256 | | * received and negative value means error. |
1257 | | */ |
1258 | | size_t |
1259 | | ssh_packet_socket_callback(const void *data, size_t receivedlen, void *user) |
1260 | 0 | { |
1261 | 0 | ssh_session session = (ssh_session)user; |
1262 | 0 | uint32_t blocksize = 8; |
1263 | 0 | uint32_t lenfield_blocksize = 8; |
1264 | 0 | size_t current_macsize = 0; |
1265 | 0 | uint8_t *ptr = NULL; |
1266 | 0 | ssize_t to_be_read; |
1267 | 0 | int rc; |
1268 | 0 | uint8_t *cleartext_packet = NULL; |
1269 | 0 | uint8_t *packet_second_block = NULL; |
1270 | 0 | uint8_t *mac = NULL; |
1271 | 0 | size_t packet_remaining, packet_offset; |
1272 | 0 | uint32_t packet_len, compsize, payloadsize; |
1273 | 0 | uint8_t padding; |
1274 | 0 | size_t processed = 0; /* number of bytes processed from the callback */ |
1275 | 0 | enum ssh_packet_filter_result_e filter_result; |
1276 | 0 | struct ssh_crypto_struct *crypto = NULL; |
1277 | 0 | bool etm = false; |
1278 | 0 | uint32_t etm_packet_offset = 0; |
1279 | 0 | bool ok; |
1280 | |
|
1281 | 0 | crypto = ssh_packet_get_current_crypto(session, SSH_DIRECTION_IN); |
1282 | 0 | if (crypto != NULL) { |
1283 | 0 | current_macsize = hmac_digest_len(crypto->in_hmac); |
1284 | 0 | blocksize = crypto->in_cipher->blocksize; |
1285 | 0 | lenfield_blocksize = crypto->in_cipher->lenfield_blocksize; |
1286 | 0 | etm = crypto->in_hmac_etm; |
1287 | 0 | } |
1288 | |
|
1289 | 0 | if (etm) { |
1290 | | /* In EtM mode packet size is unencrypted. This means |
1291 | | * we need to use this offset and set the block size |
1292 | | * that is part of the encrypted part to 0. |
1293 | | */ |
1294 | 0 | etm_packet_offset = sizeof(uint32_t); |
1295 | 0 | lenfield_blocksize = 0; |
1296 | 0 | } else if (lenfield_blocksize == 0) { |
1297 | 0 | lenfield_blocksize = blocksize; |
1298 | 0 | } |
1299 | 0 | if (data == NULL) { |
1300 | 0 | goto error; |
1301 | 0 | } |
1302 | | |
1303 | 0 | if (session->session_state == SSH_SESSION_STATE_ERROR) { |
1304 | 0 | goto error; |
1305 | 0 | } |
1306 | | #ifdef DEBUG_PACKET |
1307 | | SSH_LOG(SSH_LOG_PACKET, |
1308 | | "rcv packet cb (len=%zu, state=%s)", |
1309 | | receivedlen, |
1310 | | session->packet_state == PACKET_STATE_INIT ? |
1311 | | "INIT" : |
1312 | | session->packet_state == PACKET_STATE_SIZEREAD ? |
1313 | | "SIZE_READ" : |
1314 | | session->packet_state == PACKET_STATE_PROCESSING ? |
1315 | | "PROCESSING" : "unknown"); |
1316 | | #endif |
1317 | 0 | switch (session->packet_state) { |
1318 | 0 | case PACKET_STATE_INIT: |
1319 | 0 | if (receivedlen < lenfield_blocksize + etm_packet_offset) { |
1320 | | /* |
1321 | | * We didn't receive enough data to read either at least one |
1322 | | * block size or the unencrypted length in EtM mode. |
1323 | | */ |
1324 | | #ifdef DEBUG_PACKET |
1325 | | SSH_LOG(SSH_LOG_PACKET, |
1326 | | "Waiting for more data (%zu < %u)", |
1327 | | receivedlen, |
1328 | | lenfield_blocksize); |
1329 | | #endif |
1330 | 0 | return 0; |
1331 | 0 | } |
1332 | | |
1333 | 0 | session->in_packet = (struct packet_struct) { |
1334 | 0 | .type = 0, |
1335 | 0 | }; |
1336 | |
|
1337 | 0 | if (session->in_buffer) { |
1338 | 0 | rc = ssh_buffer_reinit(session->in_buffer); |
1339 | 0 | if (rc < 0) { |
1340 | 0 | goto error; |
1341 | 0 | } |
1342 | 0 | } else { |
1343 | 0 | session->in_buffer = ssh_buffer_new(); |
1344 | 0 | if (session->in_buffer == NULL) { |
1345 | 0 | goto error; |
1346 | 0 | } |
1347 | 0 | } |
1348 | | |
1349 | 0 | if (!etm) { |
1350 | 0 | ptr = ssh_buffer_allocate(session->in_buffer, |
1351 | 0 | lenfield_blocksize); |
1352 | 0 | if (ptr == NULL) { |
1353 | 0 | goto error; |
1354 | 0 | } |
1355 | 0 | packet_len = ssh_packet_decrypt_len(session, ptr, |
1356 | 0 | (uint8_t *)data); |
1357 | 0 | to_be_read = packet_len - lenfield_blocksize + sizeof(uint32_t); |
1358 | 0 | } else { |
1359 | | /* Length is unencrypted in case of Encrypt-then-MAC */ |
1360 | 0 | packet_len = PULL_BE_U32(data, 0); |
1361 | 0 | to_be_read = packet_len - etm_packet_offset; |
1362 | 0 | } |
1363 | | |
1364 | 0 | processed += lenfield_blocksize + etm_packet_offset; |
1365 | 0 | if (packet_len > MAX_PACKET_LEN) { |
1366 | 0 | ssh_set_error(session, |
1367 | 0 | SSH_FATAL, |
1368 | 0 | "read_packet(): Packet len too high(%" PRIu32 " %.4" PRIx32 ")", |
1369 | 0 | packet_len, packet_len); |
1370 | 0 | goto error; |
1371 | 0 | } |
1372 | 0 | if (to_be_read < 0) { |
1373 | | /* remote sshd sends invalid sizes? */ |
1374 | 0 | ssh_set_error(session, |
1375 | 0 | SSH_FATAL, |
1376 | 0 | "Given numbers of bytes left to be read < 0 (%zd)!", |
1377 | 0 | to_be_read); |
1378 | 0 | goto error; |
1379 | 0 | } |
1380 | | |
1381 | 0 | session->in_packet.len = packet_len; |
1382 | 0 | session->packet_state = PACKET_STATE_SIZEREAD; |
1383 | 0 | FALL_THROUGH; |
1384 | 0 | case PACKET_STATE_SIZEREAD: |
1385 | 0 | packet_len = session->in_packet.len; |
1386 | 0 | packet_offset = processed = lenfield_blocksize + etm_packet_offset; |
1387 | 0 | to_be_read = packet_len + sizeof(uint32_t) + current_macsize; |
1388 | | /* if to_be_read is zero, the whole packet was blocksize bytes. */ |
1389 | 0 | if (to_be_read != 0) { |
1390 | 0 | if (receivedlen < (unsigned long)to_be_read) { |
1391 | | /* give up, not enough data in buffer */ |
1392 | 0 | SSH_LOG(SSH_LOG_PACKET, |
1393 | 0 | "packet: partial packet (read len) " |
1394 | 0 | "[len=%" PRIu32 ", receivedlen=%zu, to_be_read=%zd]", |
1395 | 0 | packet_len, |
1396 | 0 | receivedlen, |
1397 | 0 | to_be_read); |
1398 | 0 | return 0; |
1399 | 0 | } |
1400 | | |
1401 | 0 | packet_second_block = (uint8_t*)data + packet_offset; |
1402 | 0 | processed = to_be_read - current_macsize; |
1403 | 0 | } |
1404 | | |
1405 | | /* remaining encrypted bytes from the packet, MAC not included */ |
1406 | 0 | packet_remaining = packet_len - (packet_offset - sizeof(uint32_t)); |
1407 | 0 | cleartext_packet = ssh_buffer_allocate(session->in_buffer, |
1408 | 0 | (uint32_t)packet_remaining); |
1409 | 0 | if (cleartext_packet == NULL) { |
1410 | 0 | goto error; |
1411 | 0 | } |
1412 | | |
1413 | 0 | if (packet_second_block != NULL) { |
1414 | 0 | if (crypto != NULL) { |
1415 | 0 | mac = packet_second_block + packet_remaining; |
1416 | |
|
1417 | 0 | if (crypto->in_hmac != SSH_HMAC_NONE && etm) { |
1418 | 0 | rc = ssh_packet_hmac_verify(session, |
1419 | 0 | data, |
1420 | 0 | processed, |
1421 | 0 | mac, |
1422 | 0 | crypto->in_hmac); |
1423 | 0 | if (rc < 0) { |
1424 | 0 | ssh_set_error(session, SSH_FATAL, "HMAC error"); |
1425 | 0 | goto error; |
1426 | 0 | } |
1427 | 0 | } |
1428 | | /* |
1429 | | * Decrypt the packet. In case of EtM mode, the length is |
1430 | | * already known as it's unencrypted. In the other case, |
1431 | | * lenfield_blocksize bytes already have been decrypted. |
1432 | | */ |
1433 | 0 | if (packet_remaining > 0) { |
1434 | 0 | rc = ssh_packet_decrypt(session, |
1435 | 0 | cleartext_packet, |
1436 | 0 | (uint8_t *)data, |
1437 | 0 | packet_offset, |
1438 | 0 | processed - packet_offset); |
1439 | 0 | if (rc < 0) { |
1440 | 0 | ssh_set_error(session, |
1441 | 0 | SSH_FATAL, |
1442 | 0 | "Decryption error"); |
1443 | 0 | goto error; |
1444 | 0 | } |
1445 | 0 | } |
1446 | | |
1447 | 0 | if (crypto->in_hmac != SSH_HMAC_NONE && !etm) { |
1448 | 0 | ssh_buffer in = session->in_buffer; |
1449 | 0 | rc = ssh_packet_hmac_verify(session, |
1450 | 0 | ssh_buffer_get(in), |
1451 | 0 | ssh_buffer_get_len(in), |
1452 | 0 | mac, |
1453 | 0 | crypto->in_hmac); |
1454 | 0 | if (rc < 0) { |
1455 | 0 | ssh_set_error(session, SSH_FATAL, "HMAC error"); |
1456 | 0 | goto error; |
1457 | 0 | } |
1458 | 0 | } |
1459 | 0 | processed += current_macsize; |
1460 | 0 | } else { |
1461 | 0 | memcpy(cleartext_packet, |
1462 | 0 | packet_second_block, |
1463 | 0 | packet_remaining); |
1464 | 0 | } |
1465 | 0 | } |
1466 | | |
1467 | 0 | #ifdef WITH_PCAP |
1468 | 0 | if (session->pcap_ctx != NULL) { |
1469 | 0 | ssh_pcap_context_write(session->pcap_ctx, |
1470 | 0 | SSH_PCAP_DIR_IN, |
1471 | 0 | ssh_buffer_get(session->in_buffer), |
1472 | 0 | ssh_buffer_get_len(session->in_buffer), |
1473 | 0 | ssh_buffer_get_len(session->in_buffer)); |
1474 | 0 | } |
1475 | 0 | #endif |
1476 | |
|
1477 | 0 | if (!etm) { |
1478 | | /* skip the size field which has been processed before */ |
1479 | 0 | ssh_buffer_pass_bytes(session->in_buffer, sizeof(uint32_t)); |
1480 | 0 | } |
1481 | |
|
1482 | 0 | rc = ssh_buffer_get_u8(session->in_buffer, &padding); |
1483 | 0 | if (rc == 0) { |
1484 | 0 | ssh_set_error(session, |
1485 | 0 | SSH_FATAL, |
1486 | 0 | "Packet too short to read padding"); |
1487 | 0 | goto error; |
1488 | 0 | } |
1489 | | |
1490 | 0 | if (padding > ssh_buffer_get_len(session->in_buffer)) { |
1491 | 0 | ssh_set_error(session, |
1492 | 0 | SSH_FATAL, |
1493 | 0 | "Invalid padding: %d (%" PRIu32 " left)", |
1494 | 0 | padding, |
1495 | 0 | ssh_buffer_get_len(session->in_buffer)); |
1496 | 0 | goto error; |
1497 | 0 | } |
1498 | 0 | ssh_buffer_pass_bytes_end(session->in_buffer, padding); |
1499 | 0 | compsize = ssh_buffer_get_len(session->in_buffer); |
1500 | |
|
1501 | 0 | if (crypto && crypto->do_compress_in && |
1502 | 0 | ssh_buffer_get_len(session->in_buffer) > 0) { |
1503 | 0 | rc = decompress_buffer(session, session->in_buffer, |
1504 | 0 | MAX_PACKET_LEN); |
1505 | 0 | if (rc < 0) { |
1506 | 0 | goto error; |
1507 | 0 | } |
1508 | 0 | } |
1509 | 0 | payloadsize = ssh_buffer_get_len(session->in_buffer); |
1510 | 0 | if (session->recv_seq == UINT32_MAX) { |
1511 | | /* Overflowing sequence numbers is always fishy */ |
1512 | 0 | if (crypto == NULL) { |
1513 | | /* don't allow sequence number overflow when unencrypted */ |
1514 | 0 | ssh_set_error(session, |
1515 | 0 | SSH_FATAL, |
1516 | 0 | "Incoming sequence number overflow"); |
1517 | 0 | goto error; |
1518 | 0 | } else { |
1519 | 0 | SSH_LOG(SSH_LOG_WARNING, |
1520 | 0 | "Incoming sequence number overflow"); |
1521 | 0 | } |
1522 | 0 | } |
1523 | 0 | session->recv_seq++; |
1524 | 0 | if (crypto != NULL) { |
1525 | 0 | struct ssh_cipher_struct *cipher = NULL; |
1526 | |
|
1527 | 0 | cipher = crypto->in_cipher; |
1528 | 0 | cipher->packets++; |
1529 | 0 | cipher->blocks += payloadsize / cipher->blocksize; |
1530 | 0 | } |
1531 | 0 | if (session->raw_counter != NULL) { |
1532 | 0 | session->raw_counter->in_bytes += payloadsize; |
1533 | 0 | session->raw_counter->in_packets++; |
1534 | 0 | } |
1535 | | |
1536 | | /* |
1537 | | * We don't want to rewrite a new packet while still executing the |
1538 | | * packet callbacks |
1539 | | */ |
1540 | 0 | session->packet_state = PACKET_STATE_PROCESSING; |
1541 | 0 | ssh_packet_parse_type(session); |
1542 | 0 | SSH_LOG(SSH_LOG_PACKET, |
1543 | 0 | "packet: read type %hhd [len=%" PRIu32 ",padding=%hhd," |
1544 | 0 | "comp=%" PRIu32 ",payload=%" PRIu32 "]", |
1545 | 0 | session->in_packet.type, packet_len, padding, compsize, |
1546 | 0 | payloadsize); |
1547 | 0 | if (crypto == NULL) { |
1548 | | /* In strict kex, only a few packets are allowed. Taint the session |
1549 | | * if we received packets that are normally allowed but to be |
1550 | | * refused if we are in strict kex when KEX is over. |
1551 | | */ |
1552 | 0 | uint8_t type = session->in_packet.type; |
1553 | |
|
1554 | 0 | if (type != SSH2_MSG_KEXINIT && type != SSH2_MSG_NEWKEYS && |
1555 | 0 | (type < SSH2_MSG_KEXDH_INIT || |
1556 | 0 | type > SSH2_MSG_KEX_DH_GEX_REQUEST)) { |
1557 | 0 | session->flags |= SSH_SESSION_FLAG_KEX_TAINTED; |
1558 | 0 | } |
1559 | 0 | } |
1560 | | /* Check if the packet is expected */ |
1561 | 0 | filter_result = ssh_packet_incoming_filter(session); |
1562 | |
|
1563 | 0 | switch (filter_result) { |
1564 | 0 | case SSH_PACKET_ALLOWED: |
1565 | | /* Execute callbacks */ |
1566 | 0 | ssh_packet_process(session, session->in_packet.type); |
1567 | 0 | break; |
1568 | 0 | case SSH_PACKET_DENIED: |
1569 | 0 | ssh_set_error(session, |
1570 | 0 | SSH_FATAL, |
1571 | 0 | "Packet filter: rejected packet (type %d)", |
1572 | 0 | session->in_packet.type); |
1573 | 0 | goto error; |
1574 | 0 | case SSH_PACKET_UNKNOWN: |
1575 | 0 | if (crypto == NULL) { |
1576 | 0 | session->flags |= SSH_SESSION_FLAG_KEX_TAINTED; |
1577 | 0 | } |
1578 | 0 | ssh_packet_send_unimplemented(session, session->recv_seq - 1); |
1579 | 0 | break; |
1580 | 0 | } |
1581 | | |
1582 | 0 | session->packet_state = PACKET_STATE_INIT; |
1583 | 0 | if (processed < receivedlen) { |
1584 | 0 | size_t num; |
1585 | | /* Handle a potential packet left in socket buffer */ |
1586 | 0 | SSH_LOG(SSH_LOG_PACKET, |
1587 | 0 | "Processing %zu bytes left in socket buffer", |
1588 | 0 | receivedlen-processed); |
1589 | |
|
1590 | 0 | ptr = ((uint8_t*)data) + processed; |
1591 | |
|
1592 | 0 | num = ssh_packet_socket_callback(ptr, |
1593 | 0 | receivedlen - processed, |
1594 | 0 | user); |
1595 | 0 | processed += num; |
1596 | 0 | } |
1597 | |
|
1598 | 0 | ok = ssh_packet_need_rekey(session, 0); |
1599 | 0 | if (ok) { |
1600 | 0 | SSH_LOG(SSH_LOG_PACKET, "Incoming packet triggered rekey"); |
1601 | 0 | rc = ssh_send_rekex(session); |
1602 | 0 | if (rc != SSH_OK) { |
1603 | 0 | SSH_LOG(SSH_LOG_PACKET, "Rekey failed: rc = %d", rc); |
1604 | 0 | return rc; |
1605 | 0 | } |
1606 | 0 | } |
1607 | | |
1608 | 0 | return processed; |
1609 | 0 | case PACKET_STATE_PROCESSING: |
1610 | 0 | SSH_LOG(SSH_LOG_PACKET, "Nested packet processing. Delaying."); |
1611 | 0 | return 0; |
1612 | 0 | } |
1613 | | |
1614 | 0 | ssh_set_error(session, |
1615 | 0 | SSH_FATAL, |
1616 | 0 | "Invalid state into packet_read2(): %d", |
1617 | 0 | session->packet_state); |
1618 | |
|
1619 | 0 | error: |
1620 | 0 | session->session_state = SSH_SESSION_STATE_ERROR; |
1621 | 0 | SSH_LOG(SSH_LOG_PACKET, "Packet: processed %zu bytes", processed); |
1622 | 0 | return processed; |
1623 | 0 | } |
1624 | | |
1625 | | static void ssh_packet_socket_controlflow_callback(int code, void *userdata) |
1626 | 0 | { |
1627 | 0 | ssh_session session = userdata; |
1628 | 0 | struct ssh_iterator *it = NULL; |
1629 | 0 | ssh_channel channel = NULL; |
1630 | |
|
1631 | 0 | if (code == SSH_SOCKET_FLOW_WRITEWONTBLOCK) { |
1632 | 0 | SSH_LOG(SSH_LOG_TRACE, "sending channel_write_wontblock callback"); |
1633 | | |
1634 | | /* the out pipe is empty so we can forward this to channels */ |
1635 | 0 | it = ssh_list_get_iterator(session->channels); |
1636 | 0 | while (it != NULL) { |
1637 | 0 | channel = ssh_iterator_value(ssh_channel, it); |
1638 | 0 | ssh_callbacks_execute_list(channel->callbacks, |
1639 | 0 | ssh_channel_callbacks, |
1640 | 0 | channel_write_wontblock_function, |
1641 | 0 | session, |
1642 | 0 | channel, |
1643 | 0 | channel->remote_window); |
1644 | 0 | it = it->next; |
1645 | 0 | } |
1646 | 0 | } |
1647 | 0 | } |
1648 | | |
1649 | | void ssh_packet_register_socket_callback(ssh_session session, ssh_socket s) |
1650 | 0 | { |
1651 | 0 | struct ssh_socket_callbacks_struct *callbacks = &session->socket_callbacks; |
1652 | |
|
1653 | 0 | callbacks->data = ssh_packet_socket_callback; |
1654 | 0 | callbacks->connected = NULL; |
1655 | 0 | callbacks->controlflow = ssh_packet_socket_controlflow_callback; |
1656 | 0 | callbacks->userdata = session; |
1657 | 0 | ssh_socket_set_callbacks(s, callbacks); |
1658 | 0 | } |
1659 | | |
1660 | | /** @internal |
1661 | | * @brief sets the callbacks for the packet layer |
1662 | | */ |
1663 | | void |
1664 | | ssh_packet_set_callbacks(ssh_session session, ssh_packet_callbacks callbacks) |
1665 | 0 | { |
1666 | 0 | if (session->packet_callbacks == NULL) { |
1667 | 0 | session->packet_callbacks = ssh_list_new(); |
1668 | 0 | if (session->packet_callbacks == NULL) { |
1669 | 0 | ssh_set_error_oom(session); |
1670 | 0 | return; |
1671 | 0 | } |
1672 | 0 | } |
1673 | 0 | ssh_list_append(session->packet_callbacks, callbacks); |
1674 | 0 | } |
1675 | | |
1676 | | /** @internal |
1677 | | * @brief remove the callbacks from the packet layer |
1678 | | */ |
1679 | | void |
1680 | | ssh_packet_remove_callbacks(ssh_session session, ssh_packet_callbacks callbacks) |
1681 | 0 | { |
1682 | 0 | struct ssh_iterator *it = NULL; |
1683 | |
|
1684 | 0 | it = ssh_list_find(session->packet_callbacks, callbacks); |
1685 | 0 | if (it != NULL) { |
1686 | 0 | ssh_list_remove(session->packet_callbacks, it); |
1687 | 0 | } |
1688 | 0 | } |
1689 | | |
1690 | | /** @internal |
1691 | | * @brief sets the default packet handlers |
1692 | | */ |
1693 | | void ssh_packet_set_default_callbacks(ssh_session session) |
1694 | 0 | { |
1695 | 0 | struct ssh_packet_callbacks_struct *c = &session->default_packet_callbacks; |
1696 | |
|
1697 | 0 | c->start = 1; |
1698 | 0 | c->n_callbacks = sizeof(default_packet_handlers) / sizeof(ssh_packet_callback); |
1699 | 0 | c->user = session; |
1700 | 0 | c->callbacks = default_packet_handlers; |
1701 | 0 | ssh_packet_set_callbacks(session, c); |
1702 | 0 | } |
1703 | | |
1704 | | /** @internal |
1705 | | * @brief dispatch the call of packet handlers callbacks for a received packet |
1706 | | * @param type type of packet |
1707 | | */ |
1708 | | void ssh_packet_process(ssh_session session, uint8_t type) |
1709 | 0 | { |
1710 | 0 | struct ssh_iterator *i = NULL; |
1711 | 0 | int rc = SSH_PACKET_NOT_USED; |
1712 | 0 | ssh_packet_callbacks cb; |
1713 | |
|
1714 | 0 | SSH_LOG(SSH_LOG_PACKET, "Dispatching handler for packet type %d", type); |
1715 | 0 | if (session->packet_callbacks == NULL) { |
1716 | 0 | SSH_LOG(SSH_LOG_RARE, "Packet callback is not initialized !"); |
1717 | 0 | return; |
1718 | 0 | } |
1719 | | |
1720 | 0 | i = ssh_list_get_iterator(session->packet_callbacks); |
1721 | 0 | while (i != NULL) { |
1722 | 0 | cb = ssh_iterator_value(ssh_packet_callbacks, i); |
1723 | 0 | i = i->next; |
1724 | |
|
1725 | 0 | if (!cb) { |
1726 | 0 | continue; |
1727 | 0 | } |
1728 | | |
1729 | 0 | if (cb->start > type) { |
1730 | 0 | continue; |
1731 | 0 | } |
1732 | | |
1733 | 0 | if (cb->start + cb->n_callbacks <= type) { |
1734 | 0 | continue; |
1735 | 0 | } |
1736 | | |
1737 | 0 | if (cb->callbacks[type - cb->start] == NULL) { |
1738 | 0 | continue; |
1739 | 0 | } |
1740 | | |
1741 | 0 | rc = cb->callbacks[type - cb->start](session, type, session->in_buffer, |
1742 | 0 | cb->user); |
1743 | 0 | if (rc == SSH_PACKET_USED) { |
1744 | 0 | break; |
1745 | 0 | } |
1746 | 0 | } |
1747 | |
|
1748 | 0 | if (rc == SSH_PACKET_NOT_USED) { |
1749 | 0 | SSH_LOG(SSH_LOG_RARE, "Couldn't do anything with packet type %d", type); |
1750 | 0 | rc = ssh_packet_send_unimplemented(session, session->recv_seq - 1); |
1751 | 0 | if (rc != SSH_OK) { |
1752 | 0 | SSH_LOG(SSH_LOG_RARE, "Failed to send unimplemented: %s", |
1753 | 0 | ssh_get_error(session)); |
1754 | 0 | } |
1755 | 0 | if (session->current_crypto == NULL) { |
1756 | 0 | session->flags |= SSH_SESSION_FLAG_KEX_TAINTED; |
1757 | 0 | } |
1758 | 0 | } |
1759 | 0 | } |
1760 | | |
1761 | | /** @internal |
1762 | | * @brief sends a SSH_MSG_NEWKEYS when enabling the new negotiated ciphers |
1763 | | * @param session the SSH session |
1764 | | * @return SSH_ERROR on error, else SSH_OK |
1765 | | */ |
1766 | | int ssh_packet_send_newkeys(ssh_session session) |
1767 | 0 | { |
1768 | 0 | int rc; |
1769 | | |
1770 | | /* Send the MSG_NEWKEYS */ |
1771 | 0 | rc = ssh_buffer_add_u8(session->out_buffer, SSH2_MSG_NEWKEYS); |
1772 | 0 | if (rc < 0) { |
1773 | 0 | return rc; |
1774 | 0 | } |
1775 | | |
1776 | 0 | rc = ssh_packet_send(session); |
1777 | 0 | if (rc == SSH_ERROR) { |
1778 | 0 | return rc; |
1779 | 0 | } |
1780 | 0 | SSH_LOG(SSH_LOG_DEBUG, "SSH_MSG_NEWKEYS sent"); |
1781 | 0 | return rc; |
1782 | 0 | } |
1783 | | |
1784 | | /** @internal |
1785 | | * @brief sends a SSH_MSG_UNIMPLEMENTED answer to an unhandled packet |
1786 | | * @param session the SSH session |
1787 | | * @param seqnum the sequence number of the unknown packet |
1788 | | * @return SSH_ERROR on error, else SSH_OK |
1789 | | */ |
1790 | 0 | int ssh_packet_send_unimplemented(ssh_session session, uint32_t seqnum){ |
1791 | 0 | int rc; |
1792 | |
|
1793 | 0 | rc = ssh_buffer_pack(session->out_buffer, |
1794 | 0 | "bd", |
1795 | 0 | SSH2_MSG_UNIMPLEMENTED, |
1796 | 0 | seqnum); |
1797 | 0 | if (rc != SSH_OK) { |
1798 | 0 | ssh_set_error_oom(session); |
1799 | 0 | return SSH_ERROR; |
1800 | 0 | } |
1801 | 0 | rc = ssh_packet_send(session); |
1802 | |
|
1803 | 0 | return rc; |
1804 | 0 | } |
1805 | | |
1806 | | /** @internal |
1807 | | * @brief handles a SSH_MSG_UNIMPLEMENTED packet |
1808 | | */ |
1809 | 0 | SSH_PACKET_CALLBACK(ssh_packet_unimplemented){ |
1810 | 0 | uint32_t seq; |
1811 | 0 | int rc; |
1812 | |
|
1813 | 0 | (void)session; /* unused */ |
1814 | 0 | (void)type; |
1815 | 0 | (void)user; |
1816 | |
|
1817 | 0 | rc = ssh_buffer_unpack(packet, "d", &seq); |
1818 | 0 | if (rc != SSH_OK) { |
1819 | 0 | SSH_LOG(SSH_LOG_TRACE, |
1820 | 0 | "Could not unpack SSH_MSG_UNIMPLEMENTED packet"); |
1821 | 0 | } |
1822 | |
|
1823 | 0 | SSH_LOG(SSH_LOG_RARE, |
1824 | 0 | "Received SSH_MSG_UNIMPLEMENTED (sequence number %" PRIu32 ")",seq); |
1825 | |
|
1826 | 0 | return SSH_PACKET_USED; |
1827 | 0 | } |
1828 | | |
1829 | | /** @internal |
1830 | | * @parse the "Type" header field of a packet and updates the session |
1831 | | */ |
1832 | | int ssh_packet_parse_type(struct ssh_session_struct *session) |
1833 | 0 | { |
1834 | 0 | session->in_packet = (struct packet_struct) { |
1835 | 0 | .type = 0, |
1836 | 0 | }; |
1837 | |
|
1838 | 0 | if (session->in_buffer == NULL) { |
1839 | 0 | return SSH_ERROR; |
1840 | 0 | } |
1841 | | |
1842 | 0 | if (ssh_buffer_get_u8(session->in_buffer, &session->in_packet.type) == 0) { |
1843 | 0 | ssh_set_error(session, SSH_FATAL, "Packet too short to read type"); |
1844 | 0 | return SSH_ERROR; |
1845 | 0 | } |
1846 | | |
1847 | 0 | session->in_packet.valid = 1; |
1848 | |
|
1849 | 0 | return SSH_OK; |
1850 | 0 | } |
1851 | | |
1852 | | /* |
1853 | | * This function places the outgoing packet buffer into an outgoing |
1854 | | * socket buffer |
1855 | | */ |
1856 | 0 | static int ssh_packet_write(ssh_session session) { |
1857 | 0 | int rc = SSH_ERROR; |
1858 | |
|
1859 | 0 | rc=ssh_socket_write(session->socket, |
1860 | 0 | ssh_buffer_get(session->out_buffer), |
1861 | 0 | ssh_buffer_get_len(session->out_buffer)); |
1862 | |
|
1863 | 0 | return rc; |
1864 | 0 | } |
1865 | | |
1866 | | static int packet_send2(ssh_session session) |
1867 | 0 | { |
1868 | 0 | unsigned int blocksize = 8; |
1869 | 0 | unsigned int lenfield_blocksize = 0; |
1870 | 0 | enum ssh_hmac_e hmac_type; |
1871 | 0 | uint32_t currentlen = ssh_buffer_get_len(session->out_buffer); |
1872 | 0 | struct ssh_crypto_struct *crypto = NULL; |
1873 | 0 | unsigned char *hmac = NULL; |
1874 | 0 | uint8_t padding_data[32] = { 0 }; |
1875 | 0 | uint8_t padding_size; |
1876 | 0 | uint32_t finallen, payloadsize, compsize; |
1877 | 0 | uint8_t header[5] = {0}; |
1878 | 0 | uint8_t type, *payload; |
1879 | 0 | int rc = SSH_ERROR; |
1880 | 0 | bool etm = false; |
1881 | 0 | int etm_packet_offset = 0; |
1882 | |
|
1883 | 0 | crypto = ssh_packet_get_current_crypto(session, SSH_DIRECTION_OUT); |
1884 | 0 | if (crypto) { |
1885 | 0 | blocksize = crypto->out_cipher->blocksize; |
1886 | 0 | lenfield_blocksize = crypto->out_cipher->lenfield_blocksize; |
1887 | 0 | hmac_type = crypto->out_hmac; |
1888 | 0 | etm = crypto->out_hmac_etm; |
1889 | 0 | } else { |
1890 | 0 | hmac_type = session->next_crypto->out_hmac; |
1891 | 0 | } |
1892 | |
|
1893 | 0 | payload = (uint8_t *)ssh_buffer_get(session->out_buffer); |
1894 | 0 | type = payload[0]; /* type is the first byte of the packet now */ |
1895 | |
|
1896 | 0 | payloadsize = currentlen; |
1897 | 0 | if (etm) { |
1898 | 0 | etm_packet_offset = sizeof(uint32_t); |
1899 | 0 | lenfield_blocksize = 0; |
1900 | 0 | } |
1901 | |
|
1902 | 0 | if (crypto != NULL && crypto->do_compress_out && |
1903 | 0 | ssh_buffer_get_len(session->out_buffer) > 0) { |
1904 | 0 | rc = compress_buffer(session,session->out_buffer); |
1905 | 0 | if (rc < 0) { |
1906 | 0 | goto error; |
1907 | 0 | } |
1908 | 0 | currentlen = ssh_buffer_get_len(session->out_buffer); |
1909 | 0 | } |
1910 | 0 | compsize = currentlen; |
1911 | | /* compressed payload + packet len (4) + padding_size len (1) */ |
1912 | | /* totallen - lenfield_blocksize - etm_packet_offset must be equal to 0 (mod blocksize) */ |
1913 | 0 | padding_size = (blocksize - ((blocksize - lenfield_blocksize - etm_packet_offset + currentlen + 5) % blocksize)); |
1914 | 0 | if (padding_size < 4) { |
1915 | 0 | padding_size += blocksize; |
1916 | 0 | } |
1917 | |
|
1918 | 0 | if (crypto != NULL) { |
1919 | 0 | int ok; |
1920 | |
|
1921 | 0 | ok = ssh_get_random(padding_data, padding_size, 0); |
1922 | 0 | if (!ok) { |
1923 | 0 | ssh_set_error(session, SSH_FATAL, "PRNG error"); |
1924 | 0 | goto error; |
1925 | 0 | } |
1926 | 0 | } |
1927 | | |
1928 | 0 | finallen = currentlen - etm_packet_offset + padding_size + 1; |
1929 | |
|
1930 | 0 | PUSH_BE_U32(header, 0, finallen); |
1931 | 0 | PUSH_BE_U8(header, 4, padding_size); |
1932 | |
|
1933 | 0 | rc = ssh_buffer_prepend_data(session->out_buffer, |
1934 | 0 | header, |
1935 | 0 | sizeof(header)); |
1936 | 0 | if (rc < 0) { |
1937 | 0 | goto error; |
1938 | 0 | } |
1939 | | |
1940 | 0 | rc = ssh_buffer_add_data(session->out_buffer, padding_data, padding_size); |
1941 | 0 | if (rc < 0) { |
1942 | 0 | goto error; |
1943 | 0 | } |
1944 | | |
1945 | 0 | #ifdef WITH_PCAP |
1946 | 0 | if (session->pcap_ctx != NULL) { |
1947 | 0 | ssh_pcap_context_write(session->pcap_ctx, |
1948 | 0 | SSH_PCAP_DIR_OUT, |
1949 | 0 | ssh_buffer_get(session->out_buffer), |
1950 | 0 | ssh_buffer_get_len(session->out_buffer), |
1951 | 0 | ssh_buffer_get_len(session->out_buffer)); |
1952 | 0 | } |
1953 | 0 | #endif |
1954 | |
|
1955 | 0 | hmac = ssh_packet_encrypt(session, |
1956 | 0 | ssh_buffer_get(session->out_buffer), |
1957 | 0 | ssh_buffer_get_len(session->out_buffer)); |
1958 | | /* XXX This returns null before switching on crypto, with none MAC |
1959 | | * and on various errors. |
1960 | | * We should distinguish between these cases to avoid hiding errors. */ |
1961 | 0 | if (hmac != NULL) { |
1962 | 0 | rc = ssh_buffer_add_data(session->out_buffer, |
1963 | 0 | hmac, |
1964 | 0 | (uint32_t)hmac_digest_len(hmac_type)); |
1965 | 0 | if (rc < 0) { |
1966 | 0 | goto error; |
1967 | 0 | } |
1968 | 0 | } |
1969 | | |
1970 | 0 | rc = ssh_packet_write(session); |
1971 | 0 | if (rc == SSH_ERROR) { |
1972 | 0 | goto error; |
1973 | 0 | } |
1974 | 0 | session->send_seq++; |
1975 | 0 | if (crypto != NULL) { |
1976 | 0 | struct ssh_cipher_struct *cipher = NULL; |
1977 | |
|
1978 | 0 | cipher = crypto->out_cipher; |
1979 | 0 | cipher->packets++; |
1980 | 0 | cipher->blocks += payloadsize / cipher->blocksize; |
1981 | 0 | } |
1982 | 0 | if (session->raw_counter != NULL) { |
1983 | 0 | session->raw_counter->out_bytes += payloadsize; |
1984 | 0 | session->raw_counter->out_packets++; |
1985 | 0 | } |
1986 | |
|
1987 | 0 | SSH_LOG(SSH_LOG_PACKET, |
1988 | 0 | "packet: wrote [type=%u, len=%" PRIu32 ", padding_size=%hhd, comp=%" PRIu32 ", " |
1989 | 0 | "payload=%" PRIu32 "]", |
1990 | 0 | type, |
1991 | 0 | finallen, |
1992 | 0 | padding_size, |
1993 | 0 | compsize, |
1994 | 0 | payloadsize); |
1995 | |
|
1996 | 0 | rc = ssh_buffer_reinit(session->out_buffer); |
1997 | 0 | if (rc < 0) { |
1998 | 0 | rc = SSH_ERROR; |
1999 | 0 | goto error; |
2000 | 0 | } |
2001 | | |
2002 | | /* We sent the NEWKEYS so any further packet needs to be encrypted |
2003 | | * with the new keys. We can not switch both directions (need to decrypt |
2004 | | * peer NEWKEYS) and we do not want to wait for the peer NEWKEYS |
2005 | | * too, so we will switch only the OUT direction now. |
2006 | | */ |
2007 | 0 | if (type == SSH2_MSG_NEWKEYS) { |
2008 | 0 | rc = ssh_packet_set_newkeys(session, SSH_DIRECTION_OUT); |
2009 | 0 | } |
2010 | 0 | error: |
2011 | 0 | return rc; /* SSH_OK, AGAIN or ERROR */ |
2012 | 0 | } |
2013 | | |
2014 | | static bool |
2015 | | ssh_packet_is_kex(unsigned char type) |
2016 | 0 | { |
2017 | 0 | return type >= SSH2_MSG_DISCONNECT && |
2018 | 0 | type <= SSH2_MSG_KEX_DH_GEX_REQUEST && |
2019 | 0 | type != SSH2_MSG_SERVICE_REQUEST && |
2020 | 0 | type != SSH2_MSG_SERVICE_ACCEPT && |
2021 | 0 | type != SSH2_MSG_IGNORE && |
2022 | 0 | type != SSH2_MSG_EXT_INFO; |
2023 | 0 | } |
2024 | | |
2025 | | static bool |
2026 | | ssh_packet_in_rekey(ssh_session session) |
2027 | 0 | { |
2028 | | /* We know we are rekeying if we are authenticated and the DH |
2029 | | * status is not finished, but we only queue packets until we've |
2030 | | * sent our NEWKEYS. |
2031 | | */ |
2032 | 0 | return (session->flags & SSH_SESSION_FLAG_AUTHENTICATED) && |
2033 | 0 | (session->dh_handshake_state != DH_STATE_FINISHED) && |
2034 | 0 | (session->dh_handshake_state != DH_STATE_NEWKEYS_SENT); |
2035 | 0 | } |
2036 | | |
2037 | | int ssh_packet_send(ssh_session session) |
2038 | 0 | { |
2039 | 0 | uint32_t payloadsize; |
2040 | 0 | uint8_t type, *payload; |
2041 | 0 | bool need_rekey, in_rekey; |
2042 | 0 | int rc; |
2043 | |
|
2044 | 0 | payloadsize = ssh_buffer_get_len(session->out_buffer); |
2045 | 0 | if (payloadsize < 1) { |
2046 | 0 | return SSH_ERROR; |
2047 | 0 | } |
2048 | | |
2049 | 0 | payload = (uint8_t *)ssh_buffer_get(session->out_buffer); |
2050 | 0 | type = payload[0]; /* type is the first byte of the packet now */ |
2051 | 0 | need_rekey = ssh_packet_need_rekey(session, payloadsize); |
2052 | 0 | in_rekey = ssh_packet_in_rekey(session); |
2053 | | |
2054 | | /* The rekey is triggered here. After that, only the key exchange |
2055 | | * packets can be sent, until we send our NEWKEYS. |
2056 | | */ |
2057 | 0 | if (need_rekey || (in_rekey && !ssh_packet_is_kex(type))) { |
2058 | 0 | if (need_rekey) { |
2059 | 0 | SSH_LOG(SSH_LOG_PACKET, "Outgoing packet triggered rekey"); |
2060 | 0 | } |
2061 | | /* Queue the current packet -- we will send it after the rekey */ |
2062 | 0 | SSH_LOG(SSH_LOG_PACKET, "Queuing packet type %d", type); |
2063 | 0 | rc = ssh_list_append(session->out_queue, session->out_buffer); |
2064 | 0 | if (rc != SSH_OK) { |
2065 | 0 | return SSH_ERROR; |
2066 | 0 | } |
2067 | 0 | session->out_buffer = ssh_buffer_new(); |
2068 | 0 | if (session->out_buffer == NULL) { |
2069 | 0 | ssh_set_error_oom(session); |
2070 | 0 | return SSH_ERROR; |
2071 | 0 | } |
2072 | | |
2073 | 0 | if (need_rekey) { |
2074 | | /* Send the KEXINIT packet instead. |
2075 | | * This recursively calls the packet_send(), but it should |
2076 | | * not get into rekeying again. |
2077 | | * After that we need to handle the key exchange responses |
2078 | | * up to the point where we can send the rest of the queue. |
2079 | | */ |
2080 | 0 | return ssh_send_rekex(session); |
2081 | 0 | } |
2082 | 0 | return SSH_OK; |
2083 | 0 | } |
2084 | | |
2085 | | /* Send the packet normally */ |
2086 | 0 | rc = packet_send2(session); |
2087 | | |
2088 | | /* We finished the key exchange so we can try to send our queue now */ |
2089 | 0 | if (rc == SSH_OK && type == SSH2_MSG_NEWKEYS) { |
2090 | 0 | struct ssh_iterator *it = NULL; |
2091 | |
|
2092 | 0 | if (session->flags & SSH_SESSION_FLAG_KEX_STRICT) { |
2093 | | /* reset packet sequence number when running in strict kex mode */ |
2094 | 0 | session->send_seq = 0; |
2095 | 0 | } |
2096 | 0 | for (it = ssh_list_get_iterator(session->out_queue); |
2097 | 0 | it != NULL; |
2098 | 0 | it = ssh_list_get_iterator(session->out_queue)) { |
2099 | 0 | struct ssh_buffer_struct *next_buffer = NULL; |
2100 | | |
2101 | | /* Peek only -- do not remove from queue yet */ |
2102 | 0 | next_buffer = (struct ssh_buffer_struct *)it->data; |
2103 | 0 | payloadsize = ssh_buffer_get_len(next_buffer); |
2104 | 0 | if (ssh_packet_need_rekey(session, payloadsize)) { |
2105 | | /* Sigh ... we still can not send this packet. Repeat. */ |
2106 | 0 | SSH_LOG(SSH_LOG_PACKET, "Queued packet triggered rekey"); |
2107 | 0 | return ssh_send_rekex(session); |
2108 | 0 | } |
2109 | 0 | SSH_BUFFER_FREE(session->out_buffer); |
2110 | 0 | session->out_buffer = ssh_list_pop_head(struct ssh_buffer_struct *, |
2111 | 0 | session->out_queue); |
2112 | 0 | payload = (uint8_t *)ssh_buffer_get(session->out_buffer); |
2113 | 0 | type = payload[0]; |
2114 | 0 | SSH_LOG(SSH_LOG_PACKET, "Dequeue packet type %d", type); |
2115 | 0 | rc = packet_send2(session); |
2116 | 0 | if (rc != SSH_OK) { |
2117 | 0 | return rc; |
2118 | 0 | } |
2119 | 0 | } |
2120 | 0 | } |
2121 | | |
2122 | 0 | return rc; |
2123 | 0 | } |
2124 | | |
2125 | | static void |
2126 | | ssh_init_rekey_state(struct ssh_session_struct *session, |
2127 | | struct ssh_cipher_struct *cipher) |
2128 | 0 | { |
2129 | | /* Reset the counters: should be NOOP */ |
2130 | 0 | cipher->packets = 0; |
2131 | 0 | cipher->blocks = 0; |
2132 | | |
2133 | | /* Default rekey limits for ciphers as specified in RFC4344, Section 3.2 */ |
2134 | 0 | if (cipher->blocksize >= 16) { |
2135 | | /* For larger block size (L bits) use maximum of 2**(L/4) blocks */ |
2136 | 0 | cipher->max_blocks = (uint64_t)1 << (cipher->blocksize*2); |
2137 | 0 | } else { |
2138 | | /* For smaller blocks use limit of 1 GB as recommended in RFC4253 */ |
2139 | 0 | cipher->max_blocks = ((uint64_t)1 << 30) / cipher->blocksize; |
2140 | 0 | } |
2141 | | /* If we have limit provided by user, use the smaller one */ |
2142 | 0 | if (session->opts.rekey_data != 0) { |
2143 | 0 | cipher->max_blocks = MIN(cipher->max_blocks, |
2144 | 0 | session->opts.rekey_data / cipher->blocksize); |
2145 | 0 | } |
2146 | |
|
2147 | 0 | SSH_LOG(SSH_LOG_DEBUG, |
2148 | 0 | "Set rekey after %" PRIu64 " blocks", |
2149 | 0 | cipher->max_blocks); |
2150 | 0 | } |
2151 | | |
2152 | | /* |
2153 | | * Once we got SSH2_MSG_NEWKEYS we can switch next_crypto and |
2154 | | * current_crypto for our desired direction |
2155 | | */ |
2156 | | int |
2157 | | ssh_packet_set_newkeys(ssh_session session, |
2158 | | enum ssh_crypto_direction_e direction) |
2159 | 0 | { |
2160 | 0 | struct ssh_cipher_struct *in_cipher = NULL, *out_cipher = NULL; |
2161 | 0 | int rc; |
2162 | |
|
2163 | 0 | SSH_LOG(SSH_LOG_TRACE, |
2164 | 0 | "called, direction =%s%s", |
2165 | 0 | direction & SSH_DIRECTION_IN ? " IN " : "", |
2166 | 0 | direction & SSH_DIRECTION_OUT ? " OUT " : ""); |
2167 | |
|
2168 | 0 | if (session->next_crypto == NULL) { |
2169 | 0 | return SSH_ERROR; |
2170 | 0 | } |
2171 | | |
2172 | 0 | session->next_crypto->used |= direction; |
2173 | 0 | if (session->current_crypto != NULL) { |
2174 | 0 | if (session->current_crypto->used & direction) { |
2175 | 0 | SSH_LOG(SSH_LOG_TRACE, "This direction isn't used anymore."); |
2176 | 0 | } |
2177 | | /* Mark the current requested direction unused */ |
2178 | 0 | session->current_crypto->used &= ~direction; |
2179 | 0 | } |
2180 | | |
2181 | | /* Both sides switched: do the actual switch now */ |
2182 | 0 | if (session->next_crypto->used == SSH_DIRECTION_BOTH) { |
2183 | 0 | size_t session_id_len; |
2184 | |
|
2185 | 0 | if (session->current_crypto != NULL) { |
2186 | 0 | crypto_free(session->current_crypto); |
2187 | 0 | session->current_crypto = NULL; |
2188 | 0 | } |
2189 | |
|
2190 | 0 | session->current_crypto = session->next_crypto; |
2191 | 0 | session->current_crypto->used = SSH_DIRECTION_BOTH; |
2192 | | |
2193 | | /* Initialize the next_crypto structure */ |
2194 | 0 | session->next_crypto = crypto_new(); |
2195 | 0 | if (session->next_crypto == NULL) { |
2196 | 0 | ssh_set_error_oom(session); |
2197 | 0 | return SSH_ERROR; |
2198 | 0 | } |
2199 | | |
2200 | 0 | session_id_len = session->current_crypto->session_id_len; |
2201 | 0 | session->next_crypto->session_id = malloc(session_id_len); |
2202 | 0 | if (session->next_crypto->session_id == NULL) { |
2203 | 0 | ssh_set_error_oom(session); |
2204 | 0 | return SSH_ERROR; |
2205 | 0 | } |
2206 | | |
2207 | 0 | memcpy(session->next_crypto->session_id, |
2208 | 0 | session->current_crypto->session_id, |
2209 | 0 | session_id_len); |
2210 | 0 | session->next_crypto->session_id_len = session_id_len; |
2211 | |
|
2212 | 0 | return SSH_OK; |
2213 | 0 | } |
2214 | | |
2215 | | /* Initialize common structures so the next context can be used in |
2216 | | * either direction */ |
2217 | 0 | if (session->client) { |
2218 | | /* The server has this part already done */ |
2219 | 0 | rc = ssh_make_sessionid(session); |
2220 | 0 | if (rc != SSH_OK) { |
2221 | 0 | return SSH_ERROR; |
2222 | 0 | } |
2223 | | |
2224 | | /* |
2225 | | * Set the cryptographic functions for the next crypto |
2226 | | * (it is needed for ssh_generate_session_keys for key lengths) |
2227 | | */ |
2228 | 0 | rc = crypt_set_algorithms_client(session); |
2229 | 0 | if (rc < 0) { |
2230 | 0 | return SSH_ERROR; |
2231 | 0 | } |
2232 | 0 | } |
2233 | | |
2234 | 0 | if (ssh_generate_session_keys(session) < 0) { |
2235 | 0 | return SSH_ERROR; |
2236 | 0 | } |
2237 | | |
2238 | 0 | in_cipher = session->next_crypto->in_cipher; |
2239 | 0 | out_cipher = session->next_crypto->out_cipher; |
2240 | 0 | if (in_cipher == NULL || out_cipher == NULL) { |
2241 | 0 | return SSH_ERROR; |
2242 | 0 | } |
2243 | | |
2244 | | /* Initialize rekeying states */ |
2245 | 0 | ssh_init_rekey_state(session, out_cipher); |
2246 | 0 | ssh_init_rekey_state(session, in_cipher); |
2247 | 0 | if (session->opts.rekey_time != 0) { |
2248 | 0 | ssh_timestamp_init(&session->last_rekey_time); |
2249 | 0 | SSH_LOG(SSH_LOG_DEBUG, "Set rekey after %" PRIu32 " seconds", |
2250 | 0 | session->opts.rekey_time/1000); |
2251 | 0 | } |
2252 | |
|
2253 | 0 | if (in_cipher->set_decrypt_key) { |
2254 | | /* Initialize the encryption and decryption keys in next_crypto */ |
2255 | 0 | rc = in_cipher->set_decrypt_key(in_cipher, |
2256 | 0 | session->next_crypto->decryptkey, |
2257 | 0 | session->next_crypto->decryptIV); |
2258 | 0 | if (rc < 0) { |
2259 | | /* On error, make sure it is not used */ |
2260 | 0 | session->next_crypto->used = 0; |
2261 | 0 | return SSH_ERROR; |
2262 | 0 | } |
2263 | 0 | } |
2264 | | |
2265 | 0 | if (out_cipher->set_encrypt_key) { |
2266 | 0 | rc = out_cipher->set_encrypt_key(out_cipher, |
2267 | 0 | session->next_crypto->encryptkey, |
2268 | 0 | session->next_crypto->encryptIV); |
2269 | 0 | if (rc < 0) { |
2270 | | /* On error, make sure it is not used */ |
2271 | 0 | session->next_crypto->used = 0; |
2272 | 0 | return SSH_ERROR; |
2273 | 0 | } |
2274 | 0 | } |
2275 | | |
2276 | 0 | return SSH_OK; |
2277 | 0 | } |