Line | Count | Source (jump to first uncovered line) |
1 | | /* $OpenBSD: packet.c,v 1.318 2025/02/18 08:02:12 djm Exp $ */ |
2 | | /* |
3 | | * Author: Tatu Ylonen <ylo@cs.hut.fi> |
4 | | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland |
5 | | * All rights reserved |
6 | | * This file contains code implementing the packet protocol and communication |
7 | | * with the other side. This same code is used both on client and server side. |
8 | | * |
9 | | * As far as I am concerned, the code I have written for this software |
10 | | * can be used freely for any purpose. Any derived versions of this |
11 | | * software must be clearly marked as such, and if the derived work is |
12 | | * incompatible with the protocol description in the RFC file, it must be |
13 | | * called by a name other than "ssh" or "Secure Shell". |
14 | | * |
15 | | * |
16 | | * SSH2 packet format added by Markus Friedl. |
17 | | * Copyright (c) 2000, 2001 Markus Friedl. All rights reserved. |
18 | | * |
19 | | * Redistribution and use in source and binary forms, with or without |
20 | | * modification, are permitted provided that the following conditions |
21 | | * are met: |
22 | | * 1. Redistributions of source code must retain the above copyright |
23 | | * notice, this list of conditions and the following disclaimer. |
24 | | * 2. Redistributions in binary form must reproduce the above copyright |
25 | | * notice, this list of conditions and the following disclaimer in the |
26 | | * documentation and/or other materials provided with the distribution. |
27 | | * |
28 | | * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR |
29 | | * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES |
30 | | * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. |
31 | | * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, |
32 | | * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT |
33 | | * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, |
34 | | * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY |
35 | | * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT |
36 | | * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF |
37 | | * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
38 | | */ |
39 | | |
40 | | #include "includes.h" |
41 | | |
42 | | #include <sys/types.h> |
43 | | #include "openbsd-compat/sys-queue.h" |
44 | | #include <sys/socket.h> |
45 | | #ifdef HAVE_SYS_TIME_H |
46 | | # include <sys/time.h> |
47 | | #endif |
48 | | |
49 | | #include <netinet/in.h> |
50 | | #include <netinet/ip.h> |
51 | | #include <arpa/inet.h> |
52 | | |
53 | | #include <errno.h> |
54 | | #include <netdb.h> |
55 | | #include <stdarg.h> |
56 | | #include <stdio.h> |
57 | | #include <stdlib.h> |
58 | | #include <string.h> |
59 | | #include <unistd.h> |
60 | | #include <limits.h> |
61 | | #ifdef HAVE_POLL_H |
62 | | #include <poll.h> |
63 | | #endif |
64 | | #include <signal.h> |
65 | | #include <time.h> |
66 | | |
67 | | /* |
68 | | * Explicitly include OpenSSL before zlib as some versions of OpenSSL have |
69 | | * "free_func" in their headers, which zlib typedefs. |
70 | | */ |
71 | | #ifdef WITH_OPENSSL |
72 | | # include <openssl/bn.h> |
73 | | # include <openssl/evp.h> |
74 | | # ifdef OPENSSL_HAS_ECC |
75 | | # include <openssl/ec.h> |
76 | | # endif |
77 | | #endif |
78 | | |
79 | | #ifdef WITH_ZLIB |
80 | | #include <zlib.h> |
81 | | #endif |
82 | | |
83 | | #include "xmalloc.h" |
84 | | #include "compat.h" |
85 | | #include "ssh2.h" |
86 | | #include "cipher.h" |
87 | | #include "sshkey.h" |
88 | | #include "kex.h" |
89 | | #include "digest.h" |
90 | | #include "mac.h" |
91 | | #include "log.h" |
92 | | #include "canohost.h" |
93 | | #include "misc.h" |
94 | | #include "channels.h" |
95 | | #include "ssh.h" |
96 | | #include "packet.h" |
97 | | #include "ssherr.h" |
98 | | #include "sshbuf.h" |
99 | | |
100 | | #ifdef PACKET_DEBUG |
101 | | #define DBG(x) x |
102 | | #else |
103 | | #define DBG(x) |
104 | | #endif |
105 | | |
106 | 1.51M | #define PACKET_MAX_SIZE (256 * 1024) |
107 | | |
108 | | struct packet_state { |
109 | | u_int32_t seqnr; |
110 | | u_int32_t packets; |
111 | | u_int64_t blocks; |
112 | | u_int64_t bytes; |
113 | | }; |
114 | | |
115 | | struct packet { |
116 | | TAILQ_ENTRY(packet) next; |
117 | | u_char type; |
118 | | struct sshbuf *payload; |
119 | | }; |
120 | | |
121 | | struct session_state { |
122 | | /* |
123 | | * This variable contains the file descriptors used for |
124 | | * communicating with the other side. connection_in is used for |
125 | | * reading; connection_out for writing. These can be the same |
126 | | * descriptor, in which case it is assumed to be a socket. |
127 | | */ |
128 | | int connection_in; |
129 | | int connection_out; |
130 | | |
131 | | /* Protocol flags for the remote side. */ |
132 | | u_int remote_protocol_flags; |
133 | | |
134 | | /* Encryption context for receiving data. Only used for decryption. */ |
135 | | struct sshcipher_ctx *receive_context; |
136 | | |
137 | | /* Encryption context for sending data. Only used for encryption. */ |
138 | | struct sshcipher_ctx *send_context; |
139 | | |
140 | | /* Buffer for raw input data from the socket. */ |
141 | | struct sshbuf *input; |
142 | | |
143 | | /* Buffer for raw output data going to the socket. */ |
144 | | struct sshbuf *output; |
145 | | |
146 | | /* Buffer for the partial outgoing packet being constructed. */ |
147 | | struct sshbuf *outgoing_packet; |
148 | | |
149 | | /* Buffer for the incoming packet currently being processed. */ |
150 | | struct sshbuf *incoming_packet; |
151 | | |
152 | | /* Scratch buffer for packet compression/decompression. */ |
153 | | struct sshbuf *compression_buffer; |
154 | | |
155 | | #ifdef WITH_ZLIB |
156 | | /* Incoming/outgoing compression dictionaries */ |
157 | | z_stream compression_in_stream; |
158 | | z_stream compression_out_stream; |
159 | | #endif |
160 | | int compression_in_started; |
161 | | int compression_out_started; |
162 | | int compression_in_failures; |
163 | | int compression_out_failures; |
164 | | |
165 | | /* default maximum packet size */ |
166 | | u_int max_packet_size; |
167 | | |
168 | | /* Flag indicating whether this module has been initialized. */ |
169 | | int initialized; |
170 | | |
171 | | /* Set to true if the connection is interactive. */ |
172 | | int interactive_mode; |
173 | | |
174 | | /* Set to true if we are the server side. */ |
175 | | int server_side; |
176 | | |
177 | | /* Set to true if we are authenticated. */ |
178 | | int after_authentication; |
179 | | |
180 | | int keep_alive_timeouts; |
181 | | |
182 | | /* The maximum time that we will wait to send or receive a packet */ |
183 | | int packet_timeout_ms; |
184 | | |
185 | | /* Session key information for Encryption and MAC */ |
186 | | struct newkeys *newkeys[MODE_MAX]; |
187 | | struct packet_state p_read, p_send; |
188 | | |
189 | | /* Volume-based rekeying */ |
190 | | u_int64_t max_blocks_in, max_blocks_out, rekey_limit; |
191 | | |
192 | | /* Time-based rekeying */ |
193 | | u_int32_t rekey_interval; /* how often in seconds */ |
194 | | time_t rekey_time; /* time of last rekeying */ |
195 | | |
196 | | /* roundup current message to extra_pad bytes */ |
197 | | u_char extra_pad; |
198 | | |
199 | | /* XXX discard incoming data after MAC error */ |
200 | | u_int packet_discard; |
201 | | size_t packet_discard_mac_already; |
202 | | struct sshmac *packet_discard_mac; |
203 | | |
204 | | /* Used in packet_read_poll2() */ |
205 | | u_int packlen; |
206 | | |
207 | | /* Used in packet_send2 */ |
208 | | int rekeying; |
209 | | |
210 | | /* Used in ssh_packet_send_mux() */ |
211 | | int mux; |
212 | | |
213 | | /* Used in packet_set_interactive */ |
214 | | int set_interactive_called; |
215 | | |
216 | | /* Used in packet_set_maxsize */ |
217 | | int set_maxsize_called; |
218 | | |
219 | | /* One-off warning about weak ciphers */ |
220 | | int cipher_warning_done; |
221 | | |
222 | | /* Hook for fuzzing inbound packets */ |
223 | | ssh_packet_hook_fn *hook_in; |
224 | | void *hook_in_ctx; |
225 | | |
226 | | TAILQ_HEAD(, packet) outgoing; |
227 | | }; |
228 | | |
229 | | struct ssh * |
230 | | ssh_alloc_session_state(void) |
231 | 179k | { |
232 | 179k | struct ssh *ssh = NULL; |
233 | 179k | struct session_state *state = NULL; |
234 | | |
235 | 179k | if ((ssh = calloc(1, sizeof(*ssh))) == NULL || |
236 | 179k | (state = calloc(1, sizeof(*state))) == NULL || |
237 | 179k | (ssh->kex = kex_new()) == NULL || |
238 | 179k | (state->input = sshbuf_new()) == NULL || |
239 | 179k | (state->output = sshbuf_new()) == NULL || |
240 | 179k | (state->outgoing_packet = sshbuf_new()) == NULL || |
241 | 179k | (state->incoming_packet = sshbuf_new()) == NULL) |
242 | 0 | goto fail; |
243 | 179k | TAILQ_INIT(&state->outgoing); |
244 | 179k | TAILQ_INIT(&ssh->private_keys); |
245 | 179k | TAILQ_INIT(&ssh->public_keys); |
246 | 179k | state->connection_in = -1; |
247 | 179k | state->connection_out = -1; |
248 | 179k | state->max_packet_size = 32768; |
249 | 179k | state->packet_timeout_ms = -1; |
250 | 179k | state->p_send.packets = state->p_read.packets = 0; |
251 | 179k | state->initialized = 1; |
252 | | /* |
253 | | * ssh_packet_send2() needs to queue packets until |
254 | | * we've done the initial key exchange. |
255 | | */ |
256 | 179k | state->rekeying = 1; |
257 | 179k | ssh->state = state; |
258 | 179k | return ssh; |
259 | 0 | fail: |
260 | 0 | if (ssh) { |
261 | 0 | kex_free(ssh->kex); |
262 | 0 | free(ssh); |
263 | 0 | } |
264 | 0 | if (state) { |
265 | 0 | sshbuf_free(state->input); |
266 | 0 | sshbuf_free(state->output); |
267 | 0 | sshbuf_free(state->incoming_packet); |
268 | 0 | sshbuf_free(state->outgoing_packet); |
269 | 0 | free(state); |
270 | 0 | } |
271 | 0 | return NULL; |
272 | 179k | } |
273 | | |
274 | | void |
275 | | ssh_packet_set_input_hook(struct ssh *ssh, ssh_packet_hook_fn *hook, void *ctx) |
276 | 0 | { |
277 | 0 | ssh->state->hook_in = hook; |
278 | 0 | ssh->state->hook_in_ctx = ctx; |
279 | 0 | } |
280 | | |
281 | | /* Returns nonzero if rekeying is in progress */ |
282 | | int |
283 | | ssh_packet_is_rekeying(struct ssh *ssh) |
284 | 3.85k | { |
285 | 3.85k | return ssh->state->rekeying || |
286 | 3.85k | (ssh->kex != NULL && ssh->kex->done == 0); |
287 | 3.85k | } |
288 | | |
289 | | /* |
290 | | * Sets the descriptors used for communication. |
291 | | */ |
292 | | struct ssh * |
293 | | ssh_packet_set_connection(struct ssh *ssh, int fd_in, int fd_out) |
294 | 179k | { |
295 | 179k | struct session_state *state; |
296 | 179k | const struct sshcipher *none = cipher_by_name("none"); |
297 | 179k | int r; |
298 | | |
299 | 179k | if (none == NULL) { |
300 | 0 | error_f("cannot load cipher 'none'"); |
301 | 0 | return NULL; |
302 | 0 | } |
303 | 179k | if (ssh == NULL) |
304 | 179k | ssh = ssh_alloc_session_state(); |
305 | 179k | if (ssh == NULL) { |
306 | 0 | error_f("could not allocate state"); |
307 | 0 | return NULL; |
308 | 0 | } |
309 | 179k | state = ssh->state; |
310 | 179k | state->connection_in = fd_in; |
311 | 179k | state->connection_out = fd_out; |
312 | 179k | if ((r = cipher_init(&state->send_context, none, |
313 | 179k | (const u_char *)"", 0, NULL, 0, CIPHER_ENCRYPT)) != 0 || |
314 | 179k | (r = cipher_init(&state->receive_context, none, |
315 | 179k | (const u_char *)"", 0, NULL, 0, CIPHER_DECRYPT)) != 0) { |
316 | 0 | error_fr(r, "cipher_init failed"); |
317 | 0 | free(ssh); /* XXX need ssh_free_session_state? */ |
318 | 0 | return NULL; |
319 | 0 | } |
320 | 179k | state->newkeys[MODE_IN] = state->newkeys[MODE_OUT] = NULL; |
321 | | /* |
322 | | * Cache the IP address of the remote connection for use in error |
323 | | * messages that might be generated after the connection has closed. |
324 | | */ |
325 | 179k | (void)ssh_remote_ipaddr(ssh); |
326 | 179k | return ssh; |
327 | 179k | } |
328 | | |
329 | | void |
330 | | ssh_packet_set_timeout(struct ssh *ssh, int timeout, int count) |
331 | 0 | { |
332 | 0 | struct session_state *state = ssh->state; |
333 | |
|
334 | 0 | if (timeout <= 0 || count <= 0) { |
335 | 0 | state->packet_timeout_ms = -1; |
336 | 0 | return; |
337 | 0 | } |
338 | 0 | if ((INT_MAX / 1000) / count < timeout) |
339 | 0 | state->packet_timeout_ms = INT_MAX; |
340 | 0 | else |
341 | 0 | state->packet_timeout_ms = timeout * count * 1000; |
342 | 0 | } |
343 | | |
344 | | void |
345 | | ssh_packet_set_mux(struct ssh *ssh) |
346 | 0 | { |
347 | 0 | ssh->state->mux = 1; |
348 | 0 | ssh->state->rekeying = 0; |
349 | 0 | kex_free(ssh->kex); |
350 | 0 | ssh->kex = NULL; |
351 | 0 | } |
352 | | |
353 | | int |
354 | | ssh_packet_get_mux(struct ssh *ssh) |
355 | 0 | { |
356 | 0 | return ssh->state->mux; |
357 | 0 | } |
358 | | |
359 | | int |
360 | | ssh_packet_set_log_preamble(struct ssh *ssh, const char *fmt, ...) |
361 | 0 | { |
362 | 0 | va_list args; |
363 | 0 | int r; |
364 | |
|
365 | 0 | free(ssh->log_preamble); |
366 | 0 | if (fmt == NULL) |
367 | 0 | ssh->log_preamble = NULL; |
368 | 0 | else { |
369 | 0 | va_start(args, fmt); |
370 | 0 | r = vasprintf(&ssh->log_preamble, fmt, args); |
371 | 0 | va_end(args); |
372 | 0 | if (r < 0 || ssh->log_preamble == NULL) |
373 | 0 | return SSH_ERR_ALLOC_FAIL; |
374 | 0 | } |
375 | 0 | return 0; |
376 | 0 | } |
377 | | |
378 | | int |
379 | | ssh_packet_stop_discard(struct ssh *ssh) |
380 | 0 | { |
381 | 0 | struct session_state *state = ssh->state; |
382 | 0 | int r; |
383 | |
|
384 | 0 | if (state->packet_discard_mac) { |
385 | 0 | char buf[1024]; |
386 | 0 | size_t dlen = PACKET_MAX_SIZE; |
387 | |
|
388 | 0 | if (dlen > state->packet_discard_mac_already) |
389 | 0 | dlen -= state->packet_discard_mac_already; |
390 | 0 | memset(buf, 'a', sizeof(buf)); |
391 | 0 | while (sshbuf_len(state->incoming_packet) < dlen) |
392 | 0 | if ((r = sshbuf_put(state->incoming_packet, buf, |
393 | 0 | sizeof(buf))) != 0) |
394 | 0 | return r; |
395 | 0 | (void) mac_compute(state->packet_discard_mac, |
396 | 0 | state->p_read.seqnr, |
397 | 0 | sshbuf_ptr(state->incoming_packet), dlen, |
398 | 0 | NULL, 0); |
399 | 0 | } |
400 | 0 | logit("Finished discarding for %.200s port %d", |
401 | 0 | ssh_remote_ipaddr(ssh), ssh_remote_port(ssh)); |
402 | 0 | return SSH_ERR_MAC_INVALID; |
403 | 0 | } |
404 | | |
405 | | static int |
406 | | ssh_packet_start_discard(struct ssh *ssh, struct sshenc *enc, |
407 | | struct sshmac *mac, size_t mac_already, u_int discard) |
408 | 8.81k | { |
409 | 8.81k | struct session_state *state = ssh->state; |
410 | 8.81k | int r; |
411 | | |
412 | 8.81k | if (enc == NULL || !cipher_is_cbc(enc->cipher) || (mac && mac->etm)) { |
413 | 8.81k | if ((r = sshpkt_disconnect(ssh, "Packet corrupt")) != 0) |
414 | 0 | return r; |
415 | 8.81k | return SSH_ERR_MAC_INVALID; |
416 | 8.81k | } |
417 | | /* |
418 | | * Record number of bytes over which the mac has already |
419 | | * been computed in order to minimize timing attacks. |
420 | | */ |
421 | 0 | if (mac && mac->enabled) { |
422 | 0 | state->packet_discard_mac = mac; |
423 | 0 | state->packet_discard_mac_already = mac_already; |
424 | 0 | } |
425 | 0 | if (sshbuf_len(state->input) >= discard) |
426 | 0 | return ssh_packet_stop_discard(ssh); |
427 | 0 | state->packet_discard = discard - sshbuf_len(state->input); |
428 | 0 | return 0; |
429 | 0 | } |
430 | | |
431 | | /* Returns 1 if remote host is connected via socket, 0 if not. */ |
432 | | |
433 | | int |
434 | | ssh_packet_connection_is_on_socket(struct ssh *ssh) |
435 | 179k | { |
436 | 179k | struct session_state *state; |
437 | 179k | struct sockaddr_storage from, to; |
438 | 179k | socklen_t fromlen, tolen; |
439 | | |
440 | 179k | if (ssh == NULL || ssh->state == NULL) |
441 | 0 | return 0; |
442 | | |
443 | 179k | state = ssh->state; |
444 | 179k | if (state->connection_in == -1 || state->connection_out == -1) |
445 | 179k | return 0; |
446 | | /* filedescriptors in and out are the same, so it's a socket */ |
447 | 0 | if (state->connection_in == state->connection_out) |
448 | 0 | return 1; |
449 | 0 | fromlen = sizeof(from); |
450 | 0 | memset(&from, 0, sizeof(from)); |
451 | 0 | if (getpeername(state->connection_in, (struct sockaddr *)&from, |
452 | 0 | &fromlen) == -1) |
453 | 0 | return 0; |
454 | 0 | tolen = sizeof(to); |
455 | 0 | memset(&to, 0, sizeof(to)); |
456 | 0 | if (getpeername(state->connection_out, (struct sockaddr *)&to, |
457 | 0 | &tolen) == -1) |
458 | 0 | return 0; |
459 | 0 | if (fromlen != tolen || memcmp(&from, &to, fromlen) != 0) |
460 | 0 | return 0; |
461 | 0 | if (from.ss_family != AF_INET && from.ss_family != AF_INET6) |
462 | 0 | return 0; |
463 | 0 | return 1; |
464 | 0 | } |
465 | | |
466 | | void |
467 | | ssh_packet_get_bytes(struct ssh *ssh, u_int64_t *ibytes, u_int64_t *obytes) |
468 | 0 | { |
469 | 0 | if (ibytes) |
470 | 0 | *ibytes = ssh->state->p_read.bytes; |
471 | 0 | if (obytes) |
472 | 0 | *obytes = ssh->state->p_send.bytes; |
473 | 0 | } |
474 | | |
475 | | int |
476 | | ssh_packet_connection_af(struct ssh *ssh) |
477 | 0 | { |
478 | 0 | return get_sock_af(ssh->state->connection_out); |
479 | 0 | } |
480 | | |
481 | | /* Sets the connection into non-blocking mode. */ |
482 | | |
483 | | void |
484 | | ssh_packet_set_nonblocking(struct ssh *ssh) |
485 | 0 | { |
486 | | /* Set the socket into non-blocking mode. */ |
487 | 0 | set_nonblock(ssh->state->connection_in); |
488 | |
|
489 | 0 | if (ssh->state->connection_out != ssh->state->connection_in) |
490 | 0 | set_nonblock(ssh->state->connection_out); |
491 | 0 | } |
492 | | |
493 | | /* Returns the socket used for reading. */ |
494 | | |
495 | | int |
496 | | ssh_packet_get_connection_in(struct ssh *ssh) |
497 | 0 | { |
498 | 0 | return ssh->state->connection_in; |
499 | 0 | } |
500 | | |
501 | | /* Returns the descriptor used for writing. */ |
502 | | |
503 | | int |
504 | | ssh_packet_get_connection_out(struct ssh *ssh) |
505 | 0 | { |
506 | 0 | return ssh->state->connection_out; |
507 | 0 | } |
508 | | |
509 | | /* |
510 | | * Returns the IP-address of the remote host as a string. The returned |
511 | | * string must not be freed. |
512 | | */ |
513 | | |
514 | | const char * |
515 | | ssh_remote_ipaddr(struct ssh *ssh) |
516 | 179k | { |
517 | 179k | int sock; |
518 | | |
519 | | /* Check whether we have cached the ipaddr. */ |
520 | 179k | if (ssh->remote_ipaddr == NULL) { |
521 | 179k | if (ssh_packet_connection_is_on_socket(ssh)) { |
522 | 0 | sock = ssh->state->connection_in; |
523 | 0 | ssh->remote_ipaddr = get_peer_ipaddr(sock); |
524 | 0 | ssh->remote_port = get_peer_port(sock); |
525 | 0 | ssh->local_ipaddr = get_local_ipaddr(sock); |
526 | 0 | ssh->local_port = get_local_port(sock); |
527 | 179k | } else { |
528 | 179k | ssh->remote_ipaddr = xstrdup("UNKNOWN"); |
529 | 179k | ssh->remote_port = 65535; |
530 | 179k | ssh->local_ipaddr = xstrdup("UNKNOWN"); |
531 | 179k | ssh->local_port = 65535; |
532 | 179k | } |
533 | 179k | } |
534 | 179k | return ssh->remote_ipaddr; |
535 | 179k | } |
536 | | |
537 | | /* |
538 | | * Returns the remote DNS hostname as a string. The returned string must not |
539 | | * be freed. NB. this will usually trigger a DNS query. Return value is on |
540 | | * heap and no caching is performed. |
541 | | * This function does additional checks on the hostname to mitigate some |
542 | | * attacks based on conflation of hostnames and addresses and will |
543 | | * fall back to returning an address on error. |
544 | | */ |
545 | | |
546 | | char * |
547 | | ssh_remote_hostname(struct ssh *ssh) |
548 | 0 | { |
549 | 0 | struct sockaddr_storage from; |
550 | 0 | socklen_t fromlen; |
551 | 0 | struct addrinfo hints, *ai, *aitop; |
552 | 0 | char name[NI_MAXHOST], ntop2[NI_MAXHOST]; |
553 | 0 | const char *ntop = ssh_remote_ipaddr(ssh); |
554 | | |
555 | | /* Get IP address of client. */ |
556 | 0 | fromlen = sizeof(from); |
557 | 0 | memset(&from, 0, sizeof(from)); |
558 | 0 | if (getpeername(ssh_packet_get_connection_in(ssh), |
559 | 0 | (struct sockaddr *)&from, &fromlen) == -1) { |
560 | 0 | debug_f("getpeername failed: %.100s", strerror(errno)); |
561 | 0 | return xstrdup(ntop); |
562 | 0 | } |
563 | | |
564 | 0 | ipv64_normalise_mapped(&from, &fromlen); |
565 | 0 | if (from.ss_family == AF_INET6) |
566 | 0 | fromlen = sizeof(struct sockaddr_in6); |
567 | |
|
568 | 0 | debug3("trying to reverse map address %.100s.", ntop); |
569 | | /* Map the IP address to a host name. */ |
570 | 0 | if (getnameinfo((struct sockaddr *)&from, fromlen, name, sizeof(name), |
571 | 0 | NULL, 0, NI_NAMEREQD) != 0) { |
572 | | /* Host name not found. Use ip address. */ |
573 | 0 | return xstrdup(ntop); |
574 | 0 | } |
575 | | |
576 | | /* |
577 | | * if reverse lookup result looks like a numeric hostname, |
578 | | * someone is trying to trick us by PTR record like following: |
579 | | * 1.1.1.10.in-addr.arpa. IN PTR 2.3.4.5 |
580 | | */ |
581 | 0 | memset(&hints, 0, sizeof(hints)); |
582 | 0 | hints.ai_socktype = SOCK_DGRAM; /*dummy*/ |
583 | 0 | hints.ai_flags = AI_NUMERICHOST; |
584 | 0 | if (getaddrinfo(name, NULL, &hints, &ai) == 0) { |
585 | 0 | logit("Nasty PTR record \"%s\" is set up for %s, ignoring", |
586 | 0 | name, ntop); |
587 | 0 | freeaddrinfo(ai); |
588 | 0 | return xstrdup(ntop); |
589 | 0 | } |
590 | | |
591 | | /* Names are stored in lowercase. */ |
592 | 0 | lowercase(name); |
593 | | |
594 | | /* |
595 | | * Map it back to an IP address and check that the given |
596 | | * address actually is an address of this host. This is |
597 | | * necessary because anyone with access to a name server can |
598 | | * define arbitrary names for an IP address. Mapping from |
599 | | * name to IP address can be trusted better (but can still be |
600 | | * fooled if the intruder has access to the name server of |
601 | | * the domain). |
602 | | */ |
603 | 0 | memset(&hints, 0, sizeof(hints)); |
604 | 0 | hints.ai_family = from.ss_family; |
605 | 0 | hints.ai_socktype = SOCK_STREAM; |
606 | 0 | if (getaddrinfo(name, NULL, &hints, &aitop) != 0) { |
607 | 0 | logit("reverse mapping checking getaddrinfo for %.700s " |
608 | 0 | "[%s] failed.", name, ntop); |
609 | 0 | return xstrdup(ntop); |
610 | 0 | } |
611 | | /* Look for the address from the list of addresses. */ |
612 | 0 | for (ai = aitop; ai; ai = ai->ai_next) { |
613 | 0 | if (getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop2, |
614 | 0 | sizeof(ntop2), NULL, 0, NI_NUMERICHOST) == 0 && |
615 | 0 | (strcmp(ntop, ntop2) == 0)) |
616 | 0 | break; |
617 | 0 | } |
618 | 0 | freeaddrinfo(aitop); |
619 | | /* If we reached the end of the list, the address was not there. */ |
620 | 0 | if (ai == NULL) { |
621 | | /* Address not found for the host name. */ |
622 | 0 | logit("Address %.100s maps to %.600s, but this does not " |
623 | 0 | "map back to the address.", ntop, name); |
624 | 0 | return xstrdup(ntop); |
625 | 0 | } |
626 | 0 | return xstrdup(name); |
627 | 0 | } |
628 | | |
629 | | /* Returns the port number of the remote host. */ |
630 | | |
631 | | int |
632 | | ssh_remote_port(struct ssh *ssh) |
633 | 0 | { |
634 | 0 | (void)ssh_remote_ipaddr(ssh); /* Will lookup and cache. */ |
635 | 0 | return ssh->remote_port; |
636 | 0 | } |
637 | | |
638 | | /* |
639 | | * Returns the IP-address of the local host as a string. The returned |
640 | | * string must not be freed. |
641 | | */ |
642 | | |
643 | | const char * |
644 | | ssh_local_ipaddr(struct ssh *ssh) |
645 | 0 | { |
646 | 0 | (void)ssh_remote_ipaddr(ssh); /* Will lookup and cache. */ |
647 | 0 | return ssh->local_ipaddr; |
648 | 0 | } |
649 | | |
650 | | /* Returns the port number of the local host. */ |
651 | | |
652 | | int |
653 | | ssh_local_port(struct ssh *ssh) |
654 | 0 | { |
655 | 0 | (void)ssh_remote_ipaddr(ssh); /* Will lookup and cache. */ |
656 | 0 | return ssh->local_port; |
657 | 0 | } |
658 | | |
659 | | /* Returns the routing domain of the input socket, or NULL if unavailable */ |
660 | | const char * |
661 | | ssh_packet_rdomain_in(struct ssh *ssh) |
662 | 0 | { |
663 | 0 | if (ssh->rdomain_in != NULL) |
664 | 0 | return ssh->rdomain_in; |
665 | 0 | if (!ssh_packet_connection_is_on_socket(ssh)) |
666 | 0 | return NULL; |
667 | 0 | ssh->rdomain_in = get_rdomain(ssh->state->connection_in); |
668 | 0 | return ssh->rdomain_in; |
669 | 0 | } |
670 | | |
671 | | /* Closes the connection and clears and frees internal data structures. */ |
672 | | |
673 | | static void |
674 | | ssh_packet_close_internal(struct ssh *ssh, int do_close) |
675 | 179k | { |
676 | 179k | struct session_state *state = ssh->state; |
677 | 179k | u_int mode; |
678 | | |
679 | 179k | if (!state->initialized) |
680 | 0 | return; |
681 | 179k | state->initialized = 0; |
682 | 179k | if (do_close) { |
683 | 179k | if (state->connection_in == state->connection_out) { |
684 | 179k | close(state->connection_out); |
685 | 179k | } else { |
686 | 0 | close(state->connection_in); |
687 | 0 | close(state->connection_out); |
688 | 0 | } |
689 | 179k | } |
690 | 179k | sshbuf_free(state->input); |
691 | 179k | sshbuf_free(state->output); |
692 | 179k | sshbuf_free(state->outgoing_packet); |
693 | 179k | sshbuf_free(state->incoming_packet); |
694 | 537k | for (mode = 0; mode < MODE_MAX; mode++) { |
695 | 358k | kex_free_newkeys(state->newkeys[mode]); /* current keys */ |
696 | 358k | state->newkeys[mode] = NULL; |
697 | 358k | ssh_clear_newkeys(ssh, mode); /* next keys */ |
698 | 358k | } |
699 | 179k | #ifdef WITH_ZLIB |
700 | | /* compression state is in shared mem, so we can only release it once */ |
701 | 179k | if (do_close && state->compression_buffer) { |
702 | 0 | sshbuf_free(state->compression_buffer); |
703 | 0 | if (state->compression_out_started) { |
704 | 0 | z_streamp stream = &state->compression_out_stream; |
705 | 0 | debug("compress outgoing: " |
706 | 0 | "raw data %llu, compressed %llu, factor %.2f", |
707 | 0 | (unsigned long long)stream->total_in, |
708 | 0 | (unsigned long long)stream->total_out, |
709 | 0 | stream->total_in == 0 ? 0.0 : |
710 | 0 | (double) stream->total_out / stream->total_in); |
711 | 0 | if (state->compression_out_failures == 0) |
712 | 0 | deflateEnd(stream); |
713 | 0 | } |
714 | 0 | if (state->compression_in_started) { |
715 | 0 | z_streamp stream = &state->compression_in_stream; |
716 | 0 | debug("compress incoming: " |
717 | 0 | "raw data %llu, compressed %llu, factor %.2f", |
718 | 0 | (unsigned long long)stream->total_out, |
719 | 0 | (unsigned long long)stream->total_in, |
720 | 0 | stream->total_out == 0 ? 0.0 : |
721 | 0 | (double) stream->total_in / stream->total_out); |
722 | 0 | if (state->compression_in_failures == 0) |
723 | 0 | inflateEnd(stream); |
724 | 0 | } |
725 | 0 | } |
726 | 179k | #endif /* WITH_ZLIB */ |
727 | 179k | cipher_free(state->send_context); |
728 | 179k | cipher_free(state->receive_context); |
729 | 179k | state->send_context = state->receive_context = NULL; |
730 | 179k | if (do_close) { |
731 | 179k | free(ssh->local_ipaddr); |
732 | 179k | ssh->local_ipaddr = NULL; |
733 | 179k | free(ssh->remote_ipaddr); |
734 | 179k | ssh->remote_ipaddr = NULL; |
735 | 179k | free(ssh->state); |
736 | 179k | ssh->state = NULL; |
737 | 179k | kex_free(ssh->kex); |
738 | 179k | ssh->kex = NULL; |
739 | 179k | } |
740 | 179k | } |
741 | | |
742 | | void |
743 | | ssh_packet_close(struct ssh *ssh) |
744 | 179k | { |
745 | 179k | ssh_packet_close_internal(ssh, 1); |
746 | 179k | } |
747 | | |
748 | | void |
749 | | ssh_packet_clear_keys(struct ssh *ssh) |
750 | 0 | { |
751 | 0 | ssh_packet_close_internal(ssh, 0); |
752 | 0 | } |
753 | | |
754 | | /* Sets remote side protocol flags. */ |
755 | | |
756 | | void |
757 | | ssh_packet_set_protocol_flags(struct ssh *ssh, u_int protocol_flags) |
758 | 0 | { |
759 | 0 | ssh->state->remote_protocol_flags = protocol_flags; |
760 | 0 | } |
761 | | |
762 | | /* Returns the remote protocol flags set earlier by the above function. */ |
763 | | |
764 | | u_int |
765 | | ssh_packet_get_protocol_flags(struct ssh *ssh) |
766 | 0 | { |
767 | 0 | return ssh->state->remote_protocol_flags; |
768 | 0 | } |
769 | | |
770 | | /* |
771 | | * Starts packet compression from the next packet on in both directions. |
772 | | * Level is compression level 1 (fastest) - 9 (slow, best) as in gzip. |
773 | | */ |
774 | | |
775 | | static int |
776 | | ssh_packet_init_compression(struct ssh *ssh) |
777 | 0 | { |
778 | 0 | if (!ssh->state->compression_buffer && |
779 | 0 | ((ssh->state->compression_buffer = sshbuf_new()) == NULL)) |
780 | 0 | return SSH_ERR_ALLOC_FAIL; |
781 | 0 | return 0; |
782 | 0 | } |
783 | | |
784 | | #ifdef WITH_ZLIB |
785 | | static int |
786 | | start_compression_out(struct ssh *ssh, int level) |
787 | 0 | { |
788 | 0 | if (level < 1 || level > 9) |
789 | 0 | return SSH_ERR_INVALID_ARGUMENT; |
790 | 0 | debug("Enabling compression at level %d.", level); |
791 | 0 | if (ssh->state->compression_out_started == 1) |
792 | 0 | deflateEnd(&ssh->state->compression_out_stream); |
793 | 0 | switch (deflateInit(&ssh->state->compression_out_stream, level)) { |
794 | 0 | case Z_OK: |
795 | 0 | ssh->state->compression_out_started = 1; |
796 | 0 | break; |
797 | 0 | case Z_MEM_ERROR: |
798 | 0 | return SSH_ERR_ALLOC_FAIL; |
799 | 0 | default: |
800 | 0 | return SSH_ERR_INTERNAL_ERROR; |
801 | 0 | } |
802 | 0 | return 0; |
803 | 0 | } |
804 | | |
805 | | static int |
806 | | start_compression_in(struct ssh *ssh) |
807 | 0 | { |
808 | 0 | if (ssh->state->compression_in_started == 1) |
809 | 0 | inflateEnd(&ssh->state->compression_in_stream); |
810 | 0 | switch (inflateInit(&ssh->state->compression_in_stream)) { |
811 | 0 | case Z_OK: |
812 | 0 | ssh->state->compression_in_started = 1; |
813 | 0 | break; |
814 | 0 | case Z_MEM_ERROR: |
815 | 0 | return SSH_ERR_ALLOC_FAIL; |
816 | 0 | default: |
817 | 0 | return SSH_ERR_INTERNAL_ERROR; |
818 | 0 | } |
819 | 0 | return 0; |
820 | 0 | } |
821 | | |
822 | | /* XXX remove need for separate compression buffer */ |
823 | | static int |
824 | | compress_buffer(struct ssh *ssh, struct sshbuf *in, struct sshbuf *out) |
825 | 0 | { |
826 | 0 | u_char buf[4096]; |
827 | 0 | int r, status; |
828 | |
|
829 | 0 | if (ssh->state->compression_out_started != 1) |
830 | 0 | return SSH_ERR_INTERNAL_ERROR; |
831 | | |
832 | | /* This case is not handled below. */ |
833 | 0 | if (sshbuf_len(in) == 0) |
834 | 0 | return 0; |
835 | | |
836 | | /* Input is the contents of the input buffer. */ |
837 | 0 | if ((ssh->state->compression_out_stream.next_in = |
838 | 0 | sshbuf_mutable_ptr(in)) == NULL) |
839 | 0 | return SSH_ERR_INTERNAL_ERROR; |
840 | 0 | ssh->state->compression_out_stream.avail_in = sshbuf_len(in); |
841 | | |
842 | | /* Loop compressing until deflate() returns with avail_out != 0. */ |
843 | 0 | do { |
844 | | /* Set up fixed-size output buffer. */ |
845 | 0 | ssh->state->compression_out_stream.next_out = buf; |
846 | 0 | ssh->state->compression_out_stream.avail_out = sizeof(buf); |
847 | | |
848 | | /* Compress as much data into the buffer as possible. */ |
849 | 0 | status = deflate(&ssh->state->compression_out_stream, |
850 | 0 | Z_PARTIAL_FLUSH); |
851 | 0 | switch (status) { |
852 | 0 | case Z_MEM_ERROR: |
853 | 0 | return SSH_ERR_ALLOC_FAIL; |
854 | 0 | case Z_OK: |
855 | | /* Append compressed data to output_buffer. */ |
856 | 0 | if ((r = sshbuf_put(out, buf, sizeof(buf) - |
857 | 0 | ssh->state->compression_out_stream.avail_out)) != 0) |
858 | 0 | return r; |
859 | 0 | break; |
860 | 0 | case Z_STREAM_ERROR: |
861 | 0 | default: |
862 | 0 | ssh->state->compression_out_failures++; |
863 | 0 | return SSH_ERR_INVALID_FORMAT; |
864 | 0 | } |
865 | 0 | } while (ssh->state->compression_out_stream.avail_out == 0); |
866 | 0 | return 0; |
867 | 0 | } |
868 | | |
869 | | static int |
870 | | uncompress_buffer(struct ssh *ssh, struct sshbuf *in, struct sshbuf *out) |
871 | 0 | { |
872 | 0 | u_char buf[4096]; |
873 | 0 | int r, status; |
874 | |
|
875 | 0 | if (ssh->state->compression_in_started != 1) |
876 | 0 | return SSH_ERR_INTERNAL_ERROR; |
877 | | |
878 | 0 | if ((ssh->state->compression_in_stream.next_in = |
879 | 0 | sshbuf_mutable_ptr(in)) == NULL) |
880 | 0 | return SSH_ERR_INTERNAL_ERROR; |
881 | 0 | ssh->state->compression_in_stream.avail_in = sshbuf_len(in); |
882 | |
|
883 | 0 | for (;;) { |
884 | | /* Set up fixed-size output buffer. */ |
885 | 0 | ssh->state->compression_in_stream.next_out = buf; |
886 | 0 | ssh->state->compression_in_stream.avail_out = sizeof(buf); |
887 | |
|
888 | 0 | status = inflate(&ssh->state->compression_in_stream, |
889 | 0 | Z_SYNC_FLUSH); |
890 | 0 | switch (status) { |
891 | 0 | case Z_OK: |
892 | 0 | if ((r = sshbuf_put(out, buf, sizeof(buf) - |
893 | 0 | ssh->state->compression_in_stream.avail_out)) != 0) |
894 | 0 | return r; |
895 | 0 | break; |
896 | 0 | case Z_BUF_ERROR: |
897 | | /* |
898 | | * Comments in zlib.h say that we should keep calling |
899 | | * inflate() until we get an error. This appears to |
900 | | * be the error that we get. |
901 | | */ |
902 | 0 | return 0; |
903 | 0 | case Z_DATA_ERROR: |
904 | 0 | return SSH_ERR_INVALID_FORMAT; |
905 | 0 | case Z_MEM_ERROR: |
906 | 0 | return SSH_ERR_ALLOC_FAIL; |
907 | 0 | case Z_STREAM_ERROR: |
908 | 0 | default: |
909 | 0 | ssh->state->compression_in_failures++; |
910 | 0 | return SSH_ERR_INTERNAL_ERROR; |
911 | 0 | } |
912 | 0 | } |
913 | | /* NOTREACHED */ |
914 | 0 | } |
915 | | |
916 | | #else /* WITH_ZLIB */ |
917 | | |
918 | | static int |
919 | | start_compression_out(struct ssh *ssh, int level) |
920 | | { |
921 | | return SSH_ERR_INTERNAL_ERROR; |
922 | | } |
923 | | |
924 | | static int |
925 | | start_compression_in(struct ssh *ssh) |
926 | | { |
927 | | return SSH_ERR_INTERNAL_ERROR; |
928 | | } |
929 | | |
930 | | static int |
931 | | compress_buffer(struct ssh *ssh, struct sshbuf *in, struct sshbuf *out) |
932 | | { |
933 | | return SSH_ERR_INTERNAL_ERROR; |
934 | | } |
935 | | |
936 | | static int |
937 | | uncompress_buffer(struct ssh *ssh, struct sshbuf *in, struct sshbuf *out) |
938 | | { |
939 | | return SSH_ERR_INTERNAL_ERROR; |
940 | | } |
941 | | #endif /* WITH_ZLIB */ |
942 | | |
943 | | void |
944 | | ssh_clear_newkeys(struct ssh *ssh, int mode) |
945 | 358k | { |
946 | 358k | if (ssh->kex && ssh->kex->newkeys[mode]) { |
947 | 24.7k | kex_free_newkeys(ssh->kex->newkeys[mode]); |
948 | 24.7k | ssh->kex->newkeys[mode] = NULL; |
949 | 24.7k | } |
950 | 358k | } |
951 | | |
952 | | int |
953 | | ssh_set_newkeys(struct ssh *ssh, int mode) |
954 | 1.04k | { |
955 | 1.04k | struct session_state *state = ssh->state; |
956 | 1.04k | struct sshenc *enc; |
957 | 1.04k | struct sshmac *mac; |
958 | 1.04k | struct sshcomp *comp; |
959 | 1.04k | struct sshcipher_ctx **ccp; |
960 | 1.04k | struct packet_state *ps; |
961 | 1.04k | u_int64_t *max_blocks; |
962 | 1.04k | const char *wmsg; |
963 | 1.04k | int r, crypt_type; |
964 | 1.04k | const char *dir = mode == MODE_OUT ? "out" : "in"; |
965 | | |
966 | 1.04k | debug2_f("mode %d", mode); |
967 | | |
968 | 1.04k | if (mode == MODE_OUT) { |
969 | 744 | ccp = &state->send_context; |
970 | 744 | crypt_type = CIPHER_ENCRYPT; |
971 | 744 | ps = &state->p_send; |
972 | 744 | max_blocks = &state->max_blocks_out; |
973 | 744 | } else { |
974 | 302 | ccp = &state->receive_context; |
975 | 302 | crypt_type = CIPHER_DECRYPT; |
976 | 302 | ps = &state->p_read; |
977 | 302 | max_blocks = &state->max_blocks_in; |
978 | 302 | } |
979 | 1.04k | if (state->newkeys[mode] != NULL) { |
980 | 0 | debug_f("rekeying %s, input %llu bytes %llu blocks, " |
981 | 0 | "output %llu bytes %llu blocks", dir, |
982 | 0 | (unsigned long long)state->p_read.bytes, |
983 | 0 | (unsigned long long)state->p_read.blocks, |
984 | 0 | (unsigned long long)state->p_send.bytes, |
985 | 0 | (unsigned long long)state->p_send.blocks); |
986 | 0 | kex_free_newkeys(state->newkeys[mode]); |
987 | 0 | state->newkeys[mode] = NULL; |
988 | 0 | } |
989 | | /* note that both bytes and the seqnr are not reset */ |
990 | 1.04k | ps->packets = ps->blocks = 0; |
991 | | /* move newkeys from kex to state */ |
992 | 1.04k | if ((state->newkeys[mode] = ssh->kex->newkeys[mode]) == NULL) |
993 | 0 | return SSH_ERR_INTERNAL_ERROR; |
994 | 1.04k | ssh->kex->newkeys[mode] = NULL; |
995 | 1.04k | enc = &state->newkeys[mode]->enc; |
996 | 1.04k | mac = &state->newkeys[mode]->mac; |
997 | 1.04k | comp = &state->newkeys[mode]->comp; |
998 | 1.04k | if (cipher_authlen(enc->cipher) == 0) { |
999 | 1.04k | if ((r = mac_init(mac)) != 0) |
1000 | 0 | return r; |
1001 | 1.04k | } |
1002 | 1.04k | mac->enabled = 1; |
1003 | 1.04k | DBG(debug_f("cipher_init: %s", dir)); |
1004 | 1.04k | cipher_free(*ccp); |
1005 | 1.04k | *ccp = NULL; |
1006 | 1.04k | if ((r = cipher_init(ccp, enc->cipher, enc->key, enc->key_len, |
1007 | 1.04k | enc->iv, enc->iv_len, crypt_type)) != 0) |
1008 | 0 | return r; |
1009 | 1.04k | if (!state->cipher_warning_done && |
1010 | 1.04k | (wmsg = cipher_warning_message(*ccp)) != NULL) { |
1011 | 0 | error("Warning: %s", wmsg); |
1012 | 0 | state->cipher_warning_done = 1; |
1013 | 0 | } |
1014 | | /* Deleting the keys does not gain extra security */ |
1015 | | /* explicit_bzero(enc->iv, enc->block_size); |
1016 | | explicit_bzero(enc->key, enc->key_len); |
1017 | | explicit_bzero(mac->key, mac->key_len); */ |
1018 | 1.04k | if (((comp->type == COMP_DELAYED && state->after_authentication)) && |
1019 | 1.04k | comp->enabled == 0) { |
1020 | 0 | if ((r = ssh_packet_init_compression(ssh)) < 0) |
1021 | 0 | return r; |
1022 | 0 | if (mode == MODE_OUT) { |
1023 | 0 | if ((r = start_compression_out(ssh, 6)) != 0) |
1024 | 0 | return r; |
1025 | 0 | } else { |
1026 | 0 | if ((r = start_compression_in(ssh)) != 0) |
1027 | 0 | return r; |
1028 | 0 | } |
1029 | 0 | comp->enabled = 1; |
1030 | 0 | } |
1031 | | /* |
1032 | | * The 2^(blocksize*2) limit is too expensive for 3DES, |
1033 | | * so enforce a 1GB limit for small blocksizes. |
1034 | | * See RFC4344 section 3.2. |
1035 | | */ |
1036 | 1.04k | if (enc->block_size >= 16) |
1037 | 0 | *max_blocks = (u_int64_t)1 << (enc->block_size*2); |
1038 | 1.04k | else |
1039 | 1.04k | *max_blocks = ((u_int64_t)1 << 30) / enc->block_size; |
1040 | 1.04k | if (state->rekey_limit) |
1041 | 0 | *max_blocks = MINIMUM(*max_blocks, |
1042 | 1.04k | state->rekey_limit / enc->block_size); |
1043 | 1.04k | debug("rekey %s after %llu blocks", dir, |
1044 | 1.04k | (unsigned long long)*max_blocks); |
1045 | 1.04k | return 0; |
1046 | 1.04k | } |
1047 | | |
1048 | 0 | #define MAX_PACKETS (1U<<31) |
1049 | | static int |
1050 | | ssh_packet_need_rekeying(struct ssh *ssh, u_int outbound_packet_len) |
1051 | 1.49M | { |
1052 | 1.49M | struct session_state *state = ssh->state; |
1053 | 1.49M | u_int32_t out_blocks; |
1054 | | |
1055 | | /* XXX client can't cope with rekeying pre-auth */ |
1056 | 1.49M | if (!state->after_authentication) |
1057 | 1.49M | return 0; |
1058 | | |
1059 | | /* Haven't keyed yet or KEX in progress. */ |
1060 | 3.85k | if (ssh_packet_is_rekeying(ssh)) |
1061 | 3.85k | return 0; |
1062 | | |
1063 | | /* Peer can't rekey */ |
1064 | 0 | if (ssh->compat & SSH_BUG_NOREKEY) |
1065 | 0 | return 0; |
1066 | | |
1067 | | /* |
1068 | | * Permit one packet in or out per rekey - this allows us to |
1069 | | * make progress when rekey limits are very small. |
1070 | | */ |
1071 | 0 | if (state->p_send.packets == 0 && state->p_read.packets == 0) |
1072 | 0 | return 0; |
1073 | | |
1074 | | /* Time-based rekeying */ |
1075 | 0 | if (state->rekey_interval != 0 && |
1076 | 0 | (int64_t)state->rekey_time + state->rekey_interval <= monotime()) |
1077 | 0 | return 1; |
1078 | | |
1079 | | /* |
1080 | | * Always rekey when MAX_PACKETS sent in either direction |
1081 | | * As per RFC4344 section 3.1 we do this after 2^31 packets. |
1082 | | */ |
1083 | 0 | if (state->p_send.packets > MAX_PACKETS || |
1084 | 0 | state->p_read.packets > MAX_PACKETS) |
1085 | 0 | return 1; |
1086 | | |
1087 | | /* Rekey after (cipher-specific) maximum blocks */ |
1088 | 0 | out_blocks = ROUNDUP(outbound_packet_len, |
1089 | 0 | state->newkeys[MODE_OUT]->enc.block_size); |
1090 | 0 | return (state->max_blocks_out && |
1091 | 0 | (state->p_send.blocks + out_blocks > state->max_blocks_out)) || |
1092 | 0 | (state->max_blocks_in && |
1093 | 0 | (state->p_read.blocks > state->max_blocks_in)); |
1094 | 0 | } |
1095 | | |
1096 | | int |
1097 | | ssh_packet_check_rekey(struct ssh *ssh) |
1098 | 1.49M | { |
1099 | 1.49M | if (!ssh_packet_need_rekeying(ssh, 0)) |
1100 | 1.49M | return 0; |
1101 | 0 | debug3_f("rekex triggered"); |
1102 | 0 | return kex_start_rekex(ssh); |
1103 | 1.49M | } |
1104 | | |
1105 | | /* |
1106 | | * Delayed compression for SSH2 is enabled after authentication: |
1107 | | * This happens on the server side after a SSH2_MSG_USERAUTH_SUCCESS is sent, |
1108 | | * and on the client side after a SSH2_MSG_USERAUTH_SUCCESS is received. |
1109 | | */ |
1110 | | static int |
1111 | | ssh_packet_enable_delayed_compress(struct ssh *ssh) |
1112 | 273 | { |
1113 | 273 | struct session_state *state = ssh->state; |
1114 | 273 | struct sshcomp *comp = NULL; |
1115 | 273 | int r, mode; |
1116 | | |
1117 | | /* |
1118 | | * Remember that we are past the authentication step, so rekeying |
1119 | | * with COMP_DELAYED will turn on compression immediately. |
1120 | | */ |
1121 | 273 | state->after_authentication = 1; |
1122 | 819 | for (mode = 0; mode < MODE_MAX; mode++) { |
1123 | | /* protocol error: USERAUTH_SUCCESS received before NEWKEYS */ |
1124 | 546 | if (state->newkeys[mode] == NULL) |
1125 | 546 | continue; |
1126 | 0 | comp = &state->newkeys[mode]->comp; |
1127 | 0 | if (comp && !comp->enabled && comp->type == COMP_DELAYED) { |
1128 | 0 | if ((r = ssh_packet_init_compression(ssh)) != 0) |
1129 | 0 | return r; |
1130 | 0 | if (mode == MODE_OUT) { |
1131 | 0 | if ((r = start_compression_out(ssh, 6)) != 0) |
1132 | 0 | return r; |
1133 | 0 | } else { |
1134 | 0 | if ((r = start_compression_in(ssh)) != 0) |
1135 | 0 | return r; |
1136 | 0 | } |
1137 | 0 | comp->enabled = 1; |
1138 | 0 | } |
1139 | 0 | } |
1140 | 273 | return 0; |
1141 | 273 | } |
1142 | | |
1143 | | /* Used to mute debug logging for noisy packet types */ |
1144 | | int |
1145 | | ssh_packet_log_type(u_char type) |
1146 | 3.01M | { |
1147 | 3.01M | switch (type) { |
1148 | 190 | case SSH2_MSG_PING: |
1149 | 335 | case SSH2_MSG_PONG: |
1150 | 450 | case SSH2_MSG_CHANNEL_DATA: |
1151 | 565 | case SSH2_MSG_CHANNEL_EXTENDED_DATA: |
1152 | 800 | case SSH2_MSG_CHANNEL_WINDOW_ADJUST: |
1153 | 800 | return 0; |
1154 | 3.01M | default: |
1155 | 3.01M | return 1; |
1156 | 3.01M | } |
1157 | 3.01M | } |
1158 | | |
1159 | | /* |
1160 | | * Finalize packet in SSH2 format (compress, mac, encrypt, enqueue) |
1161 | | */ |
1162 | | int |
1163 | | ssh_packet_send2_wrapped(struct ssh *ssh) |
1164 | 1.51M | { |
1165 | 1.51M | struct session_state *state = ssh->state; |
1166 | 1.51M | u_char type, *cp, macbuf[SSH_DIGEST_MAX_LENGTH]; |
1167 | 1.51M | u_char tmp, padlen, pad = 0; |
1168 | 1.51M | u_int authlen = 0, aadlen = 0; |
1169 | 1.51M | u_int len; |
1170 | 1.51M | struct sshenc *enc = NULL; |
1171 | 1.51M | struct sshmac *mac = NULL; |
1172 | 1.51M | struct sshcomp *comp = NULL; |
1173 | 1.51M | int r, block_size; |
1174 | | |
1175 | 1.51M | if (state->newkeys[MODE_OUT] != NULL) { |
1176 | 660k | enc = &state->newkeys[MODE_OUT]->enc; |
1177 | 660k | mac = &state->newkeys[MODE_OUT]->mac; |
1178 | 660k | comp = &state->newkeys[MODE_OUT]->comp; |
1179 | | /* disable mac for authenticated encryption */ |
1180 | 660k | if ((authlen = cipher_authlen(enc->cipher)) != 0) |
1181 | 0 | mac = NULL; |
1182 | 660k | } |
1183 | 1.51M | block_size = enc ? enc->block_size : 8; |
1184 | 1.51M | aadlen = (mac && mac->enabled && mac->etm) || authlen ? 4 : 0; |
1185 | | |
1186 | 1.51M | type = (sshbuf_ptr(state->outgoing_packet))[5]; |
1187 | 1.51M | if (ssh_packet_log_type(type)) |
1188 | 1.51M | debug3("send packet: type %u", type); |
1189 | | #ifdef PACKET_DEBUG |
1190 | | fprintf(stderr, "plain: "); |
1191 | | sshbuf_dump(state->outgoing_packet, stderr); |
1192 | | #endif |
1193 | | |
1194 | 1.51M | if (comp && comp->enabled) { |
1195 | 0 | len = sshbuf_len(state->outgoing_packet); |
1196 | | /* skip header, compress only payload */ |
1197 | 0 | if ((r = sshbuf_consume(state->outgoing_packet, 5)) != 0) |
1198 | 0 | goto out; |
1199 | 0 | sshbuf_reset(state->compression_buffer); |
1200 | 0 | if ((r = compress_buffer(ssh, state->outgoing_packet, |
1201 | 0 | state->compression_buffer)) != 0) |
1202 | 0 | goto out; |
1203 | 0 | sshbuf_reset(state->outgoing_packet); |
1204 | 0 | if ((r = sshbuf_put(state->outgoing_packet, |
1205 | 0 | "\0\0\0\0\0", 5)) != 0 || |
1206 | 0 | (r = sshbuf_putb(state->outgoing_packet, |
1207 | 0 | state->compression_buffer)) != 0) |
1208 | 0 | goto out; |
1209 | 0 | DBG(debug("compression: raw %d compressed %zd", len, |
1210 | 0 | sshbuf_len(state->outgoing_packet))); |
1211 | 0 | } |
1212 | | |
1213 | | /* sizeof (packet_len + pad_len + payload) */ |
1214 | 1.51M | len = sshbuf_len(state->outgoing_packet); |
1215 | | |
1216 | | /* |
1217 | | * calc size of padding, alloc space, get random data, |
1218 | | * minimum padding is 4 bytes |
1219 | | */ |
1220 | 1.51M | len -= aadlen; /* packet length is not encrypted for EtM modes */ |
1221 | 1.51M | padlen = block_size - (len % block_size); |
1222 | 1.51M | if (padlen < 4) |
1223 | 397k | padlen += block_size; |
1224 | 1.51M | if (state->extra_pad) { |
1225 | 0 | tmp = state->extra_pad; |
1226 | 0 | state->extra_pad = |
1227 | 0 | ROUNDUP(state->extra_pad, block_size); |
1228 | | /* check if roundup overflowed */ |
1229 | 0 | if (state->extra_pad < tmp) |
1230 | 0 | return SSH_ERR_INVALID_ARGUMENT; |
1231 | 0 | tmp = (len + padlen) % state->extra_pad; |
1232 | | /* Check whether pad calculation below will underflow */ |
1233 | 0 | if (tmp > state->extra_pad) |
1234 | 0 | return SSH_ERR_INVALID_ARGUMENT; |
1235 | 0 | pad = state->extra_pad - tmp; |
1236 | 0 | DBG(debug3_f("adding %d (len %d padlen %d extra_pad %d)", |
1237 | 0 | pad, len, padlen, state->extra_pad)); |
1238 | 0 | tmp = padlen; |
1239 | 0 | padlen += pad; |
1240 | | /* Check whether padlen calculation overflowed */ |
1241 | 0 | if (padlen < tmp) |
1242 | 0 | return SSH_ERR_INVALID_ARGUMENT; /* overflow */ |
1243 | 0 | state->extra_pad = 0; |
1244 | 0 | } |
1245 | 1.51M | if ((r = sshbuf_reserve(state->outgoing_packet, padlen, &cp)) != 0) |
1246 | 0 | goto out; |
1247 | 1.51M | if (enc && !cipher_ctx_is_plaintext(state->send_context)) { |
1248 | | /* random padding */ |
1249 | 0 | arc4random_buf(cp, padlen); |
1250 | 1.51M | } else { |
1251 | | /* clear padding */ |
1252 | 1.51M | explicit_bzero(cp, padlen); |
1253 | 1.51M | } |
1254 | | /* sizeof (packet_len + pad_len + payload + padding) */ |
1255 | 1.51M | len = sshbuf_len(state->outgoing_packet); |
1256 | 1.51M | cp = sshbuf_mutable_ptr(state->outgoing_packet); |
1257 | 1.51M | if (cp == NULL) { |
1258 | 0 | r = SSH_ERR_INTERNAL_ERROR; |
1259 | 0 | goto out; |
1260 | 0 | } |
1261 | | /* packet_length includes payload, padding and padding length field */ |
1262 | 1.51M | POKE_U32(cp, len - 4); |
1263 | 1.51M | cp[4] = padlen; |
1264 | 1.51M | DBG(debug("send: len %d (includes padlen %d, aadlen %d)", |
1265 | 1.51M | len, padlen, aadlen)); |
1266 | | |
1267 | | /* compute MAC over seqnr and packet(length fields, payload, padding) */ |
1268 | 1.51M | if (mac && mac->enabled && !mac->etm) { |
1269 | 276k | if ((r = mac_compute(mac, state->p_send.seqnr, |
1270 | 276k | sshbuf_ptr(state->outgoing_packet), len, |
1271 | 276k | macbuf, sizeof(macbuf))) != 0) |
1272 | 0 | goto out; |
1273 | 276k | DBG(debug("done calc MAC out #%d", state->p_send.seqnr)); |
1274 | 276k | } |
1275 | | /* encrypt packet and append to output buffer. */ |
1276 | 1.51M | if ((r = sshbuf_reserve(state->output, |
1277 | 1.51M | sshbuf_len(state->outgoing_packet) + authlen, &cp)) != 0) |
1278 | 0 | goto out; |
1279 | 1.51M | if ((r = cipher_crypt(state->send_context, state->p_send.seqnr, cp, |
1280 | 1.51M | sshbuf_ptr(state->outgoing_packet), |
1281 | 1.51M | len - aadlen, aadlen, authlen)) != 0) |
1282 | 0 | goto out; |
1283 | | /* append unencrypted MAC */ |
1284 | 1.51M | if (mac && mac->enabled) { |
1285 | 660k | if (mac->etm) { |
1286 | | /* EtM: compute mac over aadlen + cipher text */ |
1287 | 384k | if ((r = mac_compute(mac, state->p_send.seqnr, |
1288 | 384k | cp, len, macbuf, sizeof(macbuf))) != 0) |
1289 | 0 | goto out; |
1290 | 384k | DBG(debug("done calc MAC(EtM) out #%d", |
1291 | 384k | state->p_send.seqnr)); |
1292 | 384k | } |
1293 | 660k | if ((r = sshbuf_put(state->output, macbuf, mac->mac_len)) != 0) |
1294 | 0 | goto out; |
1295 | 660k | } |
1296 | | #ifdef PACKET_DEBUG |
1297 | | fprintf(stderr, "encrypted: "); |
1298 | | sshbuf_dump(state->output, stderr); |
1299 | | #endif |
1300 | | /* increment sequence number for outgoing packets */ |
1301 | 1.51M | if (++state->p_send.seqnr == 0) { |
1302 | 0 | if ((ssh->kex->flags & KEX_INITIAL) != 0) { |
1303 | 0 | ssh_packet_disconnect(ssh, "outgoing sequence number " |
1304 | 0 | "wrapped during initial key exchange"); |
1305 | 0 | } |
1306 | 0 | logit("outgoing seqnr wraps around"); |
1307 | 0 | } |
1308 | 1.51M | if (++state->p_send.packets == 0) |
1309 | 0 | if (!(ssh->compat & SSH_BUG_NOREKEY)) |
1310 | 0 | return SSH_ERR_NEED_REKEY; |
1311 | 1.51M | state->p_send.blocks += len / block_size; |
1312 | 1.51M | state->p_send.bytes += len; |
1313 | 1.51M | sshbuf_reset(state->outgoing_packet); |
1314 | | |
1315 | 1.51M | if (type == SSH2_MSG_NEWKEYS && ssh->kex->kex_strict) { |
1316 | 104 | debug_f("resetting send seqnr %u", state->p_send.seqnr); |
1317 | 104 | state->p_send.seqnr = 0; |
1318 | 104 | } |
1319 | | |
1320 | 1.51M | if (type == SSH2_MSG_NEWKEYS) |
1321 | 744 | r = ssh_set_newkeys(ssh, MODE_OUT); |
1322 | 1.51M | else if (type == SSH2_MSG_USERAUTH_SUCCESS && state->server_side) |
1323 | 0 | r = ssh_packet_enable_delayed_compress(ssh); |
1324 | 1.51M | else |
1325 | 1.51M | r = 0; |
1326 | 1.51M | out: |
1327 | 1.51M | return r; |
1328 | 1.51M | } |
1329 | | |
1330 | | /* returns non-zero if the specified packet type is usec by KEX */ |
1331 | | static int |
1332 | | ssh_packet_type_is_kex(u_char type) |
1333 | 2.36M | { |
1334 | 2.36M | return |
1335 | 2.36M | type >= SSH2_MSG_TRANSPORT_MIN && |
1336 | 2.36M | type <= SSH2_MSG_TRANSPORT_MAX && |
1337 | 2.36M | type != SSH2_MSG_SERVICE_REQUEST && |
1338 | 2.36M | type != SSH2_MSG_SERVICE_ACCEPT && |
1339 | 2.36M | type != SSH2_MSG_EXT_INFO; |
1340 | 2.36M | } |
1341 | | |
1342 | | int |
1343 | | ssh_packet_send2(struct ssh *ssh) |
1344 | 1.51M | { |
1345 | 1.51M | struct session_state *state = ssh->state; |
1346 | 1.51M | struct packet *p; |
1347 | 1.51M | u_char type; |
1348 | 1.51M | int r, need_rekey; |
1349 | | |
1350 | 1.51M | if (sshbuf_len(state->outgoing_packet) < 6) |
1351 | 0 | return SSH_ERR_INTERNAL_ERROR; |
1352 | 1.51M | type = sshbuf_ptr(state->outgoing_packet)[5]; |
1353 | 1.51M | need_rekey = !ssh_packet_type_is_kex(type) && |
1354 | 1.51M | ssh_packet_need_rekeying(ssh, sshbuf_len(state->outgoing_packet)); |
1355 | | |
1356 | | /* |
1357 | | * During rekeying we can only send key exchange messages. |
1358 | | * Queue everything else. |
1359 | | */ |
1360 | 1.51M | if ((need_rekey || state->rekeying) && !ssh_packet_type_is_kex(type)) { |
1361 | 0 | if (need_rekey) |
1362 | 0 | debug3_f("rekex triggered"); |
1363 | 0 | debug("enqueue packet: %u", type); |
1364 | 0 | p = calloc(1, sizeof(*p)); |
1365 | 0 | if (p == NULL) |
1366 | 0 | return SSH_ERR_ALLOC_FAIL; |
1367 | 0 | p->type = type; |
1368 | 0 | p->payload = state->outgoing_packet; |
1369 | 0 | TAILQ_INSERT_TAIL(&state->outgoing, p, next); |
1370 | 0 | state->outgoing_packet = sshbuf_new(); |
1371 | 0 | if (state->outgoing_packet == NULL) |
1372 | 0 | return SSH_ERR_ALLOC_FAIL; |
1373 | 0 | if (need_rekey) { |
1374 | | /* |
1375 | | * This packet triggered a rekey, so send the |
1376 | | * KEXINIT now. |
1377 | | * NB. reenters this function via kex_start_rekex(). |
1378 | | */ |
1379 | 0 | return kex_start_rekex(ssh); |
1380 | 0 | } |
1381 | 0 | return 0; |
1382 | 0 | } |
1383 | | |
1384 | | /* rekeying starts with sending KEXINIT */ |
1385 | 1.51M | if (type == SSH2_MSG_KEXINIT) |
1386 | 87.5k | state->rekeying = 1; |
1387 | | |
1388 | 1.51M | if ((r = ssh_packet_send2_wrapped(ssh)) != 0) |
1389 | 0 | return r; |
1390 | | |
1391 | | /* after a NEWKEYS message we can send the complete queue */ |
1392 | 1.51M | if (type == SSH2_MSG_NEWKEYS) { |
1393 | 744 | state->rekeying = 0; |
1394 | 744 | state->rekey_time = monotime(); |
1395 | 744 | while ((p = TAILQ_FIRST(&state->outgoing))) { |
1396 | 0 | type = p->type; |
1397 | | /* |
1398 | | * If this packet triggers a rekex, then skip the |
1399 | | * remaining packets in the queue for now. |
1400 | | * NB. re-enters this function via kex_start_rekex. |
1401 | | */ |
1402 | 0 | if (ssh_packet_need_rekeying(ssh, |
1403 | 0 | sshbuf_len(p->payload))) { |
1404 | 0 | debug3_f("queued packet triggered rekex"); |
1405 | 0 | return kex_start_rekex(ssh); |
1406 | 0 | } |
1407 | 0 | debug("dequeue packet: %u", type); |
1408 | 0 | sshbuf_free(state->outgoing_packet); |
1409 | 0 | state->outgoing_packet = p->payload; |
1410 | 0 | TAILQ_REMOVE(&state->outgoing, p, next); |
1411 | 0 | memset(p, 0, sizeof(*p)); |
1412 | 0 | free(p); |
1413 | 0 | if ((r = ssh_packet_send2_wrapped(ssh)) != 0) |
1414 | 0 | return r; |
1415 | 0 | } |
1416 | 744 | } |
1417 | 1.51M | return 0; |
1418 | 1.51M | } |
1419 | | |
1420 | | /* |
1421 | | * Waits until a packet has been received, and returns its type. Note that |
1422 | | * no other data is processed until this returns, so this function should not |
1423 | | * be used during the interactive session. |
1424 | | */ |
1425 | | |
1426 | | int |
1427 | | ssh_packet_read_seqnr(struct ssh *ssh, u_char *typep, u_int32_t *seqnr_p) |
1428 | 0 | { |
1429 | 0 | struct session_state *state = ssh->state; |
1430 | 0 | int len, r, ms_remain = 0; |
1431 | 0 | struct pollfd pfd; |
1432 | 0 | char buf[8192]; |
1433 | 0 | struct timeval start; |
1434 | 0 | struct timespec timespec, *timespecp = NULL; |
1435 | |
|
1436 | 0 | DBG(debug("packet_read()")); |
1437 | | |
1438 | | /* |
1439 | | * Since we are blocking, ensure that all written packets have |
1440 | | * been sent. |
1441 | | */ |
1442 | 0 | if ((r = ssh_packet_write_wait(ssh)) != 0) |
1443 | 0 | goto out; |
1444 | | |
1445 | | /* Stay in the loop until we have received a complete packet. */ |
1446 | 0 | for (;;) { |
1447 | | /* Try to read a packet from the buffer. */ |
1448 | 0 | if ((r = ssh_packet_read_poll_seqnr(ssh, typep, seqnr_p)) != 0) |
1449 | 0 | break; |
1450 | | /* If we got a packet, return it. */ |
1451 | 0 | if (*typep != SSH_MSG_NONE) |
1452 | 0 | break; |
1453 | | /* |
1454 | | * Otherwise, wait for some data to arrive, add it to the |
1455 | | * buffer, and try again. |
1456 | | */ |
1457 | 0 | pfd.fd = state->connection_in; |
1458 | 0 | pfd.events = POLLIN; |
1459 | |
|
1460 | 0 | if (state->packet_timeout_ms > 0) { |
1461 | 0 | ms_remain = state->packet_timeout_ms; |
1462 | 0 | timespecp = ×pec; |
1463 | 0 | } |
1464 | | /* Wait for some data to arrive. */ |
1465 | 0 | for (;;) { |
1466 | 0 | if (state->packet_timeout_ms > 0) { |
1467 | 0 | ms_to_timespec(×pec, ms_remain); |
1468 | 0 | monotime_tv(&start); |
1469 | 0 | } |
1470 | 0 | if ((r = ppoll(&pfd, 1, timespecp, NULL)) >= 0) |
1471 | 0 | break; |
1472 | 0 | if (errno != EAGAIN && errno != EINTR && |
1473 | 0 | errno != EWOULDBLOCK) { |
1474 | 0 | r = SSH_ERR_SYSTEM_ERROR; |
1475 | 0 | goto out; |
1476 | 0 | } |
1477 | 0 | if (state->packet_timeout_ms <= 0) |
1478 | 0 | continue; |
1479 | 0 | ms_subtract_diff(&start, &ms_remain); |
1480 | 0 | if (ms_remain <= 0) { |
1481 | 0 | r = 0; |
1482 | 0 | break; |
1483 | 0 | } |
1484 | 0 | } |
1485 | 0 | if (r == 0) { |
1486 | 0 | r = SSH_ERR_CONN_TIMEOUT; |
1487 | 0 | goto out; |
1488 | 0 | } |
1489 | | /* Read data from the socket. */ |
1490 | 0 | len = read(state->connection_in, buf, sizeof(buf)); |
1491 | 0 | if (len == 0) { |
1492 | 0 | r = SSH_ERR_CONN_CLOSED; |
1493 | 0 | goto out; |
1494 | 0 | } |
1495 | 0 | if (len == -1) { |
1496 | 0 | r = SSH_ERR_SYSTEM_ERROR; |
1497 | 0 | goto out; |
1498 | 0 | } |
1499 | | |
1500 | | /* Append it to the buffer. */ |
1501 | 0 | if ((r = ssh_packet_process_incoming(ssh, buf, len)) != 0) |
1502 | 0 | goto out; |
1503 | 0 | } |
1504 | 0 | out: |
1505 | 0 | return r; |
1506 | 0 | } |
1507 | | |
1508 | | int |
1509 | | ssh_packet_read(struct ssh *ssh) |
1510 | 0 | { |
1511 | 0 | u_char type; |
1512 | 0 | int r; |
1513 | |
|
1514 | 0 | if ((r = ssh_packet_read_seqnr(ssh, &type, NULL)) != 0) |
1515 | 0 | fatal_fr(r, "read"); |
1516 | 0 | return type; |
1517 | 0 | } |
1518 | | |
1519 | | static int |
1520 | | ssh_packet_read_poll2_mux(struct ssh *ssh, u_char *typep, u_int32_t *seqnr_p) |
1521 | 0 | { |
1522 | 0 | struct session_state *state = ssh->state; |
1523 | 0 | const u_char *cp; |
1524 | 0 | size_t need; |
1525 | 0 | int r; |
1526 | |
|
1527 | 0 | if (ssh->kex) |
1528 | 0 | return SSH_ERR_INTERNAL_ERROR; |
1529 | 0 | *typep = SSH_MSG_NONE; |
1530 | 0 | cp = sshbuf_ptr(state->input); |
1531 | 0 | if (state->packlen == 0) { |
1532 | 0 | if (sshbuf_len(state->input) < 4 + 1) |
1533 | 0 | return 0; /* packet is incomplete */ |
1534 | 0 | state->packlen = PEEK_U32(cp); |
1535 | 0 | if (state->packlen < 4 + 1 || |
1536 | 0 | state->packlen > PACKET_MAX_SIZE) |
1537 | 0 | return SSH_ERR_MESSAGE_INCOMPLETE; |
1538 | 0 | } |
1539 | 0 | need = state->packlen + 4; |
1540 | 0 | if (sshbuf_len(state->input) < need) |
1541 | 0 | return 0; /* packet is incomplete */ |
1542 | 0 | sshbuf_reset(state->incoming_packet); |
1543 | 0 | if ((r = sshbuf_put(state->incoming_packet, cp + 4, |
1544 | 0 | state->packlen)) != 0 || |
1545 | 0 | (r = sshbuf_consume(state->input, need)) != 0 || |
1546 | 0 | (r = sshbuf_get_u8(state->incoming_packet, NULL)) != 0 || |
1547 | 0 | (r = sshbuf_get_u8(state->incoming_packet, typep)) != 0) |
1548 | 0 | return r; |
1549 | 0 | if (ssh_packet_log_type(*typep)) |
1550 | 0 | debug3_f("type %u", *typep); |
1551 | | /* sshbuf_dump(state->incoming_packet, stderr); */ |
1552 | | /* reset for next packet */ |
1553 | 0 | state->packlen = 0; |
1554 | 0 | return r; |
1555 | 0 | } |
1556 | | |
1557 | | int |
1558 | | ssh_packet_read_poll2(struct ssh *ssh, u_char *typep, u_int32_t *seqnr_p) |
1559 | 1.52M | { |
1560 | 1.52M | struct session_state *state = ssh->state; |
1561 | 1.52M | u_int padlen, need; |
1562 | 1.52M | u_char *cp; |
1563 | 1.52M | u_int maclen, aadlen = 0, authlen = 0, block_size; |
1564 | 1.52M | struct sshenc *enc = NULL; |
1565 | 1.52M | struct sshmac *mac = NULL; |
1566 | 1.52M | struct sshcomp *comp = NULL; |
1567 | 1.52M | int r; |
1568 | | |
1569 | 1.52M | if (state->mux) |
1570 | 0 | return ssh_packet_read_poll2_mux(ssh, typep, seqnr_p); |
1571 | | |
1572 | 1.52M | *typep = SSH_MSG_NONE; |
1573 | | |
1574 | 1.52M | if (state->packet_discard) |
1575 | 0 | return 0; |
1576 | | |
1577 | 1.52M | if (state->newkeys[MODE_IN] != NULL) { |
1578 | 335 | enc = &state->newkeys[MODE_IN]->enc; |
1579 | 335 | mac = &state->newkeys[MODE_IN]->mac; |
1580 | 335 | comp = &state->newkeys[MODE_IN]->comp; |
1581 | | /* disable mac for authenticated encryption */ |
1582 | 335 | if ((authlen = cipher_authlen(enc->cipher)) != 0) |
1583 | 0 | mac = NULL; |
1584 | 335 | } |
1585 | 1.52M | maclen = mac && mac->enabled ? mac->mac_len : 0; |
1586 | 1.52M | block_size = enc ? enc->block_size : 8; |
1587 | 1.52M | aadlen = (mac && mac->enabled && mac->etm) || authlen ? 4 : 0; |
1588 | | |
1589 | 1.52M | if (aadlen && state->packlen == 0) { |
1590 | 172 | if (cipher_get_length(state->receive_context, |
1591 | 172 | &state->packlen, state->p_read.seqnr, |
1592 | 172 | sshbuf_ptr(state->input), sshbuf_len(state->input)) != 0) |
1593 | 0 | return 0; |
1594 | 172 | if (state->packlen < 1 + 4 || |
1595 | 172 | state->packlen > PACKET_MAX_SIZE) { |
1596 | | #ifdef PACKET_DEBUG |
1597 | | sshbuf_dump(state->input, stderr); |
1598 | | #endif |
1599 | 49 | logit("Bad packet length %u.", state->packlen); |
1600 | 49 | if ((r = sshpkt_disconnect(ssh, "Packet corrupt")) != 0) |
1601 | 0 | return r; |
1602 | 49 | return SSH_ERR_CONN_CORRUPT; |
1603 | 49 | } |
1604 | 123 | sshbuf_reset(state->incoming_packet); |
1605 | 1.52M | } else if (state->packlen == 0) { |
1606 | | /* |
1607 | | * check if input size is less than the cipher block size, |
1608 | | * decrypt first block and extract length of incoming packet |
1609 | | */ |
1610 | 1.52M | if (sshbuf_len(state->input) < block_size) |
1611 | 17.0k | return 0; |
1612 | 1.51M | sshbuf_reset(state->incoming_packet); |
1613 | 1.51M | if ((r = sshbuf_reserve(state->incoming_packet, block_size, |
1614 | 1.51M | &cp)) != 0) |
1615 | 0 | goto out; |
1616 | 1.51M | if ((r = cipher_crypt(state->receive_context, |
1617 | 1.51M | state->p_send.seqnr, cp, sshbuf_ptr(state->input), |
1618 | 1.51M | block_size, 0, 0)) != 0) |
1619 | 0 | goto out; |
1620 | 1.51M | state->packlen = PEEK_U32(sshbuf_ptr(state->incoming_packet)); |
1621 | 1.51M | if (state->packlen < 1 + 4 || |
1622 | 1.51M | state->packlen > PACKET_MAX_SIZE) { |
1623 | | #ifdef PACKET_DEBUG |
1624 | | fprintf(stderr, "input: \n"); |
1625 | | sshbuf_dump(state->input, stderr); |
1626 | | fprintf(stderr, "incoming_packet: \n"); |
1627 | | sshbuf_dump(state->incoming_packet, stderr); |
1628 | | #endif |
1629 | 7.95k | logit("Bad packet length %u.", state->packlen); |
1630 | 7.95k | return ssh_packet_start_discard(ssh, enc, mac, 0, |
1631 | 7.95k | PACKET_MAX_SIZE); |
1632 | 7.95k | } |
1633 | 1.50M | if ((r = sshbuf_consume(state->input, block_size)) != 0) |
1634 | 0 | goto out; |
1635 | 1.50M | } |
1636 | 1.50M | DBG(debug("input: packet len %u", state->packlen+4)); |
1637 | | |
1638 | 1.50M | if (aadlen) { |
1639 | | /* only the payload is encrypted */ |
1640 | 149 | need = state->packlen; |
1641 | 1.50M | } else { |
1642 | | /* |
1643 | | * the payload size and the payload are encrypted, but we |
1644 | | * have a partial packet of block_size bytes |
1645 | | */ |
1646 | 1.50M | need = 4 + state->packlen - block_size; |
1647 | 1.50M | } |
1648 | 1.50M | DBG(debug("partial packet: block %d, need %d, maclen %d, authlen %d," |
1649 | 1.50M | " aadlen %d", block_size, need, maclen, authlen, aadlen)); |
1650 | 1.50M | if (need % block_size != 0) { |
1651 | 742 | logit("padding error: need %d block %d mod %d", |
1652 | 742 | need, block_size, need % block_size); |
1653 | 742 | return ssh_packet_start_discard(ssh, enc, mac, 0, |
1654 | 742 | PACKET_MAX_SIZE - block_size); |
1655 | 742 | } |
1656 | | /* |
1657 | | * check if the entire packet has been received and |
1658 | | * decrypt into incoming_packet: |
1659 | | * 'aadlen' bytes are unencrypted, but authenticated. |
1660 | | * 'need' bytes are encrypted, followed by either |
1661 | | * 'authlen' bytes of authentication tag or |
1662 | | * 'maclen' bytes of message authentication code. |
1663 | | */ |
1664 | 1.50M | if (sshbuf_len(state->input) < aadlen + need + authlen + maclen) |
1665 | 3.67k | return 0; /* packet is incomplete */ |
1666 | | #ifdef PACKET_DEBUG |
1667 | | fprintf(stderr, "read_poll enc/full: "); |
1668 | | sshbuf_dump(state->input, stderr); |
1669 | | #endif |
1670 | | /* EtM: check mac over encrypted input */ |
1671 | 1.50M | if (mac && mac->enabled && mac->etm) { |
1672 | 90 | if ((r = mac_check(mac, state->p_read.seqnr, |
1673 | 90 | sshbuf_ptr(state->input), aadlen + need, |
1674 | 90 | sshbuf_ptr(state->input) + aadlen + need + authlen, |
1675 | 90 | maclen)) != 0) { |
1676 | 90 | if (r == SSH_ERR_MAC_INVALID) |
1677 | 90 | logit("Corrupted MAC on input."); |
1678 | 90 | goto out; |
1679 | 90 | } |
1680 | 90 | } |
1681 | 1.50M | if ((r = sshbuf_reserve(state->incoming_packet, aadlen + need, |
1682 | 1.50M | &cp)) != 0) |
1683 | 0 | goto out; |
1684 | 1.50M | if ((r = cipher_crypt(state->receive_context, state->p_read.seqnr, cp, |
1685 | 1.50M | sshbuf_ptr(state->input), need, aadlen, authlen)) != 0) |
1686 | 0 | goto out; |
1687 | 1.50M | if ((r = sshbuf_consume(state->input, aadlen + need + authlen)) != 0) |
1688 | 0 | goto out; |
1689 | 1.50M | if (mac && mac->enabled) { |
1690 | | /* Not EtM: check MAC over cleartext */ |
1691 | 121 | if (!mac->etm && (r = mac_check(mac, state->p_read.seqnr, |
1692 | 121 | sshbuf_ptr(state->incoming_packet), |
1693 | 121 | sshbuf_len(state->incoming_packet), |
1694 | 121 | sshbuf_ptr(state->input), maclen)) != 0) { |
1695 | 121 | if (r != SSH_ERR_MAC_INVALID) |
1696 | 0 | goto out; |
1697 | 121 | logit("Corrupted MAC on input."); |
1698 | 121 | if (need + block_size > PACKET_MAX_SIZE) |
1699 | 0 | return SSH_ERR_INTERNAL_ERROR; |
1700 | 121 | return ssh_packet_start_discard(ssh, enc, mac, |
1701 | 121 | sshbuf_len(state->incoming_packet), |
1702 | 121 | PACKET_MAX_SIZE - need - block_size); |
1703 | 121 | } |
1704 | | /* Remove MAC from input buffer */ |
1705 | 0 | DBG(debug("MAC #%d ok", state->p_read.seqnr)); |
1706 | 0 | if ((r = sshbuf_consume(state->input, mac->mac_len)) != 0) |
1707 | 0 | goto out; |
1708 | 0 | } |
1709 | | |
1710 | 1.50M | if (seqnr_p != NULL) |
1711 | 1.50M | *seqnr_p = state->p_read.seqnr; |
1712 | 1.50M | if (++state->p_read.seqnr == 0) { |
1713 | 0 | if ((ssh->kex->flags & KEX_INITIAL) != 0) { |
1714 | 0 | ssh_packet_disconnect(ssh, "incoming sequence number " |
1715 | 0 | "wrapped during initial key exchange"); |
1716 | 0 | } |
1717 | 0 | logit("incoming seqnr wraps around"); |
1718 | 0 | } |
1719 | 1.50M | if (++state->p_read.packets == 0) |
1720 | 0 | if (!(ssh->compat & SSH_BUG_NOREKEY)) |
1721 | 0 | return SSH_ERR_NEED_REKEY; |
1722 | 1.50M | state->p_read.blocks += (state->packlen + 4) / block_size; |
1723 | 1.50M | state->p_read.bytes += state->packlen + 4; |
1724 | | |
1725 | | /* get padlen */ |
1726 | 1.50M | padlen = sshbuf_ptr(state->incoming_packet)[4]; |
1727 | 1.50M | DBG(debug("input: padlen %d", padlen)); |
1728 | 1.50M | if (padlen < 4) { |
1729 | 252 | if ((r = sshpkt_disconnect(ssh, |
1730 | 252 | "Corrupted padlen %d on input.", padlen)) != 0 || |
1731 | 252 | (r = ssh_packet_write_wait(ssh)) != 0) |
1732 | 252 | return r; |
1733 | 0 | return SSH_ERR_CONN_CORRUPT; |
1734 | 252 | } |
1735 | | |
1736 | | /* skip packet size + padlen, discard padding */ |
1737 | 1.50M | if ((r = sshbuf_consume(state->incoming_packet, 4 + 1)) != 0 || |
1738 | 1.50M | ((r = sshbuf_consume_end(state->incoming_packet, padlen)) != 0)) |
1739 | 79 | goto out; |
1740 | | |
1741 | 1.49M | DBG(debug("input: len before de-compress %zd", |
1742 | 1.49M | sshbuf_len(state->incoming_packet))); |
1743 | 1.49M | if (comp && comp->enabled) { |
1744 | 0 | sshbuf_reset(state->compression_buffer); |
1745 | 0 | if ((r = uncompress_buffer(ssh, state->incoming_packet, |
1746 | 0 | state->compression_buffer)) != 0) |
1747 | 0 | goto out; |
1748 | 0 | sshbuf_reset(state->incoming_packet); |
1749 | 0 | if ((r = sshbuf_putb(state->incoming_packet, |
1750 | 0 | state->compression_buffer)) != 0) |
1751 | 0 | goto out; |
1752 | 0 | DBG(debug("input: len after de-compress %zd", |
1753 | 0 | sshbuf_len(state->incoming_packet))); |
1754 | 0 | } |
1755 | | /* |
1756 | | * get packet type, implies consume. |
1757 | | * return length of payload (without type field) |
1758 | | */ |
1759 | 1.49M | if ((r = sshbuf_get_u8(state->incoming_packet, typep)) != 0) |
1760 | 50 | goto out; |
1761 | 1.49M | if (ssh_packet_log_type(*typep)) |
1762 | 1.49M | debug3("receive packet: type %u", *typep); |
1763 | 1.49M | if (*typep < SSH2_MSG_MIN) { |
1764 | 124 | if ((r = sshpkt_disconnect(ssh, |
1765 | 124 | "Invalid ssh2 packet type: %d", *typep)) != 0 || |
1766 | 124 | (r = ssh_packet_write_wait(ssh)) != 0) |
1767 | 124 | return r; |
1768 | 0 | return SSH_ERR_PROTOCOL_ERROR; |
1769 | 124 | } |
1770 | 1.49M | if (state->hook_in != NULL && |
1771 | 1.49M | (r = state->hook_in(ssh, state->incoming_packet, typep, |
1772 | 0 | state->hook_in_ctx)) != 0) |
1773 | 0 | return r; |
1774 | 1.49M | if (*typep == SSH2_MSG_USERAUTH_SUCCESS && !state->server_side) |
1775 | 273 | r = ssh_packet_enable_delayed_compress(ssh); |
1776 | 1.49M | else |
1777 | 1.49M | r = 0; |
1778 | | #ifdef PACKET_DEBUG |
1779 | | fprintf(stderr, "read/plain[%d]:\r\n", *typep); |
1780 | | sshbuf_dump(state->incoming_packet, stderr); |
1781 | | #endif |
1782 | | /* reset for next packet */ |
1783 | 1.49M | state->packlen = 0; |
1784 | 1.49M | if (*typep == SSH2_MSG_NEWKEYS && ssh->kex->kex_strict) { |
1785 | 0 | debug_f("resetting read seqnr %u", state->p_read.seqnr); |
1786 | 0 | state->p_read.seqnr = 0; |
1787 | 0 | } |
1788 | | |
1789 | 1.49M | if ((r = ssh_packet_check_rekey(ssh)) != 0) |
1790 | 0 | return r; |
1791 | 1.49M | out: |
1792 | 1.49M | return r; |
1793 | 1.49M | } |
1794 | | |
1795 | | int |
1796 | | ssh_packet_read_poll_seqnr(struct ssh *ssh, u_char *typep, u_int32_t *seqnr_p) |
1797 | 0 | { |
1798 | 0 | struct session_state *state = ssh->state; |
1799 | 0 | u_int reason, seqnr; |
1800 | 0 | int r; |
1801 | 0 | u_char *msg; |
1802 | 0 | const u_char *d; |
1803 | 0 | size_t len; |
1804 | |
|
1805 | 0 | for (;;) { |
1806 | 0 | msg = NULL; |
1807 | 0 | r = ssh_packet_read_poll2(ssh, typep, seqnr_p); |
1808 | 0 | if (r != 0) |
1809 | 0 | return r; |
1810 | 0 | if (*typep == 0) { |
1811 | | /* no message ready */ |
1812 | 0 | return 0; |
1813 | 0 | } |
1814 | 0 | state->keep_alive_timeouts = 0; |
1815 | 0 | DBG(debug("received packet type %d", *typep)); |
1816 | | |
1817 | | /* Always process disconnect messages */ |
1818 | 0 | if (*typep == SSH2_MSG_DISCONNECT) { |
1819 | 0 | if ((r = sshpkt_get_u32(ssh, &reason)) != 0 || |
1820 | 0 | (r = sshpkt_get_string(ssh, &msg, NULL)) != 0) |
1821 | 0 | return r; |
1822 | | /* Ignore normal client exit notifications */ |
1823 | 0 | do_log2(ssh->state->server_side && |
1824 | 0 | reason == SSH2_DISCONNECT_BY_APPLICATION ? |
1825 | 0 | SYSLOG_LEVEL_INFO : SYSLOG_LEVEL_ERROR, |
1826 | 0 | "Received disconnect from %s port %d:" |
1827 | 0 | "%u: %.400s", ssh_remote_ipaddr(ssh), |
1828 | 0 | ssh_remote_port(ssh), reason, msg); |
1829 | 0 | free(msg); |
1830 | 0 | return SSH_ERR_DISCONNECTED; |
1831 | 0 | } |
1832 | | |
1833 | | /* |
1834 | | * Do not implicitly handle any messages here during initial |
1835 | | * KEX when in strict mode. They will be need to be allowed |
1836 | | * explicitly by the KEX dispatch table or they will generate |
1837 | | * protocol errors. |
1838 | | */ |
1839 | 0 | if (ssh->kex != NULL && |
1840 | 0 | (ssh->kex->flags & KEX_INITIAL) && ssh->kex->kex_strict) |
1841 | 0 | return 0; |
1842 | | /* Implicitly handle transport-level messages */ |
1843 | 0 | switch (*typep) { |
1844 | 0 | case SSH2_MSG_IGNORE: |
1845 | 0 | debug3("Received SSH2_MSG_IGNORE"); |
1846 | 0 | break; |
1847 | 0 | case SSH2_MSG_DEBUG: |
1848 | 0 | if ((r = sshpkt_get_u8(ssh, NULL)) != 0 || |
1849 | 0 | (r = sshpkt_get_string(ssh, &msg, NULL)) != 0 || |
1850 | 0 | (r = sshpkt_get_string(ssh, NULL, NULL)) != 0) { |
1851 | 0 | free(msg); |
1852 | 0 | return r; |
1853 | 0 | } |
1854 | 0 | debug("Remote: %.900s", msg); |
1855 | 0 | free(msg); |
1856 | 0 | break; |
1857 | 0 | case SSH2_MSG_UNIMPLEMENTED: |
1858 | 0 | if ((r = sshpkt_get_u32(ssh, &seqnr)) != 0) |
1859 | 0 | return r; |
1860 | 0 | debug("Received SSH2_MSG_UNIMPLEMENTED for %u", |
1861 | 0 | seqnr); |
1862 | 0 | break; |
1863 | 0 | case SSH2_MSG_PING: |
1864 | 0 | if ((r = sshpkt_get_string_direct(ssh, &d, &len)) != 0) |
1865 | 0 | return r; |
1866 | 0 | DBG(debug("Received SSH2_MSG_PING len %zu", len)); |
1867 | 0 | if (!ssh->state->after_authentication) { |
1868 | 0 | DBG(debug("Won't reply to PING in preauth")); |
1869 | 0 | break; |
1870 | 0 | } |
1871 | 0 | if (ssh_packet_is_rekeying(ssh)) { |
1872 | 0 | DBG(debug("Won't reply to PING during KEX")); |
1873 | 0 | break; |
1874 | 0 | } |
1875 | 0 | if ((r = sshpkt_start(ssh, SSH2_MSG_PONG)) != 0 || |
1876 | 0 | (r = sshpkt_put_string(ssh, d, len)) != 0 || |
1877 | 0 | (r = sshpkt_send(ssh)) != 0) |
1878 | 0 | return r; |
1879 | 0 | break; |
1880 | 0 | case SSH2_MSG_PONG: |
1881 | 0 | if ((r = sshpkt_get_string_direct(ssh, |
1882 | 0 | NULL, &len)) != 0) |
1883 | 0 | return r; |
1884 | 0 | DBG(debug("Received SSH2_MSG_PONG len %zu", len)); |
1885 | 0 | break; |
1886 | 0 | default: |
1887 | 0 | return 0; |
1888 | 0 | } |
1889 | 0 | } |
1890 | 0 | } |
1891 | | |
1892 | | /* |
1893 | | * Buffers the supplied input data. This is intended to be used together |
1894 | | * with packet_read_poll(). |
1895 | | */ |
1896 | | int |
1897 | | ssh_packet_process_incoming(struct ssh *ssh, const char *buf, u_int len) |
1898 | 0 | { |
1899 | 0 | struct session_state *state = ssh->state; |
1900 | 0 | int r; |
1901 | |
|
1902 | 0 | if (state->packet_discard) { |
1903 | 0 | state->keep_alive_timeouts = 0; /* ?? */ |
1904 | 0 | if (len >= state->packet_discard) { |
1905 | 0 | if ((r = ssh_packet_stop_discard(ssh)) != 0) |
1906 | 0 | return r; |
1907 | 0 | } |
1908 | 0 | state->packet_discard -= len; |
1909 | 0 | return 0; |
1910 | 0 | } |
1911 | 0 | if ((r = sshbuf_put(state->input, buf, len)) != 0) |
1912 | 0 | return r; |
1913 | | |
1914 | 0 | return 0; |
1915 | 0 | } |
1916 | | |
1917 | | /* Reads and buffers data from the specified fd */ |
1918 | | int |
1919 | | ssh_packet_process_read(struct ssh *ssh, int fd) |
1920 | 0 | { |
1921 | 0 | struct session_state *state = ssh->state; |
1922 | 0 | int r; |
1923 | 0 | size_t rlen; |
1924 | |
|
1925 | 0 | if ((r = sshbuf_read(fd, state->input, PACKET_MAX_SIZE, &rlen)) != 0) |
1926 | 0 | return r; |
1927 | | |
1928 | 0 | if (state->packet_discard) { |
1929 | 0 | if ((r = sshbuf_consume_end(state->input, rlen)) != 0) |
1930 | 0 | return r; |
1931 | 0 | state->keep_alive_timeouts = 0; /* ?? */ |
1932 | 0 | if (rlen >= state->packet_discard) { |
1933 | 0 | if ((r = ssh_packet_stop_discard(ssh)) != 0) |
1934 | 0 | return r; |
1935 | 0 | } |
1936 | 0 | state->packet_discard -= rlen; |
1937 | 0 | return 0; |
1938 | 0 | } |
1939 | 0 | return 0; |
1940 | 0 | } |
1941 | | |
1942 | | int |
1943 | | ssh_packet_remaining(struct ssh *ssh) |
1944 | 0 | { |
1945 | 0 | return sshbuf_len(ssh->state->incoming_packet); |
1946 | 0 | } |
1947 | | |
1948 | | /* |
1949 | | * Sends a diagnostic message from the server to the client. This message |
1950 | | * can be sent at any time (but not while constructing another message). The |
1951 | | * message is printed immediately, but only if the client is being executed |
1952 | | * in verbose mode. These messages are primarily intended to ease debugging |
1953 | | * authentication problems. The length of the formatted message must not |
1954 | | * exceed 1024 bytes. This will automatically call ssh_packet_write_wait. |
1955 | | */ |
1956 | | void |
1957 | | ssh_packet_send_debug(struct ssh *ssh, const char *fmt,...) |
1958 | 0 | { |
1959 | 0 | char buf[1024]; |
1960 | 0 | va_list args; |
1961 | 0 | int r; |
1962 | |
|
1963 | 0 | if ((ssh->compat & SSH_BUG_DEBUG)) |
1964 | 0 | return; |
1965 | | |
1966 | 0 | va_start(args, fmt); |
1967 | 0 | vsnprintf(buf, sizeof(buf), fmt, args); |
1968 | 0 | va_end(args); |
1969 | |
|
1970 | 0 | debug3("sending debug message: %s", buf); |
1971 | |
|
1972 | 0 | if ((r = sshpkt_start(ssh, SSH2_MSG_DEBUG)) != 0 || |
1973 | 0 | (r = sshpkt_put_u8(ssh, 0)) != 0 || /* always display */ |
1974 | 0 | (r = sshpkt_put_cstring(ssh, buf)) != 0 || |
1975 | 0 | (r = sshpkt_put_cstring(ssh, "")) != 0 || |
1976 | 0 | (r = sshpkt_send(ssh)) != 0 || |
1977 | 0 | (r = ssh_packet_write_wait(ssh)) != 0) |
1978 | 0 | fatal_fr(r, "send DEBUG"); |
1979 | 0 | } |
1980 | | |
1981 | | void |
1982 | | sshpkt_fmt_connection_id(struct ssh *ssh, char *s, size_t l) |
1983 | 0 | { |
1984 | 0 | snprintf(s, l, "%.200s%s%s port %d", |
1985 | 0 | ssh->log_preamble ? ssh->log_preamble : "", |
1986 | 0 | ssh->log_preamble ? " " : "", |
1987 | 0 | ssh_remote_ipaddr(ssh), ssh_remote_port(ssh)); |
1988 | 0 | } |
1989 | | |
1990 | | /* |
1991 | | * Pretty-print connection-terminating errors and exit. |
1992 | | */ |
1993 | | static void |
1994 | | sshpkt_vfatal(struct ssh *ssh, int r, const char *fmt, va_list ap) |
1995 | 0 | { |
1996 | 0 | char *tag = NULL, remote_id[512]; |
1997 | 0 | int oerrno = errno; |
1998 | |
|
1999 | 0 | sshpkt_fmt_connection_id(ssh, remote_id, sizeof(remote_id)); |
2000 | |
|
2001 | 0 | switch (r) { |
2002 | 0 | case SSH_ERR_CONN_CLOSED: |
2003 | 0 | ssh_packet_clear_keys(ssh); |
2004 | 0 | logdie("Connection closed by %s", remote_id); |
2005 | 0 | case SSH_ERR_CONN_TIMEOUT: |
2006 | 0 | ssh_packet_clear_keys(ssh); |
2007 | 0 | logdie("Connection %s %s timed out", |
2008 | 0 | ssh->state->server_side ? "from" : "to", remote_id); |
2009 | 0 | case SSH_ERR_DISCONNECTED: |
2010 | 0 | ssh_packet_clear_keys(ssh); |
2011 | 0 | logdie("Disconnected from %s", remote_id); |
2012 | 0 | case SSH_ERR_SYSTEM_ERROR: |
2013 | 0 | if (errno == ECONNRESET) { |
2014 | 0 | ssh_packet_clear_keys(ssh); |
2015 | 0 | logdie("Connection reset by %s", remote_id); |
2016 | 0 | } |
2017 | | /* FALLTHROUGH */ |
2018 | 0 | case SSH_ERR_NO_CIPHER_ALG_MATCH: |
2019 | 0 | case SSH_ERR_NO_MAC_ALG_MATCH: |
2020 | 0 | case SSH_ERR_NO_COMPRESS_ALG_MATCH: |
2021 | 0 | case SSH_ERR_NO_KEX_ALG_MATCH: |
2022 | 0 | case SSH_ERR_NO_HOSTKEY_ALG_MATCH: |
2023 | 0 | if (ssh->kex && ssh->kex->failed_choice) { |
2024 | 0 | ssh_packet_clear_keys(ssh); |
2025 | 0 | errno = oerrno; |
2026 | 0 | logdie("Unable to negotiate with %s: %s. " |
2027 | 0 | "Their offer: %s", remote_id, ssh_err(r), |
2028 | 0 | ssh->kex->failed_choice); |
2029 | 0 | } |
2030 | | /* FALLTHROUGH */ |
2031 | 0 | default: |
2032 | 0 | if (vasprintf(&tag, fmt, ap) == -1) { |
2033 | 0 | ssh_packet_clear_keys(ssh); |
2034 | 0 | logdie_f("could not allocate failure message"); |
2035 | 0 | } |
2036 | 0 | ssh_packet_clear_keys(ssh); |
2037 | 0 | errno = oerrno; |
2038 | 0 | logdie_r(r, "%s%sConnection %s %s", |
2039 | 0 | tag != NULL ? tag : "", tag != NULL ? ": " : "", |
2040 | 0 | ssh->state->server_side ? "from" : "to", remote_id); |
2041 | 0 | } |
2042 | 0 | } |
2043 | | |
2044 | | void |
2045 | | sshpkt_fatal(struct ssh *ssh, int r, const char *fmt, ...) |
2046 | 0 | { |
2047 | 0 | va_list ap; |
2048 | |
|
2049 | 0 | va_start(ap, fmt); |
2050 | 0 | sshpkt_vfatal(ssh, r, fmt, ap); |
2051 | | /* NOTREACHED */ |
2052 | 0 | va_end(ap); |
2053 | 0 | logdie_f("should have exited"); |
2054 | 0 | } |
2055 | | |
2056 | | /* |
2057 | | * Logs the error plus constructs and sends a disconnect packet, closes the |
2058 | | * connection, and exits. This function never returns. The error message |
2059 | | * should not contain a newline. The length of the formatted message must |
2060 | | * not exceed 1024 bytes. |
2061 | | */ |
2062 | | void |
2063 | | ssh_packet_disconnect(struct ssh *ssh, const char *fmt,...) |
2064 | 0 | { |
2065 | 0 | char buf[1024], remote_id[512]; |
2066 | 0 | va_list args; |
2067 | 0 | static int disconnecting = 0; |
2068 | 0 | int r; |
2069 | |
|
2070 | 0 | if (disconnecting) /* Guard against recursive invocations. */ |
2071 | 0 | fatal("packet_disconnect called recursively."); |
2072 | 0 | disconnecting = 1; |
2073 | | |
2074 | | /* |
2075 | | * Format the message. Note that the caller must make sure the |
2076 | | * message is of limited size. |
2077 | | */ |
2078 | 0 | sshpkt_fmt_connection_id(ssh, remote_id, sizeof(remote_id)); |
2079 | 0 | va_start(args, fmt); |
2080 | 0 | vsnprintf(buf, sizeof(buf), fmt, args); |
2081 | 0 | va_end(args); |
2082 | | |
2083 | | /* Display the error locally */ |
2084 | 0 | logit("Disconnecting %s: %.100s", remote_id, buf); |
2085 | | |
2086 | | /* |
2087 | | * Send the disconnect message to the other side, and wait |
2088 | | * for it to get sent. |
2089 | | */ |
2090 | 0 | if ((r = sshpkt_disconnect(ssh, "%s", buf)) != 0) |
2091 | 0 | sshpkt_fatal(ssh, r, "%s", __func__); |
2092 | | |
2093 | 0 | if ((r = ssh_packet_write_wait(ssh)) != 0) |
2094 | 0 | sshpkt_fatal(ssh, r, "%s", __func__); |
2095 | | |
2096 | | /* Close the connection. */ |
2097 | 0 | ssh_packet_close(ssh); |
2098 | 0 | cleanup_exit(255); |
2099 | 0 | } |
2100 | | |
2101 | | /* |
2102 | | * Checks if there is any buffered output, and tries to write some of |
2103 | | * the output. |
2104 | | */ |
2105 | | int |
2106 | | ssh_packet_write_poll(struct ssh *ssh) |
2107 | 376 | { |
2108 | 376 | struct session_state *state = ssh->state; |
2109 | 376 | int len = sshbuf_len(state->output); |
2110 | 376 | int r; |
2111 | | |
2112 | 376 | if (len > 0) { |
2113 | 376 | len = write(state->connection_out, |
2114 | 376 | sshbuf_ptr(state->output), len); |
2115 | 376 | if (len == -1) { |
2116 | 376 | if (errno == EINTR || errno == EAGAIN || |
2117 | 376 | errno == EWOULDBLOCK) |
2118 | 0 | return 0; |
2119 | 376 | return SSH_ERR_SYSTEM_ERROR; |
2120 | 376 | } |
2121 | 0 | if (len == 0) |
2122 | 0 | return SSH_ERR_CONN_CLOSED; |
2123 | 0 | if ((r = sshbuf_consume(state->output, len)) != 0) |
2124 | 0 | return r; |
2125 | 0 | } |
2126 | 0 | return 0; |
2127 | 376 | } |
2128 | | |
2129 | | /* |
2130 | | * Calls packet_write_poll repeatedly until all pending output data has been |
2131 | | * written. |
2132 | | */ |
2133 | | int |
2134 | | ssh_packet_write_wait(struct ssh *ssh) |
2135 | 376 | { |
2136 | 376 | int ret, r, ms_remain = 0; |
2137 | 376 | struct timeval start; |
2138 | 376 | struct timespec timespec, *timespecp = NULL; |
2139 | 376 | struct session_state *state = ssh->state; |
2140 | 376 | struct pollfd pfd; |
2141 | | |
2142 | 376 | if ((r = ssh_packet_write_poll(ssh)) != 0) |
2143 | 376 | return r; |
2144 | 0 | while (ssh_packet_have_data_to_write(ssh)) { |
2145 | 0 | pfd.fd = state->connection_out; |
2146 | 0 | pfd.events = POLLOUT; |
2147 | |
|
2148 | 0 | if (state->packet_timeout_ms > 0) { |
2149 | 0 | ms_remain = state->packet_timeout_ms; |
2150 | 0 | timespecp = ×pec; |
2151 | 0 | } |
2152 | 0 | for (;;) { |
2153 | 0 | if (state->packet_timeout_ms > 0) { |
2154 | 0 | ms_to_timespec(×pec, ms_remain); |
2155 | 0 | monotime_tv(&start); |
2156 | 0 | } |
2157 | 0 | if ((ret = ppoll(&pfd, 1, timespecp, NULL)) >= 0) |
2158 | 0 | break; |
2159 | 0 | if (errno != EAGAIN && errno != EINTR && |
2160 | 0 | errno != EWOULDBLOCK) |
2161 | 0 | break; |
2162 | 0 | if (state->packet_timeout_ms <= 0) |
2163 | 0 | continue; |
2164 | 0 | ms_subtract_diff(&start, &ms_remain); |
2165 | 0 | if (ms_remain <= 0) { |
2166 | 0 | ret = 0; |
2167 | 0 | break; |
2168 | 0 | } |
2169 | 0 | } |
2170 | 0 | if (ret == 0) |
2171 | 0 | return SSH_ERR_CONN_TIMEOUT; |
2172 | 0 | if ((r = ssh_packet_write_poll(ssh)) != 0) |
2173 | 0 | return r; |
2174 | 0 | } |
2175 | 0 | return 0; |
2176 | 0 | } |
2177 | | |
2178 | | /* Returns true if there is buffered data to write to the connection. */ |
2179 | | |
2180 | | int |
2181 | | ssh_packet_have_data_to_write(struct ssh *ssh) |
2182 | 0 | { |
2183 | 0 | return sshbuf_len(ssh->state->output) != 0; |
2184 | 0 | } |
2185 | | |
2186 | | /* Returns true if there is not too much data to write to the connection. */ |
2187 | | |
2188 | | int |
2189 | | ssh_packet_not_very_much_data_to_write(struct ssh *ssh) |
2190 | 0 | { |
2191 | 0 | if (ssh->state->interactive_mode) |
2192 | 0 | return sshbuf_len(ssh->state->output) < 16384; |
2193 | 0 | else |
2194 | 0 | return sshbuf_len(ssh->state->output) < 128 * 1024; |
2195 | 0 | } |
2196 | | |
2197 | | /* |
2198 | | * returns true when there are at most a few keystrokes of data to write |
2199 | | * and the connection is in interactive mode. |
2200 | | */ |
2201 | | |
2202 | | int |
2203 | | ssh_packet_interactive_data_to_write(struct ssh *ssh) |
2204 | 0 | { |
2205 | 0 | return ssh->state->interactive_mode && |
2206 | 0 | sshbuf_len(ssh->state->output) < 256; |
2207 | 0 | } |
2208 | | |
2209 | | void |
2210 | | ssh_packet_set_tos(struct ssh *ssh, int tos) |
2211 | 0 | { |
2212 | 0 | if (!ssh_packet_connection_is_on_socket(ssh) || tos == INT_MAX) |
2213 | 0 | return; |
2214 | 0 | set_sock_tos(ssh->state->connection_in, tos); |
2215 | 0 | } |
2216 | | |
2217 | | /* Informs that the current session is interactive. Sets IP flags for that. */ |
2218 | | |
2219 | | void |
2220 | | ssh_packet_set_interactive(struct ssh *ssh, int interactive, int qos_interactive, int qos_bulk) |
2221 | 0 | { |
2222 | 0 | struct session_state *state = ssh->state; |
2223 | |
|
2224 | 0 | if (state->set_interactive_called) |
2225 | 0 | return; |
2226 | 0 | state->set_interactive_called = 1; |
2227 | | |
2228 | | /* Record that we are in interactive mode. */ |
2229 | 0 | state->interactive_mode = interactive; |
2230 | | |
2231 | | /* Only set socket options if using a socket. */ |
2232 | 0 | if (!ssh_packet_connection_is_on_socket(ssh)) |
2233 | 0 | return; |
2234 | 0 | set_nodelay(state->connection_in); |
2235 | 0 | ssh_packet_set_tos(ssh, interactive ? qos_interactive : qos_bulk); |
2236 | 0 | } |
2237 | | |
2238 | | /* Returns true if the current connection is interactive. */ |
2239 | | |
2240 | | int |
2241 | | ssh_packet_is_interactive(struct ssh *ssh) |
2242 | 0 | { |
2243 | 0 | return ssh->state->interactive_mode; |
2244 | 0 | } |
2245 | | |
2246 | | int |
2247 | | ssh_packet_set_maxsize(struct ssh *ssh, u_int s) |
2248 | 0 | { |
2249 | 0 | struct session_state *state = ssh->state; |
2250 | |
|
2251 | 0 | if (state->set_maxsize_called) { |
2252 | 0 | logit_f("called twice: old %d new %d", |
2253 | 0 | state->max_packet_size, s); |
2254 | 0 | return -1; |
2255 | 0 | } |
2256 | 0 | if (s < 4 * 1024 || s > 1024 * 1024) { |
2257 | 0 | logit_f("bad size %d", s); |
2258 | 0 | return -1; |
2259 | 0 | } |
2260 | 0 | state->set_maxsize_called = 1; |
2261 | 0 | debug_f("setting to %d", s); |
2262 | 0 | state->max_packet_size = s; |
2263 | 0 | return s; |
2264 | 0 | } |
2265 | | |
2266 | | int |
2267 | | ssh_packet_inc_alive_timeouts(struct ssh *ssh) |
2268 | 0 | { |
2269 | 0 | return ++ssh->state->keep_alive_timeouts; |
2270 | 0 | } |
2271 | | |
2272 | | void |
2273 | | ssh_packet_set_alive_timeouts(struct ssh *ssh, int ka) |
2274 | 0 | { |
2275 | 0 | ssh->state->keep_alive_timeouts = ka; |
2276 | 0 | } |
2277 | | |
2278 | | u_int |
2279 | | ssh_packet_get_maxsize(struct ssh *ssh) |
2280 | 0 | { |
2281 | 0 | return ssh->state->max_packet_size; |
2282 | 0 | } |
2283 | | |
2284 | | void |
2285 | | ssh_packet_set_rekey_limits(struct ssh *ssh, u_int64_t bytes, u_int32_t seconds) |
2286 | 0 | { |
2287 | 0 | debug3("rekey after %llu bytes, %u seconds", (unsigned long long)bytes, |
2288 | 0 | (unsigned int)seconds); |
2289 | 0 | ssh->state->rekey_limit = bytes; |
2290 | 0 | ssh->state->rekey_interval = seconds; |
2291 | 0 | } |
2292 | | |
2293 | | time_t |
2294 | | ssh_packet_get_rekey_timeout(struct ssh *ssh) |
2295 | 0 | { |
2296 | 0 | time_t seconds; |
2297 | |
|
2298 | 0 | seconds = ssh->state->rekey_time + ssh->state->rekey_interval - |
2299 | 0 | monotime(); |
2300 | 0 | return (seconds <= 0 ? 1 : seconds); |
2301 | 0 | } |
2302 | | |
2303 | | void |
2304 | | ssh_packet_set_server(struct ssh *ssh) |
2305 | 89.6k | { |
2306 | 89.6k | ssh->state->server_side = 1; |
2307 | 89.6k | ssh->kex->server = 1; /* XXX unify? */ |
2308 | 89.6k | } |
2309 | | |
2310 | | void |
2311 | | ssh_packet_set_authenticated(struct ssh *ssh) |
2312 | 0 | { |
2313 | 0 | ssh->state->after_authentication = 1; |
2314 | 0 | } |
2315 | | |
2316 | | void * |
2317 | | ssh_packet_get_input(struct ssh *ssh) |
2318 | 357k | { |
2319 | 357k | return (void *)ssh->state->input; |
2320 | 357k | } |
2321 | | |
2322 | | void * |
2323 | | ssh_packet_get_output(struct ssh *ssh) |
2324 | 475k | { |
2325 | 475k | return (void *)ssh->state->output; |
2326 | 475k | } |
2327 | | |
2328 | | /* Reset after_authentication and reset compression in post-auth privsep */ |
2329 | | static int |
2330 | | ssh_packet_set_postauth(struct ssh *ssh) |
2331 | 0 | { |
2332 | 0 | int r; |
2333 | |
|
2334 | 0 | debug_f("called"); |
2335 | | /* This was set in net child, but is not visible in user child */ |
2336 | 0 | ssh->state->after_authentication = 1; |
2337 | 0 | ssh->state->rekeying = 0; |
2338 | 0 | if ((r = ssh_packet_enable_delayed_compress(ssh)) != 0) |
2339 | 0 | return r; |
2340 | 0 | return 0; |
2341 | 0 | } |
2342 | | |
2343 | | /* Packet state (de-)serialization for privsep */ |
2344 | | |
2345 | | /* turn kex into a blob for packet state serialization */ |
2346 | | static int |
2347 | | kex_to_blob(struct sshbuf *m, struct kex *kex) |
2348 | 0 | { |
2349 | 0 | int r; |
2350 | |
|
2351 | 0 | if ((r = sshbuf_put_u32(m, kex->we_need)) != 0 || |
2352 | 0 | (r = sshbuf_put_cstring(m, kex->hostkey_alg)) != 0 || |
2353 | 0 | (r = sshbuf_put_u32(m, kex->hostkey_type)) != 0 || |
2354 | 0 | (r = sshbuf_put_u32(m, kex->hostkey_nid)) != 0 || |
2355 | 0 | (r = sshbuf_put_u32(m, kex->kex_type)) != 0 || |
2356 | 0 | (r = sshbuf_put_u32(m, kex->kex_strict)) != 0 || |
2357 | 0 | (r = sshbuf_put_stringb(m, kex->my)) != 0 || |
2358 | 0 | (r = sshbuf_put_stringb(m, kex->peer)) != 0 || |
2359 | 0 | (r = sshbuf_put_stringb(m, kex->client_version)) != 0 || |
2360 | 0 | (r = sshbuf_put_stringb(m, kex->server_version)) != 0 || |
2361 | 0 | (r = sshbuf_put_stringb(m, kex->session_id)) != 0 || |
2362 | 0 | (r = sshbuf_put_u32(m, kex->flags)) != 0) |
2363 | 0 | return r; |
2364 | 0 | return 0; |
2365 | 0 | } |
2366 | | |
2367 | | /* turn key exchange results into a blob for packet state serialization */ |
2368 | | static int |
2369 | | newkeys_to_blob(struct sshbuf *m, struct ssh *ssh, int mode) |
2370 | 0 | { |
2371 | 0 | struct sshbuf *b; |
2372 | 0 | struct sshcipher_ctx *cc; |
2373 | 0 | struct sshcomp *comp; |
2374 | 0 | struct sshenc *enc; |
2375 | 0 | struct sshmac *mac; |
2376 | 0 | struct newkeys *newkey; |
2377 | 0 | int r; |
2378 | |
|
2379 | 0 | if ((newkey = ssh->state->newkeys[mode]) == NULL) |
2380 | 0 | return SSH_ERR_INTERNAL_ERROR; |
2381 | 0 | enc = &newkey->enc; |
2382 | 0 | mac = &newkey->mac; |
2383 | 0 | comp = &newkey->comp; |
2384 | 0 | cc = (mode == MODE_OUT) ? ssh->state->send_context : |
2385 | 0 | ssh->state->receive_context; |
2386 | 0 | if ((r = cipher_get_keyiv(cc, enc->iv, enc->iv_len)) != 0) |
2387 | 0 | return r; |
2388 | 0 | if ((b = sshbuf_new()) == NULL) |
2389 | 0 | return SSH_ERR_ALLOC_FAIL; |
2390 | 0 | if ((r = sshbuf_put_cstring(b, enc->name)) != 0 || |
2391 | 0 | (r = sshbuf_put_u32(b, enc->enabled)) != 0 || |
2392 | 0 | (r = sshbuf_put_u32(b, enc->block_size)) != 0 || |
2393 | 0 | (r = sshbuf_put_string(b, enc->key, enc->key_len)) != 0 || |
2394 | 0 | (r = sshbuf_put_string(b, enc->iv, enc->iv_len)) != 0) |
2395 | 0 | goto out; |
2396 | 0 | if (cipher_authlen(enc->cipher) == 0) { |
2397 | 0 | if ((r = sshbuf_put_cstring(b, mac->name)) != 0 || |
2398 | 0 | (r = sshbuf_put_u32(b, mac->enabled)) != 0 || |
2399 | 0 | (r = sshbuf_put_string(b, mac->key, mac->key_len)) != 0) |
2400 | 0 | goto out; |
2401 | 0 | } |
2402 | 0 | if ((r = sshbuf_put_u32(b, comp->type)) != 0 || |
2403 | 0 | (r = sshbuf_put_cstring(b, comp->name)) != 0) |
2404 | 0 | goto out; |
2405 | 0 | r = sshbuf_put_stringb(m, b); |
2406 | 0 | out: |
2407 | 0 | sshbuf_free(b); |
2408 | 0 | return r; |
2409 | 0 | } |
2410 | | |
2411 | | /* serialize packet state into a blob */ |
2412 | | int |
2413 | | ssh_packet_get_state(struct ssh *ssh, struct sshbuf *m) |
2414 | 0 | { |
2415 | 0 | struct session_state *state = ssh->state; |
2416 | 0 | int r; |
2417 | |
|
2418 | 0 | if ((r = kex_to_blob(m, ssh->kex)) != 0 || |
2419 | 0 | (r = newkeys_to_blob(m, ssh, MODE_OUT)) != 0 || |
2420 | 0 | (r = newkeys_to_blob(m, ssh, MODE_IN)) != 0 || |
2421 | 0 | (r = sshbuf_put_u64(m, state->rekey_limit)) != 0 || |
2422 | 0 | (r = sshbuf_put_u32(m, state->rekey_interval)) != 0 || |
2423 | 0 | (r = sshbuf_put_u32(m, state->p_send.seqnr)) != 0 || |
2424 | 0 | (r = sshbuf_put_u64(m, state->p_send.blocks)) != 0 || |
2425 | 0 | (r = sshbuf_put_u32(m, state->p_send.packets)) != 0 || |
2426 | 0 | (r = sshbuf_put_u64(m, state->p_send.bytes)) != 0 || |
2427 | 0 | (r = sshbuf_put_u32(m, state->p_read.seqnr)) != 0 || |
2428 | 0 | (r = sshbuf_put_u64(m, state->p_read.blocks)) != 0 || |
2429 | 0 | (r = sshbuf_put_u32(m, state->p_read.packets)) != 0 || |
2430 | 0 | (r = sshbuf_put_u64(m, state->p_read.bytes)) != 0 || |
2431 | 0 | (r = sshbuf_put_stringb(m, state->input)) != 0 || |
2432 | 0 | (r = sshbuf_put_stringb(m, state->output)) != 0) |
2433 | 0 | return r; |
2434 | | |
2435 | 0 | return 0; |
2436 | 0 | } |
2437 | | |
2438 | | /* restore key exchange results from blob for packet state de-serialization */ |
2439 | | static int |
2440 | | newkeys_from_blob(struct sshbuf *m, struct ssh *ssh, int mode) |
2441 | 0 | { |
2442 | 0 | struct sshbuf *b = NULL; |
2443 | 0 | struct sshcomp *comp; |
2444 | 0 | struct sshenc *enc; |
2445 | 0 | struct sshmac *mac; |
2446 | 0 | struct newkeys *newkey = NULL; |
2447 | 0 | size_t keylen, ivlen, maclen; |
2448 | 0 | int r; |
2449 | |
|
2450 | 0 | if ((newkey = calloc(1, sizeof(*newkey))) == NULL) { |
2451 | 0 | r = SSH_ERR_ALLOC_FAIL; |
2452 | 0 | goto out; |
2453 | 0 | } |
2454 | 0 | if ((r = sshbuf_froms(m, &b)) != 0) |
2455 | 0 | goto out; |
2456 | | #ifdef DEBUG_PK |
2457 | | sshbuf_dump(b, stderr); |
2458 | | #endif |
2459 | 0 | enc = &newkey->enc; |
2460 | 0 | mac = &newkey->mac; |
2461 | 0 | comp = &newkey->comp; |
2462 | |
|
2463 | 0 | if ((r = sshbuf_get_cstring(b, &enc->name, NULL)) != 0 || |
2464 | 0 | (r = sshbuf_get_u32(b, (u_int *)&enc->enabled)) != 0 || |
2465 | 0 | (r = sshbuf_get_u32(b, &enc->block_size)) != 0 || |
2466 | 0 | (r = sshbuf_get_string(b, &enc->key, &keylen)) != 0 || |
2467 | 0 | (r = sshbuf_get_string(b, &enc->iv, &ivlen)) != 0) |
2468 | 0 | goto out; |
2469 | 0 | if ((enc->cipher = cipher_by_name(enc->name)) == NULL) { |
2470 | 0 | r = SSH_ERR_INVALID_FORMAT; |
2471 | 0 | goto out; |
2472 | 0 | } |
2473 | 0 | if (cipher_authlen(enc->cipher) == 0) { |
2474 | 0 | if ((r = sshbuf_get_cstring(b, &mac->name, NULL)) != 0) |
2475 | 0 | goto out; |
2476 | 0 | if ((r = mac_setup(mac, mac->name)) != 0) |
2477 | 0 | goto out; |
2478 | 0 | if ((r = sshbuf_get_u32(b, (u_int *)&mac->enabled)) != 0 || |
2479 | 0 | (r = sshbuf_get_string(b, &mac->key, &maclen)) != 0) |
2480 | 0 | goto out; |
2481 | 0 | if (maclen > mac->key_len) { |
2482 | 0 | r = SSH_ERR_INVALID_FORMAT; |
2483 | 0 | goto out; |
2484 | 0 | } |
2485 | 0 | mac->key_len = maclen; |
2486 | 0 | } |
2487 | 0 | if ((r = sshbuf_get_u32(b, &comp->type)) != 0 || |
2488 | 0 | (r = sshbuf_get_cstring(b, &comp->name, NULL)) != 0) |
2489 | 0 | goto out; |
2490 | 0 | if (sshbuf_len(b) != 0) { |
2491 | 0 | r = SSH_ERR_INVALID_FORMAT; |
2492 | 0 | goto out; |
2493 | 0 | } |
2494 | 0 | enc->key_len = keylen; |
2495 | 0 | enc->iv_len = ivlen; |
2496 | 0 | ssh->kex->newkeys[mode] = newkey; |
2497 | 0 | newkey = NULL; |
2498 | 0 | r = 0; |
2499 | 0 | out: |
2500 | 0 | free(newkey); |
2501 | 0 | sshbuf_free(b); |
2502 | 0 | return r; |
2503 | 0 | } |
2504 | | |
2505 | | /* restore kex from blob for packet state de-serialization */ |
2506 | | static int |
2507 | | kex_from_blob(struct sshbuf *m, struct kex **kexp) |
2508 | 0 | { |
2509 | 0 | struct kex *kex; |
2510 | 0 | int r; |
2511 | |
|
2512 | 0 | if ((kex = kex_new()) == NULL) |
2513 | 0 | return SSH_ERR_ALLOC_FAIL; |
2514 | 0 | if ((r = sshbuf_get_u32(m, &kex->we_need)) != 0 || |
2515 | 0 | (r = sshbuf_get_cstring(m, &kex->hostkey_alg, NULL)) != 0 || |
2516 | 0 | (r = sshbuf_get_u32(m, (u_int *)&kex->hostkey_type)) != 0 || |
2517 | 0 | (r = sshbuf_get_u32(m, (u_int *)&kex->hostkey_nid)) != 0 || |
2518 | 0 | (r = sshbuf_get_u32(m, &kex->kex_type)) != 0 || |
2519 | 0 | (r = sshbuf_get_u32(m, &kex->kex_strict)) != 0 || |
2520 | 0 | (r = sshbuf_get_stringb(m, kex->my)) != 0 || |
2521 | 0 | (r = sshbuf_get_stringb(m, kex->peer)) != 0 || |
2522 | 0 | (r = sshbuf_get_stringb(m, kex->client_version)) != 0 || |
2523 | 0 | (r = sshbuf_get_stringb(m, kex->server_version)) != 0 || |
2524 | 0 | (r = sshbuf_get_stringb(m, kex->session_id)) != 0 || |
2525 | 0 | (r = sshbuf_get_u32(m, &kex->flags)) != 0) |
2526 | 0 | goto out; |
2527 | 0 | kex->server = 1; |
2528 | 0 | kex->done = 1; |
2529 | 0 | r = 0; |
2530 | 0 | out: |
2531 | 0 | if (r != 0 || kexp == NULL) { |
2532 | 0 | kex_free(kex); |
2533 | 0 | if (kexp != NULL) |
2534 | 0 | *kexp = NULL; |
2535 | 0 | } else { |
2536 | 0 | kex_free(*kexp); |
2537 | 0 | *kexp = kex; |
2538 | 0 | } |
2539 | 0 | return r; |
2540 | 0 | } |
2541 | | |
2542 | | /* |
2543 | | * Restore packet state from content of blob 'm' (de-serialization). |
2544 | | * Note that 'm' will be partially consumed on parsing or any other errors. |
2545 | | */ |
2546 | | int |
2547 | | ssh_packet_set_state(struct ssh *ssh, struct sshbuf *m) |
2548 | 0 | { |
2549 | 0 | struct session_state *state = ssh->state; |
2550 | 0 | const u_char *input, *output; |
2551 | 0 | size_t ilen, olen; |
2552 | 0 | int r; |
2553 | |
|
2554 | 0 | if ((r = kex_from_blob(m, &ssh->kex)) != 0 || |
2555 | 0 | (r = newkeys_from_blob(m, ssh, MODE_OUT)) != 0 || |
2556 | 0 | (r = newkeys_from_blob(m, ssh, MODE_IN)) != 0 || |
2557 | 0 | (r = sshbuf_get_u64(m, &state->rekey_limit)) != 0 || |
2558 | 0 | (r = sshbuf_get_u32(m, &state->rekey_interval)) != 0 || |
2559 | 0 | (r = sshbuf_get_u32(m, &state->p_send.seqnr)) != 0 || |
2560 | 0 | (r = sshbuf_get_u64(m, &state->p_send.blocks)) != 0 || |
2561 | 0 | (r = sshbuf_get_u32(m, &state->p_send.packets)) != 0 || |
2562 | 0 | (r = sshbuf_get_u64(m, &state->p_send.bytes)) != 0 || |
2563 | 0 | (r = sshbuf_get_u32(m, &state->p_read.seqnr)) != 0 || |
2564 | 0 | (r = sshbuf_get_u64(m, &state->p_read.blocks)) != 0 || |
2565 | 0 | (r = sshbuf_get_u32(m, &state->p_read.packets)) != 0 || |
2566 | 0 | (r = sshbuf_get_u64(m, &state->p_read.bytes)) != 0) |
2567 | 0 | return r; |
2568 | | /* |
2569 | | * We set the time here so that in post-auth privsep child we |
2570 | | * count from the completion of the authentication. |
2571 | | */ |
2572 | 0 | state->rekey_time = monotime(); |
2573 | | /* XXX ssh_set_newkeys overrides p_read.packets? XXX */ |
2574 | 0 | if ((r = ssh_set_newkeys(ssh, MODE_IN)) != 0 || |
2575 | 0 | (r = ssh_set_newkeys(ssh, MODE_OUT)) != 0) |
2576 | 0 | return r; |
2577 | | |
2578 | 0 | if ((r = ssh_packet_set_postauth(ssh)) != 0) |
2579 | 0 | return r; |
2580 | | |
2581 | 0 | sshbuf_reset(state->input); |
2582 | 0 | sshbuf_reset(state->output); |
2583 | 0 | if ((r = sshbuf_get_string_direct(m, &input, &ilen)) != 0 || |
2584 | 0 | (r = sshbuf_get_string_direct(m, &output, &olen)) != 0 || |
2585 | 0 | (r = sshbuf_put(state->input, input, ilen)) != 0 || |
2586 | 0 | (r = sshbuf_put(state->output, output, olen)) != 0) |
2587 | 0 | return r; |
2588 | | |
2589 | 0 | if (sshbuf_len(m)) |
2590 | 0 | return SSH_ERR_INVALID_FORMAT; |
2591 | 0 | debug3_f("done"); |
2592 | 0 | return 0; |
2593 | 0 | } |
2594 | | |
2595 | | /* NEW API */ |
2596 | | |
2597 | | /* put data to the outgoing packet */ |
2598 | | |
2599 | | int |
2600 | | sshpkt_put(struct ssh *ssh, const void *v, size_t len) |
2601 | 0 | { |
2602 | 0 | return sshbuf_put(ssh->state->outgoing_packet, v, len); |
2603 | 0 | } |
2604 | | |
2605 | | int |
2606 | | sshpkt_putb(struct ssh *ssh, const struct sshbuf *b) |
2607 | 87.6k | { |
2608 | 87.6k | return sshbuf_putb(ssh->state->outgoing_packet, b); |
2609 | 87.6k | } |
2610 | | |
2611 | | int |
2612 | | sshpkt_put_u8(struct ssh *ssh, u_char val) |
2613 | 0 | { |
2614 | 0 | return sshbuf_put_u8(ssh->state->outgoing_packet, val); |
2615 | 0 | } |
2616 | | |
2617 | | int |
2618 | | sshpkt_put_u32(struct ssh *ssh, u_int32_t val) |
2619 | 1.42M | { |
2620 | 1.42M | return sshbuf_put_u32(ssh->state->outgoing_packet, val); |
2621 | 1.42M | } |
2622 | | |
2623 | | int |
2624 | | sshpkt_put_u64(struct ssh *ssh, u_int64_t val) |
2625 | 0 | { |
2626 | 0 | return sshbuf_put_u64(ssh->state->outgoing_packet, val); |
2627 | 0 | } |
2628 | | |
2629 | | int |
2630 | | sshpkt_put_string(struct ssh *ssh, const void *v, size_t len) |
2631 | 744 | { |
2632 | 744 | return sshbuf_put_string(ssh->state->outgoing_packet, v, len); |
2633 | 744 | } |
2634 | | |
2635 | | int |
2636 | | sshpkt_put_cstring(struct ssh *ssh, const void *v) |
2637 | 18.4k | { |
2638 | 18.4k | return sshbuf_put_cstring(ssh->state->outgoing_packet, v); |
2639 | 18.4k | } |
2640 | | |
2641 | | int |
2642 | | sshpkt_put_stringb(struct ssh *ssh, const struct sshbuf *v) |
2643 | 6.32k | { |
2644 | 6.32k | return sshbuf_put_stringb(ssh->state->outgoing_packet, v); |
2645 | 6.32k | } |
2646 | | |
2647 | | #ifdef WITH_OPENSSL |
2648 | | #ifdef OPENSSL_HAS_ECC |
2649 | | int |
2650 | | sshpkt_put_ec(struct ssh *ssh, const EC_POINT *v, const EC_GROUP *g) |
2651 | 0 | { |
2652 | 0 | return sshbuf_put_ec(ssh->state->outgoing_packet, v, g); |
2653 | 0 | } |
2654 | | |
2655 | | int |
2656 | | sshpkt_put_ec_pkey(struct ssh *ssh, EVP_PKEY *pkey) |
2657 | 0 | { |
2658 | 0 | return sshbuf_put_ec_pkey(ssh->state->outgoing_packet, pkey); |
2659 | 0 | } |
2660 | | #endif /* OPENSSL_HAS_ECC */ |
2661 | | |
2662 | | int |
2663 | | sshpkt_put_bignum2(struct ssh *ssh, const BIGNUM *v) |
2664 | 460 | { |
2665 | 460 | return sshbuf_put_bignum2(ssh->state->outgoing_packet, v); |
2666 | 460 | } |
2667 | | #endif /* WITH_OPENSSL */ |
2668 | | |
2669 | | /* fetch data from the incoming packet */ |
2670 | | |
2671 | | int |
2672 | | sshpkt_get(struct ssh *ssh, void *valp, size_t len) |
2673 | 0 | { |
2674 | 0 | return sshbuf_get(ssh->state->incoming_packet, valp, len); |
2675 | 0 | } |
2676 | | |
2677 | | int |
2678 | | sshpkt_get_u8(struct ssh *ssh, u_char *valp) |
2679 | 1.32M | { |
2680 | 1.32M | return sshbuf_get_u8(ssh->state->incoming_packet, valp); |
2681 | 1.32M | } |
2682 | | |
2683 | | int |
2684 | | sshpkt_get_u32(struct ssh *ssh, u_int32_t *valp) |
2685 | 76.5k | { |
2686 | 76.5k | return sshbuf_get_u32(ssh->state->incoming_packet, valp); |
2687 | 76.5k | } |
2688 | | |
2689 | | int |
2690 | | sshpkt_get_u64(struct ssh *ssh, u_int64_t *valp) |
2691 | 0 | { |
2692 | 0 | return sshbuf_get_u64(ssh->state->incoming_packet, valp); |
2693 | 0 | } |
2694 | | |
2695 | | int |
2696 | | sshpkt_get_string(struct ssh *ssh, u_char **valp, size_t *lenp) |
2697 | 761k | { |
2698 | 761k | return sshbuf_get_string(ssh->state->incoming_packet, valp, lenp); |
2699 | 761k | } |
2700 | | |
2701 | | int |
2702 | | sshpkt_get_string_direct(struct ssh *ssh, const u_char **valp, size_t *lenp) |
2703 | 0 | { |
2704 | 0 | return sshbuf_get_string_direct(ssh->state->incoming_packet, valp, lenp); |
2705 | 0 | } |
2706 | | |
2707 | | int |
2708 | | sshpkt_peek_string_direct(struct ssh *ssh, const u_char **valp, size_t *lenp) |
2709 | 0 | { |
2710 | 0 | return sshbuf_peek_string_direct(ssh->state->incoming_packet, valp, lenp); |
2711 | 0 | } |
2712 | | |
2713 | | int |
2714 | | sshpkt_get_cstring(struct ssh *ssh, char **valp, size_t *lenp) |
2715 | 0 | { |
2716 | 0 | return sshbuf_get_cstring(ssh->state->incoming_packet, valp, lenp); |
2717 | 0 | } |
2718 | | |
2719 | | int |
2720 | | sshpkt_getb_froms(struct ssh *ssh, struct sshbuf **valp) |
2721 | 2.35k | { |
2722 | 2.35k | return sshbuf_froms(ssh->state->incoming_packet, valp); |
2723 | 2.35k | } |
2724 | | |
2725 | | #ifdef WITH_OPENSSL |
2726 | | #ifdef OPENSSL_HAS_ECC |
2727 | | int |
2728 | | sshpkt_get_ec(struct ssh *ssh, EC_POINT *v, const EC_GROUP *g) |
2729 | 0 | { |
2730 | 0 | return sshbuf_get_ec(ssh->state->incoming_packet, v, g); |
2731 | 0 | } |
2732 | | #endif /* OPENSSL_HAS_ECC */ |
2733 | | |
2734 | | int |
2735 | | sshpkt_get_bignum2(struct ssh *ssh, BIGNUM **valp) |
2736 | 230 | { |
2737 | 230 | return sshbuf_get_bignum2(ssh->state->incoming_packet, valp); |
2738 | 230 | } |
2739 | | #endif /* WITH_OPENSSL */ |
2740 | | |
2741 | | int |
2742 | | sshpkt_get_end(struct ssh *ssh) |
2743 | 77.4k | { |
2744 | 77.4k | if (sshbuf_len(ssh->state->incoming_packet) > 0) |
2745 | 441 | return SSH_ERR_UNEXPECTED_TRAILING_DATA; |
2746 | 77.0k | return 0; |
2747 | 77.4k | } |
2748 | | |
2749 | | const u_char * |
2750 | | sshpkt_ptr(struct ssh *ssh, size_t *lenp) |
2751 | 78.1k | { |
2752 | 78.1k | if (lenp != NULL) |
2753 | 78.1k | *lenp = sshbuf_len(ssh->state->incoming_packet); |
2754 | 78.1k | return sshbuf_ptr(ssh->state->incoming_packet); |
2755 | 78.1k | } |
2756 | | |
2757 | | /* start a new packet */ |
2758 | | |
2759 | | int |
2760 | | sshpkt_start(struct ssh *ssh, u_char type) |
2761 | 1.51M | { |
2762 | 1.51M | u_char buf[6]; /* u32 packet length, u8 pad len, u8 type */ |
2763 | | |
2764 | 1.51M | DBG(debug("packet_start[%d]", type)); |
2765 | 1.51M | memset(buf, 0, sizeof(buf)); |
2766 | 1.51M | buf[sizeof(buf) - 1] = type; |
2767 | 1.51M | sshbuf_reset(ssh->state->outgoing_packet); |
2768 | 1.51M | return sshbuf_put(ssh->state->outgoing_packet, buf, sizeof(buf)); |
2769 | 1.51M | } |
2770 | | |
2771 | | static int |
2772 | | ssh_packet_send_mux(struct ssh *ssh) |
2773 | 0 | { |
2774 | 0 | struct session_state *state = ssh->state; |
2775 | 0 | u_char type, *cp; |
2776 | 0 | size_t len; |
2777 | 0 | int r; |
2778 | |
|
2779 | 0 | if (ssh->kex) |
2780 | 0 | return SSH_ERR_INTERNAL_ERROR; |
2781 | 0 | len = sshbuf_len(state->outgoing_packet); |
2782 | 0 | if (len < 6) |
2783 | 0 | return SSH_ERR_INTERNAL_ERROR; |
2784 | 0 | cp = sshbuf_mutable_ptr(state->outgoing_packet); |
2785 | 0 | type = cp[5]; |
2786 | 0 | if (ssh_packet_log_type(type)) |
2787 | 0 | debug3_f("type %u", type); |
2788 | | /* drop everything, but the connection protocol */ |
2789 | 0 | if (type >= SSH2_MSG_CONNECTION_MIN && |
2790 | 0 | type <= SSH2_MSG_CONNECTION_MAX) { |
2791 | 0 | POKE_U32(cp, len - 4); |
2792 | 0 | if ((r = sshbuf_putb(state->output, |
2793 | 0 | state->outgoing_packet)) != 0) |
2794 | 0 | return r; |
2795 | | /* sshbuf_dump(state->output, stderr); */ |
2796 | 0 | } |
2797 | 0 | sshbuf_reset(state->outgoing_packet); |
2798 | 0 | return 0; |
2799 | 0 | } |
2800 | | |
2801 | | /* |
2802 | | * 9.2. Ignored Data Message |
2803 | | * |
2804 | | * byte SSH_MSG_IGNORE |
2805 | | * string data |
2806 | | * |
2807 | | * All implementations MUST understand (and ignore) this message at any |
2808 | | * time (after receiving the protocol version). No implementation is |
2809 | | * required to send them. This message can be used as an additional |
2810 | | * protection measure against advanced traffic analysis techniques. |
2811 | | */ |
2812 | | int |
2813 | | sshpkt_msg_ignore(struct ssh *ssh, u_int nbytes) |
2814 | 0 | { |
2815 | 0 | u_int32_t rnd = 0; |
2816 | 0 | int r; |
2817 | 0 | u_int i; |
2818 | |
|
2819 | 0 | if ((r = sshpkt_start(ssh, SSH2_MSG_IGNORE)) != 0 || |
2820 | 0 | (r = sshpkt_put_u32(ssh, nbytes)) != 0) |
2821 | 0 | return r; |
2822 | 0 | for (i = 0; i < nbytes; i++) { |
2823 | 0 | if (i % 4 == 0) |
2824 | 0 | rnd = arc4random(); |
2825 | 0 | if ((r = sshpkt_put_u8(ssh, (u_char)rnd & 0xff)) != 0) |
2826 | 0 | return r; |
2827 | 0 | rnd >>= 8; |
2828 | 0 | } |
2829 | 0 | return 0; |
2830 | 0 | } |
2831 | | |
2832 | | /* send it */ |
2833 | | |
2834 | | int |
2835 | | sshpkt_send(struct ssh *ssh) |
2836 | 1.51M | { |
2837 | 1.51M | if (ssh->state && ssh->state->mux) |
2838 | 0 | return ssh_packet_send_mux(ssh); |
2839 | 1.51M | return ssh_packet_send2(ssh); |
2840 | 1.51M | } |
2841 | | |
2842 | | int |
2843 | | sshpkt_disconnect(struct ssh *ssh, const char *fmt,...) |
2844 | 9.24k | { |
2845 | 9.24k | char buf[1024]; |
2846 | 9.24k | va_list args; |
2847 | 9.24k | int r; |
2848 | | |
2849 | 9.24k | va_start(args, fmt); |
2850 | 9.24k | vsnprintf(buf, sizeof(buf), fmt, args); |
2851 | 9.24k | va_end(args); |
2852 | | |
2853 | 9.24k | debug2_f("sending SSH2_MSG_DISCONNECT: %s", buf); |
2854 | 9.24k | if ((r = sshpkt_start(ssh, SSH2_MSG_DISCONNECT)) != 0 || |
2855 | 9.24k | (r = sshpkt_put_u32(ssh, SSH2_DISCONNECT_PROTOCOL_ERROR)) != 0 || |
2856 | 9.24k | (r = sshpkt_put_cstring(ssh, buf)) != 0 || |
2857 | 9.24k | (r = sshpkt_put_cstring(ssh, "")) != 0 || |
2858 | 9.24k | (r = sshpkt_send(ssh)) != 0) |
2859 | 0 | return r; |
2860 | 9.24k | return 0; |
2861 | 9.24k | } |
2862 | | |
2863 | | /* roundup current message to pad bytes */ |
2864 | | int |
2865 | | sshpkt_add_padding(struct ssh *ssh, u_char pad) |
2866 | 0 | { |
2867 | 0 | ssh->state->extra_pad = pad; |
2868 | 0 | return 0; |
2869 | 0 | } |