Coverage Report

Created: 2025-06-20 06:24

/src/openssh/packet.c
Line
Count
Source (jump to first uncovered line)
1
/* $OpenBSD: packet.c,v 1.318 2025/02/18 08:02:12 djm Exp $ */
2
/*
3
 * Author: Tatu Ylonen <ylo@cs.hut.fi>
4
 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
5
 *                    All rights reserved
6
 * This file contains code implementing the packet protocol and communication
7
 * with the other side.  This same code is used both on client and server side.
8
 *
9
 * As far as I am concerned, the code I have written for this software
10
 * can be used freely for any purpose.  Any derived versions of this
11
 * software must be clearly marked as such, and if the derived work is
12
 * incompatible with the protocol description in the RFC file, it must be
13
 * called by a name other than "ssh" or "Secure Shell".
14
 *
15
 *
16
 * SSH2 packet format added by Markus Friedl.
17
 * Copyright (c) 2000, 2001 Markus Friedl.  All rights reserved.
18
 *
19
 * Redistribution and use in source and binary forms, with or without
20
 * modification, are permitted provided that the following conditions
21
 * are met:
22
 * 1. Redistributions of source code must retain the above copyright
23
 *    notice, this list of conditions and the following disclaimer.
24
 * 2. Redistributions in binary form must reproduce the above copyright
25
 *    notice, this list of conditions and the following disclaimer in the
26
 *    documentation and/or other materials provided with the distribution.
27
 *
28
 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
29
 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
30
 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
31
 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
32
 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
33
 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
34
 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
35
 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
36
 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
37
 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
38
 */
39
40
#include "includes.h"
41
42
#include <sys/types.h>
43
#include "openbsd-compat/sys-queue.h"
44
#include <sys/socket.h>
45
#ifdef HAVE_SYS_TIME_H
46
# include <sys/time.h>
47
#endif
48
49
#include <netinet/in.h>
50
#include <netinet/ip.h>
51
#include <arpa/inet.h>
52
53
#include <errno.h>
54
#include <netdb.h>
55
#include <stdarg.h>
56
#include <stdio.h>
57
#include <stdlib.h>
58
#include <string.h>
59
#include <unistd.h>
60
#include <limits.h>
61
#ifdef HAVE_POLL_H
62
#include <poll.h>
63
#endif
64
#include <signal.h>
65
#include <time.h>
66
67
/*
68
 * Explicitly include OpenSSL before zlib as some versions of OpenSSL have
69
 * "free_func" in their headers, which zlib typedefs.
70
 */
71
#ifdef WITH_OPENSSL
72
# include <openssl/bn.h>
73
# include <openssl/evp.h>
74
# ifdef OPENSSL_HAS_ECC
75
#  include <openssl/ec.h>
76
# endif
77
#endif
78
79
#ifdef WITH_ZLIB
80
#include <zlib.h>
81
#endif
82
83
#include "xmalloc.h"
84
#include "compat.h"
85
#include "ssh2.h"
86
#include "cipher.h"
87
#include "sshkey.h"
88
#include "kex.h"
89
#include "digest.h"
90
#include "mac.h"
91
#include "log.h"
92
#include "canohost.h"
93
#include "misc.h"
94
#include "channels.h"
95
#include "ssh.h"
96
#include "packet.h"
97
#include "ssherr.h"
98
#include "sshbuf.h"
99
100
#ifdef PACKET_DEBUG
101
#define DBG(x) x
102
#else
103
#define DBG(x)
104
#endif
105
106
1.51M
#define PACKET_MAX_SIZE (256 * 1024)
107
108
struct packet_state {
109
  u_int32_t seqnr;
110
  u_int32_t packets;
111
  u_int64_t blocks;
112
  u_int64_t bytes;
113
};
114
115
struct packet {
116
  TAILQ_ENTRY(packet) next;
117
  u_char type;
118
  struct sshbuf *payload;
119
};
120
121
struct session_state {
122
  /*
123
   * This variable contains the file descriptors used for
124
   * communicating with the other side.  connection_in is used for
125
   * reading; connection_out for writing.  These can be the same
126
   * descriptor, in which case it is assumed to be a socket.
127
   */
128
  int connection_in;
129
  int connection_out;
130
131
  /* Protocol flags for the remote side. */
132
  u_int remote_protocol_flags;
133
134
  /* Encryption context for receiving data.  Only used for decryption. */
135
  struct sshcipher_ctx *receive_context;
136
137
  /* Encryption context for sending data.  Only used for encryption. */
138
  struct sshcipher_ctx *send_context;
139
140
  /* Buffer for raw input data from the socket. */
141
  struct sshbuf *input;
142
143
  /* Buffer for raw output data going to the socket. */
144
  struct sshbuf *output;
145
146
  /* Buffer for the partial outgoing packet being constructed. */
147
  struct sshbuf *outgoing_packet;
148
149
  /* Buffer for the incoming packet currently being processed. */
150
  struct sshbuf *incoming_packet;
151
152
  /* Scratch buffer for packet compression/decompression. */
153
  struct sshbuf *compression_buffer;
154
155
#ifdef WITH_ZLIB
156
  /* Incoming/outgoing compression dictionaries */
157
  z_stream compression_in_stream;
158
  z_stream compression_out_stream;
159
#endif
160
  int compression_in_started;
161
  int compression_out_started;
162
  int compression_in_failures;
163
  int compression_out_failures;
164
165
  /* default maximum packet size */
166
  u_int max_packet_size;
167
168
  /* Flag indicating whether this module has been initialized. */
169
  int initialized;
170
171
  /* Set to true if the connection is interactive. */
172
  int interactive_mode;
173
174
  /* Set to true if we are the server side. */
175
  int server_side;
176
177
  /* Set to true if we are authenticated. */
178
  int after_authentication;
179
180
  int keep_alive_timeouts;
181
182
  /* The maximum time that we will wait to send or receive a packet */
183
  int packet_timeout_ms;
184
185
  /* Session key information for Encryption and MAC */
186
  struct newkeys *newkeys[MODE_MAX];
187
  struct packet_state p_read, p_send;
188
189
  /* Volume-based rekeying */
190
  u_int64_t max_blocks_in, max_blocks_out, rekey_limit;
191
192
  /* Time-based rekeying */
193
  u_int32_t rekey_interval; /* how often in seconds */
194
  time_t rekey_time;  /* time of last rekeying */
195
196
  /* roundup current message to extra_pad bytes */
197
  u_char extra_pad;
198
199
  /* XXX discard incoming data after MAC error */
200
  u_int packet_discard;
201
  size_t packet_discard_mac_already;
202
  struct sshmac *packet_discard_mac;
203
204
  /* Used in packet_read_poll2() */
205
  u_int packlen;
206
207
  /* Used in packet_send2 */
208
  int rekeying;
209
210
  /* Used in ssh_packet_send_mux() */
211
  int mux;
212
213
  /* Used in packet_set_interactive */
214
  int set_interactive_called;
215
216
  /* Used in packet_set_maxsize */
217
  int set_maxsize_called;
218
219
  /* One-off warning about weak ciphers */
220
  int cipher_warning_done;
221
222
  /* Hook for fuzzing inbound packets */
223
  ssh_packet_hook_fn *hook_in;
224
  void *hook_in_ctx;
225
226
  TAILQ_HEAD(, packet) outgoing;
227
};
228
229
struct ssh *
230
ssh_alloc_session_state(void)
231
179k
{
232
179k
  struct ssh *ssh = NULL;
233
179k
  struct session_state *state = NULL;
234
235
179k
  if ((ssh = calloc(1, sizeof(*ssh))) == NULL ||
236
179k
      (state = calloc(1, sizeof(*state))) == NULL ||
237
179k
      (ssh->kex = kex_new()) == NULL ||
238
179k
      (state->input = sshbuf_new()) == NULL ||
239
179k
      (state->output = sshbuf_new()) == NULL ||
240
179k
      (state->outgoing_packet = sshbuf_new()) == NULL ||
241
179k
      (state->incoming_packet = sshbuf_new()) == NULL)
242
0
    goto fail;
243
179k
  TAILQ_INIT(&state->outgoing);
244
179k
  TAILQ_INIT(&ssh->private_keys);
245
179k
  TAILQ_INIT(&ssh->public_keys);
246
179k
  state->connection_in = -1;
247
179k
  state->connection_out = -1;
248
179k
  state->max_packet_size = 32768;
249
179k
  state->packet_timeout_ms = -1;
250
179k
  state->p_send.packets = state->p_read.packets = 0;
251
179k
  state->initialized = 1;
252
  /*
253
   * ssh_packet_send2() needs to queue packets until
254
   * we've done the initial key exchange.
255
   */
256
179k
  state->rekeying = 1;
257
179k
  ssh->state = state;
258
179k
  return ssh;
259
0
 fail:
260
0
  if (ssh) {
261
0
    kex_free(ssh->kex);
262
0
    free(ssh);
263
0
  }
264
0
  if (state) {
265
0
    sshbuf_free(state->input);
266
0
    sshbuf_free(state->output);
267
0
    sshbuf_free(state->incoming_packet);
268
0
    sshbuf_free(state->outgoing_packet);
269
0
    free(state);
270
0
  }
271
0
  return NULL;
272
179k
}
273
274
void
275
ssh_packet_set_input_hook(struct ssh *ssh, ssh_packet_hook_fn *hook, void *ctx)
276
0
{
277
0
  ssh->state->hook_in = hook;
278
0
  ssh->state->hook_in_ctx = ctx;
279
0
}
280
281
/* Returns nonzero if rekeying is in progress */
282
int
283
ssh_packet_is_rekeying(struct ssh *ssh)
284
3.85k
{
285
3.85k
  return ssh->state->rekeying ||
286
3.85k
      (ssh->kex != NULL && ssh->kex->done == 0);
287
3.85k
}
288
289
/*
290
 * Sets the descriptors used for communication.
291
 */
292
struct ssh *
293
ssh_packet_set_connection(struct ssh *ssh, int fd_in, int fd_out)
294
179k
{
295
179k
  struct session_state *state;
296
179k
  const struct sshcipher *none = cipher_by_name("none");
297
179k
  int r;
298
299
179k
  if (none == NULL) {
300
0
    error_f("cannot load cipher 'none'");
301
0
    return NULL;
302
0
  }
303
179k
  if (ssh == NULL)
304
179k
    ssh = ssh_alloc_session_state();
305
179k
  if (ssh == NULL) {
306
0
    error_f("could not allocate state");
307
0
    return NULL;
308
0
  }
309
179k
  state = ssh->state;
310
179k
  state->connection_in = fd_in;
311
179k
  state->connection_out = fd_out;
312
179k
  if ((r = cipher_init(&state->send_context, none,
313
179k
      (const u_char *)"", 0, NULL, 0, CIPHER_ENCRYPT)) != 0 ||
314
179k
      (r = cipher_init(&state->receive_context, none,
315
179k
      (const u_char *)"", 0, NULL, 0, CIPHER_DECRYPT)) != 0) {
316
0
    error_fr(r, "cipher_init failed");
317
0
    free(ssh); /* XXX need ssh_free_session_state? */
318
0
    return NULL;
319
0
  }
320
179k
  state->newkeys[MODE_IN] = state->newkeys[MODE_OUT] = NULL;
321
  /*
322
   * Cache the IP address of the remote connection for use in error
323
   * messages that might be generated after the connection has closed.
324
   */
325
179k
  (void)ssh_remote_ipaddr(ssh);
326
179k
  return ssh;
327
179k
}
328
329
void
330
ssh_packet_set_timeout(struct ssh *ssh, int timeout, int count)
331
0
{
332
0
  struct session_state *state = ssh->state;
333
334
0
  if (timeout <= 0 || count <= 0) {
335
0
    state->packet_timeout_ms = -1;
336
0
    return;
337
0
  }
338
0
  if ((INT_MAX / 1000) / count < timeout)
339
0
    state->packet_timeout_ms = INT_MAX;
340
0
  else
341
0
    state->packet_timeout_ms = timeout * count * 1000;
342
0
}
343
344
void
345
ssh_packet_set_mux(struct ssh *ssh)
346
0
{
347
0
  ssh->state->mux = 1;
348
0
  ssh->state->rekeying = 0;
349
0
  kex_free(ssh->kex);
350
0
  ssh->kex = NULL;
351
0
}
352
353
int
354
ssh_packet_get_mux(struct ssh *ssh)
355
0
{
356
0
  return ssh->state->mux;
357
0
}
358
359
int
360
ssh_packet_set_log_preamble(struct ssh *ssh, const char *fmt, ...)
361
0
{
362
0
  va_list args;
363
0
  int r;
364
365
0
  free(ssh->log_preamble);
366
0
  if (fmt == NULL)
367
0
    ssh->log_preamble = NULL;
368
0
  else {
369
0
    va_start(args, fmt);
370
0
    r = vasprintf(&ssh->log_preamble, fmt, args);
371
0
    va_end(args);
372
0
    if (r < 0 || ssh->log_preamble == NULL)
373
0
      return SSH_ERR_ALLOC_FAIL;
374
0
  }
375
0
  return 0;
376
0
}
377
378
int
379
ssh_packet_stop_discard(struct ssh *ssh)
380
0
{
381
0
  struct session_state *state = ssh->state;
382
0
  int r;
383
384
0
  if (state->packet_discard_mac) {
385
0
    char buf[1024];
386
0
    size_t dlen = PACKET_MAX_SIZE;
387
388
0
    if (dlen > state->packet_discard_mac_already)
389
0
      dlen -= state->packet_discard_mac_already;
390
0
    memset(buf, 'a', sizeof(buf));
391
0
    while (sshbuf_len(state->incoming_packet) < dlen)
392
0
      if ((r = sshbuf_put(state->incoming_packet, buf,
393
0
          sizeof(buf))) != 0)
394
0
        return r;
395
0
    (void) mac_compute(state->packet_discard_mac,
396
0
        state->p_read.seqnr,
397
0
        sshbuf_ptr(state->incoming_packet), dlen,
398
0
        NULL, 0);
399
0
  }
400
0
  logit("Finished discarding for %.200s port %d",
401
0
      ssh_remote_ipaddr(ssh), ssh_remote_port(ssh));
402
0
  return SSH_ERR_MAC_INVALID;
403
0
}
404
405
static int
406
ssh_packet_start_discard(struct ssh *ssh, struct sshenc *enc,
407
    struct sshmac *mac, size_t mac_already, u_int discard)
408
8.81k
{
409
8.81k
  struct session_state *state = ssh->state;
410
8.81k
  int r;
411
412
8.81k
  if (enc == NULL || !cipher_is_cbc(enc->cipher) || (mac && mac->etm)) {
413
8.81k
    if ((r = sshpkt_disconnect(ssh, "Packet corrupt")) != 0)
414
0
      return r;
415
8.81k
    return SSH_ERR_MAC_INVALID;
416
8.81k
  }
417
  /*
418
   * Record number of bytes over which the mac has already
419
   * been computed in order to minimize timing attacks.
420
   */
421
0
  if (mac && mac->enabled) {
422
0
    state->packet_discard_mac = mac;
423
0
    state->packet_discard_mac_already = mac_already;
424
0
  }
425
0
  if (sshbuf_len(state->input) >= discard)
426
0
    return ssh_packet_stop_discard(ssh);
427
0
  state->packet_discard = discard - sshbuf_len(state->input);
428
0
  return 0;
429
0
}
430
431
/* Returns 1 if remote host is connected via socket, 0 if not. */
432
433
int
434
ssh_packet_connection_is_on_socket(struct ssh *ssh)
435
179k
{
436
179k
  struct session_state *state;
437
179k
  struct sockaddr_storage from, to;
438
179k
  socklen_t fromlen, tolen;
439
440
179k
  if (ssh == NULL || ssh->state == NULL)
441
0
    return 0;
442
443
179k
  state = ssh->state;
444
179k
  if (state->connection_in == -1 || state->connection_out == -1)
445
179k
    return 0;
446
  /* filedescriptors in and out are the same, so it's a socket */
447
0
  if (state->connection_in == state->connection_out)
448
0
    return 1;
449
0
  fromlen = sizeof(from);
450
0
  memset(&from, 0, sizeof(from));
451
0
  if (getpeername(state->connection_in, (struct sockaddr *)&from,
452
0
      &fromlen) == -1)
453
0
    return 0;
454
0
  tolen = sizeof(to);
455
0
  memset(&to, 0, sizeof(to));
456
0
  if (getpeername(state->connection_out, (struct sockaddr *)&to,
457
0
      &tolen) == -1)
458
0
    return 0;
459
0
  if (fromlen != tolen || memcmp(&from, &to, fromlen) != 0)
460
0
    return 0;
461
0
  if (from.ss_family != AF_INET && from.ss_family != AF_INET6)
462
0
    return 0;
463
0
  return 1;
464
0
}
465
466
void
467
ssh_packet_get_bytes(struct ssh *ssh, u_int64_t *ibytes, u_int64_t *obytes)
468
0
{
469
0
  if (ibytes)
470
0
    *ibytes = ssh->state->p_read.bytes;
471
0
  if (obytes)
472
0
    *obytes = ssh->state->p_send.bytes;
473
0
}
474
475
int
476
ssh_packet_connection_af(struct ssh *ssh)
477
0
{
478
0
  return get_sock_af(ssh->state->connection_out);
479
0
}
480
481
/* Sets the connection into non-blocking mode. */
482
483
void
484
ssh_packet_set_nonblocking(struct ssh *ssh)
485
0
{
486
  /* Set the socket into non-blocking mode. */
487
0
  set_nonblock(ssh->state->connection_in);
488
489
0
  if (ssh->state->connection_out != ssh->state->connection_in)
490
0
    set_nonblock(ssh->state->connection_out);
491
0
}
492
493
/* Returns the socket used for reading. */
494
495
int
496
ssh_packet_get_connection_in(struct ssh *ssh)
497
0
{
498
0
  return ssh->state->connection_in;
499
0
}
500
501
/* Returns the descriptor used for writing. */
502
503
int
504
ssh_packet_get_connection_out(struct ssh *ssh)
505
0
{
506
0
  return ssh->state->connection_out;
507
0
}
508
509
/*
510
 * Returns the IP-address of the remote host as a string.  The returned
511
 * string must not be freed.
512
 */
513
514
const char *
515
ssh_remote_ipaddr(struct ssh *ssh)
516
179k
{
517
179k
  int sock;
518
519
  /* Check whether we have cached the ipaddr. */
520
179k
  if (ssh->remote_ipaddr == NULL) {
521
179k
    if (ssh_packet_connection_is_on_socket(ssh)) {
522
0
      sock = ssh->state->connection_in;
523
0
      ssh->remote_ipaddr = get_peer_ipaddr(sock);
524
0
      ssh->remote_port = get_peer_port(sock);
525
0
      ssh->local_ipaddr = get_local_ipaddr(sock);
526
0
      ssh->local_port = get_local_port(sock);
527
179k
    } else {
528
179k
      ssh->remote_ipaddr = xstrdup("UNKNOWN");
529
179k
      ssh->remote_port = 65535;
530
179k
      ssh->local_ipaddr = xstrdup("UNKNOWN");
531
179k
      ssh->local_port = 65535;
532
179k
    }
533
179k
  }
534
179k
  return ssh->remote_ipaddr;
535
179k
}
536
537
/*
538
 * Returns the remote DNS hostname as a string. The returned string must not
539
 * be freed. NB. this will usually trigger a DNS query. Return value is on
540
 * heap and no caching is performed.
541
 * This function does additional checks on the hostname to mitigate some
542
 * attacks based on conflation of hostnames and addresses and will
543
 * fall back to returning an address on error.
544
 */
545
546
char *
547
ssh_remote_hostname(struct ssh *ssh)
548
0
{
549
0
  struct sockaddr_storage from;
550
0
  socklen_t fromlen;
551
0
  struct addrinfo hints, *ai, *aitop;
552
0
  char name[NI_MAXHOST], ntop2[NI_MAXHOST];
553
0
  const char *ntop = ssh_remote_ipaddr(ssh);
554
555
  /* Get IP address of client. */
556
0
  fromlen = sizeof(from);
557
0
  memset(&from, 0, sizeof(from));
558
0
  if (getpeername(ssh_packet_get_connection_in(ssh),
559
0
      (struct sockaddr *)&from, &fromlen) == -1) {
560
0
    debug_f("getpeername failed: %.100s", strerror(errno));
561
0
    return xstrdup(ntop);
562
0
  }
563
564
0
  ipv64_normalise_mapped(&from, &fromlen);
565
0
  if (from.ss_family == AF_INET6)
566
0
    fromlen = sizeof(struct sockaddr_in6);
567
568
0
  debug3("trying to reverse map address %.100s.", ntop);
569
  /* Map the IP address to a host name. */
570
0
  if (getnameinfo((struct sockaddr *)&from, fromlen, name, sizeof(name),
571
0
      NULL, 0, NI_NAMEREQD) != 0) {
572
    /* Host name not found.  Use ip address. */
573
0
    return xstrdup(ntop);
574
0
  }
575
576
  /*
577
   * if reverse lookup result looks like a numeric hostname,
578
   * someone is trying to trick us by PTR record like following:
579
   *  1.1.1.10.in-addr.arpa.  IN PTR  2.3.4.5
580
   */
581
0
  memset(&hints, 0, sizeof(hints));
582
0
  hints.ai_socktype = SOCK_DGRAM; /*dummy*/
583
0
  hints.ai_flags = AI_NUMERICHOST;
584
0
  if (getaddrinfo(name, NULL, &hints, &ai) == 0) {
585
0
    logit("Nasty PTR record \"%s\" is set up for %s, ignoring",
586
0
        name, ntop);
587
0
    freeaddrinfo(ai);
588
0
    return xstrdup(ntop);
589
0
  }
590
591
  /* Names are stored in lowercase. */
592
0
  lowercase(name);
593
594
  /*
595
   * Map it back to an IP address and check that the given
596
   * address actually is an address of this host.  This is
597
   * necessary because anyone with access to a name server can
598
   * define arbitrary names for an IP address. Mapping from
599
   * name to IP address can be trusted better (but can still be
600
   * fooled if the intruder has access to the name server of
601
   * the domain).
602
   */
603
0
  memset(&hints, 0, sizeof(hints));
604
0
  hints.ai_family = from.ss_family;
605
0
  hints.ai_socktype = SOCK_STREAM;
606
0
  if (getaddrinfo(name, NULL, &hints, &aitop) != 0) {
607
0
    logit("reverse mapping checking getaddrinfo for %.700s "
608
0
        "[%s] failed.", name, ntop);
609
0
    return xstrdup(ntop);
610
0
  }
611
  /* Look for the address from the list of addresses. */
612
0
  for (ai = aitop; ai; ai = ai->ai_next) {
613
0
    if (getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop2,
614
0
        sizeof(ntop2), NULL, 0, NI_NUMERICHOST) == 0 &&
615
0
        (strcmp(ntop, ntop2) == 0))
616
0
        break;
617
0
  }
618
0
  freeaddrinfo(aitop);
619
  /* If we reached the end of the list, the address was not there. */
620
0
  if (ai == NULL) {
621
    /* Address not found for the host name. */
622
0
    logit("Address %.100s maps to %.600s, but this does not "
623
0
        "map back to the address.", ntop, name);
624
0
    return xstrdup(ntop);
625
0
  }
626
0
  return xstrdup(name);
627
0
}
628
629
/* Returns the port number of the remote host. */
630
631
int
632
ssh_remote_port(struct ssh *ssh)
633
0
{
634
0
  (void)ssh_remote_ipaddr(ssh); /* Will lookup and cache. */
635
0
  return ssh->remote_port;
636
0
}
637
638
/*
639
 * Returns the IP-address of the local host as a string.  The returned
640
 * string must not be freed.
641
 */
642
643
const char *
644
ssh_local_ipaddr(struct ssh *ssh)
645
0
{
646
0
  (void)ssh_remote_ipaddr(ssh); /* Will lookup and cache. */
647
0
  return ssh->local_ipaddr;
648
0
}
649
650
/* Returns the port number of the local host. */
651
652
int
653
ssh_local_port(struct ssh *ssh)
654
0
{
655
0
  (void)ssh_remote_ipaddr(ssh); /* Will lookup and cache. */
656
0
  return ssh->local_port;
657
0
}
658
659
/* Returns the routing domain of the input socket, or NULL if unavailable */
660
const char *
661
ssh_packet_rdomain_in(struct ssh *ssh)
662
0
{
663
0
  if (ssh->rdomain_in != NULL)
664
0
    return ssh->rdomain_in;
665
0
  if (!ssh_packet_connection_is_on_socket(ssh))
666
0
    return NULL;
667
0
  ssh->rdomain_in = get_rdomain(ssh->state->connection_in);
668
0
  return ssh->rdomain_in;
669
0
}
670
671
/* Closes the connection and clears and frees internal data structures. */
672
673
static void
674
ssh_packet_close_internal(struct ssh *ssh, int do_close)
675
179k
{
676
179k
  struct session_state *state = ssh->state;
677
179k
  u_int mode;
678
679
179k
  if (!state->initialized)
680
0
    return;
681
179k
  state->initialized = 0;
682
179k
  if (do_close) {
683
179k
    if (state->connection_in == state->connection_out) {
684
179k
      close(state->connection_out);
685
179k
    } else {
686
0
      close(state->connection_in);
687
0
      close(state->connection_out);
688
0
    }
689
179k
  }
690
179k
  sshbuf_free(state->input);
691
179k
  sshbuf_free(state->output);
692
179k
  sshbuf_free(state->outgoing_packet);
693
179k
  sshbuf_free(state->incoming_packet);
694
537k
  for (mode = 0; mode < MODE_MAX; mode++) {
695
358k
    kex_free_newkeys(state->newkeys[mode]); /* current keys */
696
358k
    state->newkeys[mode] = NULL;
697
358k
    ssh_clear_newkeys(ssh, mode);   /* next keys */
698
358k
  }
699
179k
#ifdef WITH_ZLIB
700
  /* compression state is in shared mem, so we can only release it once */
701
179k
  if (do_close && state->compression_buffer) {
702
0
    sshbuf_free(state->compression_buffer);
703
0
    if (state->compression_out_started) {
704
0
      z_streamp stream = &state->compression_out_stream;
705
0
      debug("compress outgoing: "
706
0
          "raw data %llu, compressed %llu, factor %.2f",
707
0
        (unsigned long long)stream->total_in,
708
0
        (unsigned long long)stream->total_out,
709
0
        stream->total_in == 0 ? 0.0 :
710
0
        (double) stream->total_out / stream->total_in);
711
0
      if (state->compression_out_failures == 0)
712
0
        deflateEnd(stream);
713
0
    }
714
0
    if (state->compression_in_started) {
715
0
      z_streamp stream = &state->compression_in_stream;
716
0
      debug("compress incoming: "
717
0
          "raw data %llu, compressed %llu, factor %.2f",
718
0
          (unsigned long long)stream->total_out,
719
0
          (unsigned long long)stream->total_in,
720
0
          stream->total_out == 0 ? 0.0 :
721
0
          (double) stream->total_in / stream->total_out);
722
0
      if (state->compression_in_failures == 0)
723
0
        inflateEnd(stream);
724
0
    }
725
0
  }
726
179k
#endif  /* WITH_ZLIB */
727
179k
  cipher_free(state->send_context);
728
179k
  cipher_free(state->receive_context);
729
179k
  state->send_context = state->receive_context = NULL;
730
179k
  if (do_close) {
731
179k
    free(ssh->local_ipaddr);
732
179k
    ssh->local_ipaddr = NULL;
733
179k
    free(ssh->remote_ipaddr);
734
179k
    ssh->remote_ipaddr = NULL;
735
179k
    free(ssh->state);
736
179k
    ssh->state = NULL;
737
179k
    kex_free(ssh->kex);
738
179k
    ssh->kex = NULL;
739
179k
  }
740
179k
}
741
742
void
743
ssh_packet_close(struct ssh *ssh)
744
179k
{
745
179k
  ssh_packet_close_internal(ssh, 1);
746
179k
}
747
748
void
749
ssh_packet_clear_keys(struct ssh *ssh)
750
0
{
751
0
  ssh_packet_close_internal(ssh, 0);
752
0
}
753
754
/* Sets remote side protocol flags. */
755
756
void
757
ssh_packet_set_protocol_flags(struct ssh *ssh, u_int protocol_flags)
758
0
{
759
0
  ssh->state->remote_protocol_flags = protocol_flags;
760
0
}
761
762
/* Returns the remote protocol flags set earlier by the above function. */
763
764
u_int
765
ssh_packet_get_protocol_flags(struct ssh *ssh)
766
0
{
767
0
  return ssh->state->remote_protocol_flags;
768
0
}
769
770
/*
771
 * Starts packet compression from the next packet on in both directions.
772
 * Level is compression level 1 (fastest) - 9 (slow, best) as in gzip.
773
 */
774
775
static int
776
ssh_packet_init_compression(struct ssh *ssh)
777
0
{
778
0
  if (!ssh->state->compression_buffer &&
779
0
      ((ssh->state->compression_buffer = sshbuf_new()) == NULL))
780
0
    return SSH_ERR_ALLOC_FAIL;
781
0
  return 0;
782
0
}
783
784
#ifdef WITH_ZLIB
785
static int
786
start_compression_out(struct ssh *ssh, int level)
787
0
{
788
0
  if (level < 1 || level > 9)
789
0
    return SSH_ERR_INVALID_ARGUMENT;
790
0
  debug("Enabling compression at level %d.", level);
791
0
  if (ssh->state->compression_out_started == 1)
792
0
    deflateEnd(&ssh->state->compression_out_stream);
793
0
  switch (deflateInit(&ssh->state->compression_out_stream, level)) {
794
0
  case Z_OK:
795
0
    ssh->state->compression_out_started = 1;
796
0
    break;
797
0
  case Z_MEM_ERROR:
798
0
    return SSH_ERR_ALLOC_FAIL;
799
0
  default:
800
0
    return SSH_ERR_INTERNAL_ERROR;
801
0
  }
802
0
  return 0;
803
0
}
804
805
static int
806
start_compression_in(struct ssh *ssh)
807
0
{
808
0
  if (ssh->state->compression_in_started == 1)
809
0
    inflateEnd(&ssh->state->compression_in_stream);
810
0
  switch (inflateInit(&ssh->state->compression_in_stream)) {
811
0
  case Z_OK:
812
0
    ssh->state->compression_in_started = 1;
813
0
    break;
814
0
  case Z_MEM_ERROR:
815
0
    return SSH_ERR_ALLOC_FAIL;
816
0
  default:
817
0
    return SSH_ERR_INTERNAL_ERROR;
818
0
  }
819
0
  return 0;
820
0
}
821
822
/* XXX remove need for separate compression buffer */
823
static int
824
compress_buffer(struct ssh *ssh, struct sshbuf *in, struct sshbuf *out)
825
0
{
826
0
  u_char buf[4096];
827
0
  int r, status;
828
829
0
  if (ssh->state->compression_out_started != 1)
830
0
    return SSH_ERR_INTERNAL_ERROR;
831
832
  /* This case is not handled below. */
833
0
  if (sshbuf_len(in) == 0)
834
0
    return 0;
835
836
  /* Input is the contents of the input buffer. */
837
0
  if ((ssh->state->compression_out_stream.next_in =
838
0
      sshbuf_mutable_ptr(in)) == NULL)
839
0
    return SSH_ERR_INTERNAL_ERROR;
840
0
  ssh->state->compression_out_stream.avail_in = sshbuf_len(in);
841
842
  /* Loop compressing until deflate() returns with avail_out != 0. */
843
0
  do {
844
    /* Set up fixed-size output buffer. */
845
0
    ssh->state->compression_out_stream.next_out = buf;
846
0
    ssh->state->compression_out_stream.avail_out = sizeof(buf);
847
848
    /* Compress as much data into the buffer as possible. */
849
0
    status = deflate(&ssh->state->compression_out_stream,
850
0
        Z_PARTIAL_FLUSH);
851
0
    switch (status) {
852
0
    case Z_MEM_ERROR:
853
0
      return SSH_ERR_ALLOC_FAIL;
854
0
    case Z_OK:
855
      /* Append compressed data to output_buffer. */
856
0
      if ((r = sshbuf_put(out, buf, sizeof(buf) -
857
0
          ssh->state->compression_out_stream.avail_out)) != 0)
858
0
        return r;
859
0
      break;
860
0
    case Z_STREAM_ERROR:
861
0
    default:
862
0
      ssh->state->compression_out_failures++;
863
0
      return SSH_ERR_INVALID_FORMAT;
864
0
    }
865
0
  } while (ssh->state->compression_out_stream.avail_out == 0);
866
0
  return 0;
867
0
}
868
869
static int
870
uncompress_buffer(struct ssh *ssh, struct sshbuf *in, struct sshbuf *out)
871
0
{
872
0
  u_char buf[4096];
873
0
  int r, status;
874
875
0
  if (ssh->state->compression_in_started != 1)
876
0
    return SSH_ERR_INTERNAL_ERROR;
877
878
0
  if ((ssh->state->compression_in_stream.next_in =
879
0
      sshbuf_mutable_ptr(in)) == NULL)
880
0
    return SSH_ERR_INTERNAL_ERROR;
881
0
  ssh->state->compression_in_stream.avail_in = sshbuf_len(in);
882
883
0
  for (;;) {
884
    /* Set up fixed-size output buffer. */
885
0
    ssh->state->compression_in_stream.next_out = buf;
886
0
    ssh->state->compression_in_stream.avail_out = sizeof(buf);
887
888
0
    status = inflate(&ssh->state->compression_in_stream,
889
0
        Z_SYNC_FLUSH);
890
0
    switch (status) {
891
0
    case Z_OK:
892
0
      if ((r = sshbuf_put(out, buf, sizeof(buf) -
893
0
          ssh->state->compression_in_stream.avail_out)) != 0)
894
0
        return r;
895
0
      break;
896
0
    case Z_BUF_ERROR:
897
      /*
898
       * Comments in zlib.h say that we should keep calling
899
       * inflate() until we get an error.  This appears to
900
       * be the error that we get.
901
       */
902
0
      return 0;
903
0
    case Z_DATA_ERROR:
904
0
      return SSH_ERR_INVALID_FORMAT;
905
0
    case Z_MEM_ERROR:
906
0
      return SSH_ERR_ALLOC_FAIL;
907
0
    case Z_STREAM_ERROR:
908
0
    default:
909
0
      ssh->state->compression_in_failures++;
910
0
      return SSH_ERR_INTERNAL_ERROR;
911
0
    }
912
0
  }
913
  /* NOTREACHED */
914
0
}
915
916
#else /* WITH_ZLIB */
917
918
static int
919
start_compression_out(struct ssh *ssh, int level)
920
{
921
  return SSH_ERR_INTERNAL_ERROR;
922
}
923
924
static int
925
start_compression_in(struct ssh *ssh)
926
{
927
  return SSH_ERR_INTERNAL_ERROR;
928
}
929
930
static int
931
compress_buffer(struct ssh *ssh, struct sshbuf *in, struct sshbuf *out)
932
{
933
  return SSH_ERR_INTERNAL_ERROR;
934
}
935
936
static int
937
uncompress_buffer(struct ssh *ssh, struct sshbuf *in, struct sshbuf *out)
938
{
939
  return SSH_ERR_INTERNAL_ERROR;
940
}
941
#endif  /* WITH_ZLIB */
942
943
void
944
ssh_clear_newkeys(struct ssh *ssh, int mode)
945
358k
{
946
358k
  if (ssh->kex && ssh->kex->newkeys[mode]) {
947
24.7k
    kex_free_newkeys(ssh->kex->newkeys[mode]);
948
24.7k
    ssh->kex->newkeys[mode] = NULL;
949
24.7k
  }
950
358k
}
951
952
int
953
ssh_set_newkeys(struct ssh *ssh, int mode)
954
1.04k
{
955
1.04k
  struct session_state *state = ssh->state;
956
1.04k
  struct sshenc *enc;
957
1.04k
  struct sshmac *mac;
958
1.04k
  struct sshcomp *comp;
959
1.04k
  struct sshcipher_ctx **ccp;
960
1.04k
  struct packet_state *ps;
961
1.04k
  u_int64_t *max_blocks;
962
1.04k
  const char *wmsg;
963
1.04k
  int r, crypt_type;
964
1.04k
  const char *dir = mode == MODE_OUT ? "out" : "in";
965
966
1.04k
  debug2_f("mode %d", mode);
967
968
1.04k
  if (mode == MODE_OUT) {
969
744
    ccp = &state->send_context;
970
744
    crypt_type = CIPHER_ENCRYPT;
971
744
    ps = &state->p_send;
972
744
    max_blocks = &state->max_blocks_out;
973
744
  } else {
974
302
    ccp = &state->receive_context;
975
302
    crypt_type = CIPHER_DECRYPT;
976
302
    ps = &state->p_read;
977
302
    max_blocks = &state->max_blocks_in;
978
302
  }
979
1.04k
  if (state->newkeys[mode] != NULL) {
980
0
    debug_f("rekeying %s, input %llu bytes %llu blocks, "
981
0
        "output %llu bytes %llu blocks", dir,
982
0
        (unsigned long long)state->p_read.bytes,
983
0
        (unsigned long long)state->p_read.blocks,
984
0
        (unsigned long long)state->p_send.bytes,
985
0
        (unsigned long long)state->p_send.blocks);
986
0
    kex_free_newkeys(state->newkeys[mode]);
987
0
    state->newkeys[mode] = NULL;
988
0
  }
989
  /* note that both bytes and the seqnr are not reset */
990
1.04k
  ps->packets = ps->blocks = 0;
991
  /* move newkeys from kex to state */
992
1.04k
  if ((state->newkeys[mode] = ssh->kex->newkeys[mode]) == NULL)
993
0
    return SSH_ERR_INTERNAL_ERROR;
994
1.04k
  ssh->kex->newkeys[mode] = NULL;
995
1.04k
  enc  = &state->newkeys[mode]->enc;
996
1.04k
  mac  = &state->newkeys[mode]->mac;
997
1.04k
  comp = &state->newkeys[mode]->comp;
998
1.04k
  if (cipher_authlen(enc->cipher) == 0) {
999
1.04k
    if ((r = mac_init(mac)) != 0)
1000
0
      return r;
1001
1.04k
  }
1002
1.04k
  mac->enabled = 1;
1003
1.04k
  DBG(debug_f("cipher_init: %s", dir));
1004
1.04k
  cipher_free(*ccp);
1005
1.04k
  *ccp = NULL;
1006
1.04k
  if ((r = cipher_init(ccp, enc->cipher, enc->key, enc->key_len,
1007
1.04k
      enc->iv, enc->iv_len, crypt_type)) != 0)
1008
0
    return r;
1009
1.04k
  if (!state->cipher_warning_done &&
1010
1.04k
      (wmsg = cipher_warning_message(*ccp)) != NULL) {
1011
0
    error("Warning: %s", wmsg);
1012
0
    state->cipher_warning_done = 1;
1013
0
  }
1014
  /* Deleting the keys does not gain extra security */
1015
  /* explicit_bzero(enc->iv,  enc->block_size);
1016
     explicit_bzero(enc->key, enc->key_len);
1017
     explicit_bzero(mac->key, mac->key_len); */
1018
1.04k
  if (((comp->type == COMP_DELAYED && state->after_authentication)) &&
1019
1.04k
      comp->enabled == 0) {
1020
0
    if ((r = ssh_packet_init_compression(ssh)) < 0)
1021
0
      return r;
1022
0
    if (mode == MODE_OUT) {
1023
0
      if ((r = start_compression_out(ssh, 6)) != 0)
1024
0
        return r;
1025
0
    } else {
1026
0
      if ((r = start_compression_in(ssh)) != 0)
1027
0
        return r;
1028
0
    }
1029
0
    comp->enabled = 1;
1030
0
  }
1031
  /*
1032
   * The 2^(blocksize*2) limit is too expensive for 3DES,
1033
   * so enforce a 1GB limit for small blocksizes.
1034
   * See RFC4344 section 3.2.
1035
   */
1036
1.04k
  if (enc->block_size >= 16)
1037
0
    *max_blocks = (u_int64_t)1 << (enc->block_size*2);
1038
1.04k
  else
1039
1.04k
    *max_blocks = ((u_int64_t)1 << 30) / enc->block_size;
1040
1.04k
  if (state->rekey_limit)
1041
0
    *max_blocks = MINIMUM(*max_blocks,
1042
1.04k
        state->rekey_limit / enc->block_size);
1043
1.04k
  debug("rekey %s after %llu blocks", dir,
1044
1.04k
      (unsigned long long)*max_blocks);
1045
1.04k
  return 0;
1046
1.04k
}
1047
1048
0
#define MAX_PACKETS (1U<<31)
1049
static int
1050
ssh_packet_need_rekeying(struct ssh *ssh, u_int outbound_packet_len)
1051
1.49M
{
1052
1.49M
  struct session_state *state = ssh->state;
1053
1.49M
  u_int32_t out_blocks;
1054
1055
  /* XXX client can't cope with rekeying pre-auth */
1056
1.49M
  if (!state->after_authentication)
1057
1.49M
    return 0;
1058
1059
  /* Haven't keyed yet or KEX in progress. */
1060
3.85k
  if (ssh_packet_is_rekeying(ssh))
1061
3.85k
    return 0;
1062
1063
  /* Peer can't rekey */
1064
0
  if (ssh->compat & SSH_BUG_NOREKEY)
1065
0
    return 0;
1066
1067
  /*
1068
   * Permit one packet in or out per rekey - this allows us to
1069
   * make progress when rekey limits are very small.
1070
   */
1071
0
  if (state->p_send.packets == 0 && state->p_read.packets == 0)
1072
0
    return 0;
1073
1074
  /* Time-based rekeying */
1075
0
  if (state->rekey_interval != 0 &&
1076
0
      (int64_t)state->rekey_time + state->rekey_interval <= monotime())
1077
0
    return 1;
1078
1079
  /*
1080
   * Always rekey when MAX_PACKETS sent in either direction
1081
   * As per RFC4344 section 3.1 we do this after 2^31 packets.
1082
   */
1083
0
  if (state->p_send.packets > MAX_PACKETS ||
1084
0
      state->p_read.packets > MAX_PACKETS)
1085
0
    return 1;
1086
1087
  /* Rekey after (cipher-specific) maximum blocks */
1088
0
  out_blocks = ROUNDUP(outbound_packet_len,
1089
0
      state->newkeys[MODE_OUT]->enc.block_size);
1090
0
  return (state->max_blocks_out &&
1091
0
      (state->p_send.blocks + out_blocks > state->max_blocks_out)) ||
1092
0
      (state->max_blocks_in &&
1093
0
      (state->p_read.blocks > state->max_blocks_in));
1094
0
}
1095
1096
int
1097
ssh_packet_check_rekey(struct ssh *ssh)
1098
1.49M
{
1099
1.49M
  if (!ssh_packet_need_rekeying(ssh, 0))
1100
1.49M
    return 0;
1101
0
  debug3_f("rekex triggered");
1102
0
  return kex_start_rekex(ssh);
1103
1.49M
}
1104
1105
/*
1106
 * Delayed compression for SSH2 is enabled after authentication:
1107
 * This happens on the server side after a SSH2_MSG_USERAUTH_SUCCESS is sent,
1108
 * and on the client side after a SSH2_MSG_USERAUTH_SUCCESS is received.
1109
 */
1110
static int
1111
ssh_packet_enable_delayed_compress(struct ssh *ssh)
1112
273
{
1113
273
  struct session_state *state = ssh->state;
1114
273
  struct sshcomp *comp = NULL;
1115
273
  int r, mode;
1116
1117
  /*
1118
   * Remember that we are past the authentication step, so rekeying
1119
   * with COMP_DELAYED will turn on compression immediately.
1120
   */
1121
273
  state->after_authentication = 1;
1122
819
  for (mode = 0; mode < MODE_MAX; mode++) {
1123
    /* protocol error: USERAUTH_SUCCESS received before NEWKEYS */
1124
546
    if (state->newkeys[mode] == NULL)
1125
546
      continue;
1126
0
    comp = &state->newkeys[mode]->comp;
1127
0
    if (comp && !comp->enabled && comp->type == COMP_DELAYED) {
1128
0
      if ((r = ssh_packet_init_compression(ssh)) != 0)
1129
0
        return r;
1130
0
      if (mode == MODE_OUT) {
1131
0
        if ((r = start_compression_out(ssh, 6)) != 0)
1132
0
          return r;
1133
0
      } else {
1134
0
        if ((r = start_compression_in(ssh)) != 0)
1135
0
          return r;
1136
0
      }
1137
0
      comp->enabled = 1;
1138
0
    }
1139
0
  }
1140
273
  return 0;
1141
273
}
1142
1143
/* Used to mute debug logging for noisy packet types */
1144
int
1145
ssh_packet_log_type(u_char type)
1146
3.01M
{
1147
3.01M
  switch (type) {
1148
190
  case SSH2_MSG_PING:
1149
335
  case SSH2_MSG_PONG:
1150
450
  case SSH2_MSG_CHANNEL_DATA:
1151
565
  case SSH2_MSG_CHANNEL_EXTENDED_DATA:
1152
800
  case SSH2_MSG_CHANNEL_WINDOW_ADJUST:
1153
800
    return 0;
1154
3.01M
  default:
1155
3.01M
    return 1;
1156
3.01M
  }
1157
3.01M
}
1158
1159
/*
1160
 * Finalize packet in SSH2 format (compress, mac, encrypt, enqueue)
1161
 */
1162
int
1163
ssh_packet_send2_wrapped(struct ssh *ssh)
1164
1.51M
{
1165
1.51M
  struct session_state *state = ssh->state;
1166
1.51M
  u_char type, *cp, macbuf[SSH_DIGEST_MAX_LENGTH];
1167
1.51M
  u_char tmp, padlen, pad = 0;
1168
1.51M
  u_int authlen = 0, aadlen = 0;
1169
1.51M
  u_int len;
1170
1.51M
  struct sshenc *enc   = NULL;
1171
1.51M
  struct sshmac *mac   = NULL;
1172
1.51M
  struct sshcomp *comp = NULL;
1173
1.51M
  int r, block_size;
1174
1175
1.51M
  if (state->newkeys[MODE_OUT] != NULL) {
1176
660k
    enc  = &state->newkeys[MODE_OUT]->enc;
1177
660k
    mac  = &state->newkeys[MODE_OUT]->mac;
1178
660k
    comp = &state->newkeys[MODE_OUT]->comp;
1179
    /* disable mac for authenticated encryption */
1180
660k
    if ((authlen = cipher_authlen(enc->cipher)) != 0)
1181
0
      mac = NULL;
1182
660k
  }
1183
1.51M
  block_size = enc ? enc->block_size : 8;
1184
1.51M
  aadlen = (mac && mac->enabled && mac->etm) || authlen ? 4 : 0;
1185
1186
1.51M
  type = (sshbuf_ptr(state->outgoing_packet))[5];
1187
1.51M
  if (ssh_packet_log_type(type))
1188
1.51M
    debug3("send packet: type %u", type);
1189
#ifdef PACKET_DEBUG
1190
  fprintf(stderr, "plain:     ");
1191
  sshbuf_dump(state->outgoing_packet, stderr);
1192
#endif
1193
1194
1.51M
  if (comp && comp->enabled) {
1195
0
    len = sshbuf_len(state->outgoing_packet);
1196
    /* skip header, compress only payload */
1197
0
    if ((r = sshbuf_consume(state->outgoing_packet, 5)) != 0)
1198
0
      goto out;
1199
0
    sshbuf_reset(state->compression_buffer);
1200
0
    if ((r = compress_buffer(ssh, state->outgoing_packet,
1201
0
        state->compression_buffer)) != 0)
1202
0
      goto out;
1203
0
    sshbuf_reset(state->outgoing_packet);
1204
0
    if ((r = sshbuf_put(state->outgoing_packet,
1205
0
        "\0\0\0\0\0", 5)) != 0 ||
1206
0
        (r = sshbuf_putb(state->outgoing_packet,
1207
0
        state->compression_buffer)) != 0)
1208
0
      goto out;
1209
0
    DBG(debug("compression: raw %d compressed %zd", len,
1210
0
        sshbuf_len(state->outgoing_packet)));
1211
0
  }
1212
1213
  /* sizeof (packet_len + pad_len + payload) */
1214
1.51M
  len = sshbuf_len(state->outgoing_packet);
1215
1216
  /*
1217
   * calc size of padding, alloc space, get random data,
1218
   * minimum padding is 4 bytes
1219
   */
1220
1.51M
  len -= aadlen; /* packet length is not encrypted for EtM modes */
1221
1.51M
  padlen = block_size - (len % block_size);
1222
1.51M
  if (padlen < 4)
1223
397k
    padlen += block_size;
1224
1.51M
  if (state->extra_pad) {
1225
0
    tmp = state->extra_pad;
1226
0
    state->extra_pad =
1227
0
        ROUNDUP(state->extra_pad, block_size);
1228
    /* check if roundup overflowed */
1229
0
    if (state->extra_pad < tmp)
1230
0
      return SSH_ERR_INVALID_ARGUMENT;
1231
0
    tmp = (len + padlen) % state->extra_pad;
1232
    /* Check whether pad calculation below will underflow */
1233
0
    if (tmp > state->extra_pad)
1234
0
      return SSH_ERR_INVALID_ARGUMENT;
1235
0
    pad = state->extra_pad - tmp;
1236
0
    DBG(debug3_f("adding %d (len %d padlen %d extra_pad %d)",
1237
0
        pad, len, padlen, state->extra_pad));
1238
0
    tmp = padlen;
1239
0
    padlen += pad;
1240
    /* Check whether padlen calculation overflowed */
1241
0
    if (padlen < tmp)
1242
0
      return SSH_ERR_INVALID_ARGUMENT; /* overflow */
1243
0
    state->extra_pad = 0;
1244
0
  }
1245
1.51M
  if ((r = sshbuf_reserve(state->outgoing_packet, padlen, &cp)) != 0)
1246
0
    goto out;
1247
1.51M
  if (enc && !cipher_ctx_is_plaintext(state->send_context)) {
1248
    /* random padding */
1249
0
    arc4random_buf(cp, padlen);
1250
1.51M
  } else {
1251
    /* clear padding */
1252
1.51M
    explicit_bzero(cp, padlen);
1253
1.51M
  }
1254
  /* sizeof (packet_len + pad_len + payload + padding) */
1255
1.51M
  len = sshbuf_len(state->outgoing_packet);
1256
1.51M
  cp = sshbuf_mutable_ptr(state->outgoing_packet);
1257
1.51M
  if (cp == NULL) {
1258
0
    r = SSH_ERR_INTERNAL_ERROR;
1259
0
    goto out;
1260
0
  }
1261
  /* packet_length includes payload, padding and padding length field */
1262
1.51M
  POKE_U32(cp, len - 4);
1263
1.51M
  cp[4] = padlen;
1264
1.51M
  DBG(debug("send: len %d (includes padlen %d, aadlen %d)",
1265
1.51M
      len, padlen, aadlen));
1266
1267
  /* compute MAC over seqnr and packet(length fields, payload, padding) */
1268
1.51M
  if (mac && mac->enabled && !mac->etm) {
1269
276k
    if ((r = mac_compute(mac, state->p_send.seqnr,
1270
276k
        sshbuf_ptr(state->outgoing_packet), len,
1271
276k
        macbuf, sizeof(macbuf))) != 0)
1272
0
      goto out;
1273
276k
    DBG(debug("done calc MAC out #%d", state->p_send.seqnr));
1274
276k
  }
1275
  /* encrypt packet and append to output buffer. */
1276
1.51M
  if ((r = sshbuf_reserve(state->output,
1277
1.51M
      sshbuf_len(state->outgoing_packet) + authlen, &cp)) != 0)
1278
0
    goto out;
1279
1.51M
  if ((r = cipher_crypt(state->send_context, state->p_send.seqnr, cp,
1280
1.51M
      sshbuf_ptr(state->outgoing_packet),
1281
1.51M
      len - aadlen, aadlen, authlen)) != 0)
1282
0
    goto out;
1283
  /* append unencrypted MAC */
1284
1.51M
  if (mac && mac->enabled) {
1285
660k
    if (mac->etm) {
1286
      /* EtM: compute mac over aadlen + cipher text */
1287
384k
      if ((r = mac_compute(mac, state->p_send.seqnr,
1288
384k
          cp, len, macbuf, sizeof(macbuf))) != 0)
1289
0
        goto out;
1290
384k
      DBG(debug("done calc MAC(EtM) out #%d",
1291
384k
          state->p_send.seqnr));
1292
384k
    }
1293
660k
    if ((r = sshbuf_put(state->output, macbuf, mac->mac_len)) != 0)
1294
0
      goto out;
1295
660k
  }
1296
#ifdef PACKET_DEBUG
1297
  fprintf(stderr, "encrypted: ");
1298
  sshbuf_dump(state->output, stderr);
1299
#endif
1300
  /* increment sequence number for outgoing packets */
1301
1.51M
  if (++state->p_send.seqnr == 0) {
1302
0
    if ((ssh->kex->flags & KEX_INITIAL) != 0) {
1303
0
      ssh_packet_disconnect(ssh, "outgoing sequence number "
1304
0
          "wrapped during initial key exchange");
1305
0
    }
1306
0
    logit("outgoing seqnr wraps around");
1307
0
  }
1308
1.51M
  if (++state->p_send.packets == 0)
1309
0
    if (!(ssh->compat & SSH_BUG_NOREKEY))
1310
0
      return SSH_ERR_NEED_REKEY;
1311
1.51M
  state->p_send.blocks += len / block_size;
1312
1.51M
  state->p_send.bytes += len;
1313
1.51M
  sshbuf_reset(state->outgoing_packet);
1314
1315
1.51M
  if (type == SSH2_MSG_NEWKEYS && ssh->kex->kex_strict) {
1316
104
    debug_f("resetting send seqnr %u", state->p_send.seqnr);
1317
104
    state->p_send.seqnr = 0;
1318
104
  }
1319
1320
1.51M
  if (type == SSH2_MSG_NEWKEYS)
1321
744
    r = ssh_set_newkeys(ssh, MODE_OUT);
1322
1.51M
  else if (type == SSH2_MSG_USERAUTH_SUCCESS && state->server_side)
1323
0
    r = ssh_packet_enable_delayed_compress(ssh);
1324
1.51M
  else
1325
1.51M
    r = 0;
1326
1.51M
 out:
1327
1.51M
  return r;
1328
1.51M
}
1329
1330
/* returns non-zero if the specified packet type is usec by KEX */
1331
static int
1332
ssh_packet_type_is_kex(u_char type)
1333
2.36M
{
1334
2.36M
  return
1335
2.36M
      type >= SSH2_MSG_TRANSPORT_MIN &&
1336
2.36M
      type <= SSH2_MSG_TRANSPORT_MAX &&
1337
2.36M
      type != SSH2_MSG_SERVICE_REQUEST &&
1338
2.36M
      type != SSH2_MSG_SERVICE_ACCEPT &&
1339
2.36M
      type != SSH2_MSG_EXT_INFO;
1340
2.36M
}
1341
1342
int
1343
ssh_packet_send2(struct ssh *ssh)
1344
1.51M
{
1345
1.51M
  struct session_state *state = ssh->state;
1346
1.51M
  struct packet *p;
1347
1.51M
  u_char type;
1348
1.51M
  int r, need_rekey;
1349
1350
1.51M
  if (sshbuf_len(state->outgoing_packet) < 6)
1351
0
    return SSH_ERR_INTERNAL_ERROR;
1352
1.51M
  type = sshbuf_ptr(state->outgoing_packet)[5];
1353
1.51M
  need_rekey = !ssh_packet_type_is_kex(type) &&
1354
1.51M
      ssh_packet_need_rekeying(ssh, sshbuf_len(state->outgoing_packet));
1355
1356
  /*
1357
   * During rekeying we can only send key exchange messages.
1358
   * Queue everything else.
1359
   */
1360
1.51M
  if ((need_rekey || state->rekeying) && !ssh_packet_type_is_kex(type)) {
1361
0
    if (need_rekey)
1362
0
      debug3_f("rekex triggered");
1363
0
    debug("enqueue packet: %u", type);
1364
0
    p = calloc(1, sizeof(*p));
1365
0
    if (p == NULL)
1366
0
      return SSH_ERR_ALLOC_FAIL;
1367
0
    p->type = type;
1368
0
    p->payload = state->outgoing_packet;
1369
0
    TAILQ_INSERT_TAIL(&state->outgoing, p, next);
1370
0
    state->outgoing_packet = sshbuf_new();
1371
0
    if (state->outgoing_packet == NULL)
1372
0
      return SSH_ERR_ALLOC_FAIL;
1373
0
    if (need_rekey) {
1374
      /*
1375
       * This packet triggered a rekey, so send the
1376
       * KEXINIT now.
1377
       * NB. reenters this function via kex_start_rekex().
1378
       */
1379
0
      return kex_start_rekex(ssh);
1380
0
    }
1381
0
    return 0;
1382
0
  }
1383
1384
  /* rekeying starts with sending KEXINIT */
1385
1.51M
  if (type == SSH2_MSG_KEXINIT)
1386
87.5k
    state->rekeying = 1;
1387
1388
1.51M
  if ((r = ssh_packet_send2_wrapped(ssh)) != 0)
1389
0
    return r;
1390
1391
  /* after a NEWKEYS message we can send the complete queue */
1392
1.51M
  if (type == SSH2_MSG_NEWKEYS) {
1393
744
    state->rekeying = 0;
1394
744
    state->rekey_time = monotime();
1395
744
    while ((p = TAILQ_FIRST(&state->outgoing))) {
1396
0
      type = p->type;
1397
      /*
1398
       * If this packet triggers a rekex, then skip the
1399
       * remaining packets in the queue for now.
1400
       * NB. re-enters this function via kex_start_rekex.
1401
       */
1402
0
      if (ssh_packet_need_rekeying(ssh,
1403
0
          sshbuf_len(p->payload))) {
1404
0
        debug3_f("queued packet triggered rekex");
1405
0
        return kex_start_rekex(ssh);
1406
0
      }
1407
0
      debug("dequeue packet: %u", type);
1408
0
      sshbuf_free(state->outgoing_packet);
1409
0
      state->outgoing_packet = p->payload;
1410
0
      TAILQ_REMOVE(&state->outgoing, p, next);
1411
0
      memset(p, 0, sizeof(*p));
1412
0
      free(p);
1413
0
      if ((r = ssh_packet_send2_wrapped(ssh)) != 0)
1414
0
        return r;
1415
0
    }
1416
744
  }
1417
1.51M
  return 0;
1418
1.51M
}
1419
1420
/*
1421
 * Waits until a packet has been received, and returns its type.  Note that
1422
 * no other data is processed until this returns, so this function should not
1423
 * be used during the interactive session.
1424
 */
1425
1426
int
1427
ssh_packet_read_seqnr(struct ssh *ssh, u_char *typep, u_int32_t *seqnr_p)
1428
0
{
1429
0
  struct session_state *state = ssh->state;
1430
0
  int len, r, ms_remain = 0;
1431
0
  struct pollfd pfd;
1432
0
  char buf[8192];
1433
0
  struct timeval start;
1434
0
  struct timespec timespec, *timespecp = NULL;
1435
1436
0
  DBG(debug("packet_read()"));
1437
1438
  /*
1439
   * Since we are blocking, ensure that all written packets have
1440
   * been sent.
1441
   */
1442
0
  if ((r = ssh_packet_write_wait(ssh)) != 0)
1443
0
    goto out;
1444
1445
  /* Stay in the loop until we have received a complete packet. */
1446
0
  for (;;) {
1447
    /* Try to read a packet from the buffer. */
1448
0
    if ((r = ssh_packet_read_poll_seqnr(ssh, typep, seqnr_p)) != 0)
1449
0
      break;
1450
    /* If we got a packet, return it. */
1451
0
    if (*typep != SSH_MSG_NONE)
1452
0
      break;
1453
    /*
1454
     * Otherwise, wait for some data to arrive, add it to the
1455
     * buffer, and try again.
1456
     */
1457
0
    pfd.fd = state->connection_in;
1458
0
    pfd.events = POLLIN;
1459
1460
0
    if (state->packet_timeout_ms > 0) {
1461
0
      ms_remain = state->packet_timeout_ms;
1462
0
      timespecp = &timespec;
1463
0
    }
1464
    /* Wait for some data to arrive. */
1465
0
    for (;;) {
1466
0
      if (state->packet_timeout_ms > 0) {
1467
0
        ms_to_timespec(&timespec, ms_remain);
1468
0
        monotime_tv(&start);
1469
0
      }
1470
0
      if ((r = ppoll(&pfd, 1, timespecp, NULL)) >= 0)
1471
0
        break;
1472
0
      if (errno != EAGAIN && errno != EINTR &&
1473
0
          errno != EWOULDBLOCK) {
1474
0
        r = SSH_ERR_SYSTEM_ERROR;
1475
0
        goto out;
1476
0
      }
1477
0
      if (state->packet_timeout_ms <= 0)
1478
0
        continue;
1479
0
      ms_subtract_diff(&start, &ms_remain);
1480
0
      if (ms_remain <= 0) {
1481
0
        r = 0;
1482
0
        break;
1483
0
      }
1484
0
    }
1485
0
    if (r == 0) {
1486
0
      r = SSH_ERR_CONN_TIMEOUT;
1487
0
      goto out;
1488
0
    }
1489
    /* Read data from the socket. */
1490
0
    len = read(state->connection_in, buf, sizeof(buf));
1491
0
    if (len == 0) {
1492
0
      r = SSH_ERR_CONN_CLOSED;
1493
0
      goto out;
1494
0
    }
1495
0
    if (len == -1) {
1496
0
      r = SSH_ERR_SYSTEM_ERROR;
1497
0
      goto out;
1498
0
    }
1499
1500
    /* Append it to the buffer. */
1501
0
    if ((r = ssh_packet_process_incoming(ssh, buf, len)) != 0)
1502
0
      goto out;
1503
0
  }
1504
0
 out:
1505
0
  return r;
1506
0
}
1507
1508
int
1509
ssh_packet_read(struct ssh *ssh)
1510
0
{
1511
0
  u_char type;
1512
0
  int r;
1513
1514
0
  if ((r = ssh_packet_read_seqnr(ssh, &type, NULL)) != 0)
1515
0
    fatal_fr(r, "read");
1516
0
  return type;
1517
0
}
1518
1519
static int
1520
ssh_packet_read_poll2_mux(struct ssh *ssh, u_char *typep, u_int32_t *seqnr_p)
1521
0
{
1522
0
  struct session_state *state = ssh->state;
1523
0
  const u_char *cp;
1524
0
  size_t need;
1525
0
  int r;
1526
1527
0
  if (ssh->kex)
1528
0
    return SSH_ERR_INTERNAL_ERROR;
1529
0
  *typep = SSH_MSG_NONE;
1530
0
  cp = sshbuf_ptr(state->input);
1531
0
  if (state->packlen == 0) {
1532
0
    if (sshbuf_len(state->input) < 4 + 1)
1533
0
      return 0; /* packet is incomplete */
1534
0
    state->packlen = PEEK_U32(cp);
1535
0
    if (state->packlen < 4 + 1 ||
1536
0
        state->packlen > PACKET_MAX_SIZE)
1537
0
      return SSH_ERR_MESSAGE_INCOMPLETE;
1538
0
  }
1539
0
  need = state->packlen + 4;
1540
0
  if (sshbuf_len(state->input) < need)
1541
0
    return 0; /* packet is incomplete */
1542
0
  sshbuf_reset(state->incoming_packet);
1543
0
  if ((r = sshbuf_put(state->incoming_packet, cp + 4,
1544
0
      state->packlen)) != 0 ||
1545
0
      (r = sshbuf_consume(state->input, need)) != 0 ||
1546
0
      (r = sshbuf_get_u8(state->incoming_packet, NULL)) != 0 ||
1547
0
      (r = sshbuf_get_u8(state->incoming_packet, typep)) != 0)
1548
0
    return r;
1549
0
  if (ssh_packet_log_type(*typep))
1550
0
    debug3_f("type %u", *typep);
1551
  /* sshbuf_dump(state->incoming_packet, stderr); */
1552
  /* reset for next packet */
1553
0
  state->packlen = 0;
1554
0
  return r;
1555
0
}
1556
1557
int
1558
ssh_packet_read_poll2(struct ssh *ssh, u_char *typep, u_int32_t *seqnr_p)
1559
1.52M
{
1560
1.52M
  struct session_state *state = ssh->state;
1561
1.52M
  u_int padlen, need;
1562
1.52M
  u_char *cp;
1563
1.52M
  u_int maclen, aadlen = 0, authlen = 0, block_size;
1564
1.52M
  struct sshenc *enc   = NULL;
1565
1.52M
  struct sshmac *mac   = NULL;
1566
1.52M
  struct sshcomp *comp = NULL;
1567
1.52M
  int r;
1568
1569
1.52M
  if (state->mux)
1570
0
    return ssh_packet_read_poll2_mux(ssh, typep, seqnr_p);
1571
1572
1.52M
  *typep = SSH_MSG_NONE;
1573
1574
1.52M
  if (state->packet_discard)
1575
0
    return 0;
1576
1577
1.52M
  if (state->newkeys[MODE_IN] != NULL) {
1578
335
    enc  = &state->newkeys[MODE_IN]->enc;
1579
335
    mac  = &state->newkeys[MODE_IN]->mac;
1580
335
    comp = &state->newkeys[MODE_IN]->comp;
1581
    /* disable mac for authenticated encryption */
1582
335
    if ((authlen = cipher_authlen(enc->cipher)) != 0)
1583
0
      mac = NULL;
1584
335
  }
1585
1.52M
  maclen = mac && mac->enabled ? mac->mac_len : 0;
1586
1.52M
  block_size = enc ? enc->block_size : 8;
1587
1.52M
  aadlen = (mac && mac->enabled && mac->etm) || authlen ? 4 : 0;
1588
1589
1.52M
  if (aadlen && state->packlen == 0) {
1590
172
    if (cipher_get_length(state->receive_context,
1591
172
        &state->packlen, state->p_read.seqnr,
1592
172
        sshbuf_ptr(state->input), sshbuf_len(state->input)) != 0)
1593
0
      return 0;
1594
172
    if (state->packlen < 1 + 4 ||
1595
172
        state->packlen > PACKET_MAX_SIZE) {
1596
#ifdef PACKET_DEBUG
1597
      sshbuf_dump(state->input, stderr);
1598
#endif
1599
49
      logit("Bad packet length %u.", state->packlen);
1600
49
      if ((r = sshpkt_disconnect(ssh, "Packet corrupt")) != 0)
1601
0
        return r;
1602
49
      return SSH_ERR_CONN_CORRUPT;
1603
49
    }
1604
123
    sshbuf_reset(state->incoming_packet);
1605
1.52M
  } else if (state->packlen == 0) {
1606
    /*
1607
     * check if input size is less than the cipher block size,
1608
     * decrypt first block and extract length of incoming packet
1609
     */
1610
1.52M
    if (sshbuf_len(state->input) < block_size)
1611
17.0k
      return 0;
1612
1.51M
    sshbuf_reset(state->incoming_packet);
1613
1.51M
    if ((r = sshbuf_reserve(state->incoming_packet, block_size,
1614
1.51M
        &cp)) != 0)
1615
0
      goto out;
1616
1.51M
    if ((r = cipher_crypt(state->receive_context,
1617
1.51M
        state->p_send.seqnr, cp, sshbuf_ptr(state->input),
1618
1.51M
        block_size, 0, 0)) != 0)
1619
0
      goto out;
1620
1.51M
    state->packlen = PEEK_U32(sshbuf_ptr(state->incoming_packet));
1621
1.51M
    if (state->packlen < 1 + 4 ||
1622
1.51M
        state->packlen > PACKET_MAX_SIZE) {
1623
#ifdef PACKET_DEBUG
1624
      fprintf(stderr, "input: \n");
1625
      sshbuf_dump(state->input, stderr);
1626
      fprintf(stderr, "incoming_packet: \n");
1627
      sshbuf_dump(state->incoming_packet, stderr);
1628
#endif
1629
7.95k
      logit("Bad packet length %u.", state->packlen);
1630
7.95k
      return ssh_packet_start_discard(ssh, enc, mac, 0,
1631
7.95k
          PACKET_MAX_SIZE);
1632
7.95k
    }
1633
1.50M
    if ((r = sshbuf_consume(state->input, block_size)) != 0)
1634
0
      goto out;
1635
1.50M
  }
1636
1.50M
  DBG(debug("input: packet len %u", state->packlen+4));
1637
1638
1.50M
  if (aadlen) {
1639
    /* only the payload is encrypted */
1640
149
    need = state->packlen;
1641
1.50M
  } else {
1642
    /*
1643
     * the payload size and the payload are encrypted, but we
1644
     * have a partial packet of block_size bytes
1645
     */
1646
1.50M
    need = 4 + state->packlen - block_size;
1647
1.50M
  }
1648
1.50M
  DBG(debug("partial packet: block %d, need %d, maclen %d, authlen %d,"
1649
1.50M
      " aadlen %d", block_size, need, maclen, authlen, aadlen));
1650
1.50M
  if (need % block_size != 0) {
1651
742
    logit("padding error: need %d block %d mod %d",
1652
742
        need, block_size, need % block_size);
1653
742
    return ssh_packet_start_discard(ssh, enc, mac, 0,
1654
742
        PACKET_MAX_SIZE - block_size);
1655
742
  }
1656
  /*
1657
   * check if the entire packet has been received and
1658
   * decrypt into incoming_packet:
1659
   * 'aadlen' bytes are unencrypted, but authenticated.
1660
   * 'need' bytes are encrypted, followed by either
1661
   * 'authlen' bytes of authentication tag or
1662
   * 'maclen' bytes of message authentication code.
1663
   */
1664
1.50M
  if (sshbuf_len(state->input) < aadlen + need + authlen + maclen)
1665
3.67k
    return 0; /* packet is incomplete */
1666
#ifdef PACKET_DEBUG
1667
  fprintf(stderr, "read_poll enc/full: ");
1668
  sshbuf_dump(state->input, stderr);
1669
#endif
1670
  /* EtM: check mac over encrypted input */
1671
1.50M
  if (mac && mac->enabled && mac->etm) {
1672
90
    if ((r = mac_check(mac, state->p_read.seqnr,
1673
90
        sshbuf_ptr(state->input), aadlen + need,
1674
90
        sshbuf_ptr(state->input) + aadlen + need + authlen,
1675
90
        maclen)) != 0) {
1676
90
      if (r == SSH_ERR_MAC_INVALID)
1677
90
        logit("Corrupted MAC on input.");
1678
90
      goto out;
1679
90
    }
1680
90
  }
1681
1.50M
  if ((r = sshbuf_reserve(state->incoming_packet, aadlen + need,
1682
1.50M
      &cp)) != 0)
1683
0
    goto out;
1684
1.50M
  if ((r = cipher_crypt(state->receive_context, state->p_read.seqnr, cp,
1685
1.50M
      sshbuf_ptr(state->input), need, aadlen, authlen)) != 0)
1686
0
    goto out;
1687
1.50M
  if ((r = sshbuf_consume(state->input, aadlen + need + authlen)) != 0)
1688
0
    goto out;
1689
1.50M
  if (mac && mac->enabled) {
1690
    /* Not EtM: check MAC over cleartext */
1691
121
    if (!mac->etm && (r = mac_check(mac, state->p_read.seqnr,
1692
121
        sshbuf_ptr(state->incoming_packet),
1693
121
        sshbuf_len(state->incoming_packet),
1694
121
        sshbuf_ptr(state->input), maclen)) != 0) {
1695
121
      if (r != SSH_ERR_MAC_INVALID)
1696
0
        goto out;
1697
121
      logit("Corrupted MAC on input.");
1698
121
      if (need + block_size > PACKET_MAX_SIZE)
1699
0
        return SSH_ERR_INTERNAL_ERROR;
1700
121
      return ssh_packet_start_discard(ssh, enc, mac,
1701
121
          sshbuf_len(state->incoming_packet),
1702
121
          PACKET_MAX_SIZE - need - block_size);
1703
121
    }
1704
    /* Remove MAC from input buffer */
1705
0
    DBG(debug("MAC #%d ok", state->p_read.seqnr));
1706
0
    if ((r = sshbuf_consume(state->input, mac->mac_len)) != 0)
1707
0
      goto out;
1708
0
  }
1709
1710
1.50M
  if (seqnr_p != NULL)
1711
1.50M
    *seqnr_p = state->p_read.seqnr;
1712
1.50M
  if (++state->p_read.seqnr == 0) {
1713
0
    if ((ssh->kex->flags & KEX_INITIAL) != 0) {
1714
0
      ssh_packet_disconnect(ssh, "incoming sequence number "
1715
0
          "wrapped during initial key exchange");
1716
0
    }
1717
0
    logit("incoming seqnr wraps around");
1718
0
  }
1719
1.50M
  if (++state->p_read.packets == 0)
1720
0
    if (!(ssh->compat & SSH_BUG_NOREKEY))
1721
0
      return SSH_ERR_NEED_REKEY;
1722
1.50M
  state->p_read.blocks += (state->packlen + 4) / block_size;
1723
1.50M
  state->p_read.bytes += state->packlen + 4;
1724
1725
  /* get padlen */
1726
1.50M
  padlen = sshbuf_ptr(state->incoming_packet)[4];
1727
1.50M
  DBG(debug("input: padlen %d", padlen));
1728
1.50M
  if (padlen < 4)  {
1729
252
    if ((r = sshpkt_disconnect(ssh,
1730
252
        "Corrupted padlen %d on input.", padlen)) != 0 ||
1731
252
        (r = ssh_packet_write_wait(ssh)) != 0)
1732
252
      return r;
1733
0
    return SSH_ERR_CONN_CORRUPT;
1734
252
  }
1735
1736
  /* skip packet size + padlen, discard padding */
1737
1.50M
  if ((r = sshbuf_consume(state->incoming_packet, 4 + 1)) != 0 ||
1738
1.50M
      ((r = sshbuf_consume_end(state->incoming_packet, padlen)) != 0))
1739
79
    goto out;
1740
1741
1.49M
  DBG(debug("input: len before de-compress %zd",
1742
1.49M
      sshbuf_len(state->incoming_packet)));
1743
1.49M
  if (comp && comp->enabled) {
1744
0
    sshbuf_reset(state->compression_buffer);
1745
0
    if ((r = uncompress_buffer(ssh, state->incoming_packet,
1746
0
        state->compression_buffer)) != 0)
1747
0
      goto out;
1748
0
    sshbuf_reset(state->incoming_packet);
1749
0
    if ((r = sshbuf_putb(state->incoming_packet,
1750
0
        state->compression_buffer)) != 0)
1751
0
      goto out;
1752
0
    DBG(debug("input: len after de-compress %zd",
1753
0
        sshbuf_len(state->incoming_packet)));
1754
0
  }
1755
  /*
1756
   * get packet type, implies consume.
1757
   * return length of payload (without type field)
1758
   */
1759
1.49M
  if ((r = sshbuf_get_u8(state->incoming_packet, typep)) != 0)
1760
50
    goto out;
1761
1.49M
  if (ssh_packet_log_type(*typep))
1762
1.49M
    debug3("receive packet: type %u", *typep);
1763
1.49M
  if (*typep < SSH2_MSG_MIN) {
1764
124
    if ((r = sshpkt_disconnect(ssh,
1765
124
        "Invalid ssh2 packet type: %d", *typep)) != 0 ||
1766
124
        (r = ssh_packet_write_wait(ssh)) != 0)
1767
124
      return r;
1768
0
    return SSH_ERR_PROTOCOL_ERROR;
1769
124
  }
1770
1.49M
  if (state->hook_in != NULL &&
1771
1.49M
      (r = state->hook_in(ssh, state->incoming_packet, typep,
1772
0
      state->hook_in_ctx)) != 0)
1773
0
    return r;
1774
1.49M
  if (*typep == SSH2_MSG_USERAUTH_SUCCESS && !state->server_side)
1775
273
    r = ssh_packet_enable_delayed_compress(ssh);
1776
1.49M
  else
1777
1.49M
    r = 0;
1778
#ifdef PACKET_DEBUG
1779
  fprintf(stderr, "read/plain[%d]:\r\n", *typep);
1780
  sshbuf_dump(state->incoming_packet, stderr);
1781
#endif
1782
  /* reset for next packet */
1783
1.49M
  state->packlen = 0;
1784
1.49M
  if (*typep == SSH2_MSG_NEWKEYS && ssh->kex->kex_strict) {
1785
0
    debug_f("resetting read seqnr %u", state->p_read.seqnr);
1786
0
    state->p_read.seqnr = 0;
1787
0
  }
1788
1789
1.49M
  if ((r = ssh_packet_check_rekey(ssh)) != 0)
1790
0
    return r;
1791
1.49M
 out:
1792
1.49M
  return r;
1793
1.49M
}
1794
1795
int
1796
ssh_packet_read_poll_seqnr(struct ssh *ssh, u_char *typep, u_int32_t *seqnr_p)
1797
0
{
1798
0
  struct session_state *state = ssh->state;
1799
0
  u_int reason, seqnr;
1800
0
  int r;
1801
0
  u_char *msg;
1802
0
  const u_char *d;
1803
0
  size_t len;
1804
1805
0
  for (;;) {
1806
0
    msg = NULL;
1807
0
    r = ssh_packet_read_poll2(ssh, typep, seqnr_p);
1808
0
    if (r != 0)
1809
0
      return r;
1810
0
    if (*typep == 0) {
1811
      /* no message ready */
1812
0
      return 0;
1813
0
    }
1814
0
    state->keep_alive_timeouts = 0;
1815
0
    DBG(debug("received packet type %d", *typep));
1816
1817
    /* Always process disconnect messages */
1818
0
    if (*typep == SSH2_MSG_DISCONNECT) {
1819
0
      if ((r = sshpkt_get_u32(ssh, &reason)) != 0 ||
1820
0
          (r = sshpkt_get_string(ssh, &msg, NULL)) != 0)
1821
0
        return r;
1822
      /* Ignore normal client exit notifications */
1823
0
      do_log2(ssh->state->server_side &&
1824
0
          reason == SSH2_DISCONNECT_BY_APPLICATION ?
1825
0
          SYSLOG_LEVEL_INFO : SYSLOG_LEVEL_ERROR,
1826
0
          "Received disconnect from %s port %d:"
1827
0
          "%u: %.400s", ssh_remote_ipaddr(ssh),
1828
0
          ssh_remote_port(ssh), reason, msg);
1829
0
      free(msg);
1830
0
      return SSH_ERR_DISCONNECTED;
1831
0
    }
1832
1833
    /*
1834
     * Do not implicitly handle any messages here during initial
1835
     * KEX when in strict mode. They will be need to be allowed
1836
     * explicitly by the KEX dispatch table or they will generate
1837
     * protocol errors.
1838
     */
1839
0
    if (ssh->kex != NULL &&
1840
0
        (ssh->kex->flags & KEX_INITIAL) && ssh->kex->kex_strict)
1841
0
      return 0;
1842
    /* Implicitly handle transport-level messages */
1843
0
    switch (*typep) {
1844
0
    case SSH2_MSG_IGNORE:
1845
0
      debug3("Received SSH2_MSG_IGNORE");
1846
0
      break;
1847
0
    case SSH2_MSG_DEBUG:
1848
0
      if ((r = sshpkt_get_u8(ssh, NULL)) != 0 ||
1849
0
          (r = sshpkt_get_string(ssh, &msg, NULL)) != 0 ||
1850
0
          (r = sshpkt_get_string(ssh, NULL, NULL)) != 0) {
1851
0
        free(msg);
1852
0
        return r;
1853
0
      }
1854
0
      debug("Remote: %.900s", msg);
1855
0
      free(msg);
1856
0
      break;
1857
0
    case SSH2_MSG_UNIMPLEMENTED:
1858
0
      if ((r = sshpkt_get_u32(ssh, &seqnr)) != 0)
1859
0
        return r;
1860
0
      debug("Received SSH2_MSG_UNIMPLEMENTED for %u",
1861
0
          seqnr);
1862
0
      break;
1863
0
    case SSH2_MSG_PING:
1864
0
      if ((r = sshpkt_get_string_direct(ssh, &d, &len)) != 0)
1865
0
        return r;
1866
0
      DBG(debug("Received SSH2_MSG_PING len %zu", len));
1867
0
      if (!ssh->state->after_authentication) {
1868
0
        DBG(debug("Won't reply to PING in preauth"));
1869
0
        break;
1870
0
      }
1871
0
      if (ssh_packet_is_rekeying(ssh)) {
1872
0
        DBG(debug("Won't reply to PING during KEX"));
1873
0
        break;
1874
0
      }
1875
0
      if ((r = sshpkt_start(ssh, SSH2_MSG_PONG)) != 0 ||
1876
0
          (r = sshpkt_put_string(ssh, d, len)) != 0 ||
1877
0
          (r = sshpkt_send(ssh)) != 0)
1878
0
        return r;
1879
0
      break;
1880
0
    case SSH2_MSG_PONG:
1881
0
      if ((r = sshpkt_get_string_direct(ssh,
1882
0
          NULL, &len)) != 0)
1883
0
        return r;
1884
0
      DBG(debug("Received SSH2_MSG_PONG len %zu", len));
1885
0
      break;
1886
0
    default:
1887
0
      return 0;
1888
0
    }
1889
0
  }
1890
0
}
1891
1892
/*
1893
 * Buffers the supplied input data. This is intended to be used together
1894
 * with packet_read_poll().
1895
 */
1896
int
1897
ssh_packet_process_incoming(struct ssh *ssh, const char *buf, u_int len)
1898
0
{
1899
0
  struct session_state *state = ssh->state;
1900
0
  int r;
1901
1902
0
  if (state->packet_discard) {
1903
0
    state->keep_alive_timeouts = 0; /* ?? */
1904
0
    if (len >= state->packet_discard) {
1905
0
      if ((r = ssh_packet_stop_discard(ssh)) != 0)
1906
0
        return r;
1907
0
    }
1908
0
    state->packet_discard -= len;
1909
0
    return 0;
1910
0
  }
1911
0
  if ((r = sshbuf_put(state->input, buf, len)) != 0)
1912
0
    return r;
1913
1914
0
  return 0;
1915
0
}
1916
1917
/* Reads and buffers data from the specified fd */
1918
int
1919
ssh_packet_process_read(struct ssh *ssh, int fd)
1920
0
{
1921
0
  struct session_state *state = ssh->state;
1922
0
  int r;
1923
0
  size_t rlen;
1924
1925
0
  if ((r = sshbuf_read(fd, state->input, PACKET_MAX_SIZE, &rlen)) != 0)
1926
0
    return r;
1927
1928
0
  if (state->packet_discard) {
1929
0
    if ((r = sshbuf_consume_end(state->input, rlen)) != 0)
1930
0
      return r;
1931
0
    state->keep_alive_timeouts = 0; /* ?? */
1932
0
    if (rlen >= state->packet_discard) {
1933
0
      if ((r = ssh_packet_stop_discard(ssh)) != 0)
1934
0
        return r;
1935
0
    }
1936
0
    state->packet_discard -= rlen;
1937
0
    return 0;
1938
0
  }
1939
0
  return 0;
1940
0
}
1941
1942
int
1943
ssh_packet_remaining(struct ssh *ssh)
1944
0
{
1945
0
  return sshbuf_len(ssh->state->incoming_packet);
1946
0
}
1947
1948
/*
1949
 * Sends a diagnostic message from the server to the client.  This message
1950
 * can be sent at any time (but not while constructing another message). The
1951
 * message is printed immediately, but only if the client is being executed
1952
 * in verbose mode.  These messages are primarily intended to ease debugging
1953
 * authentication problems.   The length of the formatted message must not
1954
 * exceed 1024 bytes.  This will automatically call ssh_packet_write_wait.
1955
 */
1956
void
1957
ssh_packet_send_debug(struct ssh *ssh, const char *fmt,...)
1958
0
{
1959
0
  char buf[1024];
1960
0
  va_list args;
1961
0
  int r;
1962
1963
0
  if ((ssh->compat & SSH_BUG_DEBUG))
1964
0
    return;
1965
1966
0
  va_start(args, fmt);
1967
0
  vsnprintf(buf, sizeof(buf), fmt, args);
1968
0
  va_end(args);
1969
1970
0
  debug3("sending debug message: %s", buf);
1971
1972
0
  if ((r = sshpkt_start(ssh, SSH2_MSG_DEBUG)) != 0 ||
1973
0
      (r = sshpkt_put_u8(ssh, 0)) != 0 || /* always display */
1974
0
      (r = sshpkt_put_cstring(ssh, buf)) != 0 ||
1975
0
      (r = sshpkt_put_cstring(ssh, "")) != 0 ||
1976
0
      (r = sshpkt_send(ssh)) != 0 ||
1977
0
      (r = ssh_packet_write_wait(ssh)) != 0)
1978
0
    fatal_fr(r, "send DEBUG");
1979
0
}
1980
1981
void
1982
sshpkt_fmt_connection_id(struct ssh *ssh, char *s, size_t l)
1983
0
{
1984
0
  snprintf(s, l, "%.200s%s%s port %d",
1985
0
      ssh->log_preamble ? ssh->log_preamble : "",
1986
0
      ssh->log_preamble ? " " : "",
1987
0
      ssh_remote_ipaddr(ssh), ssh_remote_port(ssh));
1988
0
}
1989
1990
/*
1991
 * Pretty-print connection-terminating errors and exit.
1992
 */
1993
static void
1994
sshpkt_vfatal(struct ssh *ssh, int r, const char *fmt, va_list ap)
1995
0
{
1996
0
  char *tag = NULL, remote_id[512];
1997
0
  int oerrno = errno;
1998
1999
0
  sshpkt_fmt_connection_id(ssh, remote_id, sizeof(remote_id));
2000
2001
0
  switch (r) {
2002
0
  case SSH_ERR_CONN_CLOSED:
2003
0
    ssh_packet_clear_keys(ssh);
2004
0
    logdie("Connection closed by %s", remote_id);
2005
0
  case SSH_ERR_CONN_TIMEOUT:
2006
0
    ssh_packet_clear_keys(ssh);
2007
0
    logdie("Connection %s %s timed out",
2008
0
        ssh->state->server_side ? "from" : "to", remote_id);
2009
0
  case SSH_ERR_DISCONNECTED:
2010
0
    ssh_packet_clear_keys(ssh);
2011
0
    logdie("Disconnected from %s", remote_id);
2012
0
  case SSH_ERR_SYSTEM_ERROR:
2013
0
    if (errno == ECONNRESET) {
2014
0
      ssh_packet_clear_keys(ssh);
2015
0
      logdie("Connection reset by %s", remote_id);
2016
0
    }
2017
    /* FALLTHROUGH */
2018
0
  case SSH_ERR_NO_CIPHER_ALG_MATCH:
2019
0
  case SSH_ERR_NO_MAC_ALG_MATCH:
2020
0
  case SSH_ERR_NO_COMPRESS_ALG_MATCH:
2021
0
  case SSH_ERR_NO_KEX_ALG_MATCH:
2022
0
  case SSH_ERR_NO_HOSTKEY_ALG_MATCH:
2023
0
    if (ssh->kex && ssh->kex->failed_choice) {
2024
0
      ssh_packet_clear_keys(ssh);
2025
0
      errno = oerrno;
2026
0
      logdie("Unable to negotiate with %s: %s. "
2027
0
          "Their offer: %s", remote_id, ssh_err(r),
2028
0
          ssh->kex->failed_choice);
2029
0
    }
2030
    /* FALLTHROUGH */
2031
0
  default:
2032
0
    if (vasprintf(&tag, fmt, ap) == -1) {
2033
0
      ssh_packet_clear_keys(ssh);
2034
0
      logdie_f("could not allocate failure message");
2035
0
    }
2036
0
    ssh_packet_clear_keys(ssh);
2037
0
    errno = oerrno;
2038
0
    logdie_r(r, "%s%sConnection %s %s",
2039
0
        tag != NULL ? tag : "", tag != NULL ? ": " : "",
2040
0
        ssh->state->server_side ? "from" : "to", remote_id);
2041
0
  }
2042
0
}
2043
2044
void
2045
sshpkt_fatal(struct ssh *ssh, int r, const char *fmt, ...)
2046
0
{
2047
0
  va_list ap;
2048
2049
0
  va_start(ap, fmt);
2050
0
  sshpkt_vfatal(ssh, r, fmt, ap);
2051
  /* NOTREACHED */
2052
0
  va_end(ap);
2053
0
  logdie_f("should have exited");
2054
0
}
2055
2056
/*
2057
 * Logs the error plus constructs and sends a disconnect packet, closes the
2058
 * connection, and exits.  This function never returns. The error message
2059
 * should not contain a newline.  The length of the formatted message must
2060
 * not exceed 1024 bytes.
2061
 */
2062
void
2063
ssh_packet_disconnect(struct ssh *ssh, const char *fmt,...)
2064
0
{
2065
0
  char buf[1024], remote_id[512];
2066
0
  va_list args;
2067
0
  static int disconnecting = 0;
2068
0
  int r;
2069
2070
0
  if (disconnecting) /* Guard against recursive invocations. */
2071
0
    fatal("packet_disconnect called recursively.");
2072
0
  disconnecting = 1;
2073
2074
  /*
2075
   * Format the message.  Note that the caller must make sure the
2076
   * message is of limited size.
2077
   */
2078
0
  sshpkt_fmt_connection_id(ssh, remote_id, sizeof(remote_id));
2079
0
  va_start(args, fmt);
2080
0
  vsnprintf(buf, sizeof(buf), fmt, args);
2081
0
  va_end(args);
2082
2083
  /* Display the error locally */
2084
0
  logit("Disconnecting %s: %.100s", remote_id, buf);
2085
2086
  /*
2087
   * Send the disconnect message to the other side, and wait
2088
   * for it to get sent.
2089
   */
2090
0
  if ((r = sshpkt_disconnect(ssh, "%s", buf)) != 0)
2091
0
    sshpkt_fatal(ssh, r, "%s", __func__);
2092
2093
0
  if ((r = ssh_packet_write_wait(ssh)) != 0)
2094
0
    sshpkt_fatal(ssh, r, "%s", __func__);
2095
2096
  /* Close the connection. */
2097
0
  ssh_packet_close(ssh);
2098
0
  cleanup_exit(255);
2099
0
}
2100
2101
/*
2102
 * Checks if there is any buffered output, and tries to write some of
2103
 * the output.
2104
 */
2105
int
2106
ssh_packet_write_poll(struct ssh *ssh)
2107
376
{
2108
376
  struct session_state *state = ssh->state;
2109
376
  int len = sshbuf_len(state->output);
2110
376
  int r;
2111
2112
376
  if (len > 0) {
2113
376
    len = write(state->connection_out,
2114
376
        sshbuf_ptr(state->output), len);
2115
376
    if (len == -1) {
2116
376
      if (errno == EINTR || errno == EAGAIN ||
2117
376
          errno == EWOULDBLOCK)
2118
0
        return 0;
2119
376
      return SSH_ERR_SYSTEM_ERROR;
2120
376
    }
2121
0
    if (len == 0)
2122
0
      return SSH_ERR_CONN_CLOSED;
2123
0
    if ((r = sshbuf_consume(state->output, len)) != 0)
2124
0
      return r;
2125
0
  }
2126
0
  return 0;
2127
376
}
2128
2129
/*
2130
 * Calls packet_write_poll repeatedly until all pending output data has been
2131
 * written.
2132
 */
2133
int
2134
ssh_packet_write_wait(struct ssh *ssh)
2135
376
{
2136
376
  int ret, r, ms_remain = 0;
2137
376
  struct timeval start;
2138
376
  struct timespec timespec, *timespecp = NULL;
2139
376
  struct session_state *state = ssh->state;
2140
376
  struct pollfd pfd;
2141
2142
376
  if ((r = ssh_packet_write_poll(ssh)) != 0)
2143
376
    return r;
2144
0
  while (ssh_packet_have_data_to_write(ssh)) {
2145
0
    pfd.fd = state->connection_out;
2146
0
    pfd.events = POLLOUT;
2147
2148
0
    if (state->packet_timeout_ms > 0) {
2149
0
      ms_remain = state->packet_timeout_ms;
2150
0
      timespecp = &timespec;
2151
0
    }
2152
0
    for (;;) {
2153
0
      if (state->packet_timeout_ms > 0) {
2154
0
        ms_to_timespec(&timespec, ms_remain);
2155
0
        monotime_tv(&start);
2156
0
      }
2157
0
      if ((ret = ppoll(&pfd, 1, timespecp, NULL)) >= 0)
2158
0
        break;
2159
0
      if (errno != EAGAIN && errno != EINTR &&
2160
0
          errno != EWOULDBLOCK)
2161
0
        break;
2162
0
      if (state->packet_timeout_ms <= 0)
2163
0
        continue;
2164
0
      ms_subtract_diff(&start, &ms_remain);
2165
0
      if (ms_remain <= 0) {
2166
0
        ret = 0;
2167
0
        break;
2168
0
      }
2169
0
    }
2170
0
    if (ret == 0)
2171
0
      return SSH_ERR_CONN_TIMEOUT;
2172
0
    if ((r = ssh_packet_write_poll(ssh)) != 0)
2173
0
      return r;
2174
0
  }
2175
0
  return 0;
2176
0
}
2177
2178
/* Returns true if there is buffered data to write to the connection. */
2179
2180
int
2181
ssh_packet_have_data_to_write(struct ssh *ssh)
2182
0
{
2183
0
  return sshbuf_len(ssh->state->output) != 0;
2184
0
}
2185
2186
/* Returns true if there is not too much data to write to the connection. */
2187
2188
int
2189
ssh_packet_not_very_much_data_to_write(struct ssh *ssh)
2190
0
{
2191
0
  if (ssh->state->interactive_mode)
2192
0
    return sshbuf_len(ssh->state->output) < 16384;
2193
0
  else
2194
0
    return sshbuf_len(ssh->state->output) < 128 * 1024;
2195
0
}
2196
2197
/*
2198
 * returns true when there are at most a few keystrokes of data to write
2199
 * and the connection is in interactive mode.
2200
 */
2201
2202
int
2203
ssh_packet_interactive_data_to_write(struct ssh *ssh)
2204
0
{
2205
0
  return ssh->state->interactive_mode &&
2206
0
      sshbuf_len(ssh->state->output) < 256;
2207
0
}
2208
2209
void
2210
ssh_packet_set_tos(struct ssh *ssh, int tos)
2211
0
{
2212
0
  if (!ssh_packet_connection_is_on_socket(ssh) || tos == INT_MAX)
2213
0
    return;
2214
0
  set_sock_tos(ssh->state->connection_in, tos);
2215
0
}
2216
2217
/* Informs that the current session is interactive.  Sets IP flags for that. */
2218
2219
void
2220
ssh_packet_set_interactive(struct ssh *ssh, int interactive, int qos_interactive, int qos_bulk)
2221
0
{
2222
0
  struct session_state *state = ssh->state;
2223
2224
0
  if (state->set_interactive_called)
2225
0
    return;
2226
0
  state->set_interactive_called = 1;
2227
2228
  /* Record that we are in interactive mode. */
2229
0
  state->interactive_mode = interactive;
2230
2231
  /* Only set socket options if using a socket.  */
2232
0
  if (!ssh_packet_connection_is_on_socket(ssh))
2233
0
    return;
2234
0
  set_nodelay(state->connection_in);
2235
0
  ssh_packet_set_tos(ssh, interactive ? qos_interactive : qos_bulk);
2236
0
}
2237
2238
/* Returns true if the current connection is interactive. */
2239
2240
int
2241
ssh_packet_is_interactive(struct ssh *ssh)
2242
0
{
2243
0
  return ssh->state->interactive_mode;
2244
0
}
2245
2246
int
2247
ssh_packet_set_maxsize(struct ssh *ssh, u_int s)
2248
0
{
2249
0
  struct session_state *state = ssh->state;
2250
2251
0
  if (state->set_maxsize_called) {
2252
0
    logit_f("called twice: old %d new %d",
2253
0
        state->max_packet_size, s);
2254
0
    return -1;
2255
0
  }
2256
0
  if (s < 4 * 1024 || s > 1024 * 1024) {
2257
0
    logit_f("bad size %d", s);
2258
0
    return -1;
2259
0
  }
2260
0
  state->set_maxsize_called = 1;
2261
0
  debug_f("setting to %d", s);
2262
0
  state->max_packet_size = s;
2263
0
  return s;
2264
0
}
2265
2266
int
2267
ssh_packet_inc_alive_timeouts(struct ssh *ssh)
2268
0
{
2269
0
  return ++ssh->state->keep_alive_timeouts;
2270
0
}
2271
2272
void
2273
ssh_packet_set_alive_timeouts(struct ssh *ssh, int ka)
2274
0
{
2275
0
  ssh->state->keep_alive_timeouts = ka;
2276
0
}
2277
2278
u_int
2279
ssh_packet_get_maxsize(struct ssh *ssh)
2280
0
{
2281
0
  return ssh->state->max_packet_size;
2282
0
}
2283
2284
void
2285
ssh_packet_set_rekey_limits(struct ssh *ssh, u_int64_t bytes, u_int32_t seconds)
2286
0
{
2287
0
  debug3("rekey after %llu bytes, %u seconds", (unsigned long long)bytes,
2288
0
      (unsigned int)seconds);
2289
0
  ssh->state->rekey_limit = bytes;
2290
0
  ssh->state->rekey_interval = seconds;
2291
0
}
2292
2293
time_t
2294
ssh_packet_get_rekey_timeout(struct ssh *ssh)
2295
0
{
2296
0
  time_t seconds;
2297
2298
0
  seconds = ssh->state->rekey_time + ssh->state->rekey_interval -
2299
0
      monotime();
2300
0
  return (seconds <= 0 ? 1 : seconds);
2301
0
}
2302
2303
void
2304
ssh_packet_set_server(struct ssh *ssh)
2305
89.6k
{
2306
89.6k
  ssh->state->server_side = 1;
2307
89.6k
  ssh->kex->server = 1; /* XXX unify? */
2308
89.6k
}
2309
2310
void
2311
ssh_packet_set_authenticated(struct ssh *ssh)
2312
0
{
2313
0
  ssh->state->after_authentication = 1;
2314
0
}
2315
2316
void *
2317
ssh_packet_get_input(struct ssh *ssh)
2318
357k
{
2319
357k
  return (void *)ssh->state->input;
2320
357k
}
2321
2322
void *
2323
ssh_packet_get_output(struct ssh *ssh)
2324
475k
{
2325
475k
  return (void *)ssh->state->output;
2326
475k
}
2327
2328
/* Reset after_authentication and reset compression in post-auth privsep */
2329
static int
2330
ssh_packet_set_postauth(struct ssh *ssh)
2331
0
{
2332
0
  int r;
2333
2334
0
  debug_f("called");
2335
  /* This was set in net child, but is not visible in user child */
2336
0
  ssh->state->after_authentication = 1;
2337
0
  ssh->state->rekeying = 0;
2338
0
  if ((r = ssh_packet_enable_delayed_compress(ssh)) != 0)
2339
0
    return r;
2340
0
  return 0;
2341
0
}
2342
2343
/* Packet state (de-)serialization for privsep */
2344
2345
/* turn kex into a blob for packet state serialization */
2346
static int
2347
kex_to_blob(struct sshbuf *m, struct kex *kex)
2348
0
{
2349
0
  int r;
2350
2351
0
  if ((r = sshbuf_put_u32(m, kex->we_need)) != 0 ||
2352
0
      (r = sshbuf_put_cstring(m, kex->hostkey_alg)) != 0 ||
2353
0
      (r = sshbuf_put_u32(m, kex->hostkey_type)) != 0 ||
2354
0
      (r = sshbuf_put_u32(m, kex->hostkey_nid)) != 0 ||
2355
0
      (r = sshbuf_put_u32(m, kex->kex_type)) != 0 ||
2356
0
      (r = sshbuf_put_u32(m, kex->kex_strict)) != 0 ||
2357
0
      (r = sshbuf_put_stringb(m, kex->my)) != 0 ||
2358
0
      (r = sshbuf_put_stringb(m, kex->peer)) != 0 ||
2359
0
      (r = sshbuf_put_stringb(m, kex->client_version)) != 0 ||
2360
0
      (r = sshbuf_put_stringb(m, kex->server_version)) != 0 ||
2361
0
      (r = sshbuf_put_stringb(m, kex->session_id)) != 0 ||
2362
0
      (r = sshbuf_put_u32(m, kex->flags)) != 0)
2363
0
    return r;
2364
0
  return 0;
2365
0
}
2366
2367
/* turn key exchange results into a blob for packet state serialization */
2368
static int
2369
newkeys_to_blob(struct sshbuf *m, struct ssh *ssh, int mode)
2370
0
{
2371
0
  struct sshbuf *b;
2372
0
  struct sshcipher_ctx *cc;
2373
0
  struct sshcomp *comp;
2374
0
  struct sshenc *enc;
2375
0
  struct sshmac *mac;
2376
0
  struct newkeys *newkey;
2377
0
  int r;
2378
2379
0
  if ((newkey = ssh->state->newkeys[mode]) == NULL)
2380
0
    return SSH_ERR_INTERNAL_ERROR;
2381
0
  enc = &newkey->enc;
2382
0
  mac = &newkey->mac;
2383
0
  comp = &newkey->comp;
2384
0
  cc = (mode == MODE_OUT) ? ssh->state->send_context :
2385
0
      ssh->state->receive_context;
2386
0
  if ((r = cipher_get_keyiv(cc, enc->iv, enc->iv_len)) != 0)
2387
0
    return r;
2388
0
  if ((b = sshbuf_new()) == NULL)
2389
0
    return SSH_ERR_ALLOC_FAIL;
2390
0
  if ((r = sshbuf_put_cstring(b, enc->name)) != 0 ||
2391
0
      (r = sshbuf_put_u32(b, enc->enabled)) != 0 ||
2392
0
      (r = sshbuf_put_u32(b, enc->block_size)) != 0 ||
2393
0
      (r = sshbuf_put_string(b, enc->key, enc->key_len)) != 0 ||
2394
0
      (r = sshbuf_put_string(b, enc->iv, enc->iv_len)) != 0)
2395
0
    goto out;
2396
0
  if (cipher_authlen(enc->cipher) == 0) {
2397
0
    if ((r = sshbuf_put_cstring(b, mac->name)) != 0 ||
2398
0
        (r = sshbuf_put_u32(b, mac->enabled)) != 0 ||
2399
0
        (r = sshbuf_put_string(b, mac->key, mac->key_len)) != 0)
2400
0
      goto out;
2401
0
  }
2402
0
  if ((r = sshbuf_put_u32(b, comp->type)) != 0 ||
2403
0
      (r = sshbuf_put_cstring(b, comp->name)) != 0)
2404
0
    goto out;
2405
0
  r = sshbuf_put_stringb(m, b);
2406
0
 out:
2407
0
  sshbuf_free(b);
2408
0
  return r;
2409
0
}
2410
2411
/* serialize packet state into a blob */
2412
int
2413
ssh_packet_get_state(struct ssh *ssh, struct sshbuf *m)
2414
0
{
2415
0
  struct session_state *state = ssh->state;
2416
0
  int r;
2417
2418
0
  if ((r = kex_to_blob(m, ssh->kex)) != 0 ||
2419
0
      (r = newkeys_to_blob(m, ssh, MODE_OUT)) != 0 ||
2420
0
      (r = newkeys_to_blob(m, ssh, MODE_IN)) != 0 ||
2421
0
      (r = sshbuf_put_u64(m, state->rekey_limit)) != 0 ||
2422
0
      (r = sshbuf_put_u32(m, state->rekey_interval)) != 0 ||
2423
0
      (r = sshbuf_put_u32(m, state->p_send.seqnr)) != 0 ||
2424
0
      (r = sshbuf_put_u64(m, state->p_send.blocks)) != 0 ||
2425
0
      (r = sshbuf_put_u32(m, state->p_send.packets)) != 0 ||
2426
0
      (r = sshbuf_put_u64(m, state->p_send.bytes)) != 0 ||
2427
0
      (r = sshbuf_put_u32(m, state->p_read.seqnr)) != 0 ||
2428
0
      (r = sshbuf_put_u64(m, state->p_read.blocks)) != 0 ||
2429
0
      (r = sshbuf_put_u32(m, state->p_read.packets)) != 0 ||
2430
0
      (r = sshbuf_put_u64(m, state->p_read.bytes)) != 0 ||
2431
0
      (r = sshbuf_put_stringb(m, state->input)) != 0 ||
2432
0
      (r = sshbuf_put_stringb(m, state->output)) != 0)
2433
0
    return r;
2434
2435
0
  return 0;
2436
0
}
2437
2438
/* restore key exchange results from blob for packet state de-serialization */
2439
static int
2440
newkeys_from_blob(struct sshbuf *m, struct ssh *ssh, int mode)
2441
0
{
2442
0
  struct sshbuf *b = NULL;
2443
0
  struct sshcomp *comp;
2444
0
  struct sshenc *enc;
2445
0
  struct sshmac *mac;
2446
0
  struct newkeys *newkey = NULL;
2447
0
  size_t keylen, ivlen, maclen;
2448
0
  int r;
2449
2450
0
  if ((newkey = calloc(1, sizeof(*newkey))) == NULL) {
2451
0
    r = SSH_ERR_ALLOC_FAIL;
2452
0
    goto out;
2453
0
  }
2454
0
  if ((r = sshbuf_froms(m, &b)) != 0)
2455
0
    goto out;
2456
#ifdef DEBUG_PK
2457
  sshbuf_dump(b, stderr);
2458
#endif
2459
0
  enc = &newkey->enc;
2460
0
  mac = &newkey->mac;
2461
0
  comp = &newkey->comp;
2462
2463
0
  if ((r = sshbuf_get_cstring(b, &enc->name, NULL)) != 0 ||
2464
0
      (r = sshbuf_get_u32(b, (u_int *)&enc->enabled)) != 0 ||
2465
0
      (r = sshbuf_get_u32(b, &enc->block_size)) != 0 ||
2466
0
      (r = sshbuf_get_string(b, &enc->key, &keylen)) != 0 ||
2467
0
      (r = sshbuf_get_string(b, &enc->iv, &ivlen)) != 0)
2468
0
    goto out;
2469
0
  if ((enc->cipher = cipher_by_name(enc->name)) == NULL) {
2470
0
    r = SSH_ERR_INVALID_FORMAT;
2471
0
    goto out;
2472
0
  }
2473
0
  if (cipher_authlen(enc->cipher) == 0) {
2474
0
    if ((r = sshbuf_get_cstring(b, &mac->name, NULL)) != 0)
2475
0
      goto out;
2476
0
    if ((r = mac_setup(mac, mac->name)) != 0)
2477
0
      goto out;
2478
0
    if ((r = sshbuf_get_u32(b, (u_int *)&mac->enabled)) != 0 ||
2479
0
        (r = sshbuf_get_string(b, &mac->key, &maclen)) != 0)
2480
0
      goto out;
2481
0
    if (maclen > mac->key_len) {
2482
0
      r = SSH_ERR_INVALID_FORMAT;
2483
0
      goto out;
2484
0
    }
2485
0
    mac->key_len = maclen;
2486
0
  }
2487
0
  if ((r = sshbuf_get_u32(b, &comp->type)) != 0 ||
2488
0
      (r = sshbuf_get_cstring(b, &comp->name, NULL)) != 0)
2489
0
    goto out;
2490
0
  if (sshbuf_len(b) != 0) {
2491
0
    r = SSH_ERR_INVALID_FORMAT;
2492
0
    goto out;
2493
0
  }
2494
0
  enc->key_len = keylen;
2495
0
  enc->iv_len = ivlen;
2496
0
  ssh->kex->newkeys[mode] = newkey;
2497
0
  newkey = NULL;
2498
0
  r = 0;
2499
0
 out:
2500
0
  free(newkey);
2501
0
  sshbuf_free(b);
2502
0
  return r;
2503
0
}
2504
2505
/* restore kex from blob for packet state de-serialization */
2506
static int
2507
kex_from_blob(struct sshbuf *m, struct kex **kexp)
2508
0
{
2509
0
  struct kex *kex;
2510
0
  int r;
2511
2512
0
  if ((kex = kex_new()) == NULL)
2513
0
    return SSH_ERR_ALLOC_FAIL;
2514
0
  if ((r = sshbuf_get_u32(m, &kex->we_need)) != 0 ||
2515
0
      (r = sshbuf_get_cstring(m, &kex->hostkey_alg, NULL)) != 0 ||
2516
0
      (r = sshbuf_get_u32(m, (u_int *)&kex->hostkey_type)) != 0 ||
2517
0
      (r = sshbuf_get_u32(m, (u_int *)&kex->hostkey_nid)) != 0 ||
2518
0
      (r = sshbuf_get_u32(m, &kex->kex_type)) != 0 ||
2519
0
      (r = sshbuf_get_u32(m, &kex->kex_strict)) != 0 ||
2520
0
      (r = sshbuf_get_stringb(m, kex->my)) != 0 ||
2521
0
      (r = sshbuf_get_stringb(m, kex->peer)) != 0 ||
2522
0
      (r = sshbuf_get_stringb(m, kex->client_version)) != 0 ||
2523
0
      (r = sshbuf_get_stringb(m, kex->server_version)) != 0 ||
2524
0
      (r = sshbuf_get_stringb(m, kex->session_id)) != 0 ||
2525
0
      (r = sshbuf_get_u32(m, &kex->flags)) != 0)
2526
0
    goto out;
2527
0
  kex->server = 1;
2528
0
  kex->done = 1;
2529
0
  r = 0;
2530
0
 out:
2531
0
  if (r != 0 || kexp == NULL) {
2532
0
    kex_free(kex);
2533
0
    if (kexp != NULL)
2534
0
      *kexp = NULL;
2535
0
  } else {
2536
0
    kex_free(*kexp);
2537
0
    *kexp = kex;
2538
0
  }
2539
0
  return r;
2540
0
}
2541
2542
/*
2543
 * Restore packet state from content of blob 'm' (de-serialization).
2544
 * Note that 'm' will be partially consumed on parsing or any other errors.
2545
 */
2546
int
2547
ssh_packet_set_state(struct ssh *ssh, struct sshbuf *m)
2548
0
{
2549
0
  struct session_state *state = ssh->state;
2550
0
  const u_char *input, *output;
2551
0
  size_t ilen, olen;
2552
0
  int r;
2553
2554
0
  if ((r = kex_from_blob(m, &ssh->kex)) != 0 ||
2555
0
      (r = newkeys_from_blob(m, ssh, MODE_OUT)) != 0 ||
2556
0
      (r = newkeys_from_blob(m, ssh, MODE_IN)) != 0 ||
2557
0
      (r = sshbuf_get_u64(m, &state->rekey_limit)) != 0 ||
2558
0
      (r = sshbuf_get_u32(m, &state->rekey_interval)) != 0 ||
2559
0
      (r = sshbuf_get_u32(m, &state->p_send.seqnr)) != 0 ||
2560
0
      (r = sshbuf_get_u64(m, &state->p_send.blocks)) != 0 ||
2561
0
      (r = sshbuf_get_u32(m, &state->p_send.packets)) != 0 ||
2562
0
      (r = sshbuf_get_u64(m, &state->p_send.bytes)) != 0 ||
2563
0
      (r = sshbuf_get_u32(m, &state->p_read.seqnr)) != 0 ||
2564
0
      (r = sshbuf_get_u64(m, &state->p_read.blocks)) != 0 ||
2565
0
      (r = sshbuf_get_u32(m, &state->p_read.packets)) != 0 ||
2566
0
      (r = sshbuf_get_u64(m, &state->p_read.bytes)) != 0)
2567
0
    return r;
2568
  /*
2569
   * We set the time here so that in post-auth privsep child we
2570
   * count from the completion of the authentication.
2571
   */
2572
0
  state->rekey_time = monotime();
2573
  /* XXX ssh_set_newkeys overrides p_read.packets? XXX */
2574
0
  if ((r = ssh_set_newkeys(ssh, MODE_IN)) != 0 ||
2575
0
      (r = ssh_set_newkeys(ssh, MODE_OUT)) != 0)
2576
0
    return r;
2577
2578
0
  if ((r = ssh_packet_set_postauth(ssh)) != 0)
2579
0
    return r;
2580
2581
0
  sshbuf_reset(state->input);
2582
0
  sshbuf_reset(state->output);
2583
0
  if ((r = sshbuf_get_string_direct(m, &input, &ilen)) != 0 ||
2584
0
      (r = sshbuf_get_string_direct(m, &output, &olen)) != 0 ||
2585
0
      (r = sshbuf_put(state->input, input, ilen)) != 0 ||
2586
0
      (r = sshbuf_put(state->output, output, olen)) != 0)
2587
0
    return r;
2588
2589
0
  if (sshbuf_len(m))
2590
0
    return SSH_ERR_INVALID_FORMAT;
2591
0
  debug3_f("done");
2592
0
  return 0;
2593
0
}
2594
2595
/* NEW API */
2596
2597
/* put data to the outgoing packet */
2598
2599
int
2600
sshpkt_put(struct ssh *ssh, const void *v, size_t len)
2601
0
{
2602
0
  return sshbuf_put(ssh->state->outgoing_packet, v, len);
2603
0
}
2604
2605
int
2606
sshpkt_putb(struct ssh *ssh, const struct sshbuf *b)
2607
87.6k
{
2608
87.6k
  return sshbuf_putb(ssh->state->outgoing_packet, b);
2609
87.6k
}
2610
2611
int
2612
sshpkt_put_u8(struct ssh *ssh, u_char val)
2613
0
{
2614
0
  return sshbuf_put_u8(ssh->state->outgoing_packet, val);
2615
0
}
2616
2617
int
2618
sshpkt_put_u32(struct ssh *ssh, u_int32_t val)
2619
1.42M
{
2620
1.42M
  return sshbuf_put_u32(ssh->state->outgoing_packet, val);
2621
1.42M
}
2622
2623
int
2624
sshpkt_put_u64(struct ssh *ssh, u_int64_t val)
2625
0
{
2626
0
  return sshbuf_put_u64(ssh->state->outgoing_packet, val);
2627
0
}
2628
2629
int
2630
sshpkt_put_string(struct ssh *ssh, const void *v, size_t len)
2631
744
{
2632
744
  return sshbuf_put_string(ssh->state->outgoing_packet, v, len);
2633
744
}
2634
2635
int
2636
sshpkt_put_cstring(struct ssh *ssh, const void *v)
2637
18.4k
{
2638
18.4k
  return sshbuf_put_cstring(ssh->state->outgoing_packet, v);
2639
18.4k
}
2640
2641
int
2642
sshpkt_put_stringb(struct ssh *ssh, const struct sshbuf *v)
2643
6.32k
{
2644
6.32k
  return sshbuf_put_stringb(ssh->state->outgoing_packet, v);
2645
6.32k
}
2646
2647
#ifdef WITH_OPENSSL
2648
#ifdef OPENSSL_HAS_ECC
2649
int
2650
sshpkt_put_ec(struct ssh *ssh, const EC_POINT *v, const EC_GROUP *g)
2651
0
{
2652
0
  return sshbuf_put_ec(ssh->state->outgoing_packet, v, g);
2653
0
}
2654
2655
int
2656
sshpkt_put_ec_pkey(struct ssh *ssh, EVP_PKEY *pkey)
2657
0
{
2658
0
  return sshbuf_put_ec_pkey(ssh->state->outgoing_packet, pkey);
2659
0
}
2660
#endif /* OPENSSL_HAS_ECC */
2661
2662
int
2663
sshpkt_put_bignum2(struct ssh *ssh, const BIGNUM *v)
2664
460
{
2665
460
  return sshbuf_put_bignum2(ssh->state->outgoing_packet, v);
2666
460
}
2667
#endif /* WITH_OPENSSL */
2668
2669
/* fetch data from the incoming packet */
2670
2671
int
2672
sshpkt_get(struct ssh *ssh, void *valp, size_t len)
2673
0
{
2674
0
  return sshbuf_get(ssh->state->incoming_packet, valp, len);
2675
0
}
2676
2677
int
2678
sshpkt_get_u8(struct ssh *ssh, u_char *valp)
2679
1.32M
{
2680
1.32M
  return sshbuf_get_u8(ssh->state->incoming_packet, valp);
2681
1.32M
}
2682
2683
int
2684
sshpkt_get_u32(struct ssh *ssh, u_int32_t *valp)
2685
76.5k
{
2686
76.5k
  return sshbuf_get_u32(ssh->state->incoming_packet, valp);
2687
76.5k
}
2688
2689
int
2690
sshpkt_get_u64(struct ssh *ssh, u_int64_t *valp)
2691
0
{
2692
0
  return sshbuf_get_u64(ssh->state->incoming_packet, valp);
2693
0
}
2694
2695
int
2696
sshpkt_get_string(struct ssh *ssh, u_char **valp, size_t *lenp)
2697
761k
{
2698
761k
  return sshbuf_get_string(ssh->state->incoming_packet, valp, lenp);
2699
761k
}
2700
2701
int
2702
sshpkt_get_string_direct(struct ssh *ssh, const u_char **valp, size_t *lenp)
2703
0
{
2704
0
  return sshbuf_get_string_direct(ssh->state->incoming_packet, valp, lenp);
2705
0
}
2706
2707
int
2708
sshpkt_peek_string_direct(struct ssh *ssh, const u_char **valp, size_t *lenp)
2709
0
{
2710
0
  return sshbuf_peek_string_direct(ssh->state->incoming_packet, valp, lenp);
2711
0
}
2712
2713
int
2714
sshpkt_get_cstring(struct ssh *ssh, char **valp, size_t *lenp)
2715
0
{
2716
0
  return sshbuf_get_cstring(ssh->state->incoming_packet, valp, lenp);
2717
0
}
2718
2719
int
2720
sshpkt_getb_froms(struct ssh *ssh, struct sshbuf **valp)
2721
2.35k
{
2722
2.35k
  return sshbuf_froms(ssh->state->incoming_packet, valp);
2723
2.35k
}
2724
2725
#ifdef WITH_OPENSSL
2726
#ifdef OPENSSL_HAS_ECC
2727
int
2728
sshpkt_get_ec(struct ssh *ssh, EC_POINT *v, const EC_GROUP *g)
2729
0
{
2730
0
  return sshbuf_get_ec(ssh->state->incoming_packet, v, g);
2731
0
}
2732
#endif /* OPENSSL_HAS_ECC */
2733
2734
int
2735
sshpkt_get_bignum2(struct ssh *ssh, BIGNUM **valp)
2736
230
{
2737
230
  return sshbuf_get_bignum2(ssh->state->incoming_packet, valp);
2738
230
}
2739
#endif /* WITH_OPENSSL */
2740
2741
int
2742
sshpkt_get_end(struct ssh *ssh)
2743
77.4k
{
2744
77.4k
  if (sshbuf_len(ssh->state->incoming_packet) > 0)
2745
441
    return SSH_ERR_UNEXPECTED_TRAILING_DATA;
2746
77.0k
  return 0;
2747
77.4k
}
2748
2749
const u_char *
2750
sshpkt_ptr(struct ssh *ssh, size_t *lenp)
2751
78.1k
{
2752
78.1k
  if (lenp != NULL)
2753
78.1k
    *lenp = sshbuf_len(ssh->state->incoming_packet);
2754
78.1k
  return sshbuf_ptr(ssh->state->incoming_packet);
2755
78.1k
}
2756
2757
/* start a new packet */
2758
2759
int
2760
sshpkt_start(struct ssh *ssh, u_char type)
2761
1.51M
{
2762
1.51M
  u_char buf[6]; /* u32 packet length, u8 pad len, u8 type */
2763
2764
1.51M
  DBG(debug("packet_start[%d]", type));
2765
1.51M
  memset(buf, 0, sizeof(buf));
2766
1.51M
  buf[sizeof(buf) - 1] = type;
2767
1.51M
  sshbuf_reset(ssh->state->outgoing_packet);
2768
1.51M
  return sshbuf_put(ssh->state->outgoing_packet, buf, sizeof(buf));
2769
1.51M
}
2770
2771
static int
2772
ssh_packet_send_mux(struct ssh *ssh)
2773
0
{
2774
0
  struct session_state *state = ssh->state;
2775
0
  u_char type, *cp;
2776
0
  size_t len;
2777
0
  int r;
2778
2779
0
  if (ssh->kex)
2780
0
    return SSH_ERR_INTERNAL_ERROR;
2781
0
  len = sshbuf_len(state->outgoing_packet);
2782
0
  if (len < 6)
2783
0
    return SSH_ERR_INTERNAL_ERROR;
2784
0
  cp = sshbuf_mutable_ptr(state->outgoing_packet);
2785
0
  type = cp[5];
2786
0
  if (ssh_packet_log_type(type))
2787
0
    debug3_f("type %u", type);
2788
  /* drop everything, but the connection protocol */
2789
0
  if (type >= SSH2_MSG_CONNECTION_MIN &&
2790
0
      type <= SSH2_MSG_CONNECTION_MAX) {
2791
0
    POKE_U32(cp, len - 4);
2792
0
    if ((r = sshbuf_putb(state->output,
2793
0
        state->outgoing_packet)) != 0)
2794
0
      return r;
2795
    /* sshbuf_dump(state->output, stderr); */
2796
0
  }
2797
0
  sshbuf_reset(state->outgoing_packet);
2798
0
  return 0;
2799
0
}
2800
2801
/*
2802
 * 9.2.  Ignored Data Message
2803
 *
2804
 *   byte      SSH_MSG_IGNORE
2805
 *   string    data
2806
 *
2807
 * All implementations MUST understand (and ignore) this message at any
2808
 * time (after receiving the protocol version). No implementation is
2809
 * required to send them. This message can be used as an additional
2810
 * protection measure against advanced traffic analysis techniques.
2811
 */
2812
int
2813
sshpkt_msg_ignore(struct ssh *ssh, u_int nbytes)
2814
0
{
2815
0
  u_int32_t rnd = 0;
2816
0
  int r;
2817
0
  u_int i;
2818
2819
0
  if ((r = sshpkt_start(ssh, SSH2_MSG_IGNORE)) != 0 ||
2820
0
      (r = sshpkt_put_u32(ssh, nbytes)) != 0)
2821
0
    return r;
2822
0
  for (i = 0; i < nbytes; i++) {
2823
0
    if (i % 4 == 0)
2824
0
      rnd = arc4random();
2825
0
    if ((r = sshpkt_put_u8(ssh, (u_char)rnd & 0xff)) != 0)
2826
0
      return r;
2827
0
    rnd >>= 8;
2828
0
  }
2829
0
  return 0;
2830
0
}
2831
2832
/* send it */
2833
2834
int
2835
sshpkt_send(struct ssh *ssh)
2836
1.51M
{
2837
1.51M
  if (ssh->state && ssh->state->mux)
2838
0
    return ssh_packet_send_mux(ssh);
2839
1.51M
  return ssh_packet_send2(ssh);
2840
1.51M
}
2841
2842
int
2843
sshpkt_disconnect(struct ssh *ssh, const char *fmt,...)
2844
9.24k
{
2845
9.24k
  char buf[1024];
2846
9.24k
  va_list args;
2847
9.24k
  int r;
2848
2849
9.24k
  va_start(args, fmt);
2850
9.24k
  vsnprintf(buf, sizeof(buf), fmt, args);
2851
9.24k
  va_end(args);
2852
2853
9.24k
  debug2_f("sending SSH2_MSG_DISCONNECT: %s", buf);
2854
9.24k
  if ((r = sshpkt_start(ssh, SSH2_MSG_DISCONNECT)) != 0 ||
2855
9.24k
      (r = sshpkt_put_u32(ssh, SSH2_DISCONNECT_PROTOCOL_ERROR)) != 0 ||
2856
9.24k
      (r = sshpkt_put_cstring(ssh, buf)) != 0 ||
2857
9.24k
      (r = sshpkt_put_cstring(ssh, "")) != 0 ||
2858
9.24k
      (r = sshpkt_send(ssh)) != 0)
2859
0
    return r;
2860
9.24k
  return 0;
2861
9.24k
}
2862
2863
/* roundup current message to pad bytes */
2864
int
2865
sshpkt_add_padding(struct ssh *ssh, u_char pad)
2866
0
{
2867
0
  ssh->state->extra_pad = pad;
2868
0
  return 0;
2869
0
}