1 /* $OpenBSD: packet.c,v 1.264 2017/09/12 06:32:07 djm Exp $ */
3 * Author: Tatu Ylonen <ylo@cs.hut.fi>
4 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
6 * This file contains code implementing the packet protocol and communication
7 * with the other side. This same code is used both on client and server side.
9 * As far as I am concerned, the code I have written for this software
10 * can be used freely for any purpose. Any derived versions of this
11 * software must be clearly marked as such, and if the derived work is
12 * incompatible with the protocol description in the RFC file, it must be
13 * called by a name other than "ssh" or "Secure Shell".
16 * SSH2 packet format added by Markus Friedl.
17 * Copyright (c) 2000, 2001 Markus Friedl. All rights reserved.
19 * Redistribution and use in source and binary forms, with or without
20 * modification, are permitted provided that the following conditions
22 * 1. Redistributions of source code must retain the above copyright
23 * notice, this list of conditions and the following disclaimer.
24 * 2. Redistributions in binary form must reproduce the above copyright
25 * notice, this list of conditions and the following disclaimer in the
26 * documentation and/or other materials provided with the distribution.
28 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
29 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
30 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
31 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
32 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
33 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
34 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
35 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
36 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
37 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
42 #include <sys/types.h>
43 #include "openbsd-compat/sys-queue.h"
44 #include <sys/socket.h>
45 #ifdef HAVE_SYS_TIME_H
46 # include <sys/time.h>
49 #include <netinet/in.h>
50 #include <netinet/ip.h>
51 #include <arpa/inet.h>
66 #include "buffer.h" /* typedefs XXX */
67 #include "key.h" /* typedefs XXX */
93 #define PACKET_MAX_SIZE (256 * 1024)
103 TAILQ_ENTRY(packet
) next
;
105 struct sshbuf
*payload
;
108 struct session_state
{
110 * This variable contains the file descriptors used for
111 * communicating with the other side. connection_in is used for
112 * reading; connection_out for writing. These can be the same
113 * descriptor, in which case it is assumed to be a socket.
118 /* Protocol flags for the remote side. */
119 u_int remote_protocol_flags
;
121 /* Encryption context for receiving data. Only used for decryption. */
122 struct sshcipher_ctx
*receive_context
;
124 /* Encryption context for sending data. Only used for encryption. */
125 struct sshcipher_ctx
*send_context
;
127 /* Buffer for raw input data from the socket. */
128 struct sshbuf
*input
;
130 /* Buffer for raw output data going to the socket. */
131 struct sshbuf
*output
;
133 /* Buffer for the partial outgoing packet being constructed. */
134 struct sshbuf
*outgoing_packet
;
136 /* Buffer for the incoming packet currently being processed. */
137 struct sshbuf
*incoming_packet
;
139 /* Scratch buffer for packet compression/decompression. */
140 struct sshbuf
*compression_buffer
;
142 /* Incoming/outgoing compression dictionaries */
143 z_stream compression_in_stream
;
144 z_stream compression_out_stream
;
145 int compression_in_started
;
146 int compression_out_started
;
147 int compression_in_failures
;
148 int compression_out_failures
;
151 * Flag indicating whether packet compression/decompression is
154 int packet_compression
;
156 /* default maximum packet size */
157 u_int max_packet_size
;
159 /* Flag indicating whether this module has been initialized. */
162 /* Set to true if the connection is interactive. */
163 int interactive_mode
;
165 /* Set to true if we are the server side. */
168 /* Set to true if we are authenticated. */
169 int after_authentication
;
171 int keep_alive_timeouts
;
173 /* The maximum time that we will wait to send or receive a packet */
174 int packet_timeout_ms
;
176 /* Session key information for Encryption and MAC */
177 struct newkeys
*newkeys
[MODE_MAX
];
178 struct packet_state p_read
, p_send
;
180 /* Volume-based rekeying */
181 u_int64_t max_blocks_in
, max_blocks_out
, rekey_limit
;
183 /* Time-based rekeying */
184 u_int32_t rekey_interval
; /* how often in seconds */
185 time_t rekey_time
; /* time of last rekeying */
187 /* roundup current message to extra_pad bytes */
190 /* XXX discard incoming data after MAC error */
191 u_int packet_discard
;
192 size_t packet_discard_mac_already
;
193 struct sshmac
*packet_discard_mac
;
195 /* Used in packet_read_poll2() */
198 /* Used in packet_send2 */
201 /* Used in ssh_packet_send_mux() */
204 /* Used in packet_set_interactive */
205 int set_interactive_called
;
207 /* Used in packet_set_maxsize */
208 int set_maxsize_called
;
210 /* One-off warning about weak ciphers */
211 int cipher_warning_done
;
213 /* Hook for fuzzing inbound packets */
214 ssh_packet_hook_fn
*hook_in
;
217 TAILQ_HEAD(, packet
) outgoing
;
221 ssh_alloc_session_state(void)
223 struct ssh
*ssh
= NULL
;
224 struct session_state
*state
= NULL
;
226 if ((ssh
= calloc(1, sizeof(*ssh
))) == NULL
||
227 (state
= calloc(1, sizeof(*state
))) == NULL
||
228 (state
->input
= sshbuf_new()) == NULL
||
229 (state
->output
= sshbuf_new()) == NULL
||
230 (state
->outgoing_packet
= sshbuf_new()) == NULL
||
231 (state
->incoming_packet
= sshbuf_new()) == NULL
)
233 TAILQ_INIT(&state
->outgoing
);
234 TAILQ_INIT(&ssh
->private_keys
);
235 TAILQ_INIT(&ssh
->public_keys
);
236 state
->connection_in
= -1;
237 state
->connection_out
= -1;
238 state
->max_packet_size
= 32768;
239 state
->packet_timeout_ms
= -1;
240 state
->p_send
.packets
= state
->p_read
.packets
= 0;
241 state
->initialized
= 1;
243 * ssh_packet_send2() needs to queue packets until
244 * we've done the initial key exchange.
251 sshbuf_free(state
->input
);
252 sshbuf_free(state
->output
);
253 sshbuf_free(state
->incoming_packet
);
254 sshbuf_free(state
->outgoing_packet
);
262 ssh_packet_set_input_hook(struct ssh
*ssh
, ssh_packet_hook_fn
*hook
, void *ctx
)
264 ssh
->state
->hook_in
= hook
;
265 ssh
->state
->hook_in_ctx
= ctx
;
268 /* Returns nonzero if rekeying is in progress */
270 ssh_packet_is_rekeying(struct ssh
*ssh
)
272 return ssh
->state
->rekeying
||
273 (ssh
->kex
!= NULL
&& ssh
->kex
->done
== 0);
277 * Sets the descriptors used for communication.
280 ssh_packet_set_connection(struct ssh
*ssh
, int fd_in
, int fd_out
)
282 struct session_state
*state
;
283 const struct sshcipher
*none
= cipher_by_name("none");
287 error("%s: cannot load cipher 'none'", __func__
);
291 ssh
= ssh_alloc_session_state();
293 error("%s: cound not allocate state", __func__
);
297 state
->connection_in
= fd_in
;
298 state
->connection_out
= fd_out
;
299 if ((r
= cipher_init(&state
->send_context
, none
,
300 (const u_char
*)"", 0, NULL
, 0, CIPHER_ENCRYPT
)) != 0 ||
301 (r
= cipher_init(&state
->receive_context
, none
,
302 (const u_char
*)"", 0, NULL
, 0, CIPHER_DECRYPT
)) != 0) {
303 error("%s: cipher_init failed: %s", __func__
, ssh_err(r
));
304 free(ssh
); /* XXX need ssh_free_session_state? */
307 state
->newkeys
[MODE_IN
] = state
->newkeys
[MODE_OUT
] = NULL
;
309 * Cache the IP address of the remote connection for use in error
310 * messages that might be generated after the connection has closed.
312 (void)ssh_remote_ipaddr(ssh
);
317 ssh_packet_set_timeout(struct ssh
*ssh
, int timeout
, int count
)
319 struct session_state
*state
= ssh
->state
;
321 if (timeout
<= 0 || count
<= 0) {
322 state
->packet_timeout_ms
= -1;
325 if ((INT_MAX
/ 1000) / count
< timeout
)
326 state
->packet_timeout_ms
= INT_MAX
;
328 state
->packet_timeout_ms
= timeout
* count
* 1000;
332 ssh_packet_set_mux(struct ssh
*ssh
)
335 ssh
->state
->rekeying
= 0;
339 ssh_packet_get_mux(struct ssh
*ssh
)
341 return ssh
->state
->mux
;
345 ssh_packet_set_log_preamble(struct ssh
*ssh
, const char *fmt
, ...)
350 free(ssh
->log_preamble
);
352 ssh
->log_preamble
= NULL
;
355 r
= vasprintf(&ssh
->log_preamble
, fmt
, args
);
357 if (r
< 0 || ssh
->log_preamble
== NULL
)
358 return SSH_ERR_ALLOC_FAIL
;
364 ssh_packet_stop_discard(struct ssh
*ssh
)
366 struct session_state
*state
= ssh
->state
;
369 if (state
->packet_discard_mac
) {
371 size_t dlen
= PACKET_MAX_SIZE
;
373 if (dlen
> state
->packet_discard_mac_already
)
374 dlen
-= state
->packet_discard_mac_already
;
375 memset(buf
, 'a', sizeof(buf
));
376 while (sshbuf_len(state
->incoming_packet
) < dlen
)
377 if ((r
= sshbuf_put(state
->incoming_packet
, buf
,
380 (void) mac_compute(state
->packet_discard_mac
,
382 sshbuf_ptr(state
->incoming_packet
), dlen
,
385 logit("Finished discarding for %.200s port %d",
386 ssh_remote_ipaddr(ssh
), ssh_remote_port(ssh
));
387 return SSH_ERR_MAC_INVALID
;
391 ssh_packet_start_discard(struct ssh
*ssh
, struct sshenc
*enc
,
392 struct sshmac
*mac
, size_t mac_already
, u_int discard
)
394 struct session_state
*state
= ssh
->state
;
397 if (enc
== NULL
|| !cipher_is_cbc(enc
->cipher
) || (mac
&& mac
->etm
)) {
398 if ((r
= sshpkt_disconnect(ssh
, "Packet corrupt")) != 0)
400 return SSH_ERR_MAC_INVALID
;
403 * Record number of bytes over which the mac has already
404 * been computed in order to minimize timing attacks.
406 if (mac
&& mac
->enabled
) {
407 state
->packet_discard_mac
= mac
;
408 state
->packet_discard_mac_already
= mac_already
;
410 if (sshbuf_len(state
->input
) >= discard
)
411 return ssh_packet_stop_discard(ssh
);
412 state
->packet_discard
= discard
- sshbuf_len(state
->input
);
416 /* Returns 1 if remote host is connected via socket, 0 if not. */
419 ssh_packet_connection_is_on_socket(struct ssh
*ssh
)
421 struct session_state
*state
= ssh
->state
;
422 struct sockaddr_storage from
, to
;
423 socklen_t fromlen
, tolen
;
425 if (state
->connection_in
== -1 || state
->connection_out
== -1)
428 /* filedescriptors in and out are the same, so it's a socket */
429 if (state
->connection_in
== state
->connection_out
)
431 fromlen
= sizeof(from
);
432 memset(&from
, 0, sizeof(from
));
433 if (getpeername(state
->connection_in
, (struct sockaddr
*)&from
,
437 memset(&to
, 0, sizeof(to
));
438 if (getpeername(state
->connection_out
, (struct sockaddr
*)&to
,
441 if (fromlen
!= tolen
|| memcmp(&from
, &to
, fromlen
) != 0)
443 if (from
.ss_family
!= AF_INET
&& from
.ss_family
!= AF_INET6
)
449 ssh_packet_get_bytes(struct ssh
*ssh
, u_int64_t
*ibytes
, u_int64_t
*obytes
)
452 *ibytes
= ssh
->state
->p_read
.bytes
;
454 *obytes
= ssh
->state
->p_send
.bytes
;
458 ssh_packet_connection_af(struct ssh
*ssh
)
460 struct sockaddr_storage to
;
461 socklen_t tolen
= sizeof(to
);
463 memset(&to
, 0, sizeof(to
));
464 if (getsockname(ssh
->state
->connection_out
, (struct sockaddr
*)&to
,
468 if (to
.ss_family
== AF_INET6
&&
469 IN6_IS_ADDR_V4MAPPED(&((struct sockaddr_in6
*)&to
)->sin6_addr
))
475 /* Sets the connection into non-blocking mode. */
478 ssh_packet_set_nonblocking(struct ssh
*ssh
)
480 /* Set the socket into non-blocking mode. */
481 set_nonblock(ssh
->state
->connection_in
);
483 if (ssh
->state
->connection_out
!= ssh
->state
->connection_in
)
484 set_nonblock(ssh
->state
->connection_out
);
487 /* Returns the socket used for reading. */
490 ssh_packet_get_connection_in(struct ssh
*ssh
)
492 return ssh
->state
->connection_in
;
495 /* Returns the descriptor used for writing. */
498 ssh_packet_get_connection_out(struct ssh
*ssh
)
500 return ssh
->state
->connection_out
;
504 * Returns the IP-address of the remote host as a string. The returned
505 * string must not be freed.
509 ssh_remote_ipaddr(struct ssh
*ssh
)
511 const int sock
= ssh
->state
->connection_in
;
513 /* Check whether we have cached the ipaddr. */
514 if (ssh
->remote_ipaddr
== NULL
) {
515 if (ssh_packet_connection_is_on_socket(ssh
)) {
516 ssh
->remote_ipaddr
= get_peer_ipaddr(sock
);
517 ssh
->remote_port
= get_peer_port(sock
);
518 ssh
->local_ipaddr
= get_local_ipaddr(sock
);
519 ssh
->local_port
= get_local_port(sock
);
521 ssh
->remote_ipaddr
= strdup("UNKNOWN");
522 ssh
->remote_port
= 65535;
523 ssh
->local_ipaddr
= strdup("UNKNOWN");
524 ssh
->local_port
= 65535;
527 return ssh
->remote_ipaddr
;
530 /* Returns the port number of the remote host. */
533 ssh_remote_port(struct ssh
*ssh
)
535 (void)ssh_remote_ipaddr(ssh
); /* Will lookup and cache. */
536 return ssh
->remote_port
;
540 * Returns the IP-address of the local host as a string. The returned
541 * string must not be freed.
545 ssh_local_ipaddr(struct ssh
*ssh
)
547 (void)ssh_remote_ipaddr(ssh
); /* Will lookup and cache. */
548 return ssh
->local_ipaddr
;
551 /* Returns the port number of the local host. */
554 ssh_local_port(struct ssh
*ssh
)
556 (void)ssh_remote_ipaddr(ssh
); /* Will lookup and cache. */
557 return ssh
->local_port
;
560 /* Closes the connection and clears and frees internal data structures. */
563 ssh_packet_close_internal(struct ssh
*ssh
, int do_close
)
565 struct session_state
*state
= ssh
->state
;
568 if (!state
->initialized
)
570 state
->initialized
= 0;
572 if (state
->connection_in
== state
->connection_out
) {
573 close(state
->connection_out
);
575 close(state
->connection_in
);
576 close(state
->connection_out
);
579 sshbuf_free(state
->input
);
580 sshbuf_free(state
->output
);
581 sshbuf_free(state
->outgoing_packet
);
582 sshbuf_free(state
->incoming_packet
);
583 for (mode
= 0; mode
< MODE_MAX
; mode
++) {
584 kex_free_newkeys(state
->newkeys
[mode
]); /* current keys */
585 state
->newkeys
[mode
] = NULL
;
586 ssh_clear_newkeys(ssh
, mode
); /* next keys */
588 /* comression state is in shared mem, so we can only release it once */
589 if (do_close
&& state
->compression_buffer
) {
590 sshbuf_free(state
->compression_buffer
);
591 if (state
->compression_out_started
) {
592 z_streamp stream
= &state
->compression_out_stream
;
593 debug("compress outgoing: "
594 "raw data %llu, compressed %llu, factor %.2f",
595 (unsigned long long)stream
->total_in
,
596 (unsigned long long)stream
->total_out
,
597 stream
->total_in
== 0 ? 0.0 :
598 (double) stream
->total_out
/ stream
->total_in
);
599 if (state
->compression_out_failures
== 0)
602 if (state
->compression_in_started
) {
603 z_streamp stream
= &state
->compression_in_stream
;
604 debug("compress incoming: "
605 "raw data %llu, compressed %llu, factor %.2f",
606 (unsigned long long)stream
->total_out
,
607 (unsigned long long)stream
->total_in
,
608 stream
->total_out
== 0 ? 0.0 :
609 (double) stream
->total_in
/ stream
->total_out
);
610 if (state
->compression_in_failures
== 0)
614 cipher_free(state
->send_context
);
615 cipher_free(state
->receive_context
);
616 state
->send_context
= state
->receive_context
= NULL
;
618 free(ssh
->remote_ipaddr
);
619 ssh
->remote_ipaddr
= NULL
;
626 ssh_packet_close(struct ssh
*ssh
)
628 ssh_packet_close_internal(ssh
, 1);
632 ssh_packet_clear_keys(struct ssh
*ssh
)
634 ssh_packet_close_internal(ssh
, 0);
637 /* Sets remote side protocol flags. */
640 ssh_packet_set_protocol_flags(struct ssh
*ssh
, u_int protocol_flags
)
642 ssh
->state
->remote_protocol_flags
= protocol_flags
;
645 /* Returns the remote protocol flags set earlier by the above function. */
648 ssh_packet_get_protocol_flags(struct ssh
*ssh
)
650 return ssh
->state
->remote_protocol_flags
;
654 * Starts packet compression from the next packet on in both directions.
655 * Level is compression level 1 (fastest) - 9 (slow, best) as in gzip.
659 ssh_packet_init_compression(struct ssh
*ssh
)
661 if (!ssh
->state
->compression_buffer
&&
662 ((ssh
->state
->compression_buffer
= sshbuf_new()) == NULL
))
663 return SSH_ERR_ALLOC_FAIL
;
668 start_compression_out(struct ssh
*ssh
, int level
)
670 if (level
< 1 || level
> 9)
671 return SSH_ERR_INVALID_ARGUMENT
;
672 debug("Enabling compression at level %d.", level
);
673 if (ssh
->state
->compression_out_started
== 1)
674 deflateEnd(&ssh
->state
->compression_out_stream
);
675 switch (deflateInit(&ssh
->state
->compression_out_stream
, level
)) {
677 ssh
->state
->compression_out_started
= 1;
680 return SSH_ERR_ALLOC_FAIL
;
682 return SSH_ERR_INTERNAL_ERROR
;
688 start_compression_in(struct ssh
*ssh
)
690 if (ssh
->state
->compression_in_started
== 1)
691 inflateEnd(&ssh
->state
->compression_in_stream
);
692 switch (inflateInit(&ssh
->state
->compression_in_stream
)) {
694 ssh
->state
->compression_in_started
= 1;
697 return SSH_ERR_ALLOC_FAIL
;
699 return SSH_ERR_INTERNAL_ERROR
;
705 ssh_packet_start_compression(struct ssh
*ssh
, int level
)
709 if (ssh
->state
->packet_compression
)
710 return SSH_ERR_INTERNAL_ERROR
;
711 ssh
->state
->packet_compression
= 1;
712 if ((r
= ssh_packet_init_compression(ssh
)) != 0 ||
713 (r
= start_compression_in(ssh
)) != 0 ||
714 (r
= start_compression_out(ssh
, level
)) != 0)
719 /* XXX remove need for separate compression buffer */
721 compress_buffer(struct ssh
*ssh
, struct sshbuf
*in
, struct sshbuf
*out
)
726 if (ssh
->state
->compression_out_started
!= 1)
727 return SSH_ERR_INTERNAL_ERROR
;
729 /* This case is not handled below. */
730 if (sshbuf_len(in
) == 0)
733 /* Input is the contents of the input buffer. */
734 if ((ssh
->state
->compression_out_stream
.next_in
=
735 sshbuf_mutable_ptr(in
)) == NULL
)
736 return SSH_ERR_INTERNAL_ERROR
;
737 ssh
->state
->compression_out_stream
.avail_in
= sshbuf_len(in
);
739 /* Loop compressing until deflate() returns with avail_out != 0. */
741 /* Set up fixed-size output buffer. */
742 ssh
->state
->compression_out_stream
.next_out
= buf
;
743 ssh
->state
->compression_out_stream
.avail_out
= sizeof(buf
);
745 /* Compress as much data into the buffer as possible. */
746 status
= deflate(&ssh
->state
->compression_out_stream
,
750 return SSH_ERR_ALLOC_FAIL
;
752 /* Append compressed data to output_buffer. */
753 if ((r
= sshbuf_put(out
, buf
, sizeof(buf
) -
754 ssh
->state
->compression_out_stream
.avail_out
)) != 0)
759 ssh
->state
->compression_out_failures
++;
760 return SSH_ERR_INVALID_FORMAT
;
762 } while (ssh
->state
->compression_out_stream
.avail_out
== 0);
767 uncompress_buffer(struct ssh
*ssh
, struct sshbuf
*in
, struct sshbuf
*out
)
772 if (ssh
->state
->compression_in_started
!= 1)
773 return SSH_ERR_INTERNAL_ERROR
;
775 if ((ssh
->state
->compression_in_stream
.next_in
=
776 sshbuf_mutable_ptr(in
)) == NULL
)
777 return SSH_ERR_INTERNAL_ERROR
;
778 ssh
->state
->compression_in_stream
.avail_in
= sshbuf_len(in
);
781 /* Set up fixed-size output buffer. */
782 ssh
->state
->compression_in_stream
.next_out
= buf
;
783 ssh
->state
->compression_in_stream
.avail_out
= sizeof(buf
);
785 status
= inflate(&ssh
->state
->compression_in_stream
,
789 if ((r
= sshbuf_put(out
, buf
, sizeof(buf
) -
790 ssh
->state
->compression_in_stream
.avail_out
)) != 0)
795 * Comments in zlib.h say that we should keep calling
796 * inflate() until we get an error. This appears to
797 * be the error that we get.
801 return SSH_ERR_INVALID_FORMAT
;
803 return SSH_ERR_ALLOC_FAIL
;
806 ssh
->state
->compression_in_failures
++;
807 return SSH_ERR_INTERNAL_ERROR
;
814 ssh_clear_newkeys(struct ssh
*ssh
, int mode
)
816 if (ssh
->kex
&& ssh
->kex
->newkeys
[mode
]) {
817 kex_free_newkeys(ssh
->kex
->newkeys
[mode
]);
818 ssh
->kex
->newkeys
[mode
] = NULL
;
823 ssh_set_newkeys(struct ssh
*ssh
, int mode
)
825 struct session_state
*state
= ssh
->state
;
828 struct sshcomp
*comp
;
829 struct sshcipher_ctx
**ccp
;
830 struct packet_state
*ps
;
831 u_int64_t
*max_blocks
;
835 debug2("set_newkeys: mode %d", mode
);
837 if (mode
== MODE_OUT
) {
838 ccp
= &state
->send_context
;
839 crypt_type
= CIPHER_ENCRYPT
;
841 max_blocks
= &state
->max_blocks_out
;
843 ccp
= &state
->receive_context
;
844 crypt_type
= CIPHER_DECRYPT
;
846 max_blocks
= &state
->max_blocks_in
;
848 if (state
->newkeys
[mode
] != NULL
) {
849 debug("set_newkeys: rekeying, input %llu bytes %llu blocks, "
850 "output %llu bytes %llu blocks",
851 (unsigned long long)state
->p_read
.bytes
,
852 (unsigned long long)state
->p_read
.blocks
,
853 (unsigned long long)state
->p_send
.bytes
,
854 (unsigned long long)state
->p_send
.blocks
);
857 kex_free_newkeys(state
->newkeys
[mode
]);
858 state
->newkeys
[mode
] = NULL
;
860 /* note that both bytes and the seqnr are not reset */
861 ps
->packets
= ps
->blocks
= 0;
862 /* move newkeys from kex to state */
863 if ((state
->newkeys
[mode
] = ssh
->kex
->newkeys
[mode
]) == NULL
)
864 return SSH_ERR_INTERNAL_ERROR
;
865 ssh
->kex
->newkeys
[mode
] = NULL
;
866 enc
= &state
->newkeys
[mode
]->enc
;
867 mac
= &state
->newkeys
[mode
]->mac
;
868 comp
= &state
->newkeys
[mode
]->comp
;
869 if (cipher_authlen(enc
->cipher
) == 0) {
870 if ((r
= mac_init(mac
)) != 0)
874 DBG(debug("cipher_init_context: %d", mode
));
875 if ((r
= cipher_init(ccp
, enc
->cipher
, enc
->key
, enc
->key_len
,
876 enc
->iv
, enc
->iv_len
, crypt_type
)) != 0)
878 if (!state
->cipher_warning_done
&&
879 (wmsg
= cipher_warning_message(*ccp
)) != NULL
) {
880 error("Warning: %s", wmsg
);
881 state
->cipher_warning_done
= 1;
883 /* Deleting the keys does not gain extra security */
884 /* explicit_bzero(enc->iv, enc->block_size);
885 explicit_bzero(enc->key, enc->key_len);
886 explicit_bzero(mac->key, mac->key_len); */
887 if ((comp
->type
== COMP_ZLIB
||
888 (comp
->type
== COMP_DELAYED
&&
889 state
->after_authentication
)) && comp
->enabled
== 0) {
890 if ((r
= ssh_packet_init_compression(ssh
)) < 0)
892 if (mode
== MODE_OUT
) {
893 if ((r
= start_compression_out(ssh
, 6)) != 0)
896 if ((r
= start_compression_in(ssh
)) != 0)
902 * The 2^(blocksize*2) limit is too expensive for 3DES,
903 * so enforce a 1GB limit for small blocksizes.
904 * See RFC4344 section 3.2.
906 if (enc
->block_size
>= 16)
907 *max_blocks
= (u_int64_t
)1 << (enc
->block_size
*2);
909 *max_blocks
= ((u_int64_t
)1 << 30) / enc
->block_size
;
910 if (state
->rekey_limit
)
911 *max_blocks
= MINIMUM(*max_blocks
,
912 state
->rekey_limit
/ enc
->block_size
);
913 debug("rekey after %llu blocks", (unsigned long long)*max_blocks
);
917 #define MAX_PACKETS (1U<<31)
919 ssh_packet_need_rekeying(struct ssh
*ssh
, u_int outbound_packet_len
)
921 struct session_state
*state
= ssh
->state
;
922 u_int32_t out_blocks
;
924 /* XXX client can't cope with rekeying pre-auth */
925 if (!state
->after_authentication
)
928 /* Haven't keyed yet or KEX in progress. */
929 if (ssh
->kex
== NULL
|| ssh_packet_is_rekeying(ssh
))
932 /* Peer can't rekey */
933 if (ssh
->compat
& SSH_BUG_NOREKEY
)
937 * Permit one packet in or out per rekey - this allows us to
938 * make progress when rekey limits are very small.
940 if (state
->p_send
.packets
== 0 && state
->p_read
.packets
== 0)
943 /* Time-based rekeying */
944 if (state
->rekey_interval
!= 0 &&
945 (int64_t)state
->rekey_time
+ state
->rekey_interval
<= monotime())
949 * Always rekey when MAX_PACKETS sent in either direction
950 * As per RFC4344 section 3.1 we do this after 2^31 packets.
952 if (state
->p_send
.packets
> MAX_PACKETS
||
953 state
->p_read
.packets
> MAX_PACKETS
)
956 /* Rekey after (cipher-specific) maxiumum blocks */
957 out_blocks
= ROUNDUP(outbound_packet_len
,
958 state
->newkeys
[MODE_OUT
]->enc
.block_size
);
959 return (state
->max_blocks_out
&&
960 (state
->p_send
.blocks
+ out_blocks
> state
->max_blocks_out
)) ||
961 (state
->max_blocks_in
&&
962 (state
->p_read
.blocks
> state
->max_blocks_in
));
966 * Delayed compression for SSH2 is enabled after authentication:
967 * This happens on the server side after a SSH2_MSG_USERAUTH_SUCCESS is sent,
968 * and on the client side after a SSH2_MSG_USERAUTH_SUCCESS is received.
971 ssh_packet_enable_delayed_compress(struct ssh
*ssh
)
973 struct session_state
*state
= ssh
->state
;
974 struct sshcomp
*comp
= NULL
;
978 * Remember that we are past the authentication step, so rekeying
979 * with COMP_DELAYED will turn on compression immediately.
981 state
->after_authentication
= 1;
982 for (mode
= 0; mode
< MODE_MAX
; mode
++) {
983 /* protocol error: USERAUTH_SUCCESS received before NEWKEYS */
984 if (state
->newkeys
[mode
] == NULL
)
986 comp
= &state
->newkeys
[mode
]->comp
;
987 if (comp
&& !comp
->enabled
&& comp
->type
== COMP_DELAYED
) {
988 if ((r
= ssh_packet_init_compression(ssh
)) != 0)
990 if (mode
== MODE_OUT
) {
991 if ((r
= start_compression_out(ssh
, 6)) != 0)
994 if ((r
= start_compression_in(ssh
)) != 0)
1003 /* Used to mute debug logging for noisy packet types */
1005 ssh_packet_log_type(u_char type
)
1008 case SSH2_MSG_CHANNEL_DATA
:
1009 case SSH2_MSG_CHANNEL_EXTENDED_DATA
:
1010 case SSH2_MSG_CHANNEL_WINDOW_ADJUST
:
1018 * Finalize packet in SSH2 format (compress, mac, encrypt, enqueue)
1021 ssh_packet_send2_wrapped(struct ssh
*ssh
)
1023 struct session_state
*state
= ssh
->state
;
1024 u_char type
, *cp
, macbuf
[SSH_DIGEST_MAX_LENGTH
];
1025 u_char tmp
, padlen
, pad
= 0;
1026 u_int authlen
= 0, aadlen
= 0;
1028 struct sshenc
*enc
= NULL
;
1029 struct sshmac
*mac
= NULL
;
1030 struct sshcomp
*comp
= NULL
;
1033 if (state
->newkeys
[MODE_OUT
] != NULL
) {
1034 enc
= &state
->newkeys
[MODE_OUT
]->enc
;
1035 mac
= &state
->newkeys
[MODE_OUT
]->mac
;
1036 comp
= &state
->newkeys
[MODE_OUT
]->comp
;
1037 /* disable mac for authenticated encryption */
1038 if ((authlen
= cipher_authlen(enc
->cipher
)) != 0)
1041 block_size
= enc
? enc
->block_size
: 8;
1042 aadlen
= (mac
&& mac
->enabled
&& mac
->etm
) || authlen
? 4 : 0;
1044 type
= (sshbuf_ptr(state
->outgoing_packet
))[5];
1045 if (ssh_packet_log_type(type
))
1046 debug3("send packet: type %u", type
);
1048 fprintf(stderr
, "plain: ");
1049 sshbuf_dump(state
->outgoing_packet
, stderr
);
1052 if (comp
&& comp
->enabled
) {
1053 len
= sshbuf_len(state
->outgoing_packet
);
1054 /* skip header, compress only payload */
1055 if ((r
= sshbuf_consume(state
->outgoing_packet
, 5)) != 0)
1057 sshbuf_reset(state
->compression_buffer
);
1058 if ((r
= compress_buffer(ssh
, state
->outgoing_packet
,
1059 state
->compression_buffer
)) != 0)
1061 sshbuf_reset(state
->outgoing_packet
);
1062 if ((r
= sshbuf_put(state
->outgoing_packet
,
1063 "\0\0\0\0\0", 5)) != 0 ||
1064 (r
= sshbuf_putb(state
->outgoing_packet
,
1065 state
->compression_buffer
)) != 0)
1067 DBG(debug("compression: raw %d compressed %zd", len
,
1068 sshbuf_len(state
->outgoing_packet
)));
1071 /* sizeof (packet_len + pad_len + payload) */
1072 len
= sshbuf_len(state
->outgoing_packet
);
1075 * calc size of padding, alloc space, get random data,
1076 * minimum padding is 4 bytes
1078 len
-= aadlen
; /* packet length is not encrypted for EtM modes */
1079 padlen
= block_size
- (len
% block_size
);
1081 padlen
+= block_size
;
1082 if (state
->extra_pad
) {
1083 tmp
= state
->extra_pad
;
1085 ROUNDUP(state
->extra_pad
, block_size
);
1086 /* check if roundup overflowed */
1087 if (state
->extra_pad
< tmp
)
1088 return SSH_ERR_INVALID_ARGUMENT
;
1089 tmp
= (len
+ padlen
) % state
->extra_pad
;
1090 /* Check whether pad calculation below will underflow */
1091 if (tmp
> state
->extra_pad
)
1092 return SSH_ERR_INVALID_ARGUMENT
;
1093 pad
= state
->extra_pad
- tmp
;
1094 DBG(debug3("%s: adding %d (len %d padlen %d extra_pad %d)",
1095 __func__
, pad
, len
, padlen
, state
->extra_pad
));
1098 /* Check whether padlen calculation overflowed */
1100 return SSH_ERR_INVALID_ARGUMENT
; /* overflow */
1101 state
->extra_pad
= 0;
1103 if ((r
= sshbuf_reserve(state
->outgoing_packet
, padlen
, &cp
)) != 0)
1105 if (enc
&& !cipher_ctx_is_plaintext(state
->send_context
)) {
1106 /* random padding */
1107 arc4random_buf(cp
, padlen
);
1110 explicit_bzero(cp
, padlen
);
1112 /* sizeof (packet_len + pad_len + payload + padding) */
1113 len
= sshbuf_len(state
->outgoing_packet
);
1114 cp
= sshbuf_mutable_ptr(state
->outgoing_packet
);
1116 r
= SSH_ERR_INTERNAL_ERROR
;
1119 /* packet_length includes payload, padding and padding length field */
1120 POKE_U32(cp
, len
- 4);
1122 DBG(debug("send: len %d (includes padlen %d, aadlen %d)",
1123 len
, padlen
, aadlen
));
1125 /* compute MAC over seqnr and packet(length fields, payload, padding) */
1126 if (mac
&& mac
->enabled
&& !mac
->etm
) {
1127 if ((r
= mac_compute(mac
, state
->p_send
.seqnr
,
1128 sshbuf_ptr(state
->outgoing_packet
), len
,
1129 macbuf
, sizeof(macbuf
))) != 0)
1131 DBG(debug("done calc MAC out #%d", state
->p_send
.seqnr
));
1133 /* encrypt packet and append to output buffer. */
1134 if ((r
= sshbuf_reserve(state
->output
,
1135 sshbuf_len(state
->outgoing_packet
) + authlen
, &cp
)) != 0)
1137 if ((r
= cipher_crypt(state
->send_context
, state
->p_send
.seqnr
, cp
,
1138 sshbuf_ptr(state
->outgoing_packet
),
1139 len
- aadlen
, aadlen
, authlen
)) != 0)
1141 /* append unencrypted MAC */
1142 if (mac
&& mac
->enabled
) {
1144 /* EtM: compute mac over aadlen + cipher text */
1145 if ((r
= mac_compute(mac
, state
->p_send
.seqnr
,
1146 cp
, len
, macbuf
, sizeof(macbuf
))) != 0)
1148 DBG(debug("done calc MAC(EtM) out #%d",
1149 state
->p_send
.seqnr
));
1151 if ((r
= sshbuf_put(state
->output
, macbuf
, mac
->mac_len
)) != 0)
1155 fprintf(stderr
, "encrypted: ");
1156 sshbuf_dump(state
->output
, stderr
);
1158 /* increment sequence number for outgoing packets */
1159 if (++state
->p_send
.seqnr
== 0)
1160 logit("outgoing seqnr wraps around");
1161 if (++state
->p_send
.packets
== 0)
1162 if (!(ssh
->compat
& SSH_BUG_NOREKEY
))
1163 return SSH_ERR_NEED_REKEY
;
1164 state
->p_send
.blocks
+= len
/ block_size
;
1165 state
->p_send
.bytes
+= len
;
1166 sshbuf_reset(state
->outgoing_packet
);
1168 if (type
== SSH2_MSG_NEWKEYS
)
1169 r
= ssh_set_newkeys(ssh
, MODE_OUT
);
1170 else if (type
== SSH2_MSG_USERAUTH_SUCCESS
&& state
->server_side
)
1171 r
= ssh_packet_enable_delayed_compress(ssh
);
1178 /* returns non-zero if the specified packet type is usec by KEX */
1180 ssh_packet_type_is_kex(u_char type
)
1183 type
>= SSH2_MSG_TRANSPORT_MIN
&&
1184 type
<= SSH2_MSG_TRANSPORT_MAX
&&
1185 type
!= SSH2_MSG_SERVICE_REQUEST
&&
1186 type
!= SSH2_MSG_SERVICE_ACCEPT
&&
1187 type
!= SSH2_MSG_EXT_INFO
;
1191 ssh_packet_send2(struct ssh
*ssh
)
1193 struct session_state
*state
= ssh
->state
;
1198 if (sshbuf_len(state
->outgoing_packet
) < 6)
1199 return SSH_ERR_INTERNAL_ERROR
;
1200 type
= sshbuf_ptr(state
->outgoing_packet
)[5];
1201 need_rekey
= !ssh_packet_type_is_kex(type
) &&
1202 ssh_packet_need_rekeying(ssh
, sshbuf_len(state
->outgoing_packet
));
1205 * During rekeying we can only send key exchange messages.
1206 * Queue everything else.
1208 if ((need_rekey
|| state
->rekeying
) && !ssh_packet_type_is_kex(type
)) {
1210 debug3("%s: rekex triggered", __func__
);
1211 debug("enqueue packet: %u", type
);
1212 p
= calloc(1, sizeof(*p
));
1214 return SSH_ERR_ALLOC_FAIL
;
1216 p
->payload
= state
->outgoing_packet
;
1217 TAILQ_INSERT_TAIL(&state
->outgoing
, p
, next
);
1218 state
->outgoing_packet
= sshbuf_new();
1219 if (state
->outgoing_packet
== NULL
)
1220 return SSH_ERR_ALLOC_FAIL
;
1223 * This packet triggered a rekey, so send the
1225 * NB. reenters this function via kex_start_rekex().
1227 return kex_start_rekex(ssh
);
1232 /* rekeying starts with sending KEXINIT */
1233 if (type
== SSH2_MSG_KEXINIT
)
1234 state
->rekeying
= 1;
1236 if ((r
= ssh_packet_send2_wrapped(ssh
)) != 0)
1239 /* after a NEWKEYS message we can send the complete queue */
1240 if (type
== SSH2_MSG_NEWKEYS
) {
1241 state
->rekeying
= 0;
1242 state
->rekey_time
= monotime();
1243 while ((p
= TAILQ_FIRST(&state
->outgoing
))) {
1246 * If this packet triggers a rekex, then skip the
1247 * remaining packets in the queue for now.
1248 * NB. re-enters this function via kex_start_rekex.
1250 if (ssh_packet_need_rekeying(ssh
,
1251 sshbuf_len(p
->payload
))) {
1252 debug3("%s: queued packet triggered rekex",
1254 return kex_start_rekex(ssh
);
1256 debug("dequeue packet: %u", type
);
1257 sshbuf_free(state
->outgoing_packet
);
1258 state
->outgoing_packet
= p
->payload
;
1259 TAILQ_REMOVE(&state
->outgoing
, p
, next
);
1260 memset(p
, 0, sizeof(*p
));
1262 if ((r
= ssh_packet_send2_wrapped(ssh
)) != 0)
1270 * Waits until a packet has been received, and returns its type. Note that
1271 * no other data is processed until this returns, so this function should not
1272 * be used during the interactive session.
1276 ssh_packet_read_seqnr(struct ssh
*ssh
, u_char
*typep
, u_int32_t
*seqnr_p
)
1278 struct session_state
*state
= ssh
->state
;
1279 int len
, r
, ms_remain
;
1282 struct timeval timeout
, start
, *timeoutp
= NULL
;
1284 DBG(debug("packet_read()"));
1286 setp
= calloc(howmany(state
->connection_in
+ 1,
1287 NFDBITS
), sizeof(fd_mask
));
1289 return SSH_ERR_ALLOC_FAIL
;
1292 * Since we are blocking, ensure that all written packets have
1295 if ((r
= ssh_packet_write_wait(ssh
)) != 0)
1298 /* Stay in the loop until we have received a complete packet. */
1300 /* Try to read a packet from the buffer. */
1301 r
= ssh_packet_read_poll_seqnr(ssh
, typep
, seqnr_p
);
1304 /* If we got a packet, return it. */
1305 if (*typep
!= SSH_MSG_NONE
)
1308 * Otherwise, wait for some data to arrive, add it to the
1309 * buffer, and try again.
1311 memset(setp
, 0, howmany(state
->connection_in
+ 1,
1312 NFDBITS
) * sizeof(fd_mask
));
1313 FD_SET(state
->connection_in
, setp
);
1315 if (state
->packet_timeout_ms
> 0) {
1316 ms_remain
= state
->packet_timeout_ms
;
1317 timeoutp
= &timeout
;
1319 /* Wait for some data to arrive. */
1321 if (state
->packet_timeout_ms
!= -1) {
1322 ms_to_timeval(&timeout
, ms_remain
);
1323 gettimeofday(&start
, NULL
);
1325 if ((r
= select(state
->connection_in
+ 1, setp
,
1326 NULL
, NULL
, timeoutp
)) >= 0)
1328 if (errno
!= EAGAIN
&& errno
!= EINTR
&&
1329 errno
!= EWOULDBLOCK
)
1331 if (state
->packet_timeout_ms
== -1)
1333 ms_subtract_diff(&start
, &ms_remain
);
1334 if (ms_remain
<= 0) {
1340 r
= SSH_ERR_CONN_TIMEOUT
;
1343 /* Read data from the socket. */
1344 len
= read(state
->connection_in
, buf
, sizeof(buf
));
1346 r
= SSH_ERR_CONN_CLOSED
;
1350 r
= SSH_ERR_SYSTEM_ERROR
;
1354 /* Append it to the buffer. */
1355 if ((r
= ssh_packet_process_incoming(ssh
, buf
, len
)) != 0)
1364 ssh_packet_read(struct ssh
*ssh
)
1369 if ((r
= ssh_packet_read_seqnr(ssh
, &type
, NULL
)) != 0)
1370 fatal("%s: %s", __func__
, ssh_err(r
));
1375 * Waits until a packet has been received, verifies that its type matches
1376 * that given, and gives a fatal error and exits if there is a mismatch.
1380 ssh_packet_read_expect(struct ssh
*ssh
, u_int expected_type
)
1385 if ((r
= ssh_packet_read_seqnr(ssh
, &type
, NULL
)) != 0)
1387 if (type
!= expected_type
) {
1388 if ((r
= sshpkt_disconnect(ssh
,
1389 "Protocol error: expected packet type %d, got %d",
1390 expected_type
, type
)) != 0)
1392 return SSH_ERR_PROTOCOL_ERROR
;
1398 ssh_packet_read_poll2_mux(struct ssh
*ssh
, u_char
*typep
, u_int32_t
*seqnr_p
)
1400 struct session_state
*state
= ssh
->state
;
1406 return SSH_ERR_INTERNAL_ERROR
;
1407 *typep
= SSH_MSG_NONE
;
1408 cp
= sshbuf_ptr(state
->input
);
1409 if (state
->packlen
== 0) {
1410 if (sshbuf_len(state
->input
) < 4 + 1)
1411 return 0; /* packet is incomplete */
1412 state
->packlen
= PEEK_U32(cp
);
1413 if (state
->packlen
< 4 + 1 ||
1414 state
->packlen
> PACKET_MAX_SIZE
)
1415 return SSH_ERR_MESSAGE_INCOMPLETE
;
1417 need
= state
->packlen
+ 4;
1418 if (sshbuf_len(state
->input
) < need
)
1419 return 0; /* packet is incomplete */
1420 sshbuf_reset(state
->incoming_packet
);
1421 if ((r
= sshbuf_put(state
->incoming_packet
, cp
+ 4,
1422 state
->packlen
)) != 0 ||
1423 (r
= sshbuf_consume(state
->input
, need
)) != 0 ||
1424 (r
= sshbuf_get_u8(state
->incoming_packet
, NULL
)) != 0 ||
1425 (r
= sshbuf_get_u8(state
->incoming_packet
, typep
)) != 0)
1427 if (ssh_packet_log_type(*typep
))
1428 debug3("%s: type %u", __func__
, *typep
);
1429 /* sshbuf_dump(state->incoming_packet, stderr); */
1430 /* reset for next packet */
1436 ssh_packet_read_poll2(struct ssh
*ssh
, u_char
*typep
, u_int32_t
*seqnr_p
)
1438 struct session_state
*state
= ssh
->state
;
1441 u_int maclen
, aadlen
= 0, authlen
= 0, block_size
;
1442 struct sshenc
*enc
= NULL
;
1443 struct sshmac
*mac
= NULL
;
1444 struct sshcomp
*comp
= NULL
;
1448 return ssh_packet_read_poll2_mux(ssh
, typep
, seqnr_p
);
1450 *typep
= SSH_MSG_NONE
;
1452 if (state
->packet_discard
)
1455 if (state
->newkeys
[MODE_IN
] != NULL
) {
1456 enc
= &state
->newkeys
[MODE_IN
]->enc
;
1457 mac
= &state
->newkeys
[MODE_IN
]->mac
;
1458 comp
= &state
->newkeys
[MODE_IN
]->comp
;
1459 /* disable mac for authenticated encryption */
1460 if ((authlen
= cipher_authlen(enc
->cipher
)) != 0)
1463 maclen
= mac
&& mac
->enabled
? mac
->mac_len
: 0;
1464 block_size
= enc
? enc
->block_size
: 8;
1465 aadlen
= (mac
&& mac
->enabled
&& mac
->etm
) || authlen
? 4 : 0;
1467 if (aadlen
&& state
->packlen
== 0) {
1468 if (cipher_get_length(state
->receive_context
,
1469 &state
->packlen
, state
->p_read
.seqnr
,
1470 sshbuf_ptr(state
->input
), sshbuf_len(state
->input
)) != 0)
1472 if (state
->packlen
< 1 + 4 ||
1473 state
->packlen
> PACKET_MAX_SIZE
) {
1475 sshbuf_dump(state
->input
, stderr
);
1477 logit("Bad packet length %u.", state
->packlen
);
1478 if ((r
= sshpkt_disconnect(ssh
, "Packet corrupt")) != 0)
1480 return SSH_ERR_CONN_CORRUPT
;
1482 sshbuf_reset(state
->incoming_packet
);
1483 } else if (state
->packlen
== 0) {
1485 * check if input size is less than the cipher block size,
1486 * decrypt first block and extract length of incoming packet
1488 if (sshbuf_len(state
->input
) < block_size
)
1490 sshbuf_reset(state
->incoming_packet
);
1491 if ((r
= sshbuf_reserve(state
->incoming_packet
, block_size
,
1494 if ((r
= cipher_crypt(state
->receive_context
,
1495 state
->p_send
.seqnr
, cp
, sshbuf_ptr(state
->input
),
1496 block_size
, 0, 0)) != 0)
1498 state
->packlen
= PEEK_U32(sshbuf_ptr(state
->incoming_packet
));
1499 if (state
->packlen
< 1 + 4 ||
1500 state
->packlen
> PACKET_MAX_SIZE
) {
1502 fprintf(stderr
, "input: \n");
1503 sshbuf_dump(state
->input
, stderr
);
1504 fprintf(stderr
, "incoming_packet: \n");
1505 sshbuf_dump(state
->incoming_packet
, stderr
);
1507 logit("Bad packet length %u.", state
->packlen
);
1508 return ssh_packet_start_discard(ssh
, enc
, mac
, 0,
1511 if ((r
= sshbuf_consume(state
->input
, block_size
)) != 0)
1514 DBG(debug("input: packet len %u", state
->packlen
+4));
1517 /* only the payload is encrypted */
1518 need
= state
->packlen
;
1521 * the payload size and the payload are encrypted, but we
1522 * have a partial packet of block_size bytes
1524 need
= 4 + state
->packlen
- block_size
;
1526 DBG(debug("partial packet: block %d, need %d, maclen %d, authlen %d,"
1527 " aadlen %d", block_size
, need
, maclen
, authlen
, aadlen
));
1528 if (need
% block_size
!= 0) {
1529 logit("padding error: need %d block %d mod %d",
1530 need
, block_size
, need
% block_size
);
1531 return ssh_packet_start_discard(ssh
, enc
, mac
, 0,
1532 PACKET_MAX_SIZE
- block_size
);
1535 * check if the entire packet has been received and
1536 * decrypt into incoming_packet:
1537 * 'aadlen' bytes are unencrypted, but authenticated.
1538 * 'need' bytes are encrypted, followed by either
1539 * 'authlen' bytes of authentication tag or
1540 * 'maclen' bytes of message authentication code.
1542 if (sshbuf_len(state
->input
) < aadlen
+ need
+ authlen
+ maclen
)
1543 return 0; /* packet is incomplete */
1545 fprintf(stderr
, "read_poll enc/full: ");
1546 sshbuf_dump(state
->input
, stderr
);
1548 /* EtM: check mac over encrypted input */
1549 if (mac
&& mac
->enabled
&& mac
->etm
) {
1550 if ((r
= mac_check(mac
, state
->p_read
.seqnr
,
1551 sshbuf_ptr(state
->input
), aadlen
+ need
,
1552 sshbuf_ptr(state
->input
) + aadlen
+ need
+ authlen
,
1554 if (r
== SSH_ERR_MAC_INVALID
)
1555 logit("Corrupted MAC on input.");
1559 if ((r
= sshbuf_reserve(state
->incoming_packet
, aadlen
+ need
,
1562 if ((r
= cipher_crypt(state
->receive_context
, state
->p_read
.seqnr
, cp
,
1563 sshbuf_ptr(state
->input
), need
, aadlen
, authlen
)) != 0)
1565 if ((r
= sshbuf_consume(state
->input
, aadlen
+ need
+ authlen
)) != 0)
1567 if (mac
&& mac
->enabled
) {
1568 /* Not EtM: check MAC over cleartext */
1569 if (!mac
->etm
&& (r
= mac_check(mac
, state
->p_read
.seqnr
,
1570 sshbuf_ptr(state
->incoming_packet
),
1571 sshbuf_len(state
->incoming_packet
),
1572 sshbuf_ptr(state
->input
), maclen
)) != 0) {
1573 if (r
!= SSH_ERR_MAC_INVALID
)
1575 logit("Corrupted MAC on input.");
1576 if (need
+ block_size
> PACKET_MAX_SIZE
)
1577 return SSH_ERR_INTERNAL_ERROR
;
1578 return ssh_packet_start_discard(ssh
, enc
, mac
,
1579 sshbuf_len(state
->incoming_packet
),
1580 PACKET_MAX_SIZE
- need
- block_size
);
1582 /* Remove MAC from input buffer */
1583 DBG(debug("MAC #%d ok", state
->p_read
.seqnr
));
1584 if ((r
= sshbuf_consume(state
->input
, mac
->mac_len
)) != 0)
1587 if (seqnr_p
!= NULL
)
1588 *seqnr_p
= state
->p_read
.seqnr
;
1589 if (++state
->p_read
.seqnr
== 0)
1590 logit("incoming seqnr wraps around");
1591 if (++state
->p_read
.packets
== 0)
1592 if (!(ssh
->compat
& SSH_BUG_NOREKEY
))
1593 return SSH_ERR_NEED_REKEY
;
1594 state
->p_read
.blocks
+= (state
->packlen
+ 4) / block_size
;
1595 state
->p_read
.bytes
+= state
->packlen
+ 4;
1598 padlen
= sshbuf_ptr(state
->incoming_packet
)[4];
1599 DBG(debug("input: padlen %d", padlen
));
1601 if ((r
= sshpkt_disconnect(ssh
,
1602 "Corrupted padlen %d on input.", padlen
)) != 0 ||
1603 (r
= ssh_packet_write_wait(ssh
)) != 0)
1605 return SSH_ERR_CONN_CORRUPT
;
1608 /* skip packet size + padlen, discard padding */
1609 if ((r
= sshbuf_consume(state
->incoming_packet
, 4 + 1)) != 0 ||
1610 ((r
= sshbuf_consume_end(state
->incoming_packet
, padlen
)) != 0))
1613 DBG(debug("input: len before de-compress %zd",
1614 sshbuf_len(state
->incoming_packet
)));
1615 if (comp
&& comp
->enabled
) {
1616 sshbuf_reset(state
->compression_buffer
);
1617 if ((r
= uncompress_buffer(ssh
, state
->incoming_packet
,
1618 state
->compression_buffer
)) != 0)
1620 sshbuf_reset(state
->incoming_packet
);
1621 if ((r
= sshbuf_putb(state
->incoming_packet
,
1622 state
->compression_buffer
)) != 0)
1624 DBG(debug("input: len after de-compress %zd",
1625 sshbuf_len(state
->incoming_packet
)));
1628 * get packet type, implies consume.
1629 * return length of payload (without type field)
1631 if ((r
= sshbuf_get_u8(state
->incoming_packet
, typep
)) != 0)
1633 if (ssh_packet_log_type(*typep
))
1634 debug3("receive packet: type %u", *typep
);
1635 if (*typep
< SSH2_MSG_MIN
|| *typep
>= SSH2_MSG_LOCAL_MIN
) {
1636 if ((r
= sshpkt_disconnect(ssh
,
1637 "Invalid ssh2 packet type: %d", *typep
)) != 0 ||
1638 (r
= ssh_packet_write_wait(ssh
)) != 0)
1640 return SSH_ERR_PROTOCOL_ERROR
;
1642 if (state
->hook_in
!= NULL
&&
1643 (r
= state
->hook_in(ssh
, state
->incoming_packet
, typep
,
1644 state
->hook_in_ctx
)) != 0)
1646 if (*typep
== SSH2_MSG_USERAUTH_SUCCESS
&& !state
->server_side
)
1647 r
= ssh_packet_enable_delayed_compress(ssh
);
1651 fprintf(stderr
, "read/plain[%d]:\r\n", *typep
);
1652 sshbuf_dump(state
->incoming_packet
, stderr
);
1654 /* reset for next packet */
1657 /* do we need to rekey? */
1658 if (ssh_packet_need_rekeying(ssh
, 0)) {
1659 debug3("%s: rekex triggered", __func__
);
1660 if ((r
= kex_start_rekex(ssh
)) != 0)
1668 ssh_packet_read_poll_seqnr(struct ssh
*ssh
, u_char
*typep
, u_int32_t
*seqnr_p
)
1670 struct session_state
*state
= ssh
->state
;
1671 u_int reason
, seqnr
;
1677 r
= ssh_packet_read_poll2(ssh
, typep
, seqnr_p
);
1681 state
->keep_alive_timeouts
= 0;
1682 DBG(debug("received packet type %d", *typep
));
1685 case SSH2_MSG_IGNORE
:
1686 debug3("Received SSH2_MSG_IGNORE");
1688 case SSH2_MSG_DEBUG
:
1689 if ((r
= sshpkt_get_u8(ssh
, NULL
)) != 0 ||
1690 (r
= sshpkt_get_string(ssh
, &msg
, NULL
)) != 0 ||
1691 (r
= sshpkt_get_string(ssh
, NULL
, NULL
)) != 0) {
1695 debug("Remote: %.900s", msg
);
1698 case SSH2_MSG_DISCONNECT
:
1699 if ((r
= sshpkt_get_u32(ssh
, &reason
)) != 0 ||
1700 (r
= sshpkt_get_string(ssh
, &msg
, NULL
)) != 0)
1702 /* Ignore normal client exit notifications */
1703 do_log2(ssh
->state
->server_side
&&
1704 reason
== SSH2_DISCONNECT_BY_APPLICATION
?
1705 SYSLOG_LEVEL_INFO
: SYSLOG_LEVEL_ERROR
,
1706 "Received disconnect from %s port %d:"
1707 "%u: %.400s", ssh_remote_ipaddr(ssh
),
1708 ssh_remote_port(ssh
), reason
, msg
);
1710 return SSH_ERR_DISCONNECTED
;
1711 case SSH2_MSG_UNIMPLEMENTED
:
1712 if ((r
= sshpkt_get_u32(ssh
, &seqnr
)) != 0)
1714 debug("Received SSH2_MSG_UNIMPLEMENTED for %u",
1724 * Buffers the given amount of input characters. This is intended to be used
1725 * together with packet_read_poll.
1729 ssh_packet_process_incoming(struct ssh
*ssh
, const char *buf
, u_int len
)
1731 struct session_state
*state
= ssh
->state
;
1734 if (state
->packet_discard
) {
1735 state
->keep_alive_timeouts
= 0; /* ?? */
1736 if (len
>= state
->packet_discard
) {
1737 if ((r
= ssh_packet_stop_discard(ssh
)) != 0)
1740 state
->packet_discard
-= len
;
1743 if ((r
= sshbuf_put(ssh
->state
->input
, buf
, len
)) != 0)
1750 ssh_packet_remaining(struct ssh
*ssh
)
1752 return sshbuf_len(ssh
->state
->incoming_packet
);
1756 * Sends a diagnostic message from the server to the client. This message
1757 * can be sent at any time (but not while constructing another message). The
1758 * message is printed immediately, but only if the client is being executed
1759 * in verbose mode. These messages are primarily intended to ease debugging
1760 * authentication problems. The length of the formatted message must not
1761 * exceed 1024 bytes. This will automatically call ssh_packet_write_wait.
1764 ssh_packet_send_debug(struct ssh
*ssh
, const char *fmt
,...)
1770 if ((ssh
->compat
& SSH_BUG_DEBUG
))
1773 va_start(args
, fmt
);
1774 vsnprintf(buf
, sizeof(buf
), fmt
, args
);
1777 if ((r
= sshpkt_start(ssh
, SSH2_MSG_DEBUG
)) != 0 ||
1778 (r
= sshpkt_put_u8(ssh
, 0)) != 0 || /* always display */
1779 (r
= sshpkt_put_cstring(ssh
, buf
)) != 0 ||
1780 (r
= sshpkt_put_cstring(ssh
, "")) != 0 ||
1781 (r
= sshpkt_send(ssh
)) != 0 ||
1782 (r
= ssh_packet_write_wait(ssh
)) != 0)
1783 fatal("%s: %s", __func__
, ssh_err(r
));
1787 fmt_connection_id(struct ssh
*ssh
, char *s
, size_t l
)
1789 snprintf(s
, l
, "%.200s%s%s port %d",
1790 ssh
->log_preamble
? ssh
->log_preamble
: "",
1791 ssh
->log_preamble
? " " : "",
1792 ssh_remote_ipaddr(ssh
), ssh_remote_port(ssh
));
1796 * Pretty-print connection-terminating errors and exit.
1799 sshpkt_fatal(struct ssh
*ssh
, const char *tag
, int r
)
1801 char remote_id
[512];
1803 fmt_connection_id(ssh
, remote_id
, sizeof(remote_id
));
1806 case SSH_ERR_CONN_CLOSED
:
1807 ssh_packet_clear_keys(ssh
);
1808 logdie("Connection closed by %s", remote_id
);
1809 case SSH_ERR_CONN_TIMEOUT
:
1810 ssh_packet_clear_keys(ssh
);
1811 logdie("Connection %s %s timed out",
1812 ssh
->state
->server_side
? "from" : "to", remote_id
);
1813 case SSH_ERR_DISCONNECTED
:
1814 ssh_packet_clear_keys(ssh
);
1815 logdie("Disconnected from %s", remote_id
);
1816 case SSH_ERR_SYSTEM_ERROR
:
1817 if (errno
== ECONNRESET
) {
1818 ssh_packet_clear_keys(ssh
);
1819 logdie("Connection reset by %s", remote_id
);
1822 case SSH_ERR_NO_CIPHER_ALG_MATCH
:
1823 case SSH_ERR_NO_MAC_ALG_MATCH
:
1824 case SSH_ERR_NO_COMPRESS_ALG_MATCH
:
1825 case SSH_ERR_NO_KEX_ALG_MATCH
:
1826 case SSH_ERR_NO_HOSTKEY_ALG_MATCH
:
1827 if (ssh
&& ssh
->kex
&& ssh
->kex
->failed_choice
) {
1828 ssh_packet_clear_keys(ssh
);
1829 logdie("Unable to negotiate with %s: %s. "
1830 "Their offer: %s", remote_id
, ssh_err(r
),
1831 ssh
->kex
->failed_choice
);
1835 ssh_packet_clear_keys(ssh
);
1836 logdie("%s%sConnection %s %s: %s",
1837 tag
!= NULL
? tag
: "", tag
!= NULL
? ": " : "",
1838 ssh
->state
->server_side
? "from" : "to",
1839 remote_id
, ssh_err(r
));
1844 * Logs the error plus constructs and sends a disconnect packet, closes the
1845 * connection, and exits. This function never returns. The error message
1846 * should not contain a newline. The length of the formatted message must
1847 * not exceed 1024 bytes.
1850 ssh_packet_disconnect(struct ssh
*ssh
, const char *fmt
,...)
1852 char buf
[1024], remote_id
[512];
1854 static int disconnecting
= 0;
1857 if (disconnecting
) /* Guard against recursive invocations. */
1858 fatal("packet_disconnect called recursively.");
1862 * Format the message. Note that the caller must make sure the
1863 * message is of limited size.
1865 fmt_connection_id(ssh
, remote_id
, sizeof(remote_id
));
1866 va_start(args
, fmt
);
1867 vsnprintf(buf
, sizeof(buf
), fmt
, args
);
1870 /* Display the error locally */
1871 logit("Disconnecting %s: %.100s", remote_id
, buf
);
1874 * Send the disconnect message to the other side, and wait
1875 * for it to get sent.
1877 if ((r
= sshpkt_disconnect(ssh
, "%s", buf
)) != 0)
1878 sshpkt_fatal(ssh
, __func__
, r
);
1880 if ((r
= ssh_packet_write_wait(ssh
)) != 0)
1881 sshpkt_fatal(ssh
, __func__
, r
);
1883 /* Close the connection. */
1884 ssh_packet_close(ssh
);
1889 * Checks if there is any buffered output, and tries to write some of
1893 ssh_packet_write_poll(struct ssh
*ssh
)
1895 struct session_state
*state
= ssh
->state
;
1896 int len
= sshbuf_len(state
->output
);
1900 len
= write(state
->connection_out
,
1901 sshbuf_ptr(state
->output
), len
);
1903 if (errno
== EINTR
|| errno
== EAGAIN
||
1904 errno
== EWOULDBLOCK
)
1906 return SSH_ERR_SYSTEM_ERROR
;
1909 return SSH_ERR_CONN_CLOSED
;
1910 if ((r
= sshbuf_consume(state
->output
, len
)) != 0)
1917 * Calls packet_write_poll repeatedly until all pending output data has been
1921 ssh_packet_write_wait(struct ssh
*ssh
)
1924 int ret
, r
, ms_remain
= 0;
1925 struct timeval start
, timeout
, *timeoutp
= NULL
;
1926 struct session_state
*state
= ssh
->state
;
1928 setp
= calloc(howmany(state
->connection_out
+ 1,
1929 NFDBITS
), sizeof(fd_mask
));
1931 return SSH_ERR_ALLOC_FAIL
;
1932 if ((r
= ssh_packet_write_poll(ssh
)) != 0) {
1936 while (ssh_packet_have_data_to_write(ssh
)) {
1937 memset(setp
, 0, howmany(state
->connection_out
+ 1,
1938 NFDBITS
) * sizeof(fd_mask
));
1939 FD_SET(state
->connection_out
, setp
);
1941 if (state
->packet_timeout_ms
> 0) {
1942 ms_remain
= state
->packet_timeout_ms
;
1943 timeoutp
= &timeout
;
1946 if (state
->packet_timeout_ms
!= -1) {
1947 ms_to_timeval(&timeout
, ms_remain
);
1948 gettimeofday(&start
, NULL
);
1950 if ((ret
= select(state
->connection_out
+ 1,
1951 NULL
, setp
, NULL
, timeoutp
)) >= 0)
1953 if (errno
!= EAGAIN
&& errno
!= EINTR
&&
1954 errno
!= EWOULDBLOCK
)
1956 if (state
->packet_timeout_ms
== -1)
1958 ms_subtract_diff(&start
, &ms_remain
);
1959 if (ms_remain
<= 0) {
1966 return SSH_ERR_CONN_TIMEOUT
;
1968 if ((r
= ssh_packet_write_poll(ssh
)) != 0) {
1977 /* Returns true if there is buffered data to write to the connection. */
1980 ssh_packet_have_data_to_write(struct ssh
*ssh
)
1982 return sshbuf_len(ssh
->state
->output
) != 0;
1985 /* Returns true if there is not too much data to write to the connection. */
1988 ssh_packet_not_very_much_data_to_write(struct ssh
*ssh
)
1990 if (ssh
->state
->interactive_mode
)
1991 return sshbuf_len(ssh
->state
->output
) < 16384;
1993 return sshbuf_len(ssh
->state
->output
) < 128 * 1024;
1997 ssh_packet_set_tos(struct ssh
*ssh
, int tos
)
1999 #ifndef IP_TOS_IS_BROKEN
2000 if (!ssh_packet_connection_is_on_socket(ssh
) || tos
== INT_MAX
)
2002 switch (ssh_packet_connection_af(ssh
)) {
2005 debug3("%s: set IP_TOS 0x%02x", __func__
, tos
);
2006 if (setsockopt(ssh
->state
->connection_in
,
2007 IPPROTO_IP
, IP_TOS
, &tos
, sizeof(tos
)) < 0)
2008 error("setsockopt IP_TOS %d: %.100s:",
2009 tos
, strerror(errno
));
2011 # endif /* IP_TOS */
2014 debug3("%s: set IPV6_TCLASS 0x%02x", __func__
, tos
);
2015 if (setsockopt(ssh
->state
->connection_in
,
2016 IPPROTO_IPV6
, IPV6_TCLASS
, &tos
, sizeof(tos
)) < 0)
2017 error("setsockopt IPV6_TCLASS %d: %.100s:",
2018 tos
, strerror(errno
));
2020 # endif /* IPV6_TCLASS */
2022 #endif /* IP_TOS_IS_BROKEN */
2025 /* Informs that the current session is interactive. Sets IP flags for that. */
2028 ssh_packet_set_interactive(struct ssh
*ssh
, int interactive
, int qos_interactive
, int qos_bulk
)
2030 struct session_state
*state
= ssh
->state
;
2032 if (state
->set_interactive_called
)
2034 state
->set_interactive_called
= 1;
2036 /* Record that we are in interactive mode. */
2037 state
->interactive_mode
= interactive
;
2039 /* Only set socket options if using a socket. */
2040 if (!ssh_packet_connection_is_on_socket(ssh
))
2042 set_nodelay(state
->connection_in
);
2043 ssh_packet_set_tos(ssh
, interactive
? qos_interactive
:
2047 /* Returns true if the current connection is interactive. */
2050 ssh_packet_is_interactive(struct ssh
*ssh
)
2052 return ssh
->state
->interactive_mode
;
2056 ssh_packet_set_maxsize(struct ssh
*ssh
, u_int s
)
2058 struct session_state
*state
= ssh
->state
;
2060 if (state
->set_maxsize_called
) {
2061 logit("packet_set_maxsize: called twice: old %d new %d",
2062 state
->max_packet_size
, s
);
2065 if (s
< 4 * 1024 || s
> 1024 * 1024) {
2066 logit("packet_set_maxsize: bad size %d", s
);
2069 state
->set_maxsize_called
= 1;
2070 debug("packet_set_maxsize: setting to %d", s
);
2071 state
->max_packet_size
= s
;
2076 ssh_packet_inc_alive_timeouts(struct ssh
*ssh
)
2078 return ++ssh
->state
->keep_alive_timeouts
;
2082 ssh_packet_set_alive_timeouts(struct ssh
*ssh
, int ka
)
2084 ssh
->state
->keep_alive_timeouts
= ka
;
2088 ssh_packet_get_maxsize(struct ssh
*ssh
)
2090 return ssh
->state
->max_packet_size
;
2094 ssh_packet_set_rekey_limits(struct ssh
*ssh
, u_int64_t bytes
, u_int32_t seconds
)
2096 debug3("rekey after %llu bytes, %u seconds", (unsigned long long)bytes
,
2097 (unsigned int)seconds
);
2098 ssh
->state
->rekey_limit
= bytes
;
2099 ssh
->state
->rekey_interval
= seconds
;
2103 ssh_packet_get_rekey_timeout(struct ssh
*ssh
)
2107 seconds
= ssh
->state
->rekey_time
+ ssh
->state
->rekey_interval
-
2109 return (seconds
<= 0 ? 1 : seconds
);
2113 ssh_packet_set_server(struct ssh
*ssh
)
2115 ssh
->state
->server_side
= 1;
2119 ssh_packet_set_authenticated(struct ssh
*ssh
)
2121 ssh
->state
->after_authentication
= 1;
2125 ssh_packet_get_input(struct ssh
*ssh
)
2127 return (void *)ssh
->state
->input
;
2131 ssh_packet_get_output(struct ssh
*ssh
)
2133 return (void *)ssh
->state
->output
;
2136 /* Reset after_authentication and reset compression in post-auth privsep */
2138 ssh_packet_set_postauth(struct ssh
*ssh
)
2142 debug("%s: called", __func__
);
2143 /* This was set in net child, but is not visible in user child */
2144 ssh
->state
->after_authentication
= 1;
2145 ssh
->state
->rekeying
= 0;
2146 if ((r
= ssh_packet_enable_delayed_compress(ssh
)) != 0)
2151 /* Packet state (de-)serialization for privsep */
2153 /* turn kex into a blob for packet state serialization */
2155 kex_to_blob(struct sshbuf
*m
, struct kex
*kex
)
2159 if ((r
= sshbuf_put_string(m
, kex
->session_id
,
2160 kex
->session_id_len
)) != 0 ||
2161 (r
= sshbuf_put_u32(m
, kex
->we_need
)) != 0 ||
2162 (r
= sshbuf_put_u32(m
, kex
->hostkey_type
)) != 0 ||
2163 (r
= sshbuf_put_u32(m
, kex
->kex_type
)) != 0 ||
2164 (r
= sshbuf_put_stringb(m
, kex
->my
)) != 0 ||
2165 (r
= sshbuf_put_stringb(m
, kex
->peer
)) != 0 ||
2166 (r
= sshbuf_put_u32(m
, kex
->flags
)) != 0 ||
2167 (r
= sshbuf_put_cstring(m
, kex
->client_version_string
)) != 0 ||
2168 (r
= sshbuf_put_cstring(m
, kex
->server_version_string
)) != 0)
2173 /* turn key exchange results into a blob for packet state serialization */
2175 newkeys_to_blob(struct sshbuf
*m
, struct ssh
*ssh
, int mode
)
2178 struct sshcipher_ctx
*cc
;
2179 struct sshcomp
*comp
;
2182 struct newkeys
*newkey
;
2185 if ((newkey
= ssh
->state
->newkeys
[mode
]) == NULL
)
2186 return SSH_ERR_INTERNAL_ERROR
;
2189 comp
= &newkey
->comp
;
2190 cc
= (mode
== MODE_OUT
) ? ssh
->state
->send_context
:
2191 ssh
->state
->receive_context
;
2192 if ((r
= cipher_get_keyiv(cc
, enc
->iv
, enc
->iv_len
)) != 0)
2194 if ((b
= sshbuf_new()) == NULL
)
2195 return SSH_ERR_ALLOC_FAIL
;
2196 if ((r
= sshbuf_put_cstring(b
, enc
->name
)) != 0 ||
2197 (r
= sshbuf_put_u32(b
, enc
->enabled
)) != 0 ||
2198 (r
= sshbuf_put_u32(b
, enc
->block_size
)) != 0 ||
2199 (r
= sshbuf_put_string(b
, enc
->key
, enc
->key_len
)) != 0 ||
2200 (r
= sshbuf_put_string(b
, enc
->iv
, enc
->iv_len
)) != 0)
2202 if (cipher_authlen(enc
->cipher
) == 0) {
2203 if ((r
= sshbuf_put_cstring(b
, mac
->name
)) != 0 ||
2204 (r
= sshbuf_put_u32(b
, mac
->enabled
)) != 0 ||
2205 (r
= sshbuf_put_string(b
, mac
->key
, mac
->key_len
)) != 0)
2208 if ((r
= sshbuf_put_u32(b
, comp
->type
)) != 0 ||
2209 (r
= sshbuf_put_cstring(b
, comp
->name
)) != 0)
2211 r
= sshbuf_put_stringb(m
, b
);
2217 /* serialize packet state into a blob */
2219 ssh_packet_get_state(struct ssh
*ssh
, struct sshbuf
*m
)
2221 struct session_state
*state
= ssh
->state
;
2224 if ((r
= kex_to_blob(m
, ssh
->kex
)) != 0 ||
2225 (r
= newkeys_to_blob(m
, ssh
, MODE_OUT
)) != 0 ||
2226 (r
= newkeys_to_blob(m
, ssh
, MODE_IN
)) != 0 ||
2227 (r
= sshbuf_put_u64(m
, state
->rekey_limit
)) != 0 ||
2228 (r
= sshbuf_put_u32(m
, state
->rekey_interval
)) != 0 ||
2229 (r
= sshbuf_put_u32(m
, state
->p_send
.seqnr
)) != 0 ||
2230 (r
= sshbuf_put_u64(m
, state
->p_send
.blocks
)) != 0 ||
2231 (r
= sshbuf_put_u32(m
, state
->p_send
.packets
)) != 0 ||
2232 (r
= sshbuf_put_u64(m
, state
->p_send
.bytes
)) != 0 ||
2233 (r
= sshbuf_put_u32(m
, state
->p_read
.seqnr
)) != 0 ||
2234 (r
= sshbuf_put_u64(m
, state
->p_read
.blocks
)) != 0 ||
2235 (r
= sshbuf_put_u32(m
, state
->p_read
.packets
)) != 0 ||
2236 (r
= sshbuf_put_u64(m
, state
->p_read
.bytes
)) != 0 ||
2237 (r
= sshbuf_put_stringb(m
, state
->input
)) != 0 ||
2238 (r
= sshbuf_put_stringb(m
, state
->output
)) != 0)
2244 /* restore key exchange results from blob for packet state de-serialization */
2246 newkeys_from_blob(struct sshbuf
*m
, struct ssh
*ssh
, int mode
)
2248 struct sshbuf
*b
= NULL
;
2249 struct sshcomp
*comp
;
2252 struct newkeys
*newkey
= NULL
;
2253 size_t keylen
, ivlen
, maclen
;
2256 if ((newkey
= calloc(1, sizeof(*newkey
))) == NULL
) {
2257 r
= SSH_ERR_ALLOC_FAIL
;
2260 if ((r
= sshbuf_froms(m
, &b
)) != 0)
2263 sshbuf_dump(b
, stderr
);
2267 comp
= &newkey
->comp
;
2269 if ((r
= sshbuf_get_cstring(b
, &enc
->name
, NULL
)) != 0 ||
2270 (r
= sshbuf_get_u32(b
, (u_int
*)&enc
->enabled
)) != 0 ||
2271 (r
= sshbuf_get_u32(b
, &enc
->block_size
)) != 0 ||
2272 (r
= sshbuf_get_string(b
, &enc
->key
, &keylen
)) != 0 ||
2273 (r
= sshbuf_get_string(b
, &enc
->iv
, &ivlen
)) != 0)
2275 if ((enc
->cipher
= cipher_by_name(enc
->name
)) == NULL
) {
2276 r
= SSH_ERR_INVALID_FORMAT
;
2279 if (cipher_authlen(enc
->cipher
) == 0) {
2280 if ((r
= sshbuf_get_cstring(b
, &mac
->name
, NULL
)) != 0)
2282 if ((r
= mac_setup(mac
, mac
->name
)) != 0)
2284 if ((r
= sshbuf_get_u32(b
, (u_int
*)&mac
->enabled
)) != 0 ||
2285 (r
= sshbuf_get_string(b
, &mac
->key
, &maclen
)) != 0)
2287 if (maclen
> mac
->key_len
) {
2288 r
= SSH_ERR_INVALID_FORMAT
;
2291 mac
->key_len
= maclen
;
2293 if ((r
= sshbuf_get_u32(b
, &comp
->type
)) != 0 ||
2294 (r
= sshbuf_get_cstring(b
, &comp
->name
, NULL
)) != 0)
2296 if (sshbuf_len(b
) != 0) {
2297 r
= SSH_ERR_INVALID_FORMAT
;
2300 enc
->key_len
= keylen
;
2301 enc
->iv_len
= ivlen
;
2302 ssh
->kex
->newkeys
[mode
] = newkey
;
2311 /* restore kex from blob for packet state de-serialization */
2313 kex_from_blob(struct sshbuf
*m
, struct kex
**kexp
)
2318 if ((kex
= calloc(1, sizeof(struct kex
))) == NULL
||
2319 (kex
->my
= sshbuf_new()) == NULL
||
2320 (kex
->peer
= sshbuf_new()) == NULL
) {
2321 r
= SSH_ERR_ALLOC_FAIL
;
2324 if ((r
= sshbuf_get_string(m
, &kex
->session_id
, &kex
->session_id_len
)) != 0 ||
2325 (r
= sshbuf_get_u32(m
, &kex
->we_need
)) != 0 ||
2326 (r
= sshbuf_get_u32(m
, (u_int
*)&kex
->hostkey_type
)) != 0 ||
2327 (r
= sshbuf_get_u32(m
, &kex
->kex_type
)) != 0 ||
2328 (r
= sshbuf_get_stringb(m
, kex
->my
)) != 0 ||
2329 (r
= sshbuf_get_stringb(m
, kex
->peer
)) != 0 ||
2330 (r
= sshbuf_get_u32(m
, &kex
->flags
)) != 0 ||
2331 (r
= sshbuf_get_cstring(m
, &kex
->client_version_string
, NULL
)) != 0 ||
2332 (r
= sshbuf_get_cstring(m
, &kex
->server_version_string
, NULL
)) != 0)
2338 if (r
!= 0 || kexp
== NULL
) {
2340 sshbuf_free(kex
->my
);
2341 sshbuf_free(kex
->peer
);
2353 * Restore packet state from content of blob 'm' (de-serialization).
2354 * Note that 'm' will be partially consumed on parsing or any other errors.
2357 ssh_packet_set_state(struct ssh
*ssh
, struct sshbuf
*m
)
2359 struct session_state
*state
= ssh
->state
;
2360 const u_char
*input
, *output
;
2364 if ((r
= kex_from_blob(m
, &ssh
->kex
)) != 0 ||
2365 (r
= newkeys_from_blob(m
, ssh
, MODE_OUT
)) != 0 ||
2366 (r
= newkeys_from_blob(m
, ssh
, MODE_IN
)) != 0 ||
2367 (r
= sshbuf_get_u64(m
, &state
->rekey_limit
)) != 0 ||
2368 (r
= sshbuf_get_u32(m
, &state
->rekey_interval
)) != 0 ||
2369 (r
= sshbuf_get_u32(m
, &state
->p_send
.seqnr
)) != 0 ||
2370 (r
= sshbuf_get_u64(m
, &state
->p_send
.blocks
)) != 0 ||
2371 (r
= sshbuf_get_u32(m
, &state
->p_send
.packets
)) != 0 ||
2372 (r
= sshbuf_get_u64(m
, &state
->p_send
.bytes
)) != 0 ||
2373 (r
= sshbuf_get_u32(m
, &state
->p_read
.seqnr
)) != 0 ||
2374 (r
= sshbuf_get_u64(m
, &state
->p_read
.blocks
)) != 0 ||
2375 (r
= sshbuf_get_u32(m
, &state
->p_read
.packets
)) != 0 ||
2376 (r
= sshbuf_get_u64(m
, &state
->p_read
.bytes
)) != 0)
2379 * We set the time here so that in post-auth privsep slave we
2380 * count from the completion of the authentication.
2382 state
->rekey_time
= monotime();
2383 /* XXX ssh_set_newkeys overrides p_read.packets? XXX */
2384 if ((r
= ssh_set_newkeys(ssh
, MODE_IN
)) != 0 ||
2385 (r
= ssh_set_newkeys(ssh
, MODE_OUT
)) != 0)
2388 if ((r
= ssh_packet_set_postauth(ssh
)) != 0)
2391 sshbuf_reset(state
->input
);
2392 sshbuf_reset(state
->output
);
2393 if ((r
= sshbuf_get_string_direct(m
, &input
, &ilen
)) != 0 ||
2394 (r
= sshbuf_get_string_direct(m
, &output
, &olen
)) != 0 ||
2395 (r
= sshbuf_put(state
->input
, input
, ilen
)) != 0 ||
2396 (r
= sshbuf_put(state
->output
, output
, olen
)) != 0)
2400 return SSH_ERR_INVALID_FORMAT
;
2401 debug3("%s: done", __func__
);
2407 /* put data to the outgoing packet */
2410 sshpkt_put(struct ssh
*ssh
, const void *v
, size_t len
)
2412 return sshbuf_put(ssh
->state
->outgoing_packet
, v
, len
);
2416 sshpkt_putb(struct ssh
*ssh
, const struct sshbuf
*b
)
2418 return sshbuf_putb(ssh
->state
->outgoing_packet
, b
);
2422 sshpkt_put_u8(struct ssh
*ssh
, u_char val
)
2424 return sshbuf_put_u8(ssh
->state
->outgoing_packet
, val
);
2428 sshpkt_put_u32(struct ssh
*ssh
, u_int32_t val
)
2430 return sshbuf_put_u32(ssh
->state
->outgoing_packet
, val
);
2434 sshpkt_put_u64(struct ssh
*ssh
, u_int64_t val
)
2436 return sshbuf_put_u64(ssh
->state
->outgoing_packet
, val
);
2440 sshpkt_put_string(struct ssh
*ssh
, const void *v
, size_t len
)
2442 return sshbuf_put_string(ssh
->state
->outgoing_packet
, v
, len
);
2446 sshpkt_put_cstring(struct ssh
*ssh
, const void *v
)
2448 return sshbuf_put_cstring(ssh
->state
->outgoing_packet
, v
);
2452 sshpkt_put_stringb(struct ssh
*ssh
, const struct sshbuf
*v
)
2454 return sshbuf_put_stringb(ssh
->state
->outgoing_packet
, v
);
2458 #ifdef OPENSSL_HAS_ECC
2460 sshpkt_put_ec(struct ssh
*ssh
, const EC_POINT
*v
, const EC_GROUP
*g
)
2462 return sshbuf_put_ec(ssh
->state
->outgoing_packet
, v
, g
);
2464 #endif /* OPENSSL_HAS_ECC */
2468 sshpkt_put_bignum2(struct ssh
*ssh
, const BIGNUM
*v
)
2470 return sshbuf_put_bignum2(ssh
->state
->outgoing_packet
, v
);
2472 #endif /* WITH_OPENSSL */
2474 /* fetch data from the incoming packet */
2477 sshpkt_get(struct ssh
*ssh
, void *valp
, size_t len
)
2479 return sshbuf_get(ssh
->state
->incoming_packet
, valp
, len
);
2483 sshpkt_get_u8(struct ssh
*ssh
, u_char
*valp
)
2485 return sshbuf_get_u8(ssh
->state
->incoming_packet
, valp
);
2489 sshpkt_get_u32(struct ssh
*ssh
, u_int32_t
*valp
)
2491 return sshbuf_get_u32(ssh
->state
->incoming_packet
, valp
);
2495 sshpkt_get_u64(struct ssh
*ssh
, u_int64_t
*valp
)
2497 return sshbuf_get_u64(ssh
->state
->incoming_packet
, valp
);
2501 sshpkt_get_string(struct ssh
*ssh
, u_char
**valp
, size_t *lenp
)
2503 return sshbuf_get_string(ssh
->state
->incoming_packet
, valp
, lenp
);
2507 sshpkt_get_string_direct(struct ssh
*ssh
, const u_char
**valp
, size_t *lenp
)
2509 return sshbuf_get_string_direct(ssh
->state
->incoming_packet
, valp
, lenp
);
2513 sshpkt_peek_string_direct(struct ssh
*ssh
, const u_char
**valp
, size_t *lenp
)
2515 return sshbuf_peek_string_direct(ssh
->state
->incoming_packet
, valp
, lenp
);
2519 sshpkt_get_cstring(struct ssh
*ssh
, char **valp
, size_t *lenp
)
2521 return sshbuf_get_cstring(ssh
->state
->incoming_packet
, valp
, lenp
);
2525 #ifdef OPENSSL_HAS_ECC
2527 sshpkt_get_ec(struct ssh
*ssh
, EC_POINT
*v
, const EC_GROUP
*g
)
2529 return sshbuf_get_ec(ssh
->state
->incoming_packet
, v
, g
);
2531 #endif /* OPENSSL_HAS_ECC */
2535 sshpkt_get_bignum2(struct ssh
*ssh
, BIGNUM
*v
)
2537 return sshbuf_get_bignum2(ssh
->state
->incoming_packet
, v
);
2539 #endif /* WITH_OPENSSL */
2542 sshpkt_get_end(struct ssh
*ssh
)
2544 if (sshbuf_len(ssh
->state
->incoming_packet
) > 0)
2545 return SSH_ERR_UNEXPECTED_TRAILING_DATA
;
2550 sshpkt_ptr(struct ssh
*ssh
, size_t *lenp
)
2553 *lenp
= sshbuf_len(ssh
->state
->incoming_packet
);
2554 return sshbuf_ptr(ssh
->state
->incoming_packet
);
2557 /* start a new packet */
2560 sshpkt_start(struct ssh
*ssh
, u_char type
)
2562 u_char buf
[6]; /* u32 packet length, u8 pad len, u8 type */
2564 DBG(debug("packet_start[%d]", type
));
2565 memset(buf
, 0, sizeof(buf
));
2566 buf
[sizeof(buf
) - 1] = type
;
2567 sshbuf_reset(ssh
->state
->outgoing_packet
);
2568 return sshbuf_put(ssh
->state
->outgoing_packet
, buf
, sizeof(buf
));
2572 ssh_packet_send_mux(struct ssh
*ssh
)
2574 struct session_state
*state
= ssh
->state
;
2580 return SSH_ERR_INTERNAL_ERROR
;
2581 len
= sshbuf_len(state
->outgoing_packet
);
2583 return SSH_ERR_INTERNAL_ERROR
;
2584 cp
= sshbuf_mutable_ptr(state
->outgoing_packet
);
2586 if (ssh_packet_log_type(type
))
2587 debug3("%s: type %u", __func__
, type
);
2588 /* drop everything, but the connection protocol */
2589 if (type
>= SSH2_MSG_CONNECTION_MIN
&&
2590 type
<= SSH2_MSG_CONNECTION_MAX
) {
2591 POKE_U32(cp
, len
- 4);
2592 if ((r
= sshbuf_putb(state
->output
,
2593 state
->outgoing_packet
)) != 0)
2595 /* sshbuf_dump(state->output, stderr); */
2597 sshbuf_reset(state
->outgoing_packet
);
2602 * 9.2. Ignored Data Message
2604 * byte SSH_MSG_IGNORE
2607 * All implementations MUST understand (and ignore) this message at any
2608 * time (after receiving the protocol version). No implementation is
2609 * required to send them. This message can be used as an additional
2610 * protection measure against advanced traffic analysis techniques.
2613 sshpkt_msg_ignore(struct ssh
*ssh
, u_int nbytes
)
2619 if ((r
= sshpkt_start(ssh
, SSH2_MSG_IGNORE
)) != 0 ||
2620 (r
= sshpkt_put_u32(ssh
, nbytes
)) != 0)
2622 for (i
= 0; i
< nbytes
; i
++) {
2625 if ((r
= sshpkt_put_u8(ssh
, (u_char
)rnd
& 0xff)) != 0)
2635 sshpkt_send(struct ssh
*ssh
)
2637 if (ssh
->state
&& ssh
->state
->mux
)
2638 return ssh_packet_send_mux(ssh
);
2639 return ssh_packet_send2(ssh
);
2643 sshpkt_disconnect(struct ssh
*ssh
, const char *fmt
,...)
2649 va_start(args
, fmt
);
2650 vsnprintf(buf
, sizeof(buf
), fmt
, args
);
2653 if ((r
= sshpkt_start(ssh
, SSH2_MSG_DISCONNECT
)) != 0 ||
2654 (r
= sshpkt_put_u32(ssh
, SSH2_DISCONNECT_PROTOCOL_ERROR
)) != 0 ||
2655 (r
= sshpkt_put_cstring(ssh
, buf
)) != 0 ||
2656 (r
= sshpkt_put_cstring(ssh
, "")) != 0 ||
2657 (r
= sshpkt_send(ssh
)) != 0)
2662 /* roundup current message to pad bytes */
2664 sshpkt_add_padding(struct ssh
*ssh
, u_char pad
)
2666 ssh
->state
->extra_pad
= pad
;