1 |
|
|
/* $OpenBSD: packet.c,v 1.266 2017/10/25 00:17:08 djm Exp $ */ |
2 |
|
|
/* |
3 |
|
|
* Author: Tatu Ylonen <ylo@cs.hut.fi> |
4 |
|
|
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland |
5 |
|
|
* All rights reserved |
6 |
|
|
* This file contains code implementing the packet protocol and communication |
7 |
|
|
* with the other side. This same code is used both on client and server side. |
8 |
|
|
* |
9 |
|
|
* As far as I am concerned, the code I have written for this software |
10 |
|
|
* can be used freely for any purpose. Any derived versions of this |
11 |
|
|
* software must be clearly marked as such, and if the derived work is |
12 |
|
|
* incompatible with the protocol description in the RFC file, it must be |
13 |
|
|
* called by a name other than "ssh" or "Secure Shell". |
14 |
|
|
* |
15 |
|
|
* |
16 |
|
|
* SSH2 packet format added by Markus Friedl. |
17 |
|
|
* Copyright (c) 2000, 2001 Markus Friedl. All rights reserved. |
18 |
|
|
* |
19 |
|
|
* Redistribution and use in source and binary forms, with or without |
20 |
|
|
* modification, are permitted provided that the following conditions |
21 |
|
|
* are met: |
22 |
|
|
* 1. Redistributions of source code must retain the above copyright |
23 |
|
|
* notice, this list of conditions and the following disclaimer. |
24 |
|
|
* 2. Redistributions in binary form must reproduce the above copyright |
25 |
|
|
* notice, this list of conditions and the following disclaimer in the |
26 |
|
|
* documentation and/or other materials provided with the distribution. |
27 |
|
|
* |
28 |
|
|
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR |
29 |
|
|
* IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES |
30 |
|
|
* OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. |
31 |
|
|
* IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, |
32 |
|
|
* INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT |
33 |
|
|
* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, |
34 |
|
|
* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY |
35 |
|
|
* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT |
36 |
|
|
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF |
37 |
|
|
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
38 |
|
|
*/ |
39 |
|
|
|
40 |
|
|
#include <sys/types.h> |
41 |
|
|
#include <sys/queue.h> |
42 |
|
|
#include <sys/socket.h> |
43 |
|
|
#include <sys/time.h> |
44 |
|
|
#include <netinet/in.h> |
45 |
|
|
#include <netinet/ip.h> |
46 |
|
|
|
47 |
|
|
#include <errno.h> |
48 |
|
|
#include <netdb.h> |
49 |
|
|
#include <stdarg.h> |
50 |
|
|
#include <stdio.h> |
51 |
|
|
#include <stdlib.h> |
52 |
|
|
#include <string.h> |
53 |
|
|
#include <unistd.h> |
54 |
|
|
#include <limits.h> |
55 |
|
|
#include <signal.h> |
56 |
|
|
#include <time.h> |
57 |
|
|
|
58 |
|
|
#include <zlib.h> |
59 |
|
|
|
60 |
|
|
#include "buffer.h" /* typedefs XXX */ |
61 |
|
|
#include "key.h" /* typedefs XXX */ |
62 |
|
|
|
63 |
|
|
#include "xmalloc.h" |
64 |
|
|
#include "crc32.h" |
65 |
|
|
#include "compat.h" |
66 |
|
|
#include "ssh2.h" |
67 |
|
|
#include "cipher.h" |
68 |
|
|
#include "sshkey.h" |
69 |
|
|
#include "kex.h" |
70 |
|
|
#include "digest.h" |
71 |
|
|
#include "mac.h" |
72 |
|
|
#include "log.h" |
73 |
|
|
#include "canohost.h" |
74 |
|
|
#include "misc.h" |
75 |
|
|
#include "channels.h" |
76 |
|
|
#include "ssh.h" |
77 |
|
|
#include "packet.h" |
78 |
|
|
#include "ssherr.h" |
79 |
|
|
#include "sshbuf.h" |
80 |
|
|
|
81 |
|
|
#ifdef PACKET_DEBUG |
82 |
|
|
#define DBG(x) x |
83 |
|
|
#else |
84 |
|
|
#define DBG(x) |
85 |
|
|
#endif |
86 |
|
|
|
87 |
|
|
#define PACKET_MAX_SIZE (256 * 1024) |
88 |
|
|
|
89 |
|
|
struct packet_state { |
90 |
|
|
u_int32_t seqnr; |
91 |
|
|
u_int32_t packets; |
92 |
|
|
u_int64_t blocks; |
93 |
|
|
u_int64_t bytes; |
94 |
|
|
}; |
95 |
|
|
|
96 |
|
|
struct packet { |
97 |
|
|
TAILQ_ENTRY(packet) next; |
98 |
|
|
u_char type; |
99 |
|
|
struct sshbuf *payload; |
100 |
|
|
}; |
101 |
|
|
|
102 |
|
|
struct session_state { |
103 |
|
|
/* |
104 |
|
|
* This variable contains the file descriptors used for |
105 |
|
|
* communicating with the other side. connection_in is used for |
106 |
|
|
* reading; connection_out for writing. These can be the same |
107 |
|
|
* descriptor, in which case it is assumed to be a socket. |
108 |
|
|
*/ |
109 |
|
|
int connection_in; |
110 |
|
|
int connection_out; |
111 |
|
|
|
112 |
|
|
/* Protocol flags for the remote side. */ |
113 |
|
|
u_int remote_protocol_flags; |
114 |
|
|
|
115 |
|
|
/* Encryption context for receiving data. Only used for decryption. */ |
116 |
|
|
struct sshcipher_ctx *receive_context; |
117 |
|
|
|
118 |
|
|
/* Encryption context for sending data. Only used for encryption. */ |
119 |
|
|
struct sshcipher_ctx *send_context; |
120 |
|
|
|
121 |
|
|
/* Buffer for raw input data from the socket. */ |
122 |
|
|
struct sshbuf *input; |
123 |
|
|
|
124 |
|
|
/* Buffer for raw output data going to the socket. */ |
125 |
|
|
struct sshbuf *output; |
126 |
|
|
|
127 |
|
|
/* Buffer for the partial outgoing packet being constructed. */ |
128 |
|
|
struct sshbuf *outgoing_packet; |
129 |
|
|
|
130 |
|
|
/* Buffer for the incoming packet currently being processed. */ |
131 |
|
|
struct sshbuf *incoming_packet; |
132 |
|
|
|
133 |
|
|
/* Scratch buffer for packet compression/decompression. */ |
134 |
|
|
struct sshbuf *compression_buffer; |
135 |
|
|
|
136 |
|
|
/* Incoming/outgoing compression dictionaries */ |
137 |
|
|
z_stream compression_in_stream; |
138 |
|
|
z_stream compression_out_stream; |
139 |
|
|
int compression_in_started; |
140 |
|
|
int compression_out_started; |
141 |
|
|
int compression_in_failures; |
142 |
|
|
int compression_out_failures; |
143 |
|
|
|
144 |
|
|
/* |
145 |
|
|
* Flag indicating whether packet compression/decompression is |
146 |
|
|
* enabled. |
147 |
|
|
*/ |
148 |
|
|
int packet_compression; |
149 |
|
|
|
150 |
|
|
/* default maximum packet size */ |
151 |
|
|
u_int max_packet_size; |
152 |
|
|
|
153 |
|
|
/* Flag indicating whether this module has been initialized. */ |
154 |
|
|
int initialized; |
155 |
|
|
|
156 |
|
|
/* Set to true if the connection is interactive. */ |
157 |
|
|
int interactive_mode; |
158 |
|
|
|
159 |
|
|
/* Set to true if we are the server side. */ |
160 |
|
|
int server_side; |
161 |
|
|
|
162 |
|
|
/* Set to true if we are authenticated. */ |
163 |
|
|
int after_authentication; |
164 |
|
|
|
165 |
|
|
int keep_alive_timeouts; |
166 |
|
|
|
167 |
|
|
/* The maximum time that we will wait to send or receive a packet */ |
168 |
|
|
int packet_timeout_ms; |
169 |
|
|
|
170 |
|
|
/* Session key information for Encryption and MAC */ |
171 |
|
|
struct newkeys *newkeys[MODE_MAX]; |
172 |
|
|
struct packet_state p_read, p_send; |
173 |
|
|
|
174 |
|
|
/* Volume-based rekeying */ |
175 |
|
|
u_int64_t max_blocks_in, max_blocks_out, rekey_limit; |
176 |
|
|
|
177 |
|
|
/* Time-based rekeying */ |
178 |
|
|
u_int32_t rekey_interval; /* how often in seconds */ |
179 |
|
|
time_t rekey_time; /* time of last rekeying */ |
180 |
|
|
|
181 |
|
|
/* roundup current message to extra_pad bytes */ |
182 |
|
|
u_char extra_pad; |
183 |
|
|
|
184 |
|
|
/* XXX discard incoming data after MAC error */ |
185 |
|
|
u_int packet_discard; |
186 |
|
|
size_t packet_discard_mac_already; |
187 |
|
|
struct sshmac *packet_discard_mac; |
188 |
|
|
|
189 |
|
|
/* Used in packet_read_poll2() */ |
190 |
|
|
u_int packlen; |
191 |
|
|
|
192 |
|
|
/* Used in packet_send2 */ |
193 |
|
|
int rekeying; |
194 |
|
|
|
195 |
|
|
/* Used in ssh_packet_send_mux() */ |
196 |
|
|
int mux; |
197 |
|
|
|
198 |
|
|
/* Used in packet_set_interactive */ |
199 |
|
|
int set_interactive_called; |
200 |
|
|
|
201 |
|
|
/* Used in packet_set_maxsize */ |
202 |
|
|
int set_maxsize_called; |
203 |
|
|
|
204 |
|
|
/* One-off warning about weak ciphers */ |
205 |
|
|
int cipher_warning_done; |
206 |
|
|
|
207 |
|
|
/* Hook for fuzzing inbound packets */ |
208 |
|
|
ssh_packet_hook_fn *hook_in; |
209 |
|
|
void *hook_in_ctx; |
210 |
|
|
|
211 |
|
|
TAILQ_HEAD(, packet) outgoing; |
212 |
|
|
}; |
213 |
|
|
|
214 |
|
|
struct ssh * |
215 |
|
|
ssh_alloc_session_state(void) |
216 |
|
|
{ |
217 |
|
|
struct ssh *ssh = NULL; |
218 |
|
|
struct session_state *state = NULL; |
219 |
|
|
|
220 |
|
|
if ((ssh = calloc(1, sizeof(*ssh))) == NULL || |
221 |
|
|
(state = calloc(1, sizeof(*state))) == NULL || |
222 |
|
|
(state->input = sshbuf_new()) == NULL || |
223 |
|
|
(state->output = sshbuf_new()) == NULL || |
224 |
|
|
(state->outgoing_packet = sshbuf_new()) == NULL || |
225 |
|
|
(state->incoming_packet = sshbuf_new()) == NULL) |
226 |
|
|
goto fail; |
227 |
|
|
TAILQ_INIT(&state->outgoing); |
228 |
|
|
TAILQ_INIT(&ssh->private_keys); |
229 |
|
|
TAILQ_INIT(&ssh->public_keys); |
230 |
|
|
state->connection_in = -1; |
231 |
|
|
state->connection_out = -1; |
232 |
|
|
state->max_packet_size = 32768; |
233 |
|
|
state->packet_timeout_ms = -1; |
234 |
|
|
state->p_send.packets = state->p_read.packets = 0; |
235 |
|
|
state->initialized = 1; |
236 |
|
|
/* |
237 |
|
|
* ssh_packet_send2() needs to queue packets until |
238 |
|
|
* we've done the initial key exchange. |
239 |
|
|
*/ |
240 |
|
|
state->rekeying = 1; |
241 |
|
|
ssh->state = state; |
242 |
|
|
return ssh; |
243 |
|
|
fail: |
244 |
|
|
if (state) { |
245 |
|
|
sshbuf_free(state->input); |
246 |
|
|
sshbuf_free(state->output); |
247 |
|
|
sshbuf_free(state->incoming_packet); |
248 |
|
|
sshbuf_free(state->outgoing_packet); |
249 |
|
|
free(state); |
250 |
|
|
} |
251 |
|
|
free(ssh); |
252 |
|
|
return NULL; |
253 |
|
|
} |
254 |
|
|
|
255 |
|
|
void |
256 |
|
|
ssh_packet_set_input_hook(struct ssh *ssh, ssh_packet_hook_fn *hook, void *ctx) |
257 |
|
|
{ |
258 |
|
|
ssh->state->hook_in = hook; |
259 |
|
|
ssh->state->hook_in_ctx = ctx; |
260 |
|
|
} |
261 |
|
|
|
262 |
|
|
/* Returns nonzero if rekeying is in progress */ |
263 |
|
|
int |
264 |
|
|
ssh_packet_is_rekeying(struct ssh *ssh) |
265 |
|
|
{ |
266 |
|
|
return ssh->state->rekeying || |
267 |
|
|
(ssh->kex != NULL && ssh->kex->done == 0); |
268 |
|
|
} |
269 |
|
|
|
270 |
|
|
/* |
271 |
|
|
* Sets the descriptors used for communication. |
272 |
|
|
*/ |
273 |
|
|
struct ssh * |
274 |
|
|
ssh_packet_set_connection(struct ssh *ssh, int fd_in, int fd_out) |
275 |
|
|
{ |
276 |
|
|
struct session_state *state; |
277 |
|
|
const struct sshcipher *none = cipher_by_name("none"); |
278 |
|
|
int r; |
279 |
|
|
|
280 |
|
|
if (none == NULL) { |
281 |
|
|
error("%s: cannot load cipher 'none'", __func__); |
282 |
|
|
return NULL; |
283 |
|
|
} |
284 |
|
|
if (ssh == NULL) |
285 |
|
|
ssh = ssh_alloc_session_state(); |
286 |
|
|
if (ssh == NULL) { |
287 |
|
|
error("%s: cound not allocate state", __func__); |
288 |
|
|
return NULL; |
289 |
|
|
} |
290 |
|
|
state = ssh->state; |
291 |
|
|
state->connection_in = fd_in; |
292 |
|
|
state->connection_out = fd_out; |
293 |
|
|
if ((r = cipher_init(&state->send_context, none, |
294 |
|
|
(const u_char *)"", 0, NULL, 0, CIPHER_ENCRYPT)) != 0 || |
295 |
|
|
(r = cipher_init(&state->receive_context, none, |
296 |
|
|
(const u_char *)"", 0, NULL, 0, CIPHER_DECRYPT)) != 0) { |
297 |
|
|
error("%s: cipher_init failed: %s", __func__, ssh_err(r)); |
298 |
|
|
free(ssh); /* XXX need ssh_free_session_state? */ |
299 |
|
|
return NULL; |
300 |
|
|
} |
301 |
|
|
state->newkeys[MODE_IN] = state->newkeys[MODE_OUT] = NULL; |
302 |
|
|
/* |
303 |
|
|
* Cache the IP address of the remote connection for use in error |
304 |
|
|
* messages that might be generated after the connection has closed. |
305 |
|
|
*/ |
306 |
|
|
(void)ssh_remote_ipaddr(ssh); |
307 |
|
|
return ssh; |
308 |
|
|
} |
309 |
|
|
|
310 |
|
|
void |
311 |
|
|
ssh_packet_set_timeout(struct ssh *ssh, int timeout, int count) |
312 |
|
|
{ |
313 |
|
|
struct session_state *state = ssh->state; |
314 |
|
|
|
315 |
|
|
if (timeout <= 0 || count <= 0) { |
316 |
|
|
state->packet_timeout_ms = -1; |
317 |
|
|
return; |
318 |
|
|
} |
319 |
|
|
if ((INT_MAX / 1000) / count < timeout) |
320 |
|
|
state->packet_timeout_ms = INT_MAX; |
321 |
|
|
else |
322 |
|
|
state->packet_timeout_ms = timeout * count * 1000; |
323 |
|
|
} |
324 |
|
|
|
325 |
|
|
void |
326 |
|
|
ssh_packet_set_mux(struct ssh *ssh) |
327 |
|
|
{ |
328 |
|
|
ssh->state->mux = 1; |
329 |
|
|
ssh->state->rekeying = 0; |
330 |
|
|
} |
331 |
|
|
|
332 |
|
|
int |
333 |
|
|
ssh_packet_get_mux(struct ssh *ssh) |
334 |
|
|
{ |
335 |
|
|
return ssh->state->mux; |
336 |
|
|
} |
337 |
|
|
|
338 |
|
|
int |
339 |
|
|
ssh_packet_set_log_preamble(struct ssh *ssh, const char *fmt, ...) |
340 |
|
|
{ |
341 |
|
|
va_list args; |
342 |
|
|
int r; |
343 |
|
|
|
344 |
|
|
free(ssh->log_preamble); |
345 |
|
|
if (fmt == NULL) |
346 |
|
|
ssh->log_preamble = NULL; |
347 |
|
|
else { |
348 |
|
|
va_start(args, fmt); |
349 |
|
|
r = vasprintf(&ssh->log_preamble, fmt, args); |
350 |
|
|
va_end(args); |
351 |
|
|
if (r < 0 || ssh->log_preamble == NULL) |
352 |
|
|
return SSH_ERR_ALLOC_FAIL; |
353 |
|
|
} |
354 |
|
|
return 0; |
355 |
|
|
} |
356 |
|
|
|
357 |
|
|
int |
358 |
|
|
ssh_packet_stop_discard(struct ssh *ssh) |
359 |
|
|
{ |
360 |
|
|
struct session_state *state = ssh->state; |
361 |
|
|
int r; |
362 |
|
|
|
363 |
|
|
if (state->packet_discard_mac) { |
364 |
|
|
char buf[1024]; |
365 |
|
|
size_t dlen = PACKET_MAX_SIZE; |
366 |
|
|
|
367 |
|
|
if (dlen > state->packet_discard_mac_already) |
368 |
|
|
dlen -= state->packet_discard_mac_already; |
369 |
|
|
memset(buf, 'a', sizeof(buf)); |
370 |
|
|
while (sshbuf_len(state->incoming_packet) < dlen) |
371 |
|
|
if ((r = sshbuf_put(state->incoming_packet, buf, |
372 |
|
|
sizeof(buf))) != 0) |
373 |
|
|
return r; |
374 |
|
|
(void) mac_compute(state->packet_discard_mac, |
375 |
|
|
state->p_read.seqnr, |
376 |
|
|
sshbuf_ptr(state->incoming_packet), dlen, |
377 |
|
|
NULL, 0); |
378 |
|
|
} |
379 |
|
|
logit("Finished discarding for %.200s port %d", |
380 |
|
|
ssh_remote_ipaddr(ssh), ssh_remote_port(ssh)); |
381 |
|
|
return SSH_ERR_MAC_INVALID; |
382 |
|
|
} |
383 |
|
|
|
384 |
|
|
static int |
385 |
|
|
ssh_packet_start_discard(struct ssh *ssh, struct sshenc *enc, |
386 |
|
|
struct sshmac *mac, size_t mac_already, u_int discard) |
387 |
|
|
{ |
388 |
|
|
struct session_state *state = ssh->state; |
389 |
|
|
int r; |
390 |
|
|
|
391 |
|
|
if (enc == NULL || !cipher_is_cbc(enc->cipher) || (mac && mac->etm)) { |
392 |
|
|
if ((r = sshpkt_disconnect(ssh, "Packet corrupt")) != 0) |
393 |
|
|
return r; |
394 |
|
|
return SSH_ERR_MAC_INVALID; |
395 |
|
|
} |
396 |
|
|
/* |
397 |
|
|
* Record number of bytes over which the mac has already |
398 |
|
|
* been computed in order to minimize timing attacks. |
399 |
|
|
*/ |
400 |
|
|
if (mac && mac->enabled) { |
401 |
|
|
state->packet_discard_mac = mac; |
402 |
|
|
state->packet_discard_mac_already = mac_already; |
403 |
|
|
} |
404 |
|
|
if (sshbuf_len(state->input) >= discard) |
405 |
|
|
return ssh_packet_stop_discard(ssh); |
406 |
|
|
state->packet_discard = discard - sshbuf_len(state->input); |
407 |
|
|
return 0; |
408 |
|
|
} |
409 |
|
|
|
410 |
|
|
/* Returns 1 if remote host is connected via socket, 0 if not. */ |
411 |
|
|
|
412 |
|
|
int |
413 |
|
|
ssh_packet_connection_is_on_socket(struct ssh *ssh) |
414 |
|
|
{ |
415 |
|
|
struct session_state *state = ssh->state; |
416 |
|
|
struct sockaddr_storage from, to; |
417 |
|
|
socklen_t fromlen, tolen; |
418 |
|
|
|
419 |
|
|
if (state->connection_in == -1 || state->connection_out == -1) |
420 |
|
|
return 0; |
421 |
|
|
|
422 |
|
|
/* filedescriptors in and out are the same, so it's a socket */ |
423 |
|
|
if (state->connection_in == state->connection_out) |
424 |
|
|
return 1; |
425 |
|
|
fromlen = sizeof(from); |
426 |
|
|
memset(&from, 0, sizeof(from)); |
427 |
|
|
if (getpeername(state->connection_in, (struct sockaddr *)&from, |
428 |
|
|
&fromlen) < 0) |
429 |
|
|
return 0; |
430 |
|
|
tolen = sizeof(to); |
431 |
|
|
memset(&to, 0, sizeof(to)); |
432 |
|
|
if (getpeername(state->connection_out, (struct sockaddr *)&to, |
433 |
|
|
&tolen) < 0) |
434 |
|
|
return 0; |
435 |
|
|
if (fromlen != tolen || memcmp(&from, &to, fromlen) != 0) |
436 |
|
|
return 0; |
437 |
|
|
if (from.ss_family != AF_INET && from.ss_family != AF_INET6) |
438 |
|
|
return 0; |
439 |
|
|
return 1; |
440 |
|
|
} |
441 |
|
|
|
442 |
|
|
void |
443 |
|
|
ssh_packet_get_bytes(struct ssh *ssh, u_int64_t *ibytes, u_int64_t *obytes) |
444 |
|
|
{ |
445 |
|
|
if (ibytes) |
446 |
|
|
*ibytes = ssh->state->p_read.bytes; |
447 |
|
|
if (obytes) |
448 |
|
|
*obytes = ssh->state->p_send.bytes; |
449 |
|
|
} |
450 |
|
|
|
451 |
|
|
int |
452 |
|
|
ssh_packet_connection_af(struct ssh *ssh) |
453 |
|
|
{ |
454 |
|
|
struct sockaddr_storage to; |
455 |
|
|
socklen_t tolen = sizeof(to); |
456 |
|
|
|
457 |
|
|
memset(&to, 0, sizeof(to)); |
458 |
|
|
if (getsockname(ssh->state->connection_out, (struct sockaddr *)&to, |
459 |
|
|
&tolen) < 0) |
460 |
|
|
return 0; |
461 |
|
|
return to.ss_family; |
462 |
|
|
} |
463 |
|
|
|
464 |
|
|
/* Sets the connection into non-blocking mode. */ |
465 |
|
|
|
466 |
|
|
void |
467 |
|
|
ssh_packet_set_nonblocking(struct ssh *ssh) |
468 |
|
|
{ |
469 |
|
|
/* Set the socket into non-blocking mode. */ |
470 |
|
|
set_nonblock(ssh->state->connection_in); |
471 |
|
|
|
472 |
|
|
if (ssh->state->connection_out != ssh->state->connection_in) |
473 |
|
|
set_nonblock(ssh->state->connection_out); |
474 |
|
|
} |
475 |
|
|
|
476 |
|
|
/* Returns the socket used for reading. */ |
477 |
|
|
|
478 |
|
|
int |
479 |
|
|
ssh_packet_get_connection_in(struct ssh *ssh) |
480 |
|
|
{ |
481 |
|
|
return ssh->state->connection_in; |
482 |
|
|
} |
483 |
|
|
|
484 |
|
|
/* Returns the descriptor used for writing. */ |
485 |
|
|
|
486 |
|
|
int |
487 |
|
|
ssh_packet_get_connection_out(struct ssh *ssh) |
488 |
|
|
{ |
489 |
|
|
return ssh->state->connection_out; |
490 |
|
|
} |
491 |
|
|
|
492 |
|
|
/* |
493 |
|
|
* Returns the IP-address of the remote host as a string. The returned |
494 |
|
|
* string must not be freed. |
495 |
|
|
*/ |
496 |
|
|
|
497 |
|
|
const char * |
498 |
|
|
ssh_remote_ipaddr(struct ssh *ssh) |
499 |
|
|
{ |
500 |
|
|
const int sock = ssh->state->connection_in; |
501 |
|
|
|
502 |
|
|
/* Check whether we have cached the ipaddr. */ |
503 |
|
|
if (ssh->remote_ipaddr == NULL) { |
504 |
|
|
if (ssh_packet_connection_is_on_socket(ssh)) { |
505 |
|
|
ssh->remote_ipaddr = get_peer_ipaddr(sock); |
506 |
|
|
ssh->remote_port = get_peer_port(sock); |
507 |
|
|
ssh->local_ipaddr = get_local_ipaddr(sock); |
508 |
|
|
ssh->local_port = get_local_port(sock); |
509 |
|
|
} else { |
510 |
|
|
ssh->remote_ipaddr = strdup("UNKNOWN"); |
511 |
|
|
ssh->remote_port = 65535; |
512 |
|
|
ssh->local_ipaddr = strdup("UNKNOWN"); |
513 |
|
|
ssh->local_port = 65535; |
514 |
|
|
} |
515 |
|
|
} |
516 |
|
|
return ssh->remote_ipaddr; |
517 |
|
|
} |
518 |
|
|
|
519 |
|
|
/* Returns the port number of the remote host. */ |
520 |
|
|
|
521 |
|
|
int |
522 |
|
|
ssh_remote_port(struct ssh *ssh) |
523 |
|
|
{ |
524 |
|
|
(void)ssh_remote_ipaddr(ssh); /* Will lookup and cache. */ |
525 |
|
|
return ssh->remote_port; |
526 |
|
|
} |
527 |
|
|
|
528 |
|
|
/* |
529 |
|
|
* Returns the IP-address of the local host as a string. The returned |
530 |
|
|
* string must not be freed. |
531 |
|
|
*/ |
532 |
|
|
|
533 |
|
|
const char * |
534 |
|
|
ssh_local_ipaddr(struct ssh *ssh) |
535 |
|
|
{ |
536 |
|
|
(void)ssh_remote_ipaddr(ssh); /* Will lookup and cache. */ |
537 |
|
|
return ssh->local_ipaddr; |
538 |
|
|
} |
539 |
|
|
|
540 |
|
|
/* Returns the port number of the local host. */ |
541 |
|
|
|
542 |
|
|
int |
543 |
|
|
ssh_local_port(struct ssh *ssh) |
544 |
|
|
{ |
545 |
|
|
(void)ssh_remote_ipaddr(ssh); /* Will lookup and cache. */ |
546 |
|
|
return ssh->local_port; |
547 |
|
|
} |
548 |
|
|
|
549 |
|
|
/* Returns the routing domain of the input socket, or NULL if unavailable */ |
550 |
|
|
const char * |
551 |
|
|
ssh_packet_rdomain_in(struct ssh *ssh) |
552 |
|
|
{ |
553 |
|
|
if (ssh->rdomain_in != NULL) |
554 |
|
|
return ssh->rdomain_in; |
555 |
|
|
if (!ssh_packet_connection_is_on_socket(ssh)) |
556 |
|
|
return NULL; |
557 |
|
|
ssh->rdomain_in = get_rdomain(ssh->state->connection_in); |
558 |
|
|
return ssh->rdomain_in; |
559 |
|
|
} |
560 |
|
|
|
561 |
|
|
/* Closes the connection and clears and frees internal data structures. */ |
562 |
|
|
|
563 |
|
|
static void |
564 |
|
|
ssh_packet_close_internal(struct ssh *ssh, int do_close) |
565 |
|
|
{ |
566 |
|
|
struct session_state *state = ssh->state; |
567 |
|
|
u_int mode; |
568 |
|
|
|
569 |
|
|
if (!state->initialized) |
570 |
|
|
return; |
571 |
|
|
state->initialized = 0; |
572 |
|
|
if (do_close) { |
573 |
|
|
if (state->connection_in == state->connection_out) { |
574 |
|
|
close(state->connection_out); |
575 |
|
|
} else { |
576 |
|
|
close(state->connection_in); |
577 |
|
|
close(state->connection_out); |
578 |
|
|
} |
579 |
|
|
} |
580 |
|
|
sshbuf_free(state->input); |
581 |
|
|
sshbuf_free(state->output); |
582 |
|
|
sshbuf_free(state->outgoing_packet); |
583 |
|
|
sshbuf_free(state->incoming_packet); |
584 |
|
|
for (mode = 0; mode < MODE_MAX; mode++) { |
585 |
|
|
kex_free_newkeys(state->newkeys[mode]); /* current keys */ |
586 |
|
|
state->newkeys[mode] = NULL; |
587 |
|
|
ssh_clear_newkeys(ssh, mode); /* next keys */ |
588 |
|
|
} |
589 |
|
|
/* comression state is in shared mem, so we can only release it once */ |
590 |
|
|
if (do_close && state->compression_buffer) { |
591 |
|
|
sshbuf_free(state->compression_buffer); |
592 |
|
|
if (state->compression_out_started) { |
593 |
|
|
z_streamp stream = &state->compression_out_stream; |
594 |
|
|
debug("compress outgoing: " |
595 |
|
|
"raw data %llu, compressed %llu, factor %.2f", |
596 |
|
|
(unsigned long long)stream->total_in, |
597 |
|
|
(unsigned long long)stream->total_out, |
598 |
|
|
stream->total_in == 0 ? 0.0 : |
599 |
|
|
(double) stream->total_out / stream->total_in); |
600 |
|
|
if (state->compression_out_failures == 0) |
601 |
|
|
deflateEnd(stream); |
602 |
|
|
} |
603 |
|
|
if (state->compression_in_started) { |
604 |
|
|
z_streamp stream = &state->compression_in_stream; |
605 |
|
|
debug("compress incoming: " |
606 |
|
|
"raw data %llu, compressed %llu, factor %.2f", |
607 |
|
|
(unsigned long long)stream->total_out, |
608 |
|
|
(unsigned long long)stream->total_in, |
609 |
|
|
stream->total_out == 0 ? 0.0 : |
610 |
|
|
(double) stream->total_in / stream->total_out); |
611 |
|
|
if (state->compression_in_failures == 0) |
612 |
|
|
inflateEnd(stream); |
613 |
|
|
} |
614 |
|
|
} |
615 |
|
|
cipher_free(state->send_context); |
616 |
|
|
cipher_free(state->receive_context); |
617 |
|
|
state->send_context = state->receive_context = NULL; |
618 |
|
|
if (do_close) { |
619 |
|
|
free(ssh->remote_ipaddr); |
620 |
|
|
ssh->remote_ipaddr = NULL; |
621 |
|
|
free(ssh->state); |
622 |
|
|
ssh->state = NULL; |
623 |
|
|
} |
624 |
|
|
} |
625 |
|
|
|
626 |
|
|
void |
627 |
|
|
ssh_packet_close(struct ssh *ssh) |
628 |
|
|
{ |
629 |
|
|
ssh_packet_close_internal(ssh, 1); |
630 |
|
|
} |
631 |
|
|
|
632 |
|
|
void |
633 |
|
|
ssh_packet_clear_keys(struct ssh *ssh) |
634 |
|
|
{ |
635 |
|
|
ssh_packet_close_internal(ssh, 0); |
636 |
|
|
} |
637 |
|
|
|
638 |
|
|
/* Sets remote side protocol flags. */ |
639 |
|
|
|
640 |
|
|
void |
641 |
|
|
ssh_packet_set_protocol_flags(struct ssh *ssh, u_int protocol_flags) |
642 |
|
|
{ |
643 |
|
|
ssh->state->remote_protocol_flags = protocol_flags; |
644 |
|
|
} |
645 |
|
|
|
646 |
|
|
/* Returns the remote protocol flags set earlier by the above function. */ |
647 |
|
|
|
648 |
|
|
u_int |
649 |
|
|
ssh_packet_get_protocol_flags(struct ssh *ssh) |
650 |
|
|
{ |
651 |
|
|
return ssh->state->remote_protocol_flags; |
652 |
|
|
} |
653 |
|
|
|
654 |
|
|
/* |
655 |
|
|
* Starts packet compression from the next packet on in both directions. |
656 |
|
|
* Level is compression level 1 (fastest) - 9 (slow, best) as in gzip. |
657 |
|
|
*/ |
658 |
|
|
|
659 |
|
|
static int |
660 |
|
|
ssh_packet_init_compression(struct ssh *ssh) |
661 |
|
|
{ |
662 |
|
|
if (!ssh->state->compression_buffer && |
663 |
|
|
((ssh->state->compression_buffer = sshbuf_new()) == NULL)) |
664 |
|
|
return SSH_ERR_ALLOC_FAIL; |
665 |
|
|
return 0; |
666 |
|
|
} |
667 |
|
|
|
668 |
|
|
static int |
669 |
|
|
start_compression_out(struct ssh *ssh, int level) |
670 |
|
|
{ |
671 |
|
|
if (level < 1 || level > 9) |
672 |
|
|
return SSH_ERR_INVALID_ARGUMENT; |
673 |
|
|
debug("Enabling compression at level %d.", level); |
674 |
|
|
if (ssh->state->compression_out_started == 1) |
675 |
|
|
deflateEnd(&ssh->state->compression_out_stream); |
676 |
|
|
switch (deflateInit(&ssh->state->compression_out_stream, level)) { |
677 |
|
|
case Z_OK: |
678 |
|
|
ssh->state->compression_out_started = 1; |
679 |
|
|
break; |
680 |
|
|
case Z_MEM_ERROR: |
681 |
|
|
return SSH_ERR_ALLOC_FAIL; |
682 |
|
|
default: |
683 |
|
|
return SSH_ERR_INTERNAL_ERROR; |
684 |
|
|
} |
685 |
|
|
return 0; |
686 |
|
|
} |
687 |
|
|
|
688 |
|
|
static int |
689 |
|
|
start_compression_in(struct ssh *ssh) |
690 |
|
|
{ |
691 |
|
|
if (ssh->state->compression_in_started == 1) |
692 |
|
|
inflateEnd(&ssh->state->compression_in_stream); |
693 |
|
|
switch (inflateInit(&ssh->state->compression_in_stream)) { |
694 |
|
|
case Z_OK: |
695 |
|
|
ssh->state->compression_in_started = 1; |
696 |
|
|
break; |
697 |
|
|
case Z_MEM_ERROR: |
698 |
|
|
return SSH_ERR_ALLOC_FAIL; |
699 |
|
|
default: |
700 |
|
|
return SSH_ERR_INTERNAL_ERROR; |
701 |
|
|
} |
702 |
|
|
return 0; |
703 |
|
|
} |
704 |
|
|
|
705 |
|
|
int |
706 |
|
|
ssh_packet_start_compression(struct ssh *ssh, int level) |
707 |
|
|
{ |
708 |
|
|
int r; |
709 |
|
|
|
710 |
|
|
if (ssh->state->packet_compression) |
711 |
|
|
return SSH_ERR_INTERNAL_ERROR; |
712 |
|
|
ssh->state->packet_compression = 1; |
713 |
|
|
if ((r = ssh_packet_init_compression(ssh)) != 0 || |
714 |
|
|
(r = start_compression_in(ssh)) != 0 || |
715 |
|
|
(r = start_compression_out(ssh, level)) != 0) |
716 |
|
|
return r; |
717 |
|
|
return 0; |
718 |
|
|
} |
719 |
|
|
|
720 |
|
|
/* XXX remove need for separate compression buffer */ |
721 |
|
|
static int |
722 |
|
|
compress_buffer(struct ssh *ssh, struct sshbuf *in, struct sshbuf *out) |
723 |
|
|
{ |
724 |
|
|
u_char buf[4096]; |
725 |
|
|
int r, status; |
726 |
|
|
|
727 |
|
|
if (ssh->state->compression_out_started != 1) |
728 |
|
|
return SSH_ERR_INTERNAL_ERROR; |
729 |
|
|
|
730 |
|
|
/* This case is not handled below. */ |
731 |
|
|
if (sshbuf_len(in) == 0) |
732 |
|
|
return 0; |
733 |
|
|
|
734 |
|
|
/* Input is the contents of the input buffer. */ |
735 |
|
|
if ((ssh->state->compression_out_stream.next_in = |
736 |
|
|
sshbuf_mutable_ptr(in)) == NULL) |
737 |
|
|
return SSH_ERR_INTERNAL_ERROR; |
738 |
|
|
ssh->state->compression_out_stream.avail_in = sshbuf_len(in); |
739 |
|
|
|
740 |
|
|
/* Loop compressing until deflate() returns with avail_out != 0. */ |
741 |
|
|
do { |
742 |
|
|
/* Set up fixed-size output buffer. */ |
743 |
|
|
ssh->state->compression_out_stream.next_out = buf; |
744 |
|
|
ssh->state->compression_out_stream.avail_out = sizeof(buf); |
745 |
|
|
|
746 |
|
|
/* Compress as much data into the buffer as possible. */ |
747 |
|
|
status = deflate(&ssh->state->compression_out_stream, |
748 |
|
|
Z_PARTIAL_FLUSH); |
749 |
|
|
switch (status) { |
750 |
|
|
case Z_MEM_ERROR: |
751 |
|
|
return SSH_ERR_ALLOC_FAIL; |
752 |
|
|
case Z_OK: |
753 |
|
|
/* Append compressed data to output_buffer. */ |
754 |
|
|
if ((r = sshbuf_put(out, buf, sizeof(buf) - |
755 |
|
|
ssh->state->compression_out_stream.avail_out)) != 0) |
756 |
|
|
return r; |
757 |
|
|
break; |
758 |
|
|
case Z_STREAM_ERROR: |
759 |
|
|
default: |
760 |
|
|
ssh->state->compression_out_failures++; |
761 |
|
|
return SSH_ERR_INVALID_FORMAT; |
762 |
|
|
} |
763 |
|
|
} while (ssh->state->compression_out_stream.avail_out == 0); |
764 |
|
|
return 0; |
765 |
|
|
} |
766 |
|
|
|
767 |
|
|
static int |
768 |
|
|
uncompress_buffer(struct ssh *ssh, struct sshbuf *in, struct sshbuf *out) |
769 |
|
|
{ |
770 |
|
|
u_char buf[4096]; |
771 |
|
|
int r, status; |
772 |
|
|
|
773 |
|
|
if (ssh->state->compression_in_started != 1) |
774 |
|
|
return SSH_ERR_INTERNAL_ERROR; |
775 |
|
|
|
776 |
|
|
if ((ssh->state->compression_in_stream.next_in = |
777 |
|
|
sshbuf_mutable_ptr(in)) == NULL) |
778 |
|
|
return SSH_ERR_INTERNAL_ERROR; |
779 |
|
|
ssh->state->compression_in_stream.avail_in = sshbuf_len(in); |
780 |
|
|
|
781 |
|
|
for (;;) { |
782 |
|
|
/* Set up fixed-size output buffer. */ |
783 |
|
|
ssh->state->compression_in_stream.next_out = buf; |
784 |
|
|
ssh->state->compression_in_stream.avail_out = sizeof(buf); |
785 |
|
|
|
786 |
|
|
status = inflate(&ssh->state->compression_in_stream, |
787 |
|
|
Z_PARTIAL_FLUSH); |
788 |
|
|
switch (status) { |
789 |
|
|
case Z_OK: |
790 |
|
|
if ((r = sshbuf_put(out, buf, sizeof(buf) - |
791 |
|
|
ssh->state->compression_in_stream.avail_out)) != 0) |
792 |
|
|
return r; |
793 |
|
|
break; |
794 |
|
|
case Z_BUF_ERROR: |
795 |
|
|
/* |
796 |
|
|
* Comments in zlib.h say that we should keep calling |
797 |
|
|
* inflate() until we get an error. This appears to |
798 |
|
|
* be the error that we get. |
799 |
|
|
*/ |
800 |
|
|
return 0; |
801 |
|
|
case Z_DATA_ERROR: |
802 |
|
|
return SSH_ERR_INVALID_FORMAT; |
803 |
|
|
case Z_MEM_ERROR: |
804 |
|
|
return SSH_ERR_ALLOC_FAIL; |
805 |
|
|
case Z_STREAM_ERROR: |
806 |
|
|
default: |
807 |
|
|
ssh->state->compression_in_failures++; |
808 |
|
|
return SSH_ERR_INTERNAL_ERROR; |
809 |
|
|
} |
810 |
|
|
} |
811 |
|
|
/* NOTREACHED */ |
812 |
|
|
} |
813 |
|
|
|
814 |
|
|
void |
815 |
|
|
ssh_clear_newkeys(struct ssh *ssh, int mode) |
816 |
|
|
{ |
817 |
|
|
if (ssh->kex && ssh->kex->newkeys[mode]) { |
818 |
|
|
kex_free_newkeys(ssh->kex->newkeys[mode]); |
819 |
|
|
ssh->kex->newkeys[mode] = NULL; |
820 |
|
|
} |
821 |
|
|
} |
822 |
|
|
|
823 |
|
|
int |
824 |
|
|
ssh_set_newkeys(struct ssh *ssh, int mode) |
825 |
|
|
{ |
826 |
|
|
struct session_state *state = ssh->state; |
827 |
|
|
struct sshenc *enc; |
828 |
|
|
struct sshmac *mac; |
829 |
|
|
struct sshcomp *comp; |
830 |
|
|
struct sshcipher_ctx **ccp; |
831 |
|
|
struct packet_state *ps; |
832 |
|
|
u_int64_t *max_blocks; |
833 |
|
|
const char *wmsg; |
834 |
|
|
int r, crypt_type; |
835 |
|
|
|
836 |
|
|
debug2("set_newkeys: mode %d", mode); |
837 |
|
|
|
838 |
|
|
if (mode == MODE_OUT) { |
839 |
|
|
ccp = &state->send_context; |
840 |
|
|
crypt_type = CIPHER_ENCRYPT; |
841 |
|
|
ps = &state->p_send; |
842 |
|
|
max_blocks = &state->max_blocks_out; |
843 |
|
|
} else { |
844 |
|
|
ccp = &state->receive_context; |
845 |
|
|
crypt_type = CIPHER_DECRYPT; |
846 |
|
|
ps = &state->p_read; |
847 |
|
|
max_blocks = &state->max_blocks_in; |
848 |
|
|
} |
849 |
|
|
if (state->newkeys[mode] != NULL) { |
850 |
|
|
debug("set_newkeys: rekeying, input %llu bytes %llu blocks, " |
851 |
|
|
"output %llu bytes %llu blocks", |
852 |
|
|
(unsigned long long)state->p_read.bytes, |
853 |
|
|
(unsigned long long)state->p_read.blocks, |
854 |
|
|
(unsigned long long)state->p_send.bytes, |
855 |
|
|
(unsigned long long)state->p_send.blocks); |
856 |
|
|
cipher_free(*ccp); |
857 |
|
|
*ccp = NULL; |
858 |
|
|
kex_free_newkeys(state->newkeys[mode]); |
859 |
|
|
state->newkeys[mode] = NULL; |
860 |
|
|
} |
861 |
|
|
/* note that both bytes and the seqnr are not reset */ |
862 |
|
|
ps->packets = ps->blocks = 0; |
863 |
|
|
/* move newkeys from kex to state */ |
864 |
|
|
if ((state->newkeys[mode] = ssh->kex->newkeys[mode]) == NULL) |
865 |
|
|
return SSH_ERR_INTERNAL_ERROR; |
866 |
|
|
ssh->kex->newkeys[mode] = NULL; |
867 |
|
|
enc = &state->newkeys[mode]->enc; |
868 |
|
|
mac = &state->newkeys[mode]->mac; |
869 |
|
|
comp = &state->newkeys[mode]->comp; |
870 |
|
|
if (cipher_authlen(enc->cipher) == 0) { |
871 |
|
|
if ((r = mac_init(mac)) != 0) |
872 |
|
|
return r; |
873 |
|
|
} |
874 |
|
|
mac->enabled = 1; |
875 |
|
|
DBG(debug("cipher_init_context: %d", mode)); |
876 |
|
|
if ((r = cipher_init(ccp, enc->cipher, enc->key, enc->key_len, |
877 |
|
|
enc->iv, enc->iv_len, crypt_type)) != 0) |
878 |
|
|
return r; |
879 |
|
|
if (!state->cipher_warning_done && |
880 |
|
|
(wmsg = cipher_warning_message(*ccp)) != NULL) { |
881 |
|
|
error("Warning: %s", wmsg); |
882 |
|
|
state->cipher_warning_done = 1; |
883 |
|
|
} |
884 |
|
|
/* Deleting the keys does not gain extra security */ |
885 |
|
|
/* explicit_bzero(enc->iv, enc->block_size); |
886 |
|
|
explicit_bzero(enc->key, enc->key_len); |
887 |
|
|
explicit_bzero(mac->key, mac->key_len); */ |
888 |
|
|
if ((comp->type == COMP_ZLIB || |
889 |
|
|
(comp->type == COMP_DELAYED && |
890 |
|
|
state->after_authentication)) && comp->enabled == 0) { |
891 |
|
|
if ((r = ssh_packet_init_compression(ssh)) < 0) |
892 |
|
|
return r; |
893 |
|
|
if (mode == MODE_OUT) { |
894 |
|
|
if ((r = start_compression_out(ssh, 6)) != 0) |
895 |
|
|
return r; |
896 |
|
|
} else { |
897 |
|
|
if ((r = start_compression_in(ssh)) != 0) |
898 |
|
|
return r; |
899 |
|
|
} |
900 |
|
|
comp->enabled = 1; |
901 |
|
|
} |
902 |
|
|
/* |
903 |
|
|
* The 2^(blocksize*2) limit is too expensive for 3DES, |
904 |
|
|
* so enforce a 1GB limit for small blocksizes. |
905 |
|
|
* See RFC4344 section 3.2. |
906 |
|
|
*/ |
907 |
|
|
if (enc->block_size >= 16) |
908 |
|
|
*max_blocks = (u_int64_t)1 << (enc->block_size*2); |
909 |
|
|
else |
910 |
|
|
*max_blocks = ((u_int64_t)1 << 30) / enc->block_size; |
911 |
|
|
if (state->rekey_limit) |
912 |
|
|
*max_blocks = MINIMUM(*max_blocks, |
913 |
|
|
state->rekey_limit / enc->block_size); |
914 |
|
|
debug("rekey after %llu blocks", (unsigned long long)*max_blocks); |
915 |
|
|
return 0; |
916 |
|
|
} |
917 |
|
|
|
918 |
|
|
#define MAX_PACKETS (1U<<31) |
919 |
|
|
static int |
920 |
|
|
ssh_packet_need_rekeying(struct ssh *ssh, u_int outbound_packet_len) |
921 |
|
|
{ |
922 |
|
|
struct session_state *state = ssh->state; |
923 |
|
|
u_int32_t out_blocks; |
924 |
|
|
|
925 |
|
|
/* XXX client can't cope with rekeying pre-auth */ |
926 |
|
|
if (!state->after_authentication) |
927 |
|
|
return 0; |
928 |
|
|
|
929 |
|
|
/* Haven't keyed yet or KEX in progress. */ |
930 |
|
|
if (ssh->kex == NULL || ssh_packet_is_rekeying(ssh)) |
931 |
|
|
return 0; |
932 |
|
|
|
933 |
|
|
/* Peer can't rekey */ |
934 |
|
|
if (ssh->compat & SSH_BUG_NOREKEY) |
935 |
|
|
return 0; |
936 |
|
|
|
937 |
|
|
/* |
938 |
|
|
* Permit one packet in or out per rekey - this allows us to |
939 |
|
|
* make progress when rekey limits are very small. |
940 |
|
|
*/ |
941 |
|
|
if (state->p_send.packets == 0 && state->p_read.packets == 0) |
942 |
|
|
return 0; |
943 |
|
|
|
944 |
|
|
/* Time-based rekeying */ |
945 |
|
|
if (state->rekey_interval != 0 && |
946 |
|
|
(int64_t)state->rekey_time + state->rekey_interval <= monotime()) |
947 |
|
|
return 1; |
948 |
|
|
|
949 |
|
|
/* |
950 |
|
|
* Always rekey when MAX_PACKETS sent in either direction |
951 |
|
|
* As per RFC4344 section 3.1 we do this after 2^31 packets. |
952 |
|
|
*/ |
953 |
|
|
if (state->p_send.packets > MAX_PACKETS || |
954 |
|
|
state->p_read.packets > MAX_PACKETS) |
955 |
|
|
return 1; |
956 |
|
|
|
957 |
|
|
/* Rekey after (cipher-specific) maxiumum blocks */ |
958 |
|
|
out_blocks = ROUNDUP(outbound_packet_len, |
959 |
|
|
state->newkeys[MODE_OUT]->enc.block_size); |
960 |
|
|
return (state->max_blocks_out && |
961 |
|
|
(state->p_send.blocks + out_blocks > state->max_blocks_out)) || |
962 |
|
|
(state->max_blocks_in && |
963 |
|
|
(state->p_read.blocks > state->max_blocks_in)); |
964 |
|
|
} |
965 |
|
|
|
966 |
|
|
/* |
967 |
|
|
* Delayed compression for SSH2 is enabled after authentication: |
968 |
|
|
* This happens on the server side after a SSH2_MSG_USERAUTH_SUCCESS is sent, |
969 |
|
|
* and on the client side after a SSH2_MSG_USERAUTH_SUCCESS is received. |
970 |
|
|
*/ |
971 |
|
|
static int |
972 |
|
|
ssh_packet_enable_delayed_compress(struct ssh *ssh) |
973 |
|
|
{ |
974 |
|
|
struct session_state *state = ssh->state; |
975 |
|
|
struct sshcomp *comp = NULL; |
976 |
|
|
int r, mode; |
977 |
|
|
|
978 |
|
|
/* |
979 |
|
|
* Remember that we are past the authentication step, so rekeying |
980 |
|
|
* with COMP_DELAYED will turn on compression immediately. |
981 |
|
|
*/ |
982 |
|
|
state->after_authentication = 1; |
983 |
|
|
for (mode = 0; mode < MODE_MAX; mode++) { |
984 |
|
|
/* protocol error: USERAUTH_SUCCESS received before NEWKEYS */ |
985 |
|
|
if (state->newkeys[mode] == NULL) |
986 |
|
|
continue; |
987 |
|
|
comp = &state->newkeys[mode]->comp; |
988 |
|
|
if (comp && !comp->enabled && comp->type == COMP_DELAYED) { |
989 |
|
|
if ((r = ssh_packet_init_compression(ssh)) != 0) |
990 |
|
|
return r; |
991 |
|
|
if (mode == MODE_OUT) { |
992 |
|
|
if ((r = start_compression_out(ssh, 6)) != 0) |
993 |
|
|
return r; |
994 |
|
|
} else { |
995 |
|
|
if ((r = start_compression_in(ssh)) != 0) |
996 |
|
|
return r; |
997 |
|
|
} |
998 |
|
|
comp->enabled = 1; |
999 |
|
|
} |
1000 |
|
|
} |
1001 |
|
|
return 0; |
1002 |
|
|
} |
1003 |
|
|
|
1004 |
|
|
/* Used to mute debug logging for noisy packet types */ |
1005 |
|
|
int |
1006 |
|
|
ssh_packet_log_type(u_char type) |
1007 |
|
|
{ |
1008 |
|
|
switch (type) { |
1009 |
|
|
case SSH2_MSG_CHANNEL_DATA: |
1010 |
|
|
case SSH2_MSG_CHANNEL_EXTENDED_DATA: |
1011 |
|
|
case SSH2_MSG_CHANNEL_WINDOW_ADJUST: |
1012 |
|
|
return 0; |
1013 |
|
|
default: |
1014 |
|
|
return 1; |
1015 |
|
|
} |
1016 |
|
|
} |
1017 |
|
|
|
1018 |
|
|
/* |
1019 |
|
|
* Finalize packet in SSH2 format (compress, mac, encrypt, enqueue) |
1020 |
|
|
*/ |
1021 |
|
|
int |
1022 |
|
|
ssh_packet_send2_wrapped(struct ssh *ssh) |
1023 |
|
|
{ |
1024 |
|
|
struct session_state *state = ssh->state; |
1025 |
|
|
u_char type, *cp, macbuf[SSH_DIGEST_MAX_LENGTH]; |
1026 |
|
|
u_char tmp, padlen, pad = 0; |
1027 |
|
|
u_int authlen = 0, aadlen = 0; |
1028 |
|
|
u_int len; |
1029 |
|
|
struct sshenc *enc = NULL; |
1030 |
|
|
struct sshmac *mac = NULL; |
1031 |
|
|
struct sshcomp *comp = NULL; |
1032 |
|
|
int r, block_size; |
1033 |
|
|
|
1034 |
|
|
if (state->newkeys[MODE_OUT] != NULL) { |
1035 |
|
|
enc = &state->newkeys[MODE_OUT]->enc; |
1036 |
|
|
mac = &state->newkeys[MODE_OUT]->mac; |
1037 |
|
|
comp = &state->newkeys[MODE_OUT]->comp; |
1038 |
|
|
/* disable mac for authenticated encryption */ |
1039 |
|
|
if ((authlen = cipher_authlen(enc->cipher)) != 0) |
1040 |
|
|
mac = NULL; |
1041 |
|
|
} |
1042 |
|
|
block_size = enc ? enc->block_size : 8; |
1043 |
|
|
aadlen = (mac && mac->enabled && mac->etm) || authlen ? 4 : 0; |
1044 |
|
|
|
1045 |
|
|
type = (sshbuf_ptr(state->outgoing_packet))[5]; |
1046 |
|
|
if (ssh_packet_log_type(type)) |
1047 |
|
|
debug3("send packet: type %u", type); |
1048 |
|
|
#ifdef PACKET_DEBUG |
1049 |
|
|
fprintf(stderr, "plain: "); |
1050 |
|
|
sshbuf_dump(state->outgoing_packet, stderr); |
1051 |
|
|
#endif |
1052 |
|
|
|
1053 |
|
|
if (comp && comp->enabled) { |
1054 |
|
|
len = sshbuf_len(state->outgoing_packet); |
1055 |
|
|
/* skip header, compress only payload */ |
1056 |
|
|
if ((r = sshbuf_consume(state->outgoing_packet, 5)) != 0) |
1057 |
|
|
goto out; |
1058 |
|
|
sshbuf_reset(state->compression_buffer); |
1059 |
|
|
if ((r = compress_buffer(ssh, state->outgoing_packet, |
1060 |
|
|
state->compression_buffer)) != 0) |
1061 |
|
|
goto out; |
1062 |
|
|
sshbuf_reset(state->outgoing_packet); |
1063 |
|
|
if ((r = sshbuf_put(state->outgoing_packet, |
1064 |
|
|
"\0\0\0\0\0", 5)) != 0 || |
1065 |
|
|
(r = sshbuf_putb(state->outgoing_packet, |
1066 |
|
|
state->compression_buffer)) != 0) |
1067 |
|
|
goto out; |
1068 |
|
|
DBG(debug("compression: raw %d compressed %zd", len, |
1069 |
|
|
sshbuf_len(state->outgoing_packet))); |
1070 |
|
|
} |
1071 |
|
|
|
1072 |
|
|
/* sizeof (packet_len + pad_len + payload) */ |
1073 |
|
|
len = sshbuf_len(state->outgoing_packet); |
1074 |
|
|
|
1075 |
|
|
/* |
1076 |
|
|
* calc size of padding, alloc space, get random data, |
1077 |
|
|
* minimum padding is 4 bytes |
1078 |
|
|
*/ |
1079 |
|
|
len -= aadlen; /* packet length is not encrypted for EtM modes */ |
1080 |
|
|
padlen = block_size - (len % block_size); |
1081 |
|
|
if (padlen < 4) |
1082 |
|
|
padlen += block_size; |
1083 |
|
|
if (state->extra_pad) { |
1084 |
|
|
tmp = state->extra_pad; |
1085 |
|
|
state->extra_pad = |
1086 |
|
|
ROUNDUP(state->extra_pad, block_size); |
1087 |
|
|
/* check if roundup overflowed */ |
1088 |
|
|
if (state->extra_pad < tmp) |
1089 |
|
|
return SSH_ERR_INVALID_ARGUMENT; |
1090 |
|
|
tmp = (len + padlen) % state->extra_pad; |
1091 |
|
|
/* Check whether pad calculation below will underflow */ |
1092 |
|
|
if (tmp > state->extra_pad) |
1093 |
|
|
return SSH_ERR_INVALID_ARGUMENT; |
1094 |
|
|
pad = state->extra_pad - tmp; |
1095 |
|
|
DBG(debug3("%s: adding %d (len %d padlen %d extra_pad %d)", |
1096 |
|
|
__func__, pad, len, padlen, state->extra_pad)); |
1097 |
|
|
tmp = padlen; |
1098 |
|
|
padlen += pad; |
1099 |
|
|
/* Check whether padlen calculation overflowed */ |
1100 |
|
|
if (padlen < tmp) |
1101 |
|
|
return SSH_ERR_INVALID_ARGUMENT; /* overflow */ |
1102 |
|
|
state->extra_pad = 0; |
1103 |
|
|
} |
1104 |
|
|
if ((r = sshbuf_reserve(state->outgoing_packet, padlen, &cp)) != 0) |
1105 |
|
|
goto out; |
1106 |
|
|
if (enc && !cipher_ctx_is_plaintext(state->send_context)) { |
1107 |
|
|
/* random padding */ |
1108 |
|
|
arc4random_buf(cp, padlen); |
1109 |
|
|
} else { |
1110 |
|
|
/* clear padding */ |
1111 |
|
|
explicit_bzero(cp, padlen); |
1112 |
|
|
} |
1113 |
|
|
/* sizeof (packet_len + pad_len + payload + padding) */ |
1114 |
|
|
len = sshbuf_len(state->outgoing_packet); |
1115 |
|
|
cp = sshbuf_mutable_ptr(state->outgoing_packet); |
1116 |
|
|
if (cp == NULL) { |
1117 |
|
|
r = SSH_ERR_INTERNAL_ERROR; |
1118 |
|
|
goto out; |
1119 |
|
|
} |
1120 |
|
|
/* packet_length includes payload, padding and padding length field */ |
1121 |
|
|
POKE_U32(cp, len - 4); |
1122 |
|
|
cp[4] = padlen; |
1123 |
|
|
DBG(debug("send: len %d (includes padlen %d, aadlen %d)", |
1124 |
|
|
len, padlen, aadlen)); |
1125 |
|
|
|
1126 |
|
|
/* compute MAC over seqnr and packet(length fields, payload, padding) */ |
1127 |
|
|
if (mac && mac->enabled && !mac->etm) { |
1128 |
|
|
if ((r = mac_compute(mac, state->p_send.seqnr, |
1129 |
|
|
sshbuf_ptr(state->outgoing_packet), len, |
1130 |
|
|
macbuf, sizeof(macbuf))) != 0) |
1131 |
|
|
goto out; |
1132 |
|
|
DBG(debug("done calc MAC out #%d", state->p_send.seqnr)); |
1133 |
|
|
} |
1134 |
|
|
/* encrypt packet and append to output buffer. */ |
1135 |
|
|
if ((r = sshbuf_reserve(state->output, |
1136 |
|
|
sshbuf_len(state->outgoing_packet) + authlen, &cp)) != 0) |
1137 |
|
|
goto out; |
1138 |
|
|
if ((r = cipher_crypt(state->send_context, state->p_send.seqnr, cp, |
1139 |
|
|
sshbuf_ptr(state->outgoing_packet), |
1140 |
|
|
len - aadlen, aadlen, authlen)) != 0) |
1141 |
|
|
goto out; |
1142 |
|
|
/* append unencrypted MAC */ |
1143 |
|
|
if (mac && mac->enabled) { |
1144 |
|
|
if (mac->etm) { |
1145 |
|
|
/* EtM: compute mac over aadlen + cipher text */ |
1146 |
|
|
if ((r = mac_compute(mac, state->p_send.seqnr, |
1147 |
|
|
cp, len, macbuf, sizeof(macbuf))) != 0) |
1148 |
|
|
goto out; |
1149 |
|
|
DBG(debug("done calc MAC(EtM) out #%d", |
1150 |
|
|
state->p_send.seqnr)); |
1151 |
|
|
} |
1152 |
|
|
if ((r = sshbuf_put(state->output, macbuf, mac->mac_len)) != 0) |
1153 |
|
|
goto out; |
1154 |
|
|
} |
1155 |
|
|
#ifdef PACKET_DEBUG |
1156 |
|
|
fprintf(stderr, "encrypted: "); |
1157 |
|
|
sshbuf_dump(state->output, stderr); |
1158 |
|
|
#endif |
1159 |
|
|
/* increment sequence number for outgoing packets */ |
1160 |
|
|
if (++state->p_send.seqnr == 0) |
1161 |
|
|
logit("outgoing seqnr wraps around"); |
1162 |
|
|
if (++state->p_send.packets == 0) |
1163 |
|
|
if (!(ssh->compat & SSH_BUG_NOREKEY)) |
1164 |
|
|
return SSH_ERR_NEED_REKEY; |
1165 |
|
|
state->p_send.blocks += len / block_size; |
1166 |
|
|
state->p_send.bytes += len; |
1167 |
|
|
sshbuf_reset(state->outgoing_packet); |
1168 |
|
|
|
1169 |
|
|
if (type == SSH2_MSG_NEWKEYS) |
1170 |
|
|
r = ssh_set_newkeys(ssh, MODE_OUT); |
1171 |
|
|
else if (type == SSH2_MSG_USERAUTH_SUCCESS && state->server_side) |
1172 |
|
|
r = ssh_packet_enable_delayed_compress(ssh); |
1173 |
|
|
else |
1174 |
|
|
r = 0; |
1175 |
|
|
out: |
1176 |
|
|
return r; |
1177 |
|
|
} |
1178 |
|
|
|
1179 |
|
|
/* returns non-zero if the specified packet type is usec by KEX */ |
1180 |
|
|
static int |
1181 |
|
|
ssh_packet_type_is_kex(u_char type) |
1182 |
|
|
{ |
1183 |
|
|
return |
1184 |
|
|
type >= SSH2_MSG_TRANSPORT_MIN && |
1185 |
|
|
type <= SSH2_MSG_TRANSPORT_MAX && |
1186 |
|
|
type != SSH2_MSG_SERVICE_REQUEST && |
1187 |
|
|
type != SSH2_MSG_SERVICE_ACCEPT && |
1188 |
|
|
type != SSH2_MSG_EXT_INFO; |
1189 |
|
|
} |
1190 |
|
|
|
1191 |
|
|
int |
1192 |
|
|
ssh_packet_send2(struct ssh *ssh) |
1193 |
|
|
{ |
1194 |
|
|
struct session_state *state = ssh->state; |
1195 |
|
|
struct packet *p; |
1196 |
|
|
u_char type; |
1197 |
|
|
int r, need_rekey; |
1198 |
|
|
|
1199 |
|
|
if (sshbuf_len(state->outgoing_packet) < 6) |
1200 |
|
|
return SSH_ERR_INTERNAL_ERROR; |
1201 |
|
|
type = sshbuf_ptr(state->outgoing_packet)[5]; |
1202 |
|
|
need_rekey = !ssh_packet_type_is_kex(type) && |
1203 |
|
|
ssh_packet_need_rekeying(ssh, sshbuf_len(state->outgoing_packet)); |
1204 |
|
|
|
1205 |
|
|
/* |
1206 |
|
|
* During rekeying we can only send key exchange messages. |
1207 |
|
|
* Queue everything else. |
1208 |
|
|
*/ |
1209 |
|
|
if ((need_rekey || state->rekeying) && !ssh_packet_type_is_kex(type)) { |
1210 |
|
|
if (need_rekey) |
1211 |
|
|
debug3("%s: rekex triggered", __func__); |
1212 |
|
|
debug("enqueue packet: %u", type); |
1213 |
|
|
p = calloc(1, sizeof(*p)); |
1214 |
|
|
if (p == NULL) |
1215 |
|
|
return SSH_ERR_ALLOC_FAIL; |
1216 |
|
|
p->type = type; |
1217 |
|
|
p->payload = state->outgoing_packet; |
1218 |
|
|
TAILQ_INSERT_TAIL(&state->outgoing, p, next); |
1219 |
|
|
state->outgoing_packet = sshbuf_new(); |
1220 |
|
|
if (state->outgoing_packet == NULL) |
1221 |
|
|
return SSH_ERR_ALLOC_FAIL; |
1222 |
|
|
if (need_rekey) { |
1223 |
|
|
/* |
1224 |
|
|
* This packet triggered a rekey, so send the |
1225 |
|
|
* KEXINIT now. |
1226 |
|
|
* NB. reenters this function via kex_start_rekex(). |
1227 |
|
|
*/ |
1228 |
|
|
return kex_start_rekex(ssh); |
1229 |
|
|
} |
1230 |
|
|
return 0; |
1231 |
|
|
} |
1232 |
|
|
|
1233 |
|
|
/* rekeying starts with sending KEXINIT */ |
1234 |
|
|
if (type == SSH2_MSG_KEXINIT) |
1235 |
|
|
state->rekeying = 1; |
1236 |
|
|
|
1237 |
|
|
if ((r = ssh_packet_send2_wrapped(ssh)) != 0) |
1238 |
|
|
return r; |
1239 |
|
|
|
1240 |
|
|
/* after a NEWKEYS message we can send the complete queue */ |
1241 |
|
|
if (type == SSH2_MSG_NEWKEYS) { |
1242 |
|
|
state->rekeying = 0; |
1243 |
|
|
state->rekey_time = monotime(); |
1244 |
|
|
while ((p = TAILQ_FIRST(&state->outgoing))) { |
1245 |
|
|
type = p->type; |
1246 |
|
|
/* |
1247 |
|
|
* If this packet triggers a rekex, then skip the |
1248 |
|
|
* remaining packets in the queue for now. |
1249 |
|
|
* NB. re-enters this function via kex_start_rekex. |
1250 |
|
|
*/ |
1251 |
|
|
if (ssh_packet_need_rekeying(ssh, |
1252 |
|
|
sshbuf_len(p->payload))) { |
1253 |
|
|
debug3("%s: queued packet triggered rekex", |
1254 |
|
|
__func__); |
1255 |
|
|
return kex_start_rekex(ssh); |
1256 |
|
|
} |
1257 |
|
|
debug("dequeue packet: %u", type); |
1258 |
|
|
sshbuf_free(state->outgoing_packet); |
1259 |
|
|
state->outgoing_packet = p->payload; |
1260 |
|
|
TAILQ_REMOVE(&state->outgoing, p, next); |
1261 |
|
|
memset(p, 0, sizeof(*p)); |
1262 |
|
|
free(p); |
1263 |
|
|
if ((r = ssh_packet_send2_wrapped(ssh)) != 0) |
1264 |
|
|
return r; |
1265 |
|
|
} |
1266 |
|
|
} |
1267 |
|
|
return 0; |
1268 |
|
|
} |
1269 |
|
|
|
1270 |
|
|
/* |
1271 |
|
|
* Waits until a packet has been received, and returns its type. Note that |
1272 |
|
|
* no other data is processed until this returns, so this function should not |
1273 |
|
|
* be used during the interactive session. |
1274 |
|
|
*/ |
1275 |
|
|
|
1276 |
|
|
int |
1277 |
|
|
ssh_packet_read_seqnr(struct ssh *ssh, u_char *typep, u_int32_t *seqnr_p) |
1278 |
|
|
{ |
1279 |
|
|
struct session_state *state = ssh->state; |
1280 |
|
|
int len, r, ms_remain; |
1281 |
|
|
fd_set *setp; |
1282 |
|
|
char buf[8192]; |
1283 |
|
|
struct timeval timeout, start, *timeoutp = NULL; |
1284 |
|
|
|
1285 |
|
|
DBG(debug("packet_read()")); |
1286 |
|
|
|
1287 |
|
|
setp = calloc(howmany(state->connection_in + 1, |
1288 |
|
|
NFDBITS), sizeof(fd_mask)); |
1289 |
|
|
if (setp == NULL) |
1290 |
|
|
return SSH_ERR_ALLOC_FAIL; |
1291 |
|
|
|
1292 |
|
|
/* |
1293 |
|
|
* Since we are blocking, ensure that all written packets have |
1294 |
|
|
* been sent. |
1295 |
|
|
*/ |
1296 |
|
|
if ((r = ssh_packet_write_wait(ssh)) != 0) |
1297 |
|
|
goto out; |
1298 |
|
|
|
1299 |
|
|
/* Stay in the loop until we have received a complete packet. */ |
1300 |
|
|
for (;;) { |
1301 |
|
|
/* Try to read a packet from the buffer. */ |
1302 |
|
|
r = ssh_packet_read_poll_seqnr(ssh, typep, seqnr_p); |
1303 |
|
|
if (r != 0) |
1304 |
|
|
break; |
1305 |
|
|
/* If we got a packet, return it. */ |
1306 |
|
|
if (*typep != SSH_MSG_NONE) |
1307 |
|
|
break; |
1308 |
|
|
/* |
1309 |
|
|
* Otherwise, wait for some data to arrive, add it to the |
1310 |
|
|
* buffer, and try again. |
1311 |
|
|
*/ |
1312 |
|
|
memset(setp, 0, howmany(state->connection_in + 1, |
1313 |
|
|
NFDBITS) * sizeof(fd_mask)); |
1314 |
|
|
FD_SET(state->connection_in, setp); |
1315 |
|
|
|
1316 |
|
|
if (state->packet_timeout_ms > 0) { |
1317 |
|
|
ms_remain = state->packet_timeout_ms; |
1318 |
|
|
timeoutp = &timeout; |
1319 |
|
|
} |
1320 |
|
|
/* Wait for some data to arrive. */ |
1321 |
|
|
for (;;) { |
1322 |
|
|
if (state->packet_timeout_ms != -1) { |
1323 |
|
|
ms_to_timeval(&timeout, ms_remain); |
1324 |
|
|
gettimeofday(&start, NULL); |
1325 |
|
|
} |
1326 |
|
|
if ((r = select(state->connection_in + 1, setp, |
1327 |
|
|
NULL, NULL, timeoutp)) >= 0) |
1328 |
|
|
break; |
1329 |
|
|
if (errno != EAGAIN && errno != EINTR) |
1330 |
|
|
break; |
1331 |
|
|
if (state->packet_timeout_ms == -1) |
1332 |
|
|
continue; |
1333 |
|
|
ms_subtract_diff(&start, &ms_remain); |
1334 |
|
|
if (ms_remain <= 0) { |
1335 |
|
|
r = 0; |
1336 |
|
|
break; |
1337 |
|
|
} |
1338 |
|
|
} |
1339 |
|
|
if (r == 0) { |
1340 |
|
|
r = SSH_ERR_CONN_TIMEOUT; |
1341 |
|
|
goto out; |
1342 |
|
|
} |
1343 |
|
|
/* Read data from the socket. */ |
1344 |
|
|
len = read(state->connection_in, buf, sizeof(buf)); |
1345 |
|
|
if (len == 0) { |
1346 |
|
|
r = SSH_ERR_CONN_CLOSED; |
1347 |
|
|
goto out; |
1348 |
|
|
} |
1349 |
|
|
if (len < 0) { |
1350 |
|
|
r = SSH_ERR_SYSTEM_ERROR; |
1351 |
|
|
goto out; |
1352 |
|
|
} |
1353 |
|
|
|
1354 |
|
|
/* Append it to the buffer. */ |
1355 |
|
|
if ((r = ssh_packet_process_incoming(ssh, buf, len)) != 0) |
1356 |
|
|
goto out; |
1357 |
|
|
} |
1358 |
|
|
out: |
1359 |
|
|
free(setp); |
1360 |
|
|
return r; |
1361 |
|
|
} |
1362 |
|
|
|
1363 |
|
|
int |
1364 |
|
|
ssh_packet_read(struct ssh *ssh) |
1365 |
|
|
{ |
1366 |
|
|
u_char type; |
1367 |
|
|
int r; |
1368 |
|
|
|
1369 |
|
|
if ((r = ssh_packet_read_seqnr(ssh, &type, NULL)) != 0) |
1370 |
|
|
fatal("%s: %s", __func__, ssh_err(r)); |
1371 |
|
|
return type; |
1372 |
|
|
} |
1373 |
|
|
|
1374 |
|
|
/* |
1375 |
|
|
* Waits until a packet has been received, verifies that its type matches |
1376 |
|
|
* that given, and gives a fatal error and exits if there is a mismatch. |
1377 |
|
|
*/ |
1378 |
|
|
|
1379 |
|
|
int |
1380 |
|
|
ssh_packet_read_expect(struct ssh *ssh, u_int expected_type) |
1381 |
|
|
{ |
1382 |
|
|
int r; |
1383 |
|
|
u_char type; |
1384 |
|
|
|
1385 |
|
|
if ((r = ssh_packet_read_seqnr(ssh, &type, NULL)) != 0) |
1386 |
|
|
return r; |
1387 |
|
|
if (type != expected_type) { |
1388 |
|
|
if ((r = sshpkt_disconnect(ssh, |
1389 |
|
|
"Protocol error: expected packet type %d, got %d", |
1390 |
|
|
expected_type, type)) != 0) |
1391 |
|
|
return r; |
1392 |
|
|
return SSH_ERR_PROTOCOL_ERROR; |
1393 |
|
|
} |
1394 |
|
|
return 0; |
1395 |
|
|
} |
1396 |
|
|
|
1397 |
|
|
static int |
1398 |
|
|
ssh_packet_read_poll2_mux(struct ssh *ssh, u_char *typep, u_int32_t *seqnr_p) |
1399 |
|
|
{ |
1400 |
|
|
struct session_state *state = ssh->state; |
1401 |
|
|
const u_char *cp; |
1402 |
|
|
size_t need; |
1403 |
|
|
int r; |
1404 |
|
|
|
1405 |
|
|
if (ssh->kex) |
1406 |
|
|
return SSH_ERR_INTERNAL_ERROR; |
1407 |
|
|
*typep = SSH_MSG_NONE; |
1408 |
|
|
cp = sshbuf_ptr(state->input); |
1409 |
|
|
if (state->packlen == 0) { |
1410 |
|
|
if (sshbuf_len(state->input) < 4 + 1) |
1411 |
|
|
return 0; /* packet is incomplete */ |
1412 |
|
|
state->packlen = PEEK_U32(cp); |
1413 |
|
|
if (state->packlen < 4 + 1 || |
1414 |
|
|
state->packlen > PACKET_MAX_SIZE) |
1415 |
|
|
return SSH_ERR_MESSAGE_INCOMPLETE; |
1416 |
|
|
} |
1417 |
|
|
need = state->packlen + 4; |
1418 |
|
|
if (sshbuf_len(state->input) < need) |
1419 |
|
|
return 0; /* packet is incomplete */ |
1420 |
|
|
sshbuf_reset(state->incoming_packet); |
1421 |
|
|
if ((r = sshbuf_put(state->incoming_packet, cp + 4, |
1422 |
|
|
state->packlen)) != 0 || |
1423 |
|
|
(r = sshbuf_consume(state->input, need)) != 0 || |
1424 |
|
|
(r = sshbuf_get_u8(state->incoming_packet, NULL)) != 0 || |
1425 |
|
|
(r = sshbuf_get_u8(state->incoming_packet, typep)) != 0) |
1426 |
|
|
return r; |
1427 |
|
|
if (ssh_packet_log_type(*typep)) |
1428 |
|
|
debug3("%s: type %u", __func__, *typep); |
1429 |
|
|
/* sshbuf_dump(state->incoming_packet, stderr); */ |
1430 |
|
|
/* reset for next packet */ |
1431 |
|
|
state->packlen = 0; |
1432 |
|
|
return r; |
1433 |
|
|
} |
1434 |
|
|
|
1435 |
|
|
int |
1436 |
|
|
ssh_packet_read_poll2(struct ssh *ssh, u_char *typep, u_int32_t *seqnr_p) |
1437 |
|
|
{ |
1438 |
|
|
struct session_state *state = ssh->state; |
1439 |
|
|
u_int padlen, need; |
1440 |
|
|
u_char *cp; |
1441 |
|
|
u_int maclen, aadlen = 0, authlen = 0, block_size; |
1442 |
|
|
struct sshenc *enc = NULL; |
1443 |
|
|
struct sshmac *mac = NULL; |
1444 |
|
|
struct sshcomp *comp = NULL; |
1445 |
|
|
int r; |
1446 |
|
|
|
1447 |
|
|
if (state->mux) |
1448 |
|
|
return ssh_packet_read_poll2_mux(ssh, typep, seqnr_p); |
1449 |
|
|
|
1450 |
|
|
*typep = SSH_MSG_NONE; |
1451 |
|
|
|
1452 |
|
|
if (state->packet_discard) |
1453 |
|
|
return 0; |
1454 |
|
|
|
1455 |
|
|
if (state->newkeys[MODE_IN] != NULL) { |
1456 |
|
|
enc = &state->newkeys[MODE_IN]->enc; |
1457 |
|
|
mac = &state->newkeys[MODE_IN]->mac; |
1458 |
|
|
comp = &state->newkeys[MODE_IN]->comp; |
1459 |
|
|
/* disable mac for authenticated encryption */ |
1460 |
|
|
if ((authlen = cipher_authlen(enc->cipher)) != 0) |
1461 |
|
|
mac = NULL; |
1462 |
|
|
} |
1463 |
|
|
maclen = mac && mac->enabled ? mac->mac_len : 0; |
1464 |
|
|
block_size = enc ? enc->block_size : 8; |
1465 |
|
|
aadlen = (mac && mac->enabled && mac->etm) || authlen ? 4 : 0; |
1466 |
|
|
|
1467 |
|
|
if (aadlen && state->packlen == 0) { |
1468 |
|
|
if (cipher_get_length(state->receive_context, |
1469 |
|
|
&state->packlen, state->p_read.seqnr, |
1470 |
|
|
sshbuf_ptr(state->input), sshbuf_len(state->input)) != 0) |
1471 |
|
|
return 0; |
1472 |
|
|
if (state->packlen < 1 + 4 || |
1473 |
|
|
state->packlen > PACKET_MAX_SIZE) { |
1474 |
|
|
#ifdef PACKET_DEBUG |
1475 |
|
|
sshbuf_dump(state->input, stderr); |
1476 |
|
|
#endif |
1477 |
|
|
logit("Bad packet length %u.", state->packlen); |
1478 |
|
|
if ((r = sshpkt_disconnect(ssh, "Packet corrupt")) != 0) |
1479 |
|
|
return r; |
1480 |
|
|
return SSH_ERR_CONN_CORRUPT; |
1481 |
|
|
} |
1482 |
|
|
sshbuf_reset(state->incoming_packet); |
1483 |
|
|
} else if (state->packlen == 0) { |
1484 |
|
|
/* |
1485 |
|
|
* check if input size is less than the cipher block size, |
1486 |
|
|
* decrypt first block and extract length of incoming packet |
1487 |
|
|
*/ |
1488 |
|
|
if (sshbuf_len(state->input) < block_size) |
1489 |
|
|
return 0; |
1490 |
|
|
sshbuf_reset(state->incoming_packet); |
1491 |
|
|
if ((r = sshbuf_reserve(state->incoming_packet, block_size, |
1492 |
|
|
&cp)) != 0) |
1493 |
|
|
goto out; |
1494 |
|
|
if ((r = cipher_crypt(state->receive_context, |
1495 |
|
|
state->p_send.seqnr, cp, sshbuf_ptr(state->input), |
1496 |
|
|
block_size, 0, 0)) != 0) |
1497 |
|
|
goto out; |
1498 |
|
|
state->packlen = PEEK_U32(sshbuf_ptr(state->incoming_packet)); |
1499 |
|
|
if (state->packlen < 1 + 4 || |
1500 |
|
|
state->packlen > PACKET_MAX_SIZE) { |
1501 |
|
|
#ifdef PACKET_DEBUG |
1502 |
|
|
fprintf(stderr, "input: \n"); |
1503 |
|
|
sshbuf_dump(state->input, stderr); |
1504 |
|
|
fprintf(stderr, "incoming_packet: \n"); |
1505 |
|
|
sshbuf_dump(state->incoming_packet, stderr); |
1506 |
|
|
#endif |
1507 |
|
|
logit("Bad packet length %u.", state->packlen); |
1508 |
|
|
return ssh_packet_start_discard(ssh, enc, mac, 0, |
1509 |
|
|
PACKET_MAX_SIZE); |
1510 |
|
|
} |
1511 |
|
|
if ((r = sshbuf_consume(state->input, block_size)) != 0) |
1512 |
|
|
goto out; |
1513 |
|
|
} |
1514 |
|
|
DBG(debug("input: packet len %u", state->packlen+4)); |
1515 |
|
|
|
1516 |
|
|
if (aadlen) { |
1517 |
|
|
/* only the payload is encrypted */ |
1518 |
|
|
need = state->packlen; |
1519 |
|
|
} else { |
1520 |
|
|
/* |
1521 |
|
|
* the payload size and the payload are encrypted, but we |
1522 |
|
|
* have a partial packet of block_size bytes |
1523 |
|
|
*/ |
1524 |
|
|
need = 4 + state->packlen - block_size; |
1525 |
|
|
} |
1526 |
|
|
DBG(debug("partial packet: block %d, need %d, maclen %d, authlen %d," |
1527 |
|
|
" aadlen %d", block_size, need, maclen, authlen, aadlen)); |
1528 |
|
|
if (need % block_size != 0) { |
1529 |
|
|
logit("padding error: need %d block %d mod %d", |
1530 |
|
|
need, block_size, need % block_size); |
1531 |
|
|
return ssh_packet_start_discard(ssh, enc, mac, 0, |
1532 |
|
|
PACKET_MAX_SIZE - block_size); |
1533 |
|
|
} |
1534 |
|
|
/* |
1535 |
|
|
* check if the entire packet has been received and |
1536 |
|
|
* decrypt into incoming_packet: |
1537 |
|
|
* 'aadlen' bytes are unencrypted, but authenticated. |
1538 |
|
|
* 'need' bytes are encrypted, followed by either |
1539 |
|
|
* 'authlen' bytes of authentication tag or |
1540 |
|
|
* 'maclen' bytes of message authentication code. |
1541 |
|
|
*/ |
1542 |
|
|
if (sshbuf_len(state->input) < aadlen + need + authlen + maclen) |
1543 |
|
|
return 0; /* packet is incomplete */ |
1544 |
|
|
#ifdef PACKET_DEBUG |
1545 |
|
|
fprintf(stderr, "read_poll enc/full: "); |
1546 |
|
|
sshbuf_dump(state->input, stderr); |
1547 |
|
|
#endif |
1548 |
|
|
/* EtM: check mac over encrypted input */ |
1549 |
|
|
if (mac && mac->enabled && mac->etm) { |
1550 |
|
|
if ((r = mac_check(mac, state->p_read.seqnr, |
1551 |
|
|
sshbuf_ptr(state->input), aadlen + need, |
1552 |
|
|
sshbuf_ptr(state->input) + aadlen + need + authlen, |
1553 |
|
|
maclen)) != 0) { |
1554 |
|
|
if (r == SSH_ERR_MAC_INVALID) |
1555 |
|
|
logit("Corrupted MAC on input."); |
1556 |
|
|
goto out; |
1557 |
|
|
} |
1558 |
|
|
} |
1559 |
|
|
if ((r = sshbuf_reserve(state->incoming_packet, aadlen + need, |
1560 |
|
|
&cp)) != 0) |
1561 |
|
|
goto out; |
1562 |
|
|
if ((r = cipher_crypt(state->receive_context, state->p_read.seqnr, cp, |
1563 |
|
|
sshbuf_ptr(state->input), need, aadlen, authlen)) != 0) |
1564 |
|
|
goto out; |
1565 |
|
|
if ((r = sshbuf_consume(state->input, aadlen + need + authlen)) != 0) |
1566 |
|
|
goto out; |
1567 |
|
|
if (mac && mac->enabled) { |
1568 |
|
|
/* Not EtM: check MAC over cleartext */ |
1569 |
|
|
if (!mac->etm && (r = mac_check(mac, state->p_read.seqnr, |
1570 |
|
|
sshbuf_ptr(state->incoming_packet), |
1571 |
|
|
sshbuf_len(state->incoming_packet), |
1572 |
|
|
sshbuf_ptr(state->input), maclen)) != 0) { |
1573 |
|
|
if (r != SSH_ERR_MAC_INVALID) |
1574 |
|
|
goto out; |
1575 |
|
|
logit("Corrupted MAC on input."); |
1576 |
|
|
if (need + block_size > PACKET_MAX_SIZE) |
1577 |
|
|
return SSH_ERR_INTERNAL_ERROR; |
1578 |
|
|
return ssh_packet_start_discard(ssh, enc, mac, |
1579 |
|
|
sshbuf_len(state->incoming_packet), |
1580 |
|
|
PACKET_MAX_SIZE - need - block_size); |
1581 |
|
|
} |
1582 |
|
|
/* Remove MAC from input buffer */ |
1583 |
|
|
DBG(debug("MAC #%d ok", state->p_read.seqnr)); |
1584 |
|
|
if ((r = sshbuf_consume(state->input, mac->mac_len)) != 0) |
1585 |
|
|
goto out; |
1586 |
|
|
} |
1587 |
|
|
if (seqnr_p != NULL) |
1588 |
|
|
*seqnr_p = state->p_read.seqnr; |
1589 |
|
|
if (++state->p_read.seqnr == 0) |
1590 |
|
|
logit("incoming seqnr wraps around"); |
1591 |
|
|
if (++state->p_read.packets == 0) |
1592 |
|
|
if (!(ssh->compat & SSH_BUG_NOREKEY)) |
1593 |
|
|
return SSH_ERR_NEED_REKEY; |
1594 |
|
|
state->p_read.blocks += (state->packlen + 4) / block_size; |
1595 |
|
|
state->p_read.bytes += state->packlen + 4; |
1596 |
|
|
|
1597 |
|
|
/* get padlen */ |
1598 |
|
|
padlen = sshbuf_ptr(state->incoming_packet)[4]; |
1599 |
|
|
DBG(debug("input: padlen %d", padlen)); |
1600 |
|
|
if (padlen < 4) { |
1601 |
|
|
if ((r = sshpkt_disconnect(ssh, |
1602 |
|
|
"Corrupted padlen %d on input.", padlen)) != 0 || |
1603 |
|
|
(r = ssh_packet_write_wait(ssh)) != 0) |
1604 |
|
|
return r; |
1605 |
|
|
return SSH_ERR_CONN_CORRUPT; |
1606 |
|
|
} |
1607 |
|
|
|
1608 |
|
|
/* skip packet size + padlen, discard padding */ |
1609 |
|
|
if ((r = sshbuf_consume(state->incoming_packet, 4 + 1)) != 0 || |
1610 |
|
|
((r = sshbuf_consume_end(state->incoming_packet, padlen)) != 0)) |
1611 |
|
|
goto out; |
1612 |
|
|
|
1613 |
|
|
DBG(debug("input: len before de-compress %zd", |
1614 |
|
|
sshbuf_len(state->incoming_packet))); |
1615 |
|
|
if (comp && comp->enabled) { |
1616 |
|
|
sshbuf_reset(state->compression_buffer); |
1617 |
|
|
if ((r = uncompress_buffer(ssh, state->incoming_packet, |
1618 |
|
|
state->compression_buffer)) != 0) |
1619 |
|
|
goto out; |
1620 |
|
|
sshbuf_reset(state->incoming_packet); |
1621 |
|
|
if ((r = sshbuf_putb(state->incoming_packet, |
1622 |
|
|
state->compression_buffer)) != 0) |
1623 |
|
|
goto out; |
1624 |
|
|
DBG(debug("input: len after de-compress %zd", |
1625 |
|
|
sshbuf_len(state->incoming_packet))); |
1626 |
|
|
} |
1627 |
|
|
/* |
1628 |
|
|
* get packet type, implies consume. |
1629 |
|
|
* return length of payload (without type field) |
1630 |
|
|
*/ |
1631 |
|
|
if ((r = sshbuf_get_u8(state->incoming_packet, typep)) != 0) |
1632 |
|
|
goto out; |
1633 |
|
|
if (ssh_packet_log_type(*typep)) |
1634 |
|
|
debug3("receive packet: type %u", *typep); |
1635 |
|
|
if (*typep < SSH2_MSG_MIN || *typep >= SSH2_MSG_LOCAL_MIN) { |
1636 |
|
|
if ((r = sshpkt_disconnect(ssh, |
1637 |
|
|
"Invalid ssh2 packet type: %d", *typep)) != 0 || |
1638 |
|
|
(r = ssh_packet_write_wait(ssh)) != 0) |
1639 |
|
|
return r; |
1640 |
|
|
return SSH_ERR_PROTOCOL_ERROR; |
1641 |
|
|
} |
1642 |
|
|
if (state->hook_in != NULL && |
1643 |
|
|
(r = state->hook_in(ssh, state->incoming_packet, typep, |
1644 |
|
|
state->hook_in_ctx)) != 0) |
1645 |
|
|
return r; |
1646 |
|
|
if (*typep == SSH2_MSG_USERAUTH_SUCCESS && !state->server_side) |
1647 |
|
|
r = ssh_packet_enable_delayed_compress(ssh); |
1648 |
|
|
else |
1649 |
|
|
r = 0; |
1650 |
|
|
#ifdef PACKET_DEBUG |
1651 |
|
|
fprintf(stderr, "read/plain[%d]:\r\n", *typep); |
1652 |
|
|
sshbuf_dump(state->incoming_packet, stderr); |
1653 |
|
|
#endif |
1654 |
|
|
/* reset for next packet */ |
1655 |
|
|
state->packlen = 0; |
1656 |
|
|
|
1657 |
|
|
/* do we need to rekey? */ |
1658 |
|
|
if (ssh_packet_need_rekeying(ssh, 0)) { |
1659 |
|
|
debug3("%s: rekex triggered", __func__); |
1660 |
|
|
if ((r = kex_start_rekex(ssh)) != 0) |
1661 |
|
|
return r; |
1662 |
|
|
} |
1663 |
|
|
out: |
1664 |
|
|
return r; |
1665 |
|
|
} |
1666 |
|
|
|
1667 |
|
|
int |
1668 |
|
|
ssh_packet_read_poll_seqnr(struct ssh *ssh, u_char *typep, u_int32_t *seqnr_p) |
1669 |
|
|
{ |
1670 |
|
|
struct session_state *state = ssh->state; |
1671 |
|
|
u_int reason, seqnr; |
1672 |
|
|
int r; |
1673 |
|
|
u_char *msg; |
1674 |
|
|
|
1675 |
|
|
for (;;) { |
1676 |
|
|
msg = NULL; |
1677 |
|
|
r = ssh_packet_read_poll2(ssh, typep, seqnr_p); |
1678 |
|
|
if (r != 0) |
1679 |
|
|
return r; |
1680 |
|
|
if (*typep) { |
1681 |
|
|
state->keep_alive_timeouts = 0; |
1682 |
|
|
DBG(debug("received packet type %d", *typep)); |
1683 |
|
|
} |
1684 |
|
|
switch (*typep) { |
1685 |
|
|
case SSH2_MSG_IGNORE: |
1686 |
|
|
debug3("Received SSH2_MSG_IGNORE"); |
1687 |
|
|
break; |
1688 |
|
|
case SSH2_MSG_DEBUG: |
1689 |
|
|
if ((r = sshpkt_get_u8(ssh, NULL)) != 0 || |
1690 |
|
|
(r = sshpkt_get_string(ssh, &msg, NULL)) != 0 || |
1691 |
|
|
(r = sshpkt_get_string(ssh, NULL, NULL)) != 0) { |
1692 |
|
|
free(msg); |
1693 |
|
|
return r; |
1694 |
|
|
} |
1695 |
|
|
debug("Remote: %.900s", msg); |
1696 |
|
|
free(msg); |
1697 |
|
|
break; |
1698 |
|
|
case SSH2_MSG_DISCONNECT: |
1699 |
|
|
if ((r = sshpkt_get_u32(ssh, &reason)) != 0 || |
1700 |
|
|
(r = sshpkt_get_string(ssh, &msg, NULL)) != 0) |
1701 |
|
|
return r; |
1702 |
|
|
/* Ignore normal client exit notifications */ |
1703 |
|
|
do_log2(ssh->state->server_side && |
1704 |
|
|
reason == SSH2_DISCONNECT_BY_APPLICATION ? |
1705 |
|
|
SYSLOG_LEVEL_INFO : SYSLOG_LEVEL_ERROR, |
1706 |
|
|
"Received disconnect from %s port %d:" |
1707 |
|
|
"%u: %.400s", ssh_remote_ipaddr(ssh), |
1708 |
|
|
ssh_remote_port(ssh), reason, msg); |
1709 |
|
|
free(msg); |
1710 |
|
|
return SSH_ERR_DISCONNECTED; |
1711 |
|
|
case SSH2_MSG_UNIMPLEMENTED: |
1712 |
|
|
if ((r = sshpkt_get_u32(ssh, &seqnr)) != 0) |
1713 |
|
|
return r; |
1714 |
|
|
debug("Received SSH2_MSG_UNIMPLEMENTED for %u", |
1715 |
|
|
seqnr); |
1716 |
|
|
break; |
1717 |
|
|
default: |
1718 |
|
|
return 0; |
1719 |
|
|
} |
1720 |
|
|
} |
1721 |
|
|
} |
1722 |
|
|
|
1723 |
|
|
/* |
1724 |
|
|
* Buffers the given amount of input characters. This is intended to be used |
1725 |
|
|
* together with packet_read_poll. |
1726 |
|
|
*/ |
1727 |
|
|
|
1728 |
|
|
int |
1729 |
|
|
ssh_packet_process_incoming(struct ssh *ssh, const char *buf, u_int len) |
1730 |
|
|
{ |
1731 |
|
|
struct session_state *state = ssh->state; |
1732 |
|
|
int r; |
1733 |
|
|
|
1734 |
|
|
if (state->packet_discard) { |
1735 |
|
|
state->keep_alive_timeouts = 0; /* ?? */ |
1736 |
|
|
if (len >= state->packet_discard) { |
1737 |
|
|
if ((r = ssh_packet_stop_discard(ssh)) != 0) |
1738 |
|
|
return r; |
1739 |
|
|
} |
1740 |
|
|
state->packet_discard -= len; |
1741 |
|
|
return 0; |
1742 |
|
|
} |
1743 |
|
|
if ((r = sshbuf_put(ssh->state->input, buf, len)) != 0) |
1744 |
|
|
return r; |
1745 |
|
|
|
1746 |
|
|
return 0; |
1747 |
|
|
} |
1748 |
|
|
|
1749 |
|
|
int |
1750 |
|
|
ssh_packet_remaining(struct ssh *ssh) |
1751 |
|
|
{ |
1752 |
|
|
return sshbuf_len(ssh->state->incoming_packet); |
1753 |
|
|
} |
1754 |
|
|
|
1755 |
|
|
/* |
1756 |
|
|
* Sends a diagnostic message from the server to the client. This message |
1757 |
|
|
* can be sent at any time (but not while constructing another message). The |
1758 |
|
|
* message is printed immediately, but only if the client is being executed |
1759 |
|
|
* in verbose mode. These messages are primarily intended to ease debugging |
1760 |
|
|
* authentication problems. The length of the formatted message must not |
1761 |
|
|
* exceed 1024 bytes. This will automatically call ssh_packet_write_wait. |
1762 |
|
|
*/ |
1763 |
|
|
void |
1764 |
|
|
ssh_packet_send_debug(struct ssh *ssh, const char *fmt,...) |
1765 |
|
|
{ |
1766 |
|
|
char buf[1024]; |
1767 |
|
|
va_list args; |
1768 |
|
|
int r; |
1769 |
|
|
|
1770 |
|
|
if ((ssh->compat & SSH_BUG_DEBUG)) |
1771 |
|
|
return; |
1772 |
|
|
|
1773 |
|
|
va_start(args, fmt); |
1774 |
|
|
vsnprintf(buf, sizeof(buf), fmt, args); |
1775 |
|
|
va_end(args); |
1776 |
|
|
|
1777 |
|
|
debug3("sending debug message: %s", buf); |
1778 |
|
|
|
1779 |
|
|
if ((r = sshpkt_start(ssh, SSH2_MSG_DEBUG)) != 0 || |
1780 |
|
|
(r = sshpkt_put_u8(ssh, 0)) != 0 || /* always display */ |
1781 |
|
|
(r = sshpkt_put_cstring(ssh, buf)) != 0 || |
1782 |
|
|
(r = sshpkt_put_cstring(ssh, "")) != 0 || |
1783 |
|
|
(r = sshpkt_send(ssh)) != 0 || |
1784 |
|
|
(r = ssh_packet_write_wait(ssh)) != 0) |
1785 |
|
|
fatal("%s: %s", __func__, ssh_err(r)); |
1786 |
|
|
} |
1787 |
|
|
|
1788 |
|
|
static void |
1789 |
|
|
fmt_connection_id(struct ssh *ssh, char *s, size_t l) |
1790 |
|
|
{ |
1791 |
|
|
snprintf(s, l, "%.200s%s%s port %d", |
1792 |
|
|
ssh->log_preamble ? ssh->log_preamble : "", |
1793 |
|
|
ssh->log_preamble ? " " : "", |
1794 |
|
|
ssh_remote_ipaddr(ssh), ssh_remote_port(ssh)); |
1795 |
|
|
} |
1796 |
|
|
|
1797 |
|
|
/* |
1798 |
|
|
* Pretty-print connection-terminating errors and exit. |
1799 |
|
|
*/ |
1800 |
|
|
void |
1801 |
|
|
sshpkt_fatal(struct ssh *ssh, const char *tag, int r) |
1802 |
|
|
{ |
1803 |
|
|
char remote_id[512]; |
1804 |
|
|
|
1805 |
|
|
fmt_connection_id(ssh, remote_id, sizeof(remote_id)); |
1806 |
|
|
|
1807 |
|
|
switch (r) { |
1808 |
|
|
case SSH_ERR_CONN_CLOSED: |
1809 |
|
|
ssh_packet_clear_keys(ssh); |
1810 |
|
|
logdie("Connection closed by %s", remote_id); |
1811 |
|
|
case SSH_ERR_CONN_TIMEOUT: |
1812 |
|
|
ssh_packet_clear_keys(ssh); |
1813 |
|
|
logdie("Connection %s %s timed out", |
1814 |
|
|
ssh->state->server_side ? "from" : "to", remote_id); |
1815 |
|
|
case SSH_ERR_DISCONNECTED: |
1816 |
|
|
ssh_packet_clear_keys(ssh); |
1817 |
|
|
logdie("Disconnected from %s", remote_id); |
1818 |
|
|
case SSH_ERR_SYSTEM_ERROR: |
1819 |
|
|
if (errno == ECONNRESET) { |
1820 |
|
|
ssh_packet_clear_keys(ssh); |
1821 |
|
|
logdie("Connection reset by %s", remote_id); |
1822 |
|
|
} |
1823 |
|
|
/* FALLTHROUGH */ |
1824 |
|
|
case SSH_ERR_NO_CIPHER_ALG_MATCH: |
1825 |
|
|
case SSH_ERR_NO_MAC_ALG_MATCH: |
1826 |
|
|
case SSH_ERR_NO_COMPRESS_ALG_MATCH: |
1827 |
|
|
case SSH_ERR_NO_KEX_ALG_MATCH: |
1828 |
|
|
case SSH_ERR_NO_HOSTKEY_ALG_MATCH: |
1829 |
|
|
if (ssh && ssh->kex && ssh->kex->failed_choice) { |
1830 |
|
|
ssh_packet_clear_keys(ssh); |
1831 |
|
|
logdie("Unable to negotiate with %s: %s. " |
1832 |
|
|
"Their offer: %s", remote_id, ssh_err(r), |
1833 |
|
|
ssh->kex->failed_choice); |
1834 |
|
|
} |
1835 |
|
|
/* FALLTHROUGH */ |
1836 |
|
|
default: |
1837 |
|
|
ssh_packet_clear_keys(ssh); |
1838 |
|
|
logdie("%s%sConnection %s %s: %s", |
1839 |
|
|
tag != NULL ? tag : "", tag != NULL ? ": " : "", |
1840 |
|
|
ssh->state->server_side ? "from" : "to", |
1841 |
|
|
remote_id, ssh_err(r)); |
1842 |
|
|
} |
1843 |
|
|
} |
1844 |
|
|
|
1845 |
|
|
/* |
1846 |
|
|
* Logs the error plus constructs and sends a disconnect packet, closes the |
1847 |
|
|
* connection, and exits. This function never returns. The error message |
1848 |
|
|
* should not contain a newline. The length of the formatted message must |
1849 |
|
|
* not exceed 1024 bytes. |
1850 |
|
|
*/ |
1851 |
|
|
void |
1852 |
|
|
ssh_packet_disconnect(struct ssh *ssh, const char *fmt,...) |
1853 |
|
|
{ |
1854 |
|
|
char buf[1024], remote_id[512]; |
1855 |
|
|
va_list args; |
1856 |
|
|
static int disconnecting = 0; |
1857 |
|
|
int r; |
1858 |
|
|
|
1859 |
|
|
if (disconnecting) /* Guard against recursive invocations. */ |
1860 |
|
|
fatal("packet_disconnect called recursively."); |
1861 |
|
|
disconnecting = 1; |
1862 |
|
|
|
1863 |
|
|
/* |
1864 |
|
|
* Format the message. Note that the caller must make sure the |
1865 |
|
|
* message is of limited size. |
1866 |
|
|
*/ |
1867 |
|
|
fmt_connection_id(ssh, remote_id, sizeof(remote_id)); |
1868 |
|
|
va_start(args, fmt); |
1869 |
|
|
vsnprintf(buf, sizeof(buf), fmt, args); |
1870 |
|
|
va_end(args); |
1871 |
|
|
|
1872 |
|
|
/* Display the error locally */ |
1873 |
|
|
logit("Disconnecting %s: %.100s", remote_id, buf); |
1874 |
|
|
|
1875 |
|
|
/* |
1876 |
|
|
* Send the disconnect message to the other side, and wait |
1877 |
|
|
* for it to get sent. |
1878 |
|
|
*/ |
1879 |
|
|
if ((r = sshpkt_disconnect(ssh, "%s", buf)) != 0) |
1880 |
|
|
sshpkt_fatal(ssh, __func__, r); |
1881 |
|
|
|
1882 |
|
|
if ((r = ssh_packet_write_wait(ssh)) != 0) |
1883 |
|
|
sshpkt_fatal(ssh, __func__, r); |
1884 |
|
|
|
1885 |
|
|
/* Close the connection. */ |
1886 |
|
|
ssh_packet_close(ssh); |
1887 |
|
|
cleanup_exit(255); |
1888 |
|
|
} |
1889 |
|
|
|
1890 |
|
|
/* |
1891 |
|
|
* Checks if there is any buffered output, and tries to write some of |
1892 |
|
|
* the output. |
1893 |
|
|
*/ |
1894 |
|
|
int |
1895 |
|
|
ssh_packet_write_poll(struct ssh *ssh) |
1896 |
|
|
{ |
1897 |
|
|
struct session_state *state = ssh->state; |
1898 |
|
|
int len = sshbuf_len(state->output); |
1899 |
|
|
int r; |
1900 |
|
|
|
1901 |
|
|
if (len > 0) { |
1902 |
|
|
len = write(state->connection_out, |
1903 |
|
|
sshbuf_ptr(state->output), len); |
1904 |
|
|
if (len == -1) { |
1905 |
|
|
if (errno == EINTR || errno == EAGAIN) |
1906 |
|
|
return 0; |
1907 |
|
|
return SSH_ERR_SYSTEM_ERROR; |
1908 |
|
|
} |
1909 |
|
|
if (len == 0) |
1910 |
|
|
return SSH_ERR_CONN_CLOSED; |
1911 |
|
|
if ((r = sshbuf_consume(state->output, len)) != 0) |
1912 |
|
|
return r; |
1913 |
|
|
} |
1914 |
|
|
return 0; |
1915 |
|
|
} |
1916 |
|
|
|
1917 |
|
|
/* |
1918 |
|
|
* Calls packet_write_poll repeatedly until all pending output data has been |
1919 |
|
|
* written. |
1920 |
|
|
*/ |
1921 |
|
|
int |
1922 |
|
|
ssh_packet_write_wait(struct ssh *ssh) |
1923 |
|
|
{ |
1924 |
|
|
fd_set *setp; |
1925 |
|
|
int ret, r, ms_remain = 0; |
1926 |
|
|
struct timeval start, timeout, *timeoutp = NULL; |
1927 |
|
|
struct session_state *state = ssh->state; |
1928 |
|
|
|
1929 |
|
|
setp = calloc(howmany(state->connection_out + 1, |
1930 |
|
|
NFDBITS), sizeof(fd_mask)); |
1931 |
|
|
if (setp == NULL) |
1932 |
|
|
return SSH_ERR_ALLOC_FAIL; |
1933 |
|
|
if ((r = ssh_packet_write_poll(ssh)) != 0) { |
1934 |
|
|
free(setp); |
1935 |
|
|
return r; |
1936 |
|
|
} |
1937 |
|
|
while (ssh_packet_have_data_to_write(ssh)) { |
1938 |
|
|
memset(setp, 0, howmany(state->connection_out + 1, |
1939 |
|
|
NFDBITS) * sizeof(fd_mask)); |
1940 |
|
|
FD_SET(state->connection_out, setp); |
1941 |
|
|
|
1942 |
|
|
if (state->packet_timeout_ms > 0) { |
1943 |
|
|
ms_remain = state->packet_timeout_ms; |
1944 |
|
|
timeoutp = &timeout; |
1945 |
|
|
} |
1946 |
|
|
for (;;) { |
1947 |
|
|
if (state->packet_timeout_ms != -1) { |
1948 |
|
|
ms_to_timeval(&timeout, ms_remain); |
1949 |
|
|
gettimeofday(&start, NULL); |
1950 |
|
|
} |
1951 |
|
|
if ((ret = select(state->connection_out + 1, |
1952 |
|
|
NULL, setp, NULL, timeoutp)) >= 0) |
1953 |
|
|
break; |
1954 |
|
|
if (errno != EAGAIN && errno != EINTR) |
1955 |
|
|
break; |
1956 |
|
|
if (state->packet_timeout_ms == -1) |
1957 |
|
|
continue; |
1958 |
|
|
ms_subtract_diff(&start, &ms_remain); |
1959 |
|
|
if (ms_remain <= 0) { |
1960 |
|
|
ret = 0; |
1961 |
|
|
break; |
1962 |
|
|
} |
1963 |
|
|
} |
1964 |
|
|
if (ret == 0) { |
1965 |
|
|
free(setp); |
1966 |
|
|
return SSH_ERR_CONN_TIMEOUT; |
1967 |
|
|
} |
1968 |
|
|
if ((r = ssh_packet_write_poll(ssh)) != 0) { |
1969 |
|
|
free(setp); |
1970 |
|
|
return r; |
1971 |
|
|
} |
1972 |
|
|
} |
1973 |
|
|
free(setp); |
1974 |
|
|
return 0; |
1975 |
|
|
} |
1976 |
|
|
|
1977 |
|
|
/* Returns true if there is buffered data to write to the connection. */ |
1978 |
|
|
|
1979 |
|
|
int |
1980 |
|
|
ssh_packet_have_data_to_write(struct ssh *ssh) |
1981 |
|
|
{ |
1982 |
|
|
return sshbuf_len(ssh->state->output) != 0; |
1983 |
|
|
} |
1984 |
|
|
|
1985 |
|
|
/* Returns true if there is not too much data to write to the connection. */ |
1986 |
|
|
|
1987 |
|
|
int |
1988 |
|
|
ssh_packet_not_very_much_data_to_write(struct ssh *ssh) |
1989 |
|
|
{ |
1990 |
|
|
if (ssh->state->interactive_mode) |
1991 |
|
|
return sshbuf_len(ssh->state->output) < 16384; |
1992 |
|
|
else |
1993 |
|
|
return sshbuf_len(ssh->state->output) < 128 * 1024; |
1994 |
|
|
} |
1995 |
|
|
|
1996 |
|
|
void |
1997 |
|
|
ssh_packet_set_tos(struct ssh *ssh, int tos) |
1998 |
|
|
{ |
1999 |
|
|
if (!ssh_packet_connection_is_on_socket(ssh) || tos == INT_MAX) |
2000 |
|
|
return; |
2001 |
|
|
switch (ssh_packet_connection_af(ssh)) { |
2002 |
|
|
case AF_INET: |
2003 |
|
|
debug3("%s: set IP_TOS 0x%02x", __func__, tos); |
2004 |
|
|
if (setsockopt(ssh->state->connection_in, |
2005 |
|
|
IPPROTO_IP, IP_TOS, &tos, sizeof(tos)) < 0) |
2006 |
|
|
error("setsockopt IP_TOS %d: %.100s:", |
2007 |
|
|
tos, strerror(errno)); |
2008 |
|
|
break; |
2009 |
|
|
case AF_INET6: |
2010 |
|
|
debug3("%s: set IPV6_TCLASS 0x%02x", __func__, tos); |
2011 |
|
|
if (setsockopt(ssh->state->connection_in, |
2012 |
|
|
IPPROTO_IPV6, IPV6_TCLASS, &tos, sizeof(tos)) < 0) |
2013 |
|
|
error("setsockopt IPV6_TCLASS %d: %.100s:", |
2014 |
|
|
tos, strerror(errno)); |
2015 |
|
|
break; |
2016 |
|
|
} |
2017 |
|
|
} |
2018 |
|
|
|
2019 |
|
|
/* Informs that the current session is interactive. Sets IP flags for that. */ |
2020 |
|
|
|
2021 |
|
|
void |
2022 |
|
|
ssh_packet_set_interactive(struct ssh *ssh, int interactive, int qos_interactive, int qos_bulk) |
2023 |
|
|
{ |
2024 |
|
|
struct session_state *state = ssh->state; |
2025 |
|
|
|
2026 |
|
|
if (state->set_interactive_called) |
2027 |
|
|
return; |
2028 |
|
|
state->set_interactive_called = 1; |
2029 |
|
|
|
2030 |
|
|
/* Record that we are in interactive mode. */ |
2031 |
|
|
state->interactive_mode = interactive; |
2032 |
|
|
|
2033 |
|
|
/* Only set socket options if using a socket. */ |
2034 |
|
|
if (!ssh_packet_connection_is_on_socket(ssh)) |
2035 |
|
|
return; |
2036 |
|
|
set_nodelay(state->connection_in); |
2037 |
|
|
ssh_packet_set_tos(ssh, interactive ? qos_interactive : |
2038 |
|
|
qos_bulk); |
2039 |
|
|
} |
2040 |
|
|
|
2041 |
|
|
/* Returns true if the current connection is interactive. */ |
2042 |
|
|
|
2043 |
|
|
int |
2044 |
|
|
ssh_packet_is_interactive(struct ssh *ssh) |
2045 |
|
|
{ |
2046 |
|
|
return ssh->state->interactive_mode; |
2047 |
|
|
} |
2048 |
|
|
|
2049 |
|
|
int |
2050 |
|
|
ssh_packet_set_maxsize(struct ssh *ssh, u_int s) |
2051 |
|
|
{ |
2052 |
|
|
struct session_state *state = ssh->state; |
2053 |
|
|
|
2054 |
|
|
if (state->set_maxsize_called) { |
2055 |
|
|
logit("packet_set_maxsize: called twice: old %d new %d", |
2056 |
|
|
state->max_packet_size, s); |
2057 |
|
|
return -1; |
2058 |
|
|
} |
2059 |
|
|
if (s < 4 * 1024 || s > 1024 * 1024) { |
2060 |
|
|
logit("packet_set_maxsize: bad size %d", s); |
2061 |
|
|
return -1; |
2062 |
|
|
} |
2063 |
|
|
state->set_maxsize_called = 1; |
2064 |
|
|
debug("packet_set_maxsize: setting to %d", s); |
2065 |
|
|
state->max_packet_size = s; |
2066 |
|
|
return s; |
2067 |
|
|
} |
2068 |
|
|
|
2069 |
|
|
int |
2070 |
|
|
ssh_packet_inc_alive_timeouts(struct ssh *ssh) |
2071 |
|
|
{ |
2072 |
|
|
return ++ssh->state->keep_alive_timeouts; |
2073 |
|
|
} |
2074 |
|
|
|
2075 |
|
|
void |
2076 |
|
|
ssh_packet_set_alive_timeouts(struct ssh *ssh, int ka) |
2077 |
|
|
{ |
2078 |
|
|
ssh->state->keep_alive_timeouts = ka; |
2079 |
|
|
} |
2080 |
|
|
|
2081 |
|
|
u_int |
2082 |
|
|
ssh_packet_get_maxsize(struct ssh *ssh) |
2083 |
|
|
{ |
2084 |
|
|
return ssh->state->max_packet_size; |
2085 |
|
|
} |
2086 |
|
|
|
2087 |
|
|
void |
2088 |
|
|
ssh_packet_set_rekey_limits(struct ssh *ssh, u_int64_t bytes, u_int32_t seconds) |
2089 |
|
|
{ |
2090 |
|
|
debug3("rekey after %llu bytes, %u seconds", (unsigned long long)bytes, |
2091 |
|
|
(unsigned int)seconds); |
2092 |
|
|
ssh->state->rekey_limit = bytes; |
2093 |
|
|
ssh->state->rekey_interval = seconds; |
2094 |
|
|
} |
2095 |
|
|
|
2096 |
|
|
time_t |
2097 |
|
|
ssh_packet_get_rekey_timeout(struct ssh *ssh) |
2098 |
|
|
{ |
2099 |
|
|
time_t seconds; |
2100 |
|
|
|
2101 |
|
|
seconds = ssh->state->rekey_time + ssh->state->rekey_interval - |
2102 |
|
|
monotime(); |
2103 |
|
|
return (seconds <= 0 ? 1 : seconds); |
2104 |
|
|
} |
2105 |
|
|
|
2106 |
|
|
void |
2107 |
|
|
ssh_packet_set_server(struct ssh *ssh) |
2108 |
|
|
{ |
2109 |
|
|
ssh->state->server_side = 1; |
2110 |
|
|
} |
2111 |
|
|
|
2112 |
|
|
void |
2113 |
|
|
ssh_packet_set_authenticated(struct ssh *ssh) |
2114 |
|
|
{ |
2115 |
|
|
ssh->state->after_authentication = 1; |
2116 |
|
|
} |
2117 |
|
|
|
2118 |
|
|
void * |
2119 |
|
|
ssh_packet_get_input(struct ssh *ssh) |
2120 |
|
|
{ |
2121 |
|
|
return (void *)ssh->state->input; |
2122 |
|
|
} |
2123 |
|
|
|
2124 |
|
|
void * |
2125 |
|
|
ssh_packet_get_output(struct ssh *ssh) |
2126 |
|
|
{ |
2127 |
|
|
return (void *)ssh->state->output; |
2128 |
|
|
} |
2129 |
|
|
|
2130 |
|
|
/* Reset after_authentication and reset compression in post-auth privsep */ |
2131 |
|
|
static int |
2132 |
|
|
ssh_packet_set_postauth(struct ssh *ssh) |
2133 |
|
|
{ |
2134 |
|
|
int r; |
2135 |
|
|
|
2136 |
|
|
debug("%s: called", __func__); |
2137 |
|
|
/* This was set in net child, but is not visible in user child */ |
2138 |
|
|
ssh->state->after_authentication = 1; |
2139 |
|
|
ssh->state->rekeying = 0; |
2140 |
|
|
if ((r = ssh_packet_enable_delayed_compress(ssh)) != 0) |
2141 |
|
|
return r; |
2142 |
|
|
return 0; |
2143 |
|
|
} |
2144 |
|
|
|
2145 |
|
|
/* Packet state (de-)serialization for privsep */ |
2146 |
|
|
|
2147 |
|
|
/* turn kex into a blob for packet state serialization */ |
2148 |
|
|
static int |
2149 |
|
|
kex_to_blob(struct sshbuf *m, struct kex *kex) |
2150 |
|
|
{ |
2151 |
|
|
int r; |
2152 |
|
|
|
2153 |
|
|
if ((r = sshbuf_put_string(m, kex->session_id, |
2154 |
|
|
kex->session_id_len)) != 0 || |
2155 |
|
|
(r = sshbuf_put_u32(m, kex->we_need)) != 0 || |
2156 |
|
|
(r = sshbuf_put_u32(m, kex->hostkey_type)) != 0 || |
2157 |
|
|
(r = sshbuf_put_u32(m, kex->kex_type)) != 0 || |
2158 |
|
|
(r = sshbuf_put_stringb(m, kex->my)) != 0 || |
2159 |
|
|
(r = sshbuf_put_stringb(m, kex->peer)) != 0 || |
2160 |
|
|
(r = sshbuf_put_u32(m, kex->flags)) != 0 || |
2161 |
|
|
(r = sshbuf_put_cstring(m, kex->client_version_string)) != 0 || |
2162 |
|
|
(r = sshbuf_put_cstring(m, kex->server_version_string)) != 0) |
2163 |
|
|
return r; |
2164 |
|
|
return 0; |
2165 |
|
|
} |
2166 |
|
|
|
2167 |
|
|
/* turn key exchange results into a blob for packet state serialization */ |
2168 |
|
|
static int |
2169 |
|
|
newkeys_to_blob(struct sshbuf *m, struct ssh *ssh, int mode) |
2170 |
|
|
{ |
2171 |
|
|
struct sshbuf *b; |
2172 |
|
|
struct sshcipher_ctx *cc; |
2173 |
|
|
struct sshcomp *comp; |
2174 |
|
|
struct sshenc *enc; |
2175 |
|
|
struct sshmac *mac; |
2176 |
|
|
struct newkeys *newkey; |
2177 |
|
|
int r; |
2178 |
|
|
|
2179 |
|
|
if ((newkey = ssh->state->newkeys[mode]) == NULL) |
2180 |
|
|
return SSH_ERR_INTERNAL_ERROR; |
2181 |
|
|
enc = &newkey->enc; |
2182 |
|
|
mac = &newkey->mac; |
2183 |
|
|
comp = &newkey->comp; |
2184 |
|
|
cc = (mode == MODE_OUT) ? ssh->state->send_context : |
2185 |
|
|
ssh->state->receive_context; |
2186 |
|
|
if ((r = cipher_get_keyiv(cc, enc->iv, enc->iv_len)) != 0) |
2187 |
|
|
return r; |
2188 |
|
|
if ((b = sshbuf_new()) == NULL) |
2189 |
|
|
return SSH_ERR_ALLOC_FAIL; |
2190 |
|
|
if ((r = sshbuf_put_cstring(b, enc->name)) != 0 || |
2191 |
|
|
(r = sshbuf_put_u32(b, enc->enabled)) != 0 || |
2192 |
|
|
(r = sshbuf_put_u32(b, enc->block_size)) != 0 || |
2193 |
|
|
(r = sshbuf_put_string(b, enc->key, enc->key_len)) != 0 || |
2194 |
|
|
(r = sshbuf_put_string(b, enc->iv, enc->iv_len)) != 0) |
2195 |
|
|
goto out; |
2196 |
|
|
if (cipher_authlen(enc->cipher) == 0) { |
2197 |
|
|
if ((r = sshbuf_put_cstring(b, mac->name)) != 0 || |
2198 |
|
|
(r = sshbuf_put_u32(b, mac->enabled)) != 0 || |
2199 |
|
|
(r = sshbuf_put_string(b, mac->key, mac->key_len)) != 0) |
2200 |
|
|
goto out; |
2201 |
|
|
} |
2202 |
|
|
if ((r = sshbuf_put_u32(b, comp->type)) != 0 || |
2203 |
|
|
(r = sshbuf_put_cstring(b, comp->name)) != 0) |
2204 |
|
|
goto out; |
2205 |
|
|
r = sshbuf_put_stringb(m, b); |
2206 |
|
|
out: |
2207 |
|
|
sshbuf_free(b); |
2208 |
|
|
return r; |
2209 |
|
|
} |
2210 |
|
|
|
2211 |
|
|
/* serialize packet state into a blob */ |
2212 |
|
|
int |
2213 |
|
|
ssh_packet_get_state(struct ssh *ssh, struct sshbuf *m) |
2214 |
|
|
{ |
2215 |
|
|
struct session_state *state = ssh->state; |
2216 |
|
|
int r; |
2217 |
|
|
|
2218 |
|
|
if ((r = kex_to_blob(m, ssh->kex)) != 0 || |
2219 |
|
|
(r = newkeys_to_blob(m, ssh, MODE_OUT)) != 0 || |
2220 |
|
|
(r = newkeys_to_blob(m, ssh, MODE_IN)) != 0 || |
2221 |
|
|
(r = sshbuf_put_u64(m, state->rekey_limit)) != 0 || |
2222 |
|
|
(r = sshbuf_put_u32(m, state->rekey_interval)) != 0 || |
2223 |
|
|
(r = sshbuf_put_u32(m, state->p_send.seqnr)) != 0 || |
2224 |
|
|
(r = sshbuf_put_u64(m, state->p_send.blocks)) != 0 || |
2225 |
|
|
(r = sshbuf_put_u32(m, state->p_send.packets)) != 0 || |
2226 |
|
|
(r = sshbuf_put_u64(m, state->p_send.bytes)) != 0 || |
2227 |
|
|
(r = sshbuf_put_u32(m, state->p_read.seqnr)) != 0 || |
2228 |
|
|
(r = sshbuf_put_u64(m, state->p_read.blocks)) != 0 || |
2229 |
|
|
(r = sshbuf_put_u32(m, state->p_read.packets)) != 0 || |
2230 |
|
|
(r = sshbuf_put_u64(m, state->p_read.bytes)) != 0 || |
2231 |
|
|
(r = sshbuf_put_stringb(m, state->input)) != 0 || |
2232 |
|
|
(r = sshbuf_put_stringb(m, state->output)) != 0) |
2233 |
|
|
return r; |
2234 |
|
|
|
2235 |
|
|
return 0; |
2236 |
|
|
} |
2237 |
|
|
|
2238 |
|
|
/* restore key exchange results from blob for packet state de-serialization */ |
2239 |
|
|
static int |
2240 |
|
|
newkeys_from_blob(struct sshbuf *m, struct ssh *ssh, int mode) |
2241 |
|
|
{ |
2242 |
|
|
struct sshbuf *b = NULL; |
2243 |
|
|
struct sshcomp *comp; |
2244 |
|
|
struct sshenc *enc; |
2245 |
|
|
struct sshmac *mac; |
2246 |
|
|
struct newkeys *newkey = NULL; |
2247 |
|
|
size_t keylen, ivlen, maclen; |
2248 |
|
|
int r; |
2249 |
|
|
|
2250 |
|
|
if ((newkey = calloc(1, sizeof(*newkey))) == NULL) { |
2251 |
|
|
r = SSH_ERR_ALLOC_FAIL; |
2252 |
|
|
goto out; |
2253 |
|
|
} |
2254 |
|
|
if ((r = sshbuf_froms(m, &b)) != 0) |
2255 |
|
|
goto out; |
2256 |
|
|
#ifdef DEBUG_PK |
2257 |
|
|
sshbuf_dump(b, stderr); |
2258 |
|
|
#endif |
2259 |
|
|
enc = &newkey->enc; |
2260 |
|
|
mac = &newkey->mac; |
2261 |
|
|
comp = &newkey->comp; |
2262 |
|
|
|
2263 |
|
|
if ((r = sshbuf_get_cstring(b, &enc->name, NULL)) != 0 || |
2264 |
|
|
(r = sshbuf_get_u32(b, (u_int *)&enc->enabled)) != 0 || |
2265 |
|
|
(r = sshbuf_get_u32(b, &enc->block_size)) != 0 || |
2266 |
|
|
(r = sshbuf_get_string(b, &enc->key, &keylen)) != 0 || |
2267 |
|
|
(r = sshbuf_get_string(b, &enc->iv, &ivlen)) != 0) |
2268 |
|
|
goto out; |
2269 |
|
|
if ((enc->cipher = cipher_by_name(enc->name)) == NULL) { |
2270 |
|
|
r = SSH_ERR_INVALID_FORMAT; |
2271 |
|
|
goto out; |
2272 |
|
|
} |
2273 |
|
|
if (cipher_authlen(enc->cipher) == 0) { |
2274 |
|
|
if ((r = sshbuf_get_cstring(b, &mac->name, NULL)) != 0) |
2275 |
|
|
goto out; |
2276 |
|
|
if ((r = mac_setup(mac, mac->name)) != 0) |
2277 |
|
|
goto out; |
2278 |
|
|
if ((r = sshbuf_get_u32(b, (u_int *)&mac->enabled)) != 0 || |
2279 |
|
|
(r = sshbuf_get_string(b, &mac->key, &maclen)) != 0) |
2280 |
|
|
goto out; |
2281 |
|
|
if (maclen > mac->key_len) { |
2282 |
|
|
r = SSH_ERR_INVALID_FORMAT; |
2283 |
|
|
goto out; |
2284 |
|
|
} |
2285 |
|
|
mac->key_len = maclen; |
2286 |
|
|
} |
2287 |
|
|
if ((r = sshbuf_get_u32(b, &comp->type)) != 0 || |
2288 |
|
|
(r = sshbuf_get_cstring(b, &comp->name, NULL)) != 0) |
2289 |
|
|
goto out; |
2290 |
|
|
if (sshbuf_len(b) != 0) { |
2291 |
|
|
r = SSH_ERR_INVALID_FORMAT; |
2292 |
|
|
goto out; |
2293 |
|
|
} |
2294 |
|
|
enc->key_len = keylen; |
2295 |
|
|
enc->iv_len = ivlen; |
2296 |
|
|
ssh->kex->newkeys[mode] = newkey; |
2297 |
|
|
newkey = NULL; |
2298 |
|
|
r = 0; |
2299 |
|
|
out: |
2300 |
|
|
free(newkey); |
2301 |
|
|
sshbuf_free(b); |
2302 |
|
|
return r; |
2303 |
|
|
} |
2304 |
|
|
|
2305 |
|
|
/* restore kex from blob for packet state de-serialization */ |
2306 |
|
|
static int |
2307 |
|
|
kex_from_blob(struct sshbuf *m, struct kex **kexp) |
2308 |
|
|
{ |
2309 |
|
|
struct kex *kex; |
2310 |
|
|
int r; |
2311 |
|
|
|
2312 |
|
|
if ((kex = calloc(1, sizeof(struct kex))) == NULL || |
2313 |
|
|
(kex->my = sshbuf_new()) == NULL || |
2314 |
|
|
(kex->peer = sshbuf_new()) == NULL) { |
2315 |
|
|
r = SSH_ERR_ALLOC_FAIL; |
2316 |
|
|
goto out; |
2317 |
|
|
} |
2318 |
|
|
if ((r = sshbuf_get_string(m, &kex->session_id, &kex->session_id_len)) != 0 || |
2319 |
|
|
(r = sshbuf_get_u32(m, &kex->we_need)) != 0 || |
2320 |
|
|
(r = sshbuf_get_u32(m, (u_int *)&kex->hostkey_type)) != 0 || |
2321 |
|
|
(r = sshbuf_get_u32(m, &kex->kex_type)) != 0 || |
2322 |
|
|
(r = sshbuf_get_stringb(m, kex->my)) != 0 || |
2323 |
|
|
(r = sshbuf_get_stringb(m, kex->peer)) != 0 || |
2324 |
|
|
(r = sshbuf_get_u32(m, &kex->flags)) != 0 || |
2325 |
|
|
(r = sshbuf_get_cstring(m, &kex->client_version_string, NULL)) != 0 || |
2326 |
|
|
(r = sshbuf_get_cstring(m, &kex->server_version_string, NULL)) != 0) |
2327 |
|
|
goto out; |
2328 |
|
|
kex->server = 1; |
2329 |
|
|
kex->done = 1; |
2330 |
|
|
r = 0; |
2331 |
|
|
out: |
2332 |
|
|
if (r != 0 || kexp == NULL) { |
2333 |
|
|
if (kex != NULL) { |
2334 |
|
|
sshbuf_free(kex->my); |
2335 |
|
|
sshbuf_free(kex->peer); |
2336 |
|
|
free(kex); |
2337 |
|
|
} |
2338 |
|
|
if (kexp != NULL) |
2339 |
|
|
*kexp = NULL; |
2340 |
|
|
} else { |
2341 |
|
|
*kexp = kex; |
2342 |
|
|
} |
2343 |
|
|
return r; |
2344 |
|
|
} |
2345 |
|
|
|
2346 |
|
|
/* |
2347 |
|
|
* Restore packet state from content of blob 'm' (de-serialization). |
2348 |
|
|
* Note that 'm' will be partially consumed on parsing or any other errors. |
2349 |
|
|
*/ |
2350 |
|
|
int |
2351 |
|
|
ssh_packet_set_state(struct ssh *ssh, struct sshbuf *m) |
2352 |
|
|
{ |
2353 |
|
|
struct session_state *state = ssh->state; |
2354 |
|
|
const u_char *input, *output; |
2355 |
|
|
size_t ilen, olen; |
2356 |
|
|
int r; |
2357 |
|
|
|
2358 |
|
|
if ((r = kex_from_blob(m, &ssh->kex)) != 0 || |
2359 |
|
|
(r = newkeys_from_blob(m, ssh, MODE_OUT)) != 0 || |
2360 |
|
|
(r = newkeys_from_blob(m, ssh, MODE_IN)) != 0 || |
2361 |
|
|
(r = sshbuf_get_u64(m, &state->rekey_limit)) != 0 || |
2362 |
|
|
(r = sshbuf_get_u32(m, &state->rekey_interval)) != 0 || |
2363 |
|
|
(r = sshbuf_get_u32(m, &state->p_send.seqnr)) != 0 || |
2364 |
|
|
(r = sshbuf_get_u64(m, &state->p_send.blocks)) != 0 || |
2365 |
|
|
(r = sshbuf_get_u32(m, &state->p_send.packets)) != 0 || |
2366 |
|
|
(r = sshbuf_get_u64(m, &state->p_send.bytes)) != 0 || |
2367 |
|
|
(r = sshbuf_get_u32(m, &state->p_read.seqnr)) != 0 || |
2368 |
|
|
(r = sshbuf_get_u64(m, &state->p_read.blocks)) != 0 || |
2369 |
|
|
(r = sshbuf_get_u32(m, &state->p_read.packets)) != 0 || |
2370 |
|
|
(r = sshbuf_get_u64(m, &state->p_read.bytes)) != 0) |
2371 |
|
|
return r; |
2372 |
|
|
/* |
2373 |
|
|
* We set the time here so that in post-auth privsep slave we |
2374 |
|
|
* count from the completion of the authentication. |
2375 |
|
|
*/ |
2376 |
|
|
state->rekey_time = monotime(); |
2377 |
|
|
/* XXX ssh_set_newkeys overrides p_read.packets? XXX */ |
2378 |
|
|
if ((r = ssh_set_newkeys(ssh, MODE_IN)) != 0 || |
2379 |
|
|
(r = ssh_set_newkeys(ssh, MODE_OUT)) != 0) |
2380 |
|
|
return r; |
2381 |
|
|
|
2382 |
|
|
if ((r = ssh_packet_set_postauth(ssh)) != 0) |
2383 |
|
|
return r; |
2384 |
|
|
|
2385 |
|
|
sshbuf_reset(state->input); |
2386 |
|
|
sshbuf_reset(state->output); |
2387 |
|
|
if ((r = sshbuf_get_string_direct(m, &input, &ilen)) != 0 || |
2388 |
|
|
(r = sshbuf_get_string_direct(m, &output, &olen)) != 0 || |
2389 |
|
|
(r = sshbuf_put(state->input, input, ilen)) != 0 || |
2390 |
|
|
(r = sshbuf_put(state->output, output, olen)) != 0) |
2391 |
|
|
return r; |
2392 |
|
|
|
2393 |
|
|
if (sshbuf_len(m)) |
2394 |
|
|
return SSH_ERR_INVALID_FORMAT; |
2395 |
|
|
debug3("%s: done", __func__); |
2396 |
|
|
return 0; |
2397 |
|
|
} |
2398 |
|
|
|
2399 |
|
|
/* NEW API */ |
2400 |
|
|
|
2401 |
|
|
/* put data to the outgoing packet */ |
2402 |
|
|
|
2403 |
|
|
int |
2404 |
|
|
sshpkt_put(struct ssh *ssh, const void *v, size_t len) |
2405 |
|
|
{ |
2406 |
|
|
return sshbuf_put(ssh->state->outgoing_packet, v, len); |
2407 |
|
|
} |
2408 |
|
|
|
2409 |
|
|
int |
2410 |
|
|
sshpkt_putb(struct ssh *ssh, const struct sshbuf *b) |
2411 |
|
|
{ |
2412 |
|
|
return sshbuf_putb(ssh->state->outgoing_packet, b); |
2413 |
|
|
} |
2414 |
|
|
|
2415 |
|
|
int |
2416 |
|
|
sshpkt_put_u8(struct ssh *ssh, u_char val) |
2417 |
|
|
{ |
2418 |
|
|
return sshbuf_put_u8(ssh->state->outgoing_packet, val); |
2419 |
|
|
} |
2420 |
|
|
|
2421 |
|
|
int |
2422 |
|
|
sshpkt_put_u32(struct ssh *ssh, u_int32_t val) |
2423 |
|
|
{ |
2424 |
|
|
return sshbuf_put_u32(ssh->state->outgoing_packet, val); |
2425 |
|
|
} |
2426 |
|
|
|
2427 |
|
|
int |
2428 |
|
|
sshpkt_put_u64(struct ssh *ssh, u_int64_t val) |
2429 |
|
|
{ |
2430 |
|
|
return sshbuf_put_u64(ssh->state->outgoing_packet, val); |
2431 |
|
|
} |
2432 |
|
|
|
2433 |
|
|
int |
2434 |
|
|
sshpkt_put_string(struct ssh *ssh, const void *v, size_t len) |
2435 |
|
|
{ |
2436 |
|
|
return sshbuf_put_string(ssh->state->outgoing_packet, v, len); |
2437 |
|
|
} |
2438 |
|
|
|
2439 |
|
|
int |
2440 |
|
|
sshpkt_put_cstring(struct ssh *ssh, const void *v) |
2441 |
|
|
{ |
2442 |
|
|
return sshbuf_put_cstring(ssh->state->outgoing_packet, v); |
2443 |
|
|
} |
2444 |
|
|
|
2445 |
|
|
int |
2446 |
|
|
sshpkt_put_stringb(struct ssh *ssh, const struct sshbuf *v) |
2447 |
|
|
{ |
2448 |
|
|
return sshbuf_put_stringb(ssh->state->outgoing_packet, v); |
2449 |
|
|
} |
2450 |
|
|
|
2451 |
|
|
#ifdef WITH_OPENSSL |
2452 |
|
|
int |
2453 |
|
|
sshpkt_put_ec(struct ssh *ssh, const EC_POINT *v, const EC_GROUP *g) |
2454 |
|
|
{ |
2455 |
|
|
return sshbuf_put_ec(ssh->state->outgoing_packet, v, g); |
2456 |
|
|
} |
2457 |
|
|
|
2458 |
|
|
|
2459 |
|
|
int |
2460 |
|
|
sshpkt_put_bignum2(struct ssh *ssh, const BIGNUM *v) |
2461 |
|
|
{ |
2462 |
|
|
return sshbuf_put_bignum2(ssh->state->outgoing_packet, v); |
2463 |
|
|
} |
2464 |
|
|
#endif /* WITH_OPENSSL */ |
2465 |
|
|
|
2466 |
|
|
/* fetch data from the incoming packet */ |
2467 |
|
|
|
2468 |
|
|
int |
2469 |
|
|
sshpkt_get(struct ssh *ssh, void *valp, size_t len) |
2470 |
|
|
{ |
2471 |
|
|
return sshbuf_get(ssh->state->incoming_packet, valp, len); |
2472 |
|
|
} |
2473 |
|
|
|
2474 |
|
|
int |
2475 |
|
|
sshpkt_get_u8(struct ssh *ssh, u_char *valp) |
2476 |
|
|
{ |
2477 |
|
|
return sshbuf_get_u8(ssh->state->incoming_packet, valp); |
2478 |
|
|
} |
2479 |
|
|
|
2480 |
|
|
int |
2481 |
|
|
sshpkt_get_u32(struct ssh *ssh, u_int32_t *valp) |
2482 |
|
|
{ |
2483 |
|
|
return sshbuf_get_u32(ssh->state->incoming_packet, valp); |
2484 |
|
|
} |
2485 |
|
|
|
2486 |
|
|
int |
2487 |
|
|
sshpkt_get_u64(struct ssh *ssh, u_int64_t *valp) |
2488 |
|
|
{ |
2489 |
|
|
return sshbuf_get_u64(ssh->state->incoming_packet, valp); |
2490 |
|
|
} |
2491 |
|
|
|
2492 |
|
|
int |
2493 |
|
|
sshpkt_get_string(struct ssh *ssh, u_char **valp, size_t *lenp) |
2494 |
|
|
{ |
2495 |
|
|
return sshbuf_get_string(ssh->state->incoming_packet, valp, lenp); |
2496 |
|
|
} |
2497 |
|
|
|
2498 |
|
|
int |
2499 |
|
|
sshpkt_get_string_direct(struct ssh *ssh, const u_char **valp, size_t *lenp) |
2500 |
|
|
{ |
2501 |
|
|
return sshbuf_get_string_direct(ssh->state->incoming_packet, valp, lenp); |
2502 |
|
|
} |
2503 |
|
|
|
2504 |
|
|
int |
2505 |
|
|
sshpkt_peek_string_direct(struct ssh *ssh, const u_char **valp, size_t *lenp) |
2506 |
|
|
{ |
2507 |
|
|
return sshbuf_peek_string_direct(ssh->state->incoming_packet, valp, lenp); |
2508 |
|
|
} |
2509 |
|
|
|
2510 |
|
|
int |
2511 |
|
|
sshpkt_get_cstring(struct ssh *ssh, char **valp, size_t *lenp) |
2512 |
|
|
{ |
2513 |
|
|
return sshbuf_get_cstring(ssh->state->incoming_packet, valp, lenp); |
2514 |
|
|
} |
2515 |
|
|
|
2516 |
|
|
#ifdef WITH_OPENSSL |
2517 |
|
|
int |
2518 |
|
|
sshpkt_get_ec(struct ssh *ssh, EC_POINT *v, const EC_GROUP *g) |
2519 |
|
|
{ |
2520 |
|
|
return sshbuf_get_ec(ssh->state->incoming_packet, v, g); |
2521 |
|
|
} |
2522 |
|
|
|
2523 |
|
|
|
2524 |
|
|
int |
2525 |
|
|
sshpkt_get_bignum2(struct ssh *ssh, BIGNUM *v) |
2526 |
|
|
{ |
2527 |
|
|
return sshbuf_get_bignum2(ssh->state->incoming_packet, v); |
2528 |
|
|
} |
2529 |
|
|
#endif /* WITH_OPENSSL */ |
2530 |
|
|
|
2531 |
|
|
int |
2532 |
|
|
sshpkt_get_end(struct ssh *ssh) |
2533 |
|
|
{ |
2534 |
|
|
if (sshbuf_len(ssh->state->incoming_packet) > 0) |
2535 |
|
|
return SSH_ERR_UNEXPECTED_TRAILING_DATA; |
2536 |
|
|
return 0; |
2537 |
|
|
} |
2538 |
|
|
|
2539 |
|
|
const u_char * |
2540 |
|
|
sshpkt_ptr(struct ssh *ssh, size_t *lenp) |
2541 |
|
|
{ |
2542 |
|
|
if (lenp != NULL) |
2543 |
|
|
*lenp = sshbuf_len(ssh->state->incoming_packet); |
2544 |
|
|
return sshbuf_ptr(ssh->state->incoming_packet); |
2545 |
|
|
} |
2546 |
|
|
|
2547 |
|
|
/* start a new packet */ |
2548 |
|
|
|
2549 |
|
|
int |
2550 |
|
|
sshpkt_start(struct ssh *ssh, u_char type) |
2551 |
|
|
{ |
2552 |
|
|
u_char buf[6]; /* u32 packet length, u8 pad len, u8 type */ |
2553 |
|
|
|
2554 |
|
|
DBG(debug("packet_start[%d]", type)); |
2555 |
|
|
memset(buf, 0, sizeof(buf)); |
2556 |
|
|
buf[sizeof(buf) - 1] = type; |
2557 |
|
|
sshbuf_reset(ssh->state->outgoing_packet); |
2558 |
|
|
return sshbuf_put(ssh->state->outgoing_packet, buf, sizeof(buf)); |
2559 |
|
|
} |
2560 |
|
|
|
2561 |
|
|
static int |
2562 |
|
|
ssh_packet_send_mux(struct ssh *ssh) |
2563 |
|
|
{ |
2564 |
|
|
struct session_state *state = ssh->state; |
2565 |
|
|
u_char type, *cp; |
2566 |
|
|
size_t len; |
2567 |
|
|
int r; |
2568 |
|
|
|
2569 |
|
|
if (ssh->kex) |
2570 |
|
|
return SSH_ERR_INTERNAL_ERROR; |
2571 |
|
|
len = sshbuf_len(state->outgoing_packet); |
2572 |
|
|
if (len < 6) |
2573 |
|
|
return SSH_ERR_INTERNAL_ERROR; |
2574 |
|
|
cp = sshbuf_mutable_ptr(state->outgoing_packet); |
2575 |
|
|
type = cp[5]; |
2576 |
|
|
if (ssh_packet_log_type(type)) |
2577 |
|
|
debug3("%s: type %u", __func__, type); |
2578 |
|
|
/* drop everything, but the connection protocol */ |
2579 |
|
|
if (type >= SSH2_MSG_CONNECTION_MIN && |
2580 |
|
|
type <= SSH2_MSG_CONNECTION_MAX) { |
2581 |
|
|
POKE_U32(cp, len - 4); |
2582 |
|
|
if ((r = sshbuf_putb(state->output, |
2583 |
|
|
state->outgoing_packet)) != 0) |
2584 |
|
|
return r; |
2585 |
|
|
/* sshbuf_dump(state->output, stderr); */ |
2586 |
|
|
} |
2587 |
|
|
sshbuf_reset(state->outgoing_packet); |
2588 |
|
|
return 0; |
2589 |
|
|
} |
2590 |
|
|
|
2591 |
|
|
/* |
2592 |
|
|
* 9.2. Ignored Data Message |
2593 |
|
|
* |
2594 |
|
|
* byte SSH_MSG_IGNORE |
2595 |
|
|
* string data |
2596 |
|
|
* |
2597 |
|
|
* All implementations MUST understand (and ignore) this message at any |
2598 |
|
|
* time (after receiving the protocol version). No implementation is |
2599 |
|
|
* required to send them. This message can be used as an additional |
2600 |
|
|
* protection measure against advanced traffic analysis techniques. |
2601 |
|
|
*/ |
2602 |
|
|
int |
2603 |
|
|
sshpkt_msg_ignore(struct ssh *ssh, u_int nbytes) |
2604 |
|
|
{ |
2605 |
|
|
u_int32_t rnd = 0; |
2606 |
|
|
int r; |
2607 |
|
|
u_int i; |
2608 |
|
|
|
2609 |
|
|
if ((r = sshpkt_start(ssh, SSH2_MSG_IGNORE)) != 0 || |
2610 |
|
|
(r = sshpkt_put_u32(ssh, nbytes)) != 0) |
2611 |
|
|
return r; |
2612 |
|
|
for (i = 0; i < nbytes; i++) { |
2613 |
|
|
if (i % 4 == 0) |
2614 |
|
|
rnd = arc4random(); |
2615 |
|
|
if ((r = sshpkt_put_u8(ssh, (u_char)rnd & 0xff)) != 0) |
2616 |
|
|
return r; |
2617 |
|
|
rnd >>= 8; |
2618 |
|
|
} |
2619 |
|
|
return 0; |
2620 |
|
|
} |
2621 |
|
|
|
2622 |
|
|
/* send it */ |
2623 |
|
|
|
2624 |
|
|
int |
2625 |
|
|
sshpkt_send(struct ssh *ssh) |
2626 |
|
|
{ |
2627 |
|
|
if (ssh->state && ssh->state->mux) |
2628 |
|
|
return ssh_packet_send_mux(ssh); |
2629 |
|
|
return ssh_packet_send2(ssh); |
2630 |
|
|
} |
2631 |
|
|
|
2632 |
|
|
int |
2633 |
|
|
sshpkt_disconnect(struct ssh *ssh, const char *fmt,...) |
2634 |
|
|
{ |
2635 |
|
|
char buf[1024]; |
2636 |
|
|
va_list args; |
2637 |
|
|
int r; |
2638 |
|
|
|
2639 |
|
|
va_start(args, fmt); |
2640 |
|
|
vsnprintf(buf, sizeof(buf), fmt, args); |
2641 |
|
|
va_end(args); |
2642 |
|
|
|
2643 |
|
|
if ((r = sshpkt_start(ssh, SSH2_MSG_DISCONNECT)) != 0 || |
2644 |
|
|
(r = sshpkt_put_u32(ssh, SSH2_DISCONNECT_PROTOCOL_ERROR)) != 0 || |
2645 |
|
|
(r = sshpkt_put_cstring(ssh, buf)) != 0 || |
2646 |
|
|
(r = sshpkt_put_cstring(ssh, "")) != 0 || |
2647 |
|
|
(r = sshpkt_send(ssh)) != 0) |
2648 |
|
|
return r; |
2649 |
|
|
return 0; |
2650 |
|
|
} |
2651 |
|
|
|
2652 |
|
|
/* roundup current message to pad bytes */ |
2653 |
|
|
int |
2654 |
|
|
sshpkt_add_padding(struct ssh *ssh, u_char pad) |
2655 |
|
|
{ |
2656 |
|
|
ssh->state->extra_pad = pad; |
2657 |
|
|
return 0; |
2658 |
|
|
} |