xref: /freebsd/crypto/openssh/packet.c (revision 1e413cf93298b5b97441a21d9a50fdcd0ee9945e)
1 /* $OpenBSD: packet.c,v 1.145 2006/09/19 21:14:08 markus Exp $ */
2 /*
3  * Author: Tatu Ylonen <ylo@cs.hut.fi>
4  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
5  *                    All rights reserved
6  * This file contains code implementing the packet protocol and communication
7  * with the other side.  This same code is used both on client and server side.
8  *
9  * As far as I am concerned, the code I have written for this software
10  * can be used freely for any purpose.  Any derived versions of this
11  * software must be clearly marked as such, and if the derived work is
12  * incompatible with the protocol description in the RFC file, it must be
13  * called by a name other than "ssh" or "Secure Shell".
14  *
15  *
16  * SSH2 packet format added by Markus Friedl.
17  * Copyright (c) 2000, 2001 Markus Friedl.  All rights reserved.
18  *
19  * Redistribution and use in source and binary forms, with or without
20  * modification, are permitted provided that the following conditions
21  * are met:
22  * 1. Redistributions of source code must retain the above copyright
23  *    notice, this list of conditions and the following disclaimer.
24  * 2. Redistributions in binary form must reproduce the above copyright
25  *    notice, this list of conditions and the following disclaimer in the
26  *    documentation and/or other materials provided with the distribution.
27  *
28  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
29  * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
30  * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
31  * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
32  * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
33  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
34  * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
35  * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
36  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
37  * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
38  */
39 
40 #include "includes.h"
41 
42 #include <sys/types.h>
43 #include "openbsd-compat/sys-queue.h"
44 #include <sys/param.h>
45 #include <sys/socket.h>
46 #ifdef HAVE_SYS_TIME_H
47 # include <sys/time.h>
48 #endif
49 
50 #include <netinet/in_systm.h>
51 #include <netinet/in.h>
52 #include <netinet/ip.h>
53 #include <arpa/inet.h>
54 
55 #include <errno.h>
56 #include <stdarg.h>
57 #include <stdio.h>
58 #include <stdlib.h>
59 #include <string.h>
60 #include <unistd.h>
61 #include <signal.h>
62 
63 #include "xmalloc.h"
64 #include "buffer.h"
65 #include "packet.h"
66 #include "crc32.h"
67 #include "compress.h"
68 #include "deattack.h"
69 #include "channels.h"
70 #include "compat.h"
71 #include "ssh1.h"
72 #include "ssh2.h"
73 #include "cipher.h"
74 #include "key.h"
75 #include "kex.h"
76 #include "mac.h"
77 #include "log.h"
78 #include "canohost.h"
79 #include "misc.h"
80 #include "ssh.h"
81 
82 #ifdef PACKET_DEBUG
83 #define DBG(x) x
84 #else
85 #define DBG(x)
86 #endif
87 
88 /*
89  * This variable contains the file descriptors used for communicating with
90  * the other side.  connection_in is used for reading; connection_out for
91  * writing.  These can be the same descriptor, in which case it is assumed to
92  * be a socket.
93  */
94 static int connection_in = -1;
95 static int connection_out = -1;
96 
97 /* Protocol flags for the remote side. */
98 static u_int remote_protocol_flags = 0;
99 
100 /* Encryption context for receiving data.  This is only used for decryption. */
101 static CipherContext receive_context;
102 
103 /* Encryption context for sending data.  This is only used for encryption. */
104 static CipherContext send_context;
105 
106 /* Buffer for raw input data from the socket. */
107 Buffer input;
108 
109 /* Buffer for raw output data going to the socket. */
110 Buffer output;
111 
112 /* Buffer for the partial outgoing packet being constructed. */
113 static Buffer outgoing_packet;
114 
115 /* Buffer for the incoming packet currently being processed. */
116 static Buffer incoming_packet;
117 
118 /* Scratch buffer for packet compression/decompression. */
119 static Buffer compression_buffer;
120 static int compression_buffer_ready = 0;
121 
122 /* Flag indicating whether packet compression/decompression is enabled. */
123 static int packet_compression = 0;
124 
125 /* default maximum packet size */
126 u_int max_packet_size = 32768;
127 
128 /* Flag indicating whether this module has been initialized. */
129 static int initialized = 0;
130 
131 /* Set to true if the connection is interactive. */
132 static int interactive_mode = 0;
133 
134 /* Set to true if we are the server side. */
135 static int server_side = 0;
136 
137 /* Set to true if we are authenticated. */
138 static int after_authentication = 0;
139 
140 /* Session key information for Encryption and MAC */
141 Newkeys *newkeys[MODE_MAX];
142 static struct packet_state {
143 	u_int32_t seqnr;
144 	u_int32_t packets;
145 	u_int64_t blocks;
146 } p_read, p_send;
147 
148 static u_int64_t max_blocks_in, max_blocks_out;
149 static u_int32_t rekey_limit;
150 
151 /* Session key for protocol v1 */
152 static u_char ssh1_key[SSH_SESSION_KEY_LENGTH];
153 static u_int ssh1_keylen;
154 
155 /* roundup current message to extra_pad bytes */
156 static u_char extra_pad = 0;
157 
158 struct packet {
159 	TAILQ_ENTRY(packet) next;
160 	u_char type;
161 	Buffer payload;
162 };
163 TAILQ_HEAD(, packet) outgoing;
164 
165 /*
166  * Sets the descriptors used for communication.  Disables encryption until
167  * packet_set_encryption_key is called.
168  */
169 void
170 packet_set_connection(int fd_in, int fd_out)
171 {
172 	Cipher *none = cipher_by_name("none");
173 
174 	if (none == NULL)
175 		fatal("packet_set_connection: cannot load cipher 'none'");
176 	connection_in = fd_in;
177 	connection_out = fd_out;
178 	cipher_init(&send_context, none, (const u_char *)"",
179 	    0, NULL, 0, CIPHER_ENCRYPT);
180 	cipher_init(&receive_context, none, (const u_char *)"",
181 	    0, NULL, 0, CIPHER_DECRYPT);
182 	newkeys[MODE_IN] = newkeys[MODE_OUT] = NULL;
183 	if (!initialized) {
184 		initialized = 1;
185 		buffer_init(&input);
186 		buffer_init(&output);
187 		buffer_init(&outgoing_packet);
188 		buffer_init(&incoming_packet);
189 		TAILQ_INIT(&outgoing);
190 	}
191 }
192 
193 /* Returns 1 if remote host is connected via socket, 0 if not. */
194 
195 int
196 packet_connection_is_on_socket(void)
197 {
198 	struct sockaddr_storage from, to;
199 	socklen_t fromlen, tolen;
200 
201 	/* filedescriptors in and out are the same, so it's a socket */
202 	if (connection_in == connection_out)
203 		return 1;
204 	fromlen = sizeof(from);
205 	memset(&from, 0, sizeof(from));
206 	if (getpeername(connection_in, (struct sockaddr *)&from, &fromlen) < 0)
207 		return 0;
208 	tolen = sizeof(to);
209 	memset(&to, 0, sizeof(to));
210 	if (getpeername(connection_out, (struct sockaddr *)&to, &tolen) < 0)
211 		return 0;
212 	if (fromlen != tolen || memcmp(&from, &to, fromlen) != 0)
213 		return 0;
214 	if (from.ss_family != AF_INET && from.ss_family != AF_INET6)
215 		return 0;
216 	return 1;
217 }
218 
219 /*
220  * Exports an IV from the CipherContext required to export the key
221  * state back from the unprivileged child to the privileged parent
222  * process.
223  */
224 
225 void
226 packet_get_keyiv(int mode, u_char *iv, u_int len)
227 {
228 	CipherContext *cc;
229 
230 	if (mode == MODE_OUT)
231 		cc = &send_context;
232 	else
233 		cc = &receive_context;
234 
235 	cipher_get_keyiv(cc, iv, len);
236 }
237 
238 int
239 packet_get_keycontext(int mode, u_char *dat)
240 {
241 	CipherContext *cc;
242 
243 	if (mode == MODE_OUT)
244 		cc = &send_context;
245 	else
246 		cc = &receive_context;
247 
248 	return (cipher_get_keycontext(cc, dat));
249 }
250 
251 void
252 packet_set_keycontext(int mode, u_char *dat)
253 {
254 	CipherContext *cc;
255 
256 	if (mode == MODE_OUT)
257 		cc = &send_context;
258 	else
259 		cc = &receive_context;
260 
261 	cipher_set_keycontext(cc, dat);
262 }
263 
264 int
265 packet_get_keyiv_len(int mode)
266 {
267 	CipherContext *cc;
268 
269 	if (mode == MODE_OUT)
270 		cc = &send_context;
271 	else
272 		cc = &receive_context;
273 
274 	return (cipher_get_keyiv_len(cc));
275 }
276 
277 void
278 packet_set_iv(int mode, u_char *dat)
279 {
280 	CipherContext *cc;
281 
282 	if (mode == MODE_OUT)
283 		cc = &send_context;
284 	else
285 		cc = &receive_context;
286 
287 	cipher_set_keyiv(cc, dat);
288 }
289 
290 int
291 packet_get_ssh1_cipher(void)
292 {
293 	return (cipher_get_number(receive_context.cipher));
294 }
295 
296 void
297 packet_get_state(int mode, u_int32_t *seqnr, u_int64_t *blocks, u_int32_t *packets)
298 {
299 	struct packet_state *state;
300 
301 	state = (mode == MODE_IN) ? &p_read : &p_send;
302 	*seqnr = state->seqnr;
303 	*blocks = state->blocks;
304 	*packets = state->packets;
305 }
306 
307 void
308 packet_set_state(int mode, u_int32_t seqnr, u_int64_t blocks, u_int32_t packets)
309 {
310 	struct packet_state *state;
311 
312 	state = (mode == MODE_IN) ? &p_read : &p_send;
313 	state->seqnr = seqnr;
314 	state->blocks = blocks;
315 	state->packets = packets;
316 }
317 
318 /* returns 1 if connection is via ipv4 */
319 
320 int
321 packet_connection_is_ipv4(void)
322 {
323 	struct sockaddr_storage to;
324 	socklen_t tolen = sizeof(to);
325 
326 	memset(&to, 0, sizeof(to));
327 	if (getsockname(connection_out, (struct sockaddr *)&to, &tolen) < 0)
328 		return 0;
329 	if (to.ss_family == AF_INET)
330 		return 1;
331 #ifdef IPV4_IN_IPV6
332 	if (to.ss_family == AF_INET6 &&
333 	    IN6_IS_ADDR_V4MAPPED(&((struct sockaddr_in6 *)&to)->sin6_addr))
334 		return 1;
335 #endif
336 	return 0;
337 }
338 
339 /* Sets the connection into non-blocking mode. */
340 
341 void
342 packet_set_nonblocking(void)
343 {
344 	/* Set the socket into non-blocking mode. */
345 	set_nonblock(connection_in);
346 
347 	if (connection_out != connection_in)
348 		set_nonblock(connection_out);
349 }
350 
351 /* Returns the socket used for reading. */
352 
353 int
354 packet_get_connection_in(void)
355 {
356 	return connection_in;
357 }
358 
359 /* Returns the descriptor used for writing. */
360 
361 int
362 packet_get_connection_out(void)
363 {
364 	return connection_out;
365 }
366 
367 /* Closes the connection and clears and frees internal data structures. */
368 
369 void
370 packet_close(void)
371 {
372 	if (!initialized)
373 		return;
374 	initialized = 0;
375 	if (connection_in == connection_out) {
376 		shutdown(connection_out, SHUT_RDWR);
377 		close(connection_out);
378 	} else {
379 		close(connection_in);
380 		close(connection_out);
381 	}
382 	buffer_free(&input);
383 	buffer_free(&output);
384 	buffer_free(&outgoing_packet);
385 	buffer_free(&incoming_packet);
386 	if (compression_buffer_ready) {
387 		buffer_free(&compression_buffer);
388 		buffer_compress_uninit();
389 	}
390 	cipher_cleanup(&send_context);
391 	cipher_cleanup(&receive_context);
392 }
393 
394 /* Sets remote side protocol flags. */
395 
396 void
397 packet_set_protocol_flags(u_int protocol_flags)
398 {
399 	remote_protocol_flags = protocol_flags;
400 }
401 
402 /* Returns the remote protocol flags set earlier by the above function. */
403 
404 u_int
405 packet_get_protocol_flags(void)
406 {
407 	return remote_protocol_flags;
408 }
409 
410 /*
411  * Starts packet compression from the next packet on in both directions.
412  * Level is compression level 1 (fastest) - 9 (slow, best) as in gzip.
413  */
414 
415 static void
416 packet_init_compression(void)
417 {
418 	if (compression_buffer_ready == 1)
419 		return;
420 	compression_buffer_ready = 1;
421 	buffer_init(&compression_buffer);
422 }
423 
424 void
425 packet_start_compression(int level)
426 {
427 	if (packet_compression && !compat20)
428 		fatal("Compression already enabled.");
429 	packet_compression = 1;
430 	packet_init_compression();
431 	buffer_compress_init_send(level);
432 	buffer_compress_init_recv();
433 }
434 
435 /*
436  * Causes any further packets to be encrypted using the given key.  The same
437  * key is used for both sending and reception.  However, both directions are
438  * encrypted independently of each other.
439  */
440 
441 void
442 packet_set_encryption_key(const u_char *key, u_int keylen,
443     int number)
444 {
445 	Cipher *cipher = cipher_by_number(number);
446 
447 	if (cipher == NULL)
448 		fatal("packet_set_encryption_key: unknown cipher number %d", number);
449 	if (keylen < 20)
450 		fatal("packet_set_encryption_key: keylen too small: %d", keylen);
451 	if (keylen > SSH_SESSION_KEY_LENGTH)
452 		fatal("packet_set_encryption_key: keylen too big: %d", keylen);
453 	memcpy(ssh1_key, key, keylen);
454 	ssh1_keylen = keylen;
455 	cipher_init(&send_context, cipher, key, keylen, NULL, 0, CIPHER_ENCRYPT);
456 	cipher_init(&receive_context, cipher, key, keylen, NULL, 0, CIPHER_DECRYPT);
457 }
458 
459 u_int
460 packet_get_encryption_key(u_char *key)
461 {
462 	if (key == NULL)
463 		return (ssh1_keylen);
464 	memcpy(key, ssh1_key, ssh1_keylen);
465 	return (ssh1_keylen);
466 }
467 
468 /* Start constructing a packet to send. */
469 void
470 packet_start(u_char type)
471 {
472 	u_char buf[9];
473 	int len;
474 
475 	DBG(debug("packet_start[%d]", type));
476 	len = compat20 ? 6 : 9;
477 	memset(buf, 0, len - 1);
478 	buf[len - 1] = type;
479 	buffer_clear(&outgoing_packet);
480 	buffer_append(&outgoing_packet, buf, len);
481 }
482 
483 /* Append payload. */
484 void
485 packet_put_char(int value)
486 {
487 	char ch = value;
488 
489 	buffer_append(&outgoing_packet, &ch, 1);
490 }
491 
492 void
493 packet_put_int(u_int value)
494 {
495 	buffer_put_int(&outgoing_packet, value);
496 }
497 
498 void
499 packet_put_string(const void *buf, u_int len)
500 {
501 	buffer_put_string(&outgoing_packet, buf, len);
502 }
503 
504 void
505 packet_put_cstring(const char *str)
506 {
507 	buffer_put_cstring(&outgoing_packet, str);
508 }
509 
510 void
511 packet_put_raw(const void *buf, u_int len)
512 {
513 	buffer_append(&outgoing_packet, buf, len);
514 }
515 
516 void
517 packet_put_bignum(BIGNUM * value)
518 {
519 	buffer_put_bignum(&outgoing_packet, value);
520 }
521 
522 void
523 packet_put_bignum2(BIGNUM * value)
524 {
525 	buffer_put_bignum2(&outgoing_packet, value);
526 }
527 
528 /*
529  * Finalizes and sends the packet.  If the encryption key has been set,
530  * encrypts the packet before sending.
531  */
532 
533 static void
534 packet_send1(void)
535 {
536 	u_char buf[8], *cp;
537 	int i, padding, len;
538 	u_int checksum;
539 	u_int32_t rnd = 0;
540 
541 	/*
542 	 * If using packet compression, compress the payload of the outgoing
543 	 * packet.
544 	 */
545 	if (packet_compression) {
546 		buffer_clear(&compression_buffer);
547 		/* Skip padding. */
548 		buffer_consume(&outgoing_packet, 8);
549 		/* padding */
550 		buffer_append(&compression_buffer, "\0\0\0\0\0\0\0\0", 8);
551 		buffer_compress(&outgoing_packet, &compression_buffer);
552 		buffer_clear(&outgoing_packet);
553 		buffer_append(&outgoing_packet, buffer_ptr(&compression_buffer),
554 		    buffer_len(&compression_buffer));
555 	}
556 	/* Compute packet length without padding (add checksum, remove padding). */
557 	len = buffer_len(&outgoing_packet) + 4 - 8;
558 
559 	/* Insert padding. Initialized to zero in packet_start1() */
560 	padding = 8 - len % 8;
561 	if (!send_context.plaintext) {
562 		cp = buffer_ptr(&outgoing_packet);
563 		for (i = 0; i < padding; i++) {
564 			if (i % 4 == 0)
565 				rnd = arc4random();
566 			cp[7 - i] = rnd & 0xff;
567 			rnd >>= 8;
568 		}
569 	}
570 	buffer_consume(&outgoing_packet, 8 - padding);
571 
572 	/* Add check bytes. */
573 	checksum = ssh_crc32(buffer_ptr(&outgoing_packet),
574 	    buffer_len(&outgoing_packet));
575 	put_u32(buf, checksum);
576 	buffer_append(&outgoing_packet, buf, 4);
577 
578 #ifdef PACKET_DEBUG
579 	fprintf(stderr, "packet_send plain: ");
580 	buffer_dump(&outgoing_packet);
581 #endif
582 
583 	/* Append to output. */
584 	put_u32(buf, len);
585 	buffer_append(&output, buf, 4);
586 	cp = buffer_append_space(&output, buffer_len(&outgoing_packet));
587 	cipher_crypt(&send_context, cp, buffer_ptr(&outgoing_packet),
588 	    buffer_len(&outgoing_packet));
589 
590 #ifdef PACKET_DEBUG
591 	fprintf(stderr, "encrypted: ");
592 	buffer_dump(&output);
593 #endif
594 
595 	buffer_clear(&outgoing_packet);
596 
597 	/*
598 	 * Note that the packet is now only buffered in output.  It won't be
599 	 * actually sent until packet_write_wait or packet_write_poll is
600 	 * called.
601 	 */
602 }
603 
604 void
605 set_newkeys(int mode)
606 {
607 	Enc *enc;
608 	Mac *mac;
609 	Comp *comp;
610 	CipherContext *cc;
611 	u_int64_t *max_blocks;
612 	int crypt_type;
613 
614 	debug2("set_newkeys: mode %d", mode);
615 
616 	if (mode == MODE_OUT) {
617 		cc = &send_context;
618 		crypt_type = CIPHER_ENCRYPT;
619 		p_send.packets = p_send.blocks = 0;
620 		max_blocks = &max_blocks_out;
621 	} else {
622 		cc = &receive_context;
623 		crypt_type = CIPHER_DECRYPT;
624 		p_read.packets = p_read.blocks = 0;
625 		max_blocks = &max_blocks_in;
626 	}
627 	if (newkeys[mode] != NULL) {
628 		debug("set_newkeys: rekeying");
629 		cipher_cleanup(cc);
630 		enc  = &newkeys[mode]->enc;
631 		mac  = &newkeys[mode]->mac;
632 		comp = &newkeys[mode]->comp;
633 		memset(mac->key, 0, mac->key_len);
634 		xfree(enc->name);
635 		xfree(enc->iv);
636 		xfree(enc->key);
637 		xfree(mac->name);
638 		xfree(mac->key);
639 		xfree(comp->name);
640 		xfree(newkeys[mode]);
641 	}
642 	newkeys[mode] = kex_get_newkeys(mode);
643 	if (newkeys[mode] == NULL)
644 		fatal("newkeys: no keys for mode %d", mode);
645 	enc  = &newkeys[mode]->enc;
646 	mac  = &newkeys[mode]->mac;
647 	comp = &newkeys[mode]->comp;
648 	if (mac->md != NULL)
649 		mac->enabled = 1;
650 	DBG(debug("cipher_init_context: %d", mode));
651 	cipher_init(cc, enc->cipher, enc->key, enc->key_len,
652 	    enc->iv, enc->block_size, crypt_type);
653 	/* Deleting the keys does not gain extra security */
654 	/* memset(enc->iv,  0, enc->block_size);
655 	   memset(enc->key, 0, enc->key_len); */
656 	if ((comp->type == COMP_ZLIB ||
657 	    (comp->type == COMP_DELAYED && after_authentication)) &&
658 	    comp->enabled == 0) {
659 		packet_init_compression();
660 		if (mode == MODE_OUT)
661 			buffer_compress_init_send(6);
662 		else
663 			buffer_compress_init_recv();
664 		comp->enabled = 1;
665 	}
666 	/*
667 	 * The 2^(blocksize*2) limit is too expensive for 3DES,
668 	 * blowfish, etc, so enforce a 1GB limit for small blocksizes.
669 	 */
670 	if (enc->block_size >= 16)
671 		*max_blocks = (u_int64_t)1 << (enc->block_size*2);
672 	else
673 		*max_blocks = ((u_int64_t)1 << 30) / enc->block_size;
674 	if (rekey_limit)
675 		*max_blocks = MIN(*max_blocks, rekey_limit / enc->block_size);
676 }
677 
678 /*
679  * Delayed compression for SSH2 is enabled after authentication:
680  * This happens on the server side after a SSH2_MSG_USERAUTH_SUCCESS is sent,
681  * and on the client side after a SSH2_MSG_USERAUTH_SUCCESS is received.
682  */
683 static void
684 packet_enable_delayed_compress(void)
685 {
686 	Comp *comp = NULL;
687 	int mode;
688 
689 	/*
690 	 * Remember that we are past the authentication step, so rekeying
691 	 * with COMP_DELAYED will turn on compression immediately.
692 	 */
693 	after_authentication = 1;
694 	for (mode = 0; mode < MODE_MAX; mode++) {
695 		/* protocol error: USERAUTH_SUCCESS received before NEWKEYS */
696 		if (newkeys[mode] == NULL)
697 			continue;
698 		comp = &newkeys[mode]->comp;
699 		if (comp && !comp->enabled && comp->type == COMP_DELAYED) {
700 			packet_init_compression();
701 			if (mode == MODE_OUT)
702 				buffer_compress_init_send(6);
703 			else
704 				buffer_compress_init_recv();
705 			comp->enabled = 1;
706 		}
707 	}
708 }
709 
710 /*
711  * Finalize packet in SSH2 format (compress, mac, encrypt, enqueue)
712  */
713 static void
714 packet_send2_wrapped(void)
715 {
716 	u_char type, *cp, *macbuf = NULL;
717 	u_char padlen, pad;
718 	u_int packet_length = 0;
719 	u_int i, len;
720 	u_int32_t rnd = 0;
721 	Enc *enc   = NULL;
722 	Mac *mac   = NULL;
723 	Comp *comp = NULL;
724 	int block_size;
725 
726 	if (newkeys[MODE_OUT] != NULL) {
727 		enc  = &newkeys[MODE_OUT]->enc;
728 		mac  = &newkeys[MODE_OUT]->mac;
729 		comp = &newkeys[MODE_OUT]->comp;
730 	}
731 	block_size = enc ? enc->block_size : 8;
732 
733 	cp = buffer_ptr(&outgoing_packet);
734 	type = cp[5];
735 
736 #ifdef PACKET_DEBUG
737 	fprintf(stderr, "plain:     ");
738 	buffer_dump(&outgoing_packet);
739 #endif
740 
741 	if (comp && comp->enabled) {
742 		len = buffer_len(&outgoing_packet);
743 		/* skip header, compress only payload */
744 		buffer_consume(&outgoing_packet, 5);
745 		buffer_clear(&compression_buffer);
746 		buffer_compress(&outgoing_packet, &compression_buffer);
747 		buffer_clear(&outgoing_packet);
748 		buffer_append(&outgoing_packet, "\0\0\0\0\0", 5);
749 		buffer_append(&outgoing_packet, buffer_ptr(&compression_buffer),
750 		    buffer_len(&compression_buffer));
751 		DBG(debug("compression: raw %d compressed %d", len,
752 		    buffer_len(&outgoing_packet)));
753 	}
754 
755 	/* sizeof (packet_len + pad_len + payload) */
756 	len = buffer_len(&outgoing_packet);
757 
758 	/*
759 	 * calc size of padding, alloc space, get random data,
760 	 * minimum padding is 4 bytes
761 	 */
762 	padlen = block_size - (len % block_size);
763 	if (padlen < 4)
764 		padlen += block_size;
765 	if (extra_pad) {
766 		/* will wrap if extra_pad+padlen > 255 */
767 		extra_pad  = roundup(extra_pad, block_size);
768 		pad = extra_pad - ((len + padlen) % extra_pad);
769 		debug3("packet_send2: adding %d (len %d padlen %d extra_pad %d)",
770 		    pad, len, padlen, extra_pad);
771 		padlen += pad;
772 		extra_pad = 0;
773 	}
774 	cp = buffer_append_space(&outgoing_packet, padlen);
775 	if (enc && !send_context.plaintext) {
776 		/* random padding */
777 		for (i = 0; i < padlen; i++) {
778 			if (i % 4 == 0)
779 				rnd = arc4random();
780 			cp[i] = rnd & 0xff;
781 			rnd >>= 8;
782 		}
783 	} else {
784 		/* clear padding */
785 		memset(cp, 0, padlen);
786 	}
787 	/* packet_length includes payload, padding and padding length field */
788 	packet_length = buffer_len(&outgoing_packet) - 4;
789 	cp = buffer_ptr(&outgoing_packet);
790 	put_u32(cp, packet_length);
791 	cp[4] = padlen;
792 	DBG(debug("send: len %d (includes padlen %d)", packet_length+4, padlen));
793 
794 	/* compute MAC over seqnr and packet(length fields, payload, padding) */
795 	if (mac && mac->enabled) {
796 		macbuf = mac_compute(mac, p_send.seqnr,
797 		    buffer_ptr(&outgoing_packet),
798 		    buffer_len(&outgoing_packet));
799 		DBG(debug("done calc MAC out #%d", p_send.seqnr));
800 	}
801 	/* encrypt packet and append to output buffer. */
802 	cp = buffer_append_space(&output, buffer_len(&outgoing_packet));
803 	cipher_crypt(&send_context, cp, buffer_ptr(&outgoing_packet),
804 	    buffer_len(&outgoing_packet));
805 	/* append unencrypted MAC */
806 	if (mac && mac->enabled)
807 		buffer_append(&output, macbuf, mac->mac_len);
808 #ifdef PACKET_DEBUG
809 	fprintf(stderr, "encrypted: ");
810 	buffer_dump(&output);
811 #endif
812 	/* increment sequence number for outgoing packets */
813 	if (++p_send.seqnr == 0)
814 		logit("outgoing seqnr wraps around");
815 	if (++p_send.packets == 0)
816 		if (!(datafellows & SSH_BUG_NOREKEY))
817 			fatal("XXX too many packets with same key");
818 	p_send.blocks += (packet_length + 4) / block_size;
819 	buffer_clear(&outgoing_packet);
820 
821 	if (type == SSH2_MSG_NEWKEYS)
822 		set_newkeys(MODE_OUT);
823 	else if (type == SSH2_MSG_USERAUTH_SUCCESS && server_side)
824 		packet_enable_delayed_compress();
825 }
826 
827 static void
828 packet_send2(void)
829 {
830 	static int rekeying = 0;
831 	struct packet *p;
832 	u_char type, *cp;
833 
834 	cp = buffer_ptr(&outgoing_packet);
835 	type = cp[5];
836 
837 	/* during rekeying we can only send key exchange messages */
838 	if (rekeying) {
839 		if (!((type >= SSH2_MSG_TRANSPORT_MIN) &&
840 		    (type <= SSH2_MSG_TRANSPORT_MAX))) {
841 			debug("enqueue packet: %u", type);
842 			p = xmalloc(sizeof(*p));
843 			p->type = type;
844 			memcpy(&p->payload, &outgoing_packet, sizeof(Buffer));
845 			buffer_init(&outgoing_packet);
846 			TAILQ_INSERT_TAIL(&outgoing, p, next);
847 			return;
848 		}
849 	}
850 
851 	/* rekeying starts with sending KEXINIT */
852 	if (type == SSH2_MSG_KEXINIT)
853 		rekeying = 1;
854 
855 	packet_send2_wrapped();
856 
857 	/* after a NEWKEYS message we can send the complete queue */
858 	if (type == SSH2_MSG_NEWKEYS) {
859 		rekeying = 0;
860 		while ((p = TAILQ_FIRST(&outgoing))) {
861 			type = p->type;
862 			debug("dequeue packet: %u", type);
863 			buffer_free(&outgoing_packet);
864 			memcpy(&outgoing_packet, &p->payload,
865 			    sizeof(Buffer));
866 			TAILQ_REMOVE(&outgoing, p, next);
867 			xfree(p);
868 			packet_send2_wrapped();
869 		}
870 	}
871 }
872 
873 void
874 packet_send(void)
875 {
876 	if (compat20)
877 		packet_send2();
878 	else
879 		packet_send1();
880 	DBG(debug("packet_send done"));
881 }
882 
883 /*
884  * Waits until a packet has been received, and returns its type.  Note that
885  * no other data is processed until this returns, so this function should not
886  * be used during the interactive session.
887  */
888 
889 int
890 packet_read_seqnr(u_int32_t *seqnr_p)
891 {
892 	int type, len;
893 	fd_set *setp;
894 	char buf[8192];
895 	DBG(debug("packet_read()"));
896 
897 	setp = (fd_set *)xcalloc(howmany(connection_in+1, NFDBITS),
898 	    sizeof(fd_mask));
899 
900 	/* Since we are blocking, ensure that all written packets have been sent. */
901 	packet_write_wait();
902 
903 	/* Stay in the loop until we have received a complete packet. */
904 	for (;;) {
905 		/* Try to read a packet from the buffer. */
906 		type = packet_read_poll_seqnr(seqnr_p);
907 		if (!compat20 && (
908 		    type == SSH_SMSG_SUCCESS
909 		    || type == SSH_SMSG_FAILURE
910 		    || type == SSH_CMSG_EOF
911 		    || type == SSH_CMSG_EXIT_CONFIRMATION))
912 			packet_check_eom();
913 		/* If we got a packet, return it. */
914 		if (type != SSH_MSG_NONE) {
915 			xfree(setp);
916 			return type;
917 		}
918 		/*
919 		 * Otherwise, wait for some data to arrive, add it to the
920 		 * buffer, and try again.
921 		 */
922 		memset(setp, 0, howmany(connection_in + 1, NFDBITS) *
923 		    sizeof(fd_mask));
924 		FD_SET(connection_in, setp);
925 
926 		/* Wait for some data to arrive. */
927 		while (select(connection_in + 1, setp, NULL, NULL, NULL) == -1 &&
928 		    (errno == EAGAIN || errno == EINTR))
929 			;
930 
931 		/* Read data from the socket. */
932 		len = read(connection_in, buf, sizeof(buf));
933 		if (len == 0) {
934 			logit("Connection closed by %.200s", get_remote_ipaddr());
935 			cleanup_exit(255);
936 		}
937 		if (len < 0)
938 			fatal("Read from socket failed: %.100s", strerror(errno));
939 		/* Append it to the buffer. */
940 		packet_process_incoming(buf, len);
941 	}
942 	/* NOTREACHED */
943 }
944 
945 int
946 packet_read(void)
947 {
948 	return packet_read_seqnr(NULL);
949 }
950 
951 /*
952  * Waits until a packet has been received, verifies that its type matches
953  * that given, and gives a fatal error and exits if there is a mismatch.
954  */
955 
956 void
957 packet_read_expect(int expected_type)
958 {
959 	int type;
960 
961 	type = packet_read();
962 	if (type != expected_type)
963 		packet_disconnect("Protocol error: expected packet type %d, got %d",
964 		    expected_type, type);
965 }
966 
967 /* Checks if a full packet is available in the data received so far via
968  * packet_process_incoming.  If so, reads the packet; otherwise returns
969  * SSH_MSG_NONE.  This does not wait for data from the connection.
970  *
971  * SSH_MSG_DISCONNECT is handled specially here.  Also,
972  * SSH_MSG_IGNORE messages are skipped by this function and are never returned
973  * to higher levels.
974  */
975 
976 static int
977 packet_read_poll1(void)
978 {
979 	u_int len, padded_len;
980 	u_char *cp, type;
981 	u_int checksum, stored_checksum;
982 
983 	/* Check if input size is less than minimum packet size. */
984 	if (buffer_len(&input) < 4 + 8)
985 		return SSH_MSG_NONE;
986 	/* Get length of incoming packet. */
987 	cp = buffer_ptr(&input);
988 	len = get_u32(cp);
989 	if (len < 1 + 2 + 2 || len > 256 * 1024)
990 		packet_disconnect("Bad packet length %u.", len);
991 	padded_len = (len + 8) & ~7;
992 
993 	/* Check if the packet has been entirely received. */
994 	if (buffer_len(&input) < 4 + padded_len)
995 		return SSH_MSG_NONE;
996 
997 	/* The entire packet is in buffer. */
998 
999 	/* Consume packet length. */
1000 	buffer_consume(&input, 4);
1001 
1002 	/*
1003 	 * Cryptographic attack detector for ssh
1004 	 * (C)1998 CORE-SDI, Buenos Aires Argentina
1005 	 * Ariel Futoransky(futo@core-sdi.com)
1006 	 */
1007 	if (!receive_context.plaintext) {
1008 		switch (detect_attack(buffer_ptr(&input), padded_len)) {
1009 		case DEATTACK_DETECTED:
1010 			packet_disconnect("crc32 compensation attack: "
1011 			    "network attack detected");
1012 		case DEATTACK_DOS_DETECTED:
1013 			packet_disconnect("deattack denial of "
1014 			    "service detected");
1015 		}
1016 	}
1017 
1018 	/* Decrypt data to incoming_packet. */
1019 	buffer_clear(&incoming_packet);
1020 	cp = buffer_append_space(&incoming_packet, padded_len);
1021 	cipher_crypt(&receive_context, cp, buffer_ptr(&input), padded_len);
1022 
1023 	buffer_consume(&input, padded_len);
1024 
1025 #ifdef PACKET_DEBUG
1026 	fprintf(stderr, "read_poll plain: ");
1027 	buffer_dump(&incoming_packet);
1028 #endif
1029 
1030 	/* Compute packet checksum. */
1031 	checksum = ssh_crc32(buffer_ptr(&incoming_packet),
1032 	    buffer_len(&incoming_packet) - 4);
1033 
1034 	/* Skip padding. */
1035 	buffer_consume(&incoming_packet, 8 - len % 8);
1036 
1037 	/* Test check bytes. */
1038 	if (len != buffer_len(&incoming_packet))
1039 		packet_disconnect("packet_read_poll1: len %d != buffer_len %d.",
1040 		    len, buffer_len(&incoming_packet));
1041 
1042 	cp = (u_char *)buffer_ptr(&incoming_packet) + len - 4;
1043 	stored_checksum = get_u32(cp);
1044 	if (checksum != stored_checksum)
1045 		packet_disconnect("Corrupted check bytes on input.");
1046 	buffer_consume_end(&incoming_packet, 4);
1047 
1048 	if (packet_compression) {
1049 		buffer_clear(&compression_buffer);
1050 		buffer_uncompress(&incoming_packet, &compression_buffer);
1051 		buffer_clear(&incoming_packet);
1052 		buffer_append(&incoming_packet, buffer_ptr(&compression_buffer),
1053 		    buffer_len(&compression_buffer));
1054 	}
1055 	type = buffer_get_char(&incoming_packet);
1056 	if (type < SSH_MSG_MIN || type > SSH_MSG_MAX)
1057 		packet_disconnect("Invalid ssh1 packet type: %d", type);
1058 	return type;
1059 }
1060 
1061 static int
1062 packet_read_poll2(u_int32_t *seqnr_p)
1063 {
1064 	static u_int packet_length = 0;
1065 	u_int padlen, need;
1066 	u_char *macbuf, *cp, type;
1067 	u_int maclen, block_size;
1068 	Enc *enc   = NULL;
1069 	Mac *mac   = NULL;
1070 	Comp *comp = NULL;
1071 
1072 	if (newkeys[MODE_IN] != NULL) {
1073 		enc  = &newkeys[MODE_IN]->enc;
1074 		mac  = &newkeys[MODE_IN]->mac;
1075 		comp = &newkeys[MODE_IN]->comp;
1076 	}
1077 	maclen = mac && mac->enabled ? mac->mac_len : 0;
1078 	block_size = enc ? enc->block_size : 8;
1079 
1080 	if (packet_length == 0) {
1081 		/*
1082 		 * check if input size is less than the cipher block size,
1083 		 * decrypt first block and extract length of incoming packet
1084 		 */
1085 		if (buffer_len(&input) < block_size)
1086 			return SSH_MSG_NONE;
1087 		buffer_clear(&incoming_packet);
1088 		cp = buffer_append_space(&incoming_packet, block_size);
1089 		cipher_crypt(&receive_context, cp, buffer_ptr(&input),
1090 		    block_size);
1091 		cp = buffer_ptr(&incoming_packet);
1092 		packet_length = get_u32(cp);
1093 		if (packet_length < 1 + 4 || packet_length > 256 * 1024) {
1094 #ifdef PACKET_DEBUG
1095 			buffer_dump(&incoming_packet);
1096 #endif
1097 			packet_disconnect("Bad packet length %u.", packet_length);
1098 		}
1099 		DBG(debug("input: packet len %u", packet_length+4));
1100 		buffer_consume(&input, block_size);
1101 	}
1102 	/* we have a partial packet of block_size bytes */
1103 	need = 4 + packet_length - block_size;
1104 	DBG(debug("partial packet %d, need %d, maclen %d", block_size,
1105 	    need, maclen));
1106 	if (need % block_size != 0)
1107 		fatal("padding error: need %d block %d mod %d",
1108 		    need, block_size, need % block_size);
1109 	/*
1110 	 * check if the entire packet has been received and
1111 	 * decrypt into incoming_packet
1112 	 */
1113 	if (buffer_len(&input) < need + maclen)
1114 		return SSH_MSG_NONE;
1115 #ifdef PACKET_DEBUG
1116 	fprintf(stderr, "read_poll enc/full: ");
1117 	buffer_dump(&input);
1118 #endif
1119 	cp = buffer_append_space(&incoming_packet, need);
1120 	cipher_crypt(&receive_context, cp, buffer_ptr(&input), need);
1121 	buffer_consume(&input, need);
1122 	/*
1123 	 * compute MAC over seqnr and packet,
1124 	 * increment sequence number for incoming packet
1125 	 */
1126 	if (mac && mac->enabled) {
1127 		macbuf = mac_compute(mac, p_read.seqnr,
1128 		    buffer_ptr(&incoming_packet),
1129 		    buffer_len(&incoming_packet));
1130 		if (memcmp(macbuf, buffer_ptr(&input), mac->mac_len) != 0)
1131 			packet_disconnect("Corrupted MAC on input.");
1132 		DBG(debug("MAC #%d ok", p_read.seqnr));
1133 		buffer_consume(&input, mac->mac_len);
1134 	}
1135 	if (seqnr_p != NULL)
1136 		*seqnr_p = p_read.seqnr;
1137 	if (++p_read.seqnr == 0)
1138 		logit("incoming seqnr wraps around");
1139 	if (++p_read.packets == 0)
1140 		if (!(datafellows & SSH_BUG_NOREKEY))
1141 			fatal("XXX too many packets with same key");
1142 	p_read.blocks += (packet_length + 4) / block_size;
1143 
1144 	/* get padlen */
1145 	cp = buffer_ptr(&incoming_packet);
1146 	padlen = cp[4];
1147 	DBG(debug("input: padlen %d", padlen));
1148 	if (padlen < 4)
1149 		packet_disconnect("Corrupted padlen %d on input.", padlen);
1150 
1151 	/* skip packet size + padlen, discard padding */
1152 	buffer_consume(&incoming_packet, 4 + 1);
1153 	buffer_consume_end(&incoming_packet, padlen);
1154 
1155 	DBG(debug("input: len before de-compress %d", buffer_len(&incoming_packet)));
1156 	if (comp && comp->enabled) {
1157 		buffer_clear(&compression_buffer);
1158 		buffer_uncompress(&incoming_packet, &compression_buffer);
1159 		buffer_clear(&incoming_packet);
1160 		buffer_append(&incoming_packet, buffer_ptr(&compression_buffer),
1161 		    buffer_len(&compression_buffer));
1162 		DBG(debug("input: len after de-compress %d",
1163 		    buffer_len(&incoming_packet)));
1164 	}
1165 	/*
1166 	 * get packet type, implies consume.
1167 	 * return length of payload (without type field)
1168 	 */
1169 	type = buffer_get_char(&incoming_packet);
1170 	if (type < SSH2_MSG_MIN || type >= SSH2_MSG_LOCAL_MIN)
1171 		packet_disconnect("Invalid ssh2 packet type: %d", type);
1172 	if (type == SSH2_MSG_NEWKEYS)
1173 		set_newkeys(MODE_IN);
1174 	else if (type == SSH2_MSG_USERAUTH_SUCCESS && !server_side)
1175 		packet_enable_delayed_compress();
1176 #ifdef PACKET_DEBUG
1177 	fprintf(stderr, "read/plain[%d]:\r\n", type);
1178 	buffer_dump(&incoming_packet);
1179 #endif
1180 	/* reset for next packet */
1181 	packet_length = 0;
1182 	return type;
1183 }
1184 
1185 int
1186 packet_read_poll_seqnr(u_int32_t *seqnr_p)
1187 {
1188 	u_int reason, seqnr;
1189 	u_char type;
1190 	char *msg;
1191 
1192 	for (;;) {
1193 		if (compat20) {
1194 			type = packet_read_poll2(seqnr_p);
1195 			if (type)
1196 				DBG(debug("received packet type %d", type));
1197 			switch (type) {
1198 			case SSH2_MSG_IGNORE:
1199 				break;
1200 			case SSH2_MSG_DEBUG:
1201 				packet_get_char();
1202 				msg = packet_get_string(NULL);
1203 				debug("Remote: %.900s", msg);
1204 				xfree(msg);
1205 				msg = packet_get_string(NULL);
1206 				xfree(msg);
1207 				break;
1208 			case SSH2_MSG_DISCONNECT:
1209 				reason = packet_get_int();
1210 				msg = packet_get_string(NULL);
1211 				logit("Received disconnect from %s: %u: %.400s",
1212 				    get_remote_ipaddr(), reason, msg);
1213 				xfree(msg);
1214 				cleanup_exit(255);
1215 				break;
1216 			case SSH2_MSG_UNIMPLEMENTED:
1217 				seqnr = packet_get_int();
1218 				debug("Received SSH2_MSG_UNIMPLEMENTED for %u",
1219 				    seqnr);
1220 				break;
1221 			default:
1222 				return type;
1223 			}
1224 		} else {
1225 			type = packet_read_poll1();
1226 			switch (type) {
1227 			case SSH_MSG_IGNORE:
1228 				break;
1229 			case SSH_MSG_DEBUG:
1230 				msg = packet_get_string(NULL);
1231 				debug("Remote: %.900s", msg);
1232 				xfree(msg);
1233 				break;
1234 			case SSH_MSG_DISCONNECT:
1235 				msg = packet_get_string(NULL);
1236 				logit("Received disconnect from %s: %.400s",
1237 				    get_remote_ipaddr(), msg);
1238 				cleanup_exit(255);
1239 				xfree(msg);
1240 				break;
1241 			default:
1242 				if (type)
1243 					DBG(debug("received packet type %d", type));
1244 				return type;
1245 			}
1246 		}
1247 	}
1248 }
1249 
1250 int
1251 packet_read_poll(void)
1252 {
1253 	return packet_read_poll_seqnr(NULL);
1254 }
1255 
1256 /*
1257  * Buffers the given amount of input characters.  This is intended to be used
1258  * together with packet_read_poll.
1259  */
1260 
1261 void
1262 packet_process_incoming(const char *buf, u_int len)
1263 {
1264 	buffer_append(&input, buf, len);
1265 }
1266 
1267 /* Returns a character from the packet. */
1268 
1269 u_int
1270 packet_get_char(void)
1271 {
1272 	char ch;
1273 
1274 	buffer_get(&incoming_packet, &ch, 1);
1275 	return (u_char) ch;
1276 }
1277 
1278 /* Returns an integer from the packet data. */
1279 
1280 u_int
1281 packet_get_int(void)
1282 {
1283 	return buffer_get_int(&incoming_packet);
1284 }
1285 
1286 /*
1287  * Returns an arbitrary precision integer from the packet data.  The integer
1288  * must have been initialized before this call.
1289  */
1290 
1291 void
1292 packet_get_bignum(BIGNUM * value)
1293 {
1294 	buffer_get_bignum(&incoming_packet, value);
1295 }
1296 
1297 void
1298 packet_get_bignum2(BIGNUM * value)
1299 {
1300 	buffer_get_bignum2(&incoming_packet, value);
1301 }
1302 
1303 void *
1304 packet_get_raw(u_int *length_ptr)
1305 {
1306 	u_int bytes = buffer_len(&incoming_packet);
1307 
1308 	if (length_ptr != NULL)
1309 		*length_ptr = bytes;
1310 	return buffer_ptr(&incoming_packet);
1311 }
1312 
1313 int
1314 packet_remaining(void)
1315 {
1316 	return buffer_len(&incoming_packet);
1317 }
1318 
1319 /*
1320  * Returns a string from the packet data.  The string is allocated using
1321  * xmalloc; it is the responsibility of the calling program to free it when
1322  * no longer needed.  The length_ptr argument may be NULL, or point to an
1323  * integer into which the length of the string is stored.
1324  */
1325 
1326 void *
1327 packet_get_string(u_int *length_ptr)
1328 {
1329 	return buffer_get_string(&incoming_packet, length_ptr);
1330 }
1331 
1332 /*
1333  * Sends a diagnostic message from the server to the client.  This message
1334  * can be sent at any time (but not while constructing another message). The
1335  * message is printed immediately, but only if the client is being executed
1336  * in verbose mode.  These messages are primarily intended to ease debugging
1337  * authentication problems.   The length of the formatted message must not
1338  * exceed 1024 bytes.  This will automatically call packet_write_wait.
1339  */
1340 
1341 void
1342 packet_send_debug(const char *fmt,...)
1343 {
1344 	char buf[1024];
1345 	va_list args;
1346 
1347 	if (compat20 && (datafellows & SSH_BUG_DEBUG))
1348 		return;
1349 
1350 	va_start(args, fmt);
1351 	vsnprintf(buf, sizeof(buf), fmt, args);
1352 	va_end(args);
1353 
1354 	if (compat20) {
1355 		packet_start(SSH2_MSG_DEBUG);
1356 		packet_put_char(0);	/* bool: always display */
1357 		packet_put_cstring(buf);
1358 		packet_put_cstring("");
1359 	} else {
1360 		packet_start(SSH_MSG_DEBUG);
1361 		packet_put_cstring(buf);
1362 	}
1363 	packet_send();
1364 	packet_write_wait();
1365 }
1366 
1367 /*
1368  * Logs the error plus constructs and sends a disconnect packet, closes the
1369  * connection, and exits.  This function never returns. The error message
1370  * should not contain a newline.  The length of the formatted message must
1371  * not exceed 1024 bytes.
1372  */
1373 
1374 void
1375 packet_disconnect(const char *fmt,...)
1376 {
1377 	char buf[1024];
1378 	va_list args;
1379 	static int disconnecting = 0;
1380 
1381 	if (disconnecting)	/* Guard against recursive invocations. */
1382 		fatal("packet_disconnect called recursively.");
1383 	disconnecting = 1;
1384 
1385 	/*
1386 	 * Format the message.  Note that the caller must make sure the
1387 	 * message is of limited size.
1388 	 */
1389 	va_start(args, fmt);
1390 	vsnprintf(buf, sizeof(buf), fmt, args);
1391 	va_end(args);
1392 
1393 	/* Display the error locally */
1394 	logit("Disconnecting: %.100s", buf);
1395 
1396 	/* Send the disconnect message to the other side, and wait for it to get sent. */
1397 	if (compat20) {
1398 		packet_start(SSH2_MSG_DISCONNECT);
1399 		packet_put_int(SSH2_DISCONNECT_PROTOCOL_ERROR);
1400 		packet_put_cstring(buf);
1401 		packet_put_cstring("");
1402 	} else {
1403 		packet_start(SSH_MSG_DISCONNECT);
1404 		packet_put_cstring(buf);
1405 	}
1406 	packet_send();
1407 	packet_write_wait();
1408 
1409 	/* Stop listening for connections. */
1410 	channel_close_all();
1411 
1412 	/* Close the connection. */
1413 	packet_close();
1414 	cleanup_exit(255);
1415 }
1416 
1417 /* Checks if there is any buffered output, and tries to write some of the output. */
1418 
1419 void
1420 packet_write_poll(void)
1421 {
1422 	int len = buffer_len(&output);
1423 
1424 	if (len > 0) {
1425 		len = write(connection_out, buffer_ptr(&output), len);
1426 		if (len <= 0) {
1427 			if (errno == EAGAIN)
1428 				return;
1429 			else
1430 				fatal("Write failed: %.100s", strerror(errno));
1431 		}
1432 		buffer_consume(&output, len);
1433 	}
1434 }
1435 
1436 /*
1437  * Calls packet_write_poll repeatedly until all pending output data has been
1438  * written.
1439  */
1440 
1441 void
1442 packet_write_wait(void)
1443 {
1444 	fd_set *setp;
1445 
1446 	setp = (fd_set *)xcalloc(howmany(connection_out + 1, NFDBITS),
1447 	    sizeof(fd_mask));
1448 	packet_write_poll();
1449 	while (packet_have_data_to_write()) {
1450 		memset(setp, 0, howmany(connection_out + 1, NFDBITS) *
1451 		    sizeof(fd_mask));
1452 		FD_SET(connection_out, setp);
1453 		while (select(connection_out + 1, NULL, setp, NULL, NULL) == -1 &&
1454 		    (errno == EAGAIN || errno == EINTR))
1455 			;
1456 		packet_write_poll();
1457 	}
1458 	xfree(setp);
1459 }
1460 
1461 /* Returns true if there is buffered data to write to the connection. */
1462 
1463 int
1464 packet_have_data_to_write(void)
1465 {
1466 	return buffer_len(&output) != 0;
1467 }
1468 
1469 /* Returns true if there is not too much data to write to the connection. */
1470 
1471 int
1472 packet_not_very_much_data_to_write(void)
1473 {
1474 	if (interactive_mode)
1475 		return buffer_len(&output) < 16384;
1476 	else
1477 		return buffer_len(&output) < 128 * 1024;
1478 }
1479 
1480 
1481 static void
1482 packet_set_tos(int interactive)
1483 {
1484 #if defined(IP_TOS) && !defined(IP_TOS_IS_BROKEN)
1485 	int tos = interactive ? IPTOS_LOWDELAY : IPTOS_THROUGHPUT;
1486 
1487 	if (!packet_connection_is_on_socket() ||
1488 	    !packet_connection_is_ipv4())
1489 		return;
1490 	if (setsockopt(connection_in, IPPROTO_IP, IP_TOS, &tos,
1491 	    sizeof(tos)) < 0)
1492 		error("setsockopt IP_TOS %d: %.100s:",
1493 		    tos, strerror(errno));
1494 #endif
1495 }
1496 
1497 /* Informs that the current session is interactive.  Sets IP flags for that. */
1498 
1499 void
1500 packet_set_interactive(int interactive)
1501 {
1502 	static int called = 0;
1503 
1504 	if (called)
1505 		return;
1506 	called = 1;
1507 
1508 	/* Record that we are in interactive mode. */
1509 	interactive_mode = interactive;
1510 
1511 	/* Only set socket options if using a socket.  */
1512 	if (!packet_connection_is_on_socket())
1513 		return;
1514 	set_nodelay(connection_in);
1515 	packet_set_tos(interactive);
1516 }
1517 
1518 /* Returns true if the current connection is interactive. */
1519 
1520 int
1521 packet_is_interactive(void)
1522 {
1523 	return interactive_mode;
1524 }
1525 
1526 int
1527 packet_set_maxsize(u_int s)
1528 {
1529 	static int called = 0;
1530 
1531 	if (called) {
1532 		logit("packet_set_maxsize: called twice: old %d new %d",
1533 		    max_packet_size, s);
1534 		return -1;
1535 	}
1536 	if (s < 4 * 1024 || s > 1024 * 1024) {
1537 		logit("packet_set_maxsize: bad size %d", s);
1538 		return -1;
1539 	}
1540 	called = 1;
1541 	debug("packet_set_maxsize: setting to %d", s);
1542 	max_packet_size = s;
1543 	return s;
1544 }
1545 
1546 /* roundup current message to pad bytes */
1547 void
1548 packet_add_padding(u_char pad)
1549 {
1550 	extra_pad = pad;
1551 }
1552 
1553 /*
1554  * 9.2.  Ignored Data Message
1555  *
1556  *   byte      SSH_MSG_IGNORE
1557  *   string    data
1558  *
1559  * All implementations MUST understand (and ignore) this message at any
1560  * time (after receiving the protocol version). No implementation is
1561  * required to send them. This message can be used as an additional
1562  * protection measure against advanced traffic analysis techniques.
1563  */
1564 void
1565 packet_send_ignore(int nbytes)
1566 {
1567 	u_int32_t rnd = 0;
1568 	int i;
1569 
1570 	packet_start(compat20 ? SSH2_MSG_IGNORE : SSH_MSG_IGNORE);
1571 	packet_put_int(nbytes);
1572 	for (i = 0; i < nbytes; i++) {
1573 		if (i % 4 == 0)
1574 			rnd = arc4random();
1575 		packet_put_char((u_char)rnd & 0xff);
1576 		rnd >>= 8;
1577 	}
1578 }
1579 
1580 #define MAX_PACKETS	(1U<<31)
1581 int
1582 packet_need_rekeying(void)
1583 {
1584 	if (datafellows & SSH_BUG_NOREKEY)
1585 		return 0;
1586 	return
1587 	    (p_send.packets > MAX_PACKETS) ||
1588 	    (p_read.packets > MAX_PACKETS) ||
1589 	    (max_blocks_out && (p_send.blocks > max_blocks_out)) ||
1590 	    (max_blocks_in  && (p_read.blocks > max_blocks_in));
1591 }
1592 
1593 void
1594 packet_set_rekey_limit(u_int32_t bytes)
1595 {
1596 	rekey_limit = bytes;
1597 }
1598 
1599 void
1600 packet_set_server(void)
1601 {
1602 	server_side = 1;
1603 }
1604 
1605 void
1606 packet_set_authenticated(void)
1607 {
1608 	after_authentication = 1;
1609 }
1610