xref: /freebsd/crypto/openssh/packet.c (revision 32100375a661c1e16588ddfa7b90ca8d26cb9786)
1 /* $OpenBSD: packet.c,v 1.277 2018/07/16 03:09:13 djm Exp $ */
2 /*
3  * Author: Tatu Ylonen <ylo@cs.hut.fi>
4  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
5  *                    All rights reserved
6  * This file contains code implementing the packet protocol and communication
7  * with the other side.  This same code is used both on client and server side.
8  *
9  * As far as I am concerned, the code I have written for this software
10  * can be used freely for any purpose.  Any derived versions of this
11  * software must be clearly marked as such, and if the derived work is
12  * incompatible with the protocol description in the RFC file, it must be
13  * called by a name other than "ssh" or "Secure Shell".
14  *
15  *
16  * SSH2 packet format added by Markus Friedl.
17  * Copyright (c) 2000, 2001 Markus Friedl.  All rights reserved.
18  *
19  * Redistribution and use in source and binary forms, with or without
20  * modification, are permitted provided that the following conditions
21  * are met:
22  * 1. Redistributions of source code must retain the above copyright
23  *    notice, this list of conditions and the following disclaimer.
24  * 2. Redistributions in binary form must reproduce the above copyright
25  *    notice, this list of conditions and the following disclaimer in the
26  *    documentation and/or other materials provided with the distribution.
27  *
28  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
29  * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
30  * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
31  * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
32  * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
33  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
34  * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
35  * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
36  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
37  * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
38  */
39 
40 #include "includes.h"
41 __RCSID("$FreeBSD$");
42 
43 #include <sys/types.h>
44 #include "openbsd-compat/sys-queue.h"
45 #include <sys/socket.h>
46 #ifdef HAVE_SYS_TIME_H
47 # include <sys/time.h>
48 #endif
49 
50 #include <netinet/in.h>
51 #include <netinet/ip.h>
52 #include <arpa/inet.h>
53 
54 #include <errno.h>
55 #include <netdb.h>
56 #include <stdarg.h>
57 #include <stdio.h>
58 #include <stdlib.h>
59 #include <string.h>
60 #include <unistd.h>
61 #include <limits.h>
62 #include <signal.h>
63 #include <time.h>
64 
65 /*
66  * Explicitly include OpenSSL before zlib as some versions of OpenSSL have
67  * "free_func" in their headers, which zlib typedefs.
68  */
69 #ifdef WITH_OPENSSL
70 # include <openssl/bn.h>
71 # include <openssl/evp.h>
72 # ifdef OPENSSL_HAS_ECC
73 #  include <openssl/ec.h>
74 # endif
75 #endif
76 
77 #include <zlib.h>
78 
79 #include "xmalloc.h"
80 #include "crc32.h"
81 #include "compat.h"
82 #include "ssh2.h"
83 #include "cipher.h"
84 #include "sshkey.h"
85 #include "kex.h"
86 #include "digest.h"
87 #include "mac.h"
88 #include "log.h"
89 #include "canohost.h"
90 #include "misc.h"
91 #include "channels.h"
92 #include "ssh.h"
93 #include "packet.h"
94 #include "ssherr.h"
95 #include "sshbuf.h"
96 #include "blacklist_client.h"
97 
98 #ifdef PACKET_DEBUG
99 #define DBG(x) x
100 #else
101 #define DBG(x)
102 #endif
103 
104 #define PACKET_MAX_SIZE (256 * 1024)
105 
106 struct packet_state {
107 	u_int32_t seqnr;
108 	u_int32_t packets;
109 	u_int64_t blocks;
110 	u_int64_t bytes;
111 };
112 
113 struct packet {
114 	TAILQ_ENTRY(packet) next;
115 	u_char type;
116 	struct sshbuf *payload;
117 };
118 
119 struct session_state {
120 	/*
121 	 * This variable contains the file descriptors used for
122 	 * communicating with the other side.  connection_in is used for
123 	 * reading; connection_out for writing.  These can be the same
124 	 * descriptor, in which case it is assumed to be a socket.
125 	 */
126 	int connection_in;
127 	int connection_out;
128 
129 	/* Protocol flags for the remote side. */
130 	u_int remote_protocol_flags;
131 
132 	/* Encryption context for receiving data.  Only used for decryption. */
133 	struct sshcipher_ctx *receive_context;
134 
135 	/* Encryption context for sending data.  Only used for encryption. */
136 	struct sshcipher_ctx *send_context;
137 
138 	/* Buffer for raw input data from the socket. */
139 	struct sshbuf *input;
140 
141 	/* Buffer for raw output data going to the socket. */
142 	struct sshbuf *output;
143 
144 	/* Buffer for the partial outgoing packet being constructed. */
145 	struct sshbuf *outgoing_packet;
146 
147 	/* Buffer for the incoming packet currently being processed. */
148 	struct sshbuf *incoming_packet;
149 
150 	/* Scratch buffer for packet compression/decompression. */
151 	struct sshbuf *compression_buffer;
152 
153 	/* Incoming/outgoing compression dictionaries */
154 	z_stream compression_in_stream;
155 	z_stream compression_out_stream;
156 	int compression_in_started;
157 	int compression_out_started;
158 	int compression_in_failures;
159 	int compression_out_failures;
160 
161 	/* default maximum packet size */
162 	u_int max_packet_size;
163 
164 	/* Flag indicating whether this module has been initialized. */
165 	int initialized;
166 
167 	/* Set to true if the connection is interactive. */
168 	int interactive_mode;
169 
170 	/* Set to true if we are the server side. */
171 	int server_side;
172 
173 	/* Set to true if we are authenticated. */
174 	int after_authentication;
175 
176 	int keep_alive_timeouts;
177 
178 	/* The maximum time that we will wait to send or receive a packet */
179 	int packet_timeout_ms;
180 
181 	/* Session key information for Encryption and MAC */
182 	struct newkeys *newkeys[MODE_MAX];
183 	struct packet_state p_read, p_send;
184 
185 	/* Volume-based rekeying */
186 	u_int64_t max_blocks_in, max_blocks_out, rekey_limit;
187 
188 	/* Time-based rekeying */
189 	u_int32_t rekey_interval;	/* how often in seconds */
190 	time_t rekey_time;	/* time of last rekeying */
191 
192 	/* roundup current message to extra_pad bytes */
193 	u_char extra_pad;
194 
195 	/* XXX discard incoming data after MAC error */
196 	u_int packet_discard;
197 	size_t packet_discard_mac_already;
198 	struct sshmac *packet_discard_mac;
199 
200 	/* Used in packet_read_poll2() */
201 	u_int packlen;
202 
203 	/* Used in packet_send2 */
204 	int rekeying;
205 
206 	/* Used in ssh_packet_send_mux() */
207 	int mux;
208 
209 	/* Used in packet_set_interactive */
210 	int set_interactive_called;
211 
212 	/* Used in packet_set_maxsize */
213 	int set_maxsize_called;
214 
215 	/* One-off warning about weak ciphers */
216 	int cipher_warning_done;
217 
218 	/* Hook for fuzzing inbound packets */
219 	ssh_packet_hook_fn *hook_in;
220 	void *hook_in_ctx;
221 
222 	TAILQ_HEAD(, packet) outgoing;
223 };
224 
225 struct ssh *
226 ssh_alloc_session_state(void)
227 {
228 	struct ssh *ssh = NULL;
229 	struct session_state *state = NULL;
230 
231 	if ((ssh = calloc(1, sizeof(*ssh))) == NULL ||
232 	    (state = calloc(1, sizeof(*state))) == NULL ||
233 	    (state->input = sshbuf_new()) == NULL ||
234 	    (state->output = sshbuf_new()) == NULL ||
235 	    (state->outgoing_packet = sshbuf_new()) == NULL ||
236 	    (state->incoming_packet = sshbuf_new()) == NULL)
237 		goto fail;
238 	TAILQ_INIT(&state->outgoing);
239 	TAILQ_INIT(&ssh->private_keys);
240 	TAILQ_INIT(&ssh->public_keys);
241 	state->connection_in = -1;
242 	state->connection_out = -1;
243 	state->max_packet_size = 32768;
244 	state->packet_timeout_ms = -1;
245 	state->p_send.packets = state->p_read.packets = 0;
246 	state->initialized = 1;
247 	/*
248 	 * ssh_packet_send2() needs to queue packets until
249 	 * we've done the initial key exchange.
250 	 */
251 	state->rekeying = 1;
252 	ssh->state = state;
253 	return ssh;
254  fail:
255 	if (state) {
256 		sshbuf_free(state->input);
257 		sshbuf_free(state->output);
258 		sshbuf_free(state->incoming_packet);
259 		sshbuf_free(state->outgoing_packet);
260 		free(state);
261 	}
262 	free(ssh);
263 	return NULL;
264 }
265 
266 void
267 ssh_packet_set_input_hook(struct ssh *ssh, ssh_packet_hook_fn *hook, void *ctx)
268 {
269 	ssh->state->hook_in = hook;
270 	ssh->state->hook_in_ctx = ctx;
271 }
272 
273 /* Returns nonzero if rekeying is in progress */
274 int
275 ssh_packet_is_rekeying(struct ssh *ssh)
276 {
277 	return ssh->state->rekeying ||
278 	    (ssh->kex != NULL && ssh->kex->done == 0);
279 }
280 
281 /*
282  * Sets the descriptors used for communication.
283  */
284 struct ssh *
285 ssh_packet_set_connection(struct ssh *ssh, int fd_in, int fd_out)
286 {
287 	struct session_state *state;
288 	const struct sshcipher *none = cipher_by_name("none");
289 	int r;
290 
291 	if (none == NULL) {
292 		error("%s: cannot load cipher 'none'", __func__);
293 		return NULL;
294 	}
295 	if (ssh == NULL)
296 		ssh = ssh_alloc_session_state();
297 	if (ssh == NULL) {
298 		error("%s: cound not allocate state", __func__);
299 		return NULL;
300 	}
301 	state = ssh->state;
302 	state->connection_in = fd_in;
303 	state->connection_out = fd_out;
304 	if ((r = cipher_init(&state->send_context, none,
305 	    (const u_char *)"", 0, NULL, 0, CIPHER_ENCRYPT)) != 0 ||
306 	    (r = cipher_init(&state->receive_context, none,
307 	    (const u_char *)"", 0, NULL, 0, CIPHER_DECRYPT)) != 0) {
308 		error("%s: cipher_init failed: %s", __func__, ssh_err(r));
309 		free(ssh); /* XXX need ssh_free_session_state? */
310 		return NULL;
311 	}
312 	state->newkeys[MODE_IN] = state->newkeys[MODE_OUT] = NULL;
313 	/*
314 	 * Cache the IP address of the remote connection for use in error
315 	 * messages that might be generated after the connection has closed.
316 	 */
317 	(void)ssh_remote_ipaddr(ssh);
318 	return ssh;
319 }
320 
321 void
322 ssh_packet_set_timeout(struct ssh *ssh, int timeout, int count)
323 {
324 	struct session_state *state = ssh->state;
325 
326 	if (timeout <= 0 || count <= 0) {
327 		state->packet_timeout_ms = -1;
328 		return;
329 	}
330 	if ((INT_MAX / 1000) / count < timeout)
331 		state->packet_timeout_ms = INT_MAX;
332 	else
333 		state->packet_timeout_ms = timeout * count * 1000;
334 }
335 
336 void
337 ssh_packet_set_mux(struct ssh *ssh)
338 {
339 	ssh->state->mux = 1;
340 	ssh->state->rekeying = 0;
341 }
342 
343 int
344 ssh_packet_get_mux(struct ssh *ssh)
345 {
346 	return ssh->state->mux;
347 }
348 
349 int
350 ssh_packet_set_log_preamble(struct ssh *ssh, const char *fmt, ...)
351 {
352 	va_list args;
353 	int r;
354 
355 	free(ssh->log_preamble);
356 	if (fmt == NULL)
357 		ssh->log_preamble = NULL;
358 	else {
359 		va_start(args, fmt);
360 		r = vasprintf(&ssh->log_preamble, fmt, args);
361 		va_end(args);
362 		if (r < 0 || ssh->log_preamble == NULL)
363 			return SSH_ERR_ALLOC_FAIL;
364 	}
365 	return 0;
366 }
367 
368 int
369 ssh_packet_stop_discard(struct ssh *ssh)
370 {
371 	struct session_state *state = ssh->state;
372 	int r;
373 
374 	if (state->packet_discard_mac) {
375 		char buf[1024];
376 		size_t dlen = PACKET_MAX_SIZE;
377 
378 		if (dlen > state->packet_discard_mac_already)
379 			dlen -= state->packet_discard_mac_already;
380 		memset(buf, 'a', sizeof(buf));
381 		while (sshbuf_len(state->incoming_packet) < dlen)
382 			if ((r = sshbuf_put(state->incoming_packet, buf,
383 			    sizeof(buf))) != 0)
384 				return r;
385 		(void) mac_compute(state->packet_discard_mac,
386 		    state->p_read.seqnr,
387 		    sshbuf_ptr(state->incoming_packet), dlen,
388 		    NULL, 0);
389 	}
390 	logit("Finished discarding for %.200s port %d",
391 	    ssh_remote_ipaddr(ssh), ssh_remote_port(ssh));
392 	return SSH_ERR_MAC_INVALID;
393 }
394 
395 static int
396 ssh_packet_start_discard(struct ssh *ssh, struct sshenc *enc,
397     struct sshmac *mac, size_t mac_already, u_int discard)
398 {
399 	struct session_state *state = ssh->state;
400 	int r;
401 
402 	if (enc == NULL || !cipher_is_cbc(enc->cipher) || (mac && mac->etm)) {
403 		if ((r = sshpkt_disconnect(ssh, "Packet corrupt")) != 0)
404 			return r;
405 		return SSH_ERR_MAC_INVALID;
406 	}
407 	/*
408 	 * Record number of bytes over which the mac has already
409 	 * been computed in order to minimize timing attacks.
410 	 */
411 	if (mac && mac->enabled) {
412 		state->packet_discard_mac = mac;
413 		state->packet_discard_mac_already = mac_already;
414 	}
415 	if (sshbuf_len(state->input) >= discard)
416 		return ssh_packet_stop_discard(ssh);
417 	state->packet_discard = discard - sshbuf_len(state->input);
418 	return 0;
419 }
420 
421 /* Returns 1 if remote host is connected via socket, 0 if not. */
422 
423 int
424 ssh_packet_connection_is_on_socket(struct ssh *ssh)
425 {
426 	struct session_state *state;
427 	struct sockaddr_storage from, to;
428 	socklen_t fromlen, tolen;
429 
430 	if (ssh == NULL || ssh->state == NULL)
431 		return 0;
432 
433 	state = ssh->state;
434 	if (state->connection_in == -1 || state->connection_out == -1)
435 		return 0;
436 	/* filedescriptors in and out are the same, so it's a socket */
437 	if (state->connection_in == state->connection_out)
438 		return 1;
439 	fromlen = sizeof(from);
440 	memset(&from, 0, sizeof(from));
441 	if (getpeername(state->connection_in, (struct sockaddr *)&from,
442 	    &fromlen) < 0)
443 		return 0;
444 	tolen = sizeof(to);
445 	memset(&to, 0, sizeof(to));
446 	if (getpeername(state->connection_out, (struct sockaddr *)&to,
447 	    &tolen) < 0)
448 		return 0;
449 	if (fromlen != tolen || memcmp(&from, &to, fromlen) != 0)
450 		return 0;
451 	if (from.ss_family != AF_INET && from.ss_family != AF_INET6)
452 		return 0;
453 	return 1;
454 }
455 
456 void
457 ssh_packet_get_bytes(struct ssh *ssh, u_int64_t *ibytes, u_int64_t *obytes)
458 {
459 	if (ibytes)
460 		*ibytes = ssh->state->p_read.bytes;
461 	if (obytes)
462 		*obytes = ssh->state->p_send.bytes;
463 }
464 
465 int
466 ssh_packet_connection_af(struct ssh *ssh)
467 {
468 	struct sockaddr_storage to;
469 	socklen_t tolen = sizeof(to);
470 
471 	memset(&to, 0, sizeof(to));
472 	if (getsockname(ssh->state->connection_out, (struct sockaddr *)&to,
473 	    &tolen) < 0)
474 		return 0;
475 #ifdef IPV4_IN_IPV6
476 	if (to.ss_family == AF_INET6 &&
477 	    IN6_IS_ADDR_V4MAPPED(&((struct sockaddr_in6 *)&to)->sin6_addr))
478 		return AF_INET;
479 #endif
480 	return to.ss_family;
481 }
482 
483 /* Sets the connection into non-blocking mode. */
484 
485 void
486 ssh_packet_set_nonblocking(struct ssh *ssh)
487 {
488 	/* Set the socket into non-blocking mode. */
489 	set_nonblock(ssh->state->connection_in);
490 
491 	if (ssh->state->connection_out != ssh->state->connection_in)
492 		set_nonblock(ssh->state->connection_out);
493 }
494 
495 /* Returns the socket used for reading. */
496 
497 int
498 ssh_packet_get_connection_in(struct ssh *ssh)
499 {
500 	return ssh->state->connection_in;
501 }
502 
503 /* Returns the descriptor used for writing. */
504 
505 int
506 ssh_packet_get_connection_out(struct ssh *ssh)
507 {
508 	return ssh->state->connection_out;
509 }
510 
511 /*
512  * Returns the IP-address of the remote host as a string.  The returned
513  * string must not be freed.
514  */
515 
516 const char *
517 ssh_remote_ipaddr(struct ssh *ssh)
518 {
519 	int sock;
520 
521 	/* Check whether we have cached the ipaddr. */
522 	if (ssh->remote_ipaddr == NULL) {
523 		if (ssh_packet_connection_is_on_socket(ssh)) {
524 			sock = ssh->state->connection_in;
525 			ssh->remote_ipaddr = get_peer_ipaddr(sock);
526 			ssh->remote_port = get_peer_port(sock);
527 			ssh->local_ipaddr = get_local_ipaddr(sock);
528 			ssh->local_port = get_local_port(sock);
529 		} else {
530 			ssh->remote_ipaddr = strdup("UNKNOWN");
531 			ssh->remote_port = 65535;
532 			ssh->local_ipaddr = strdup("UNKNOWN");
533 			ssh->local_port = 65535;
534 		}
535 	}
536 	return ssh->remote_ipaddr;
537 }
538 
539 /* Returns the port number of the remote host. */
540 
541 int
542 ssh_remote_port(struct ssh *ssh)
543 {
544 	(void)ssh_remote_ipaddr(ssh); /* Will lookup and cache. */
545 	return ssh->remote_port;
546 }
547 
548 /*
549  * Returns the IP-address of the local host as a string.  The returned
550  * string must not be freed.
551  */
552 
553 const char *
554 ssh_local_ipaddr(struct ssh *ssh)
555 {
556 	(void)ssh_remote_ipaddr(ssh); /* Will lookup and cache. */
557 	return ssh->local_ipaddr;
558 }
559 
560 /* Returns the port number of the local host. */
561 
562 int
563 ssh_local_port(struct ssh *ssh)
564 {
565 	(void)ssh_remote_ipaddr(ssh); /* Will lookup and cache. */
566 	return ssh->local_port;
567 }
568 
569 /* Returns the routing domain of the input socket, or NULL if unavailable */
570 const char *
571 ssh_packet_rdomain_in(struct ssh *ssh)
572 {
573 	if (ssh->rdomain_in != NULL)
574 		return ssh->rdomain_in;
575 	if (!ssh_packet_connection_is_on_socket(ssh))
576 		return NULL;
577 	ssh->rdomain_in = get_rdomain(ssh->state->connection_in);
578 	return ssh->rdomain_in;
579 }
580 
581 /* Closes the connection and clears and frees internal data structures. */
582 
583 static void
584 ssh_packet_close_internal(struct ssh *ssh, int do_close)
585 {
586 	struct session_state *state = ssh->state;
587 	u_int mode;
588 
589 	if (!state->initialized)
590 		return;
591 	state->initialized = 0;
592 	if (do_close) {
593 		if (state->connection_in == state->connection_out) {
594 			close(state->connection_out);
595 		} else {
596 			close(state->connection_in);
597 			close(state->connection_out);
598 		}
599 	}
600 	sshbuf_free(state->input);
601 	sshbuf_free(state->output);
602 	sshbuf_free(state->outgoing_packet);
603 	sshbuf_free(state->incoming_packet);
604 	for (mode = 0; mode < MODE_MAX; mode++) {
605 		kex_free_newkeys(state->newkeys[mode]);	/* current keys */
606 		state->newkeys[mode] = NULL;
607 		ssh_clear_newkeys(ssh, mode);		/* next keys */
608 	}
609 	/* compression state is in shared mem, so we can only release it once */
610 	if (do_close && state->compression_buffer) {
611 		sshbuf_free(state->compression_buffer);
612 		if (state->compression_out_started) {
613 			z_streamp stream = &state->compression_out_stream;
614 			debug("compress outgoing: "
615 			    "raw data %llu, compressed %llu, factor %.2f",
616 				(unsigned long long)stream->total_in,
617 				(unsigned long long)stream->total_out,
618 				stream->total_in == 0 ? 0.0 :
619 				(double) stream->total_out / stream->total_in);
620 			if (state->compression_out_failures == 0)
621 				deflateEnd(stream);
622 		}
623 		if (state->compression_in_started) {
624 			z_streamp stream = &state->compression_in_stream;
625 			debug("compress incoming: "
626 			    "raw data %llu, compressed %llu, factor %.2f",
627 			    (unsigned long long)stream->total_out,
628 			    (unsigned long long)stream->total_in,
629 			    stream->total_out == 0 ? 0.0 :
630 			    (double) stream->total_in / stream->total_out);
631 			if (state->compression_in_failures == 0)
632 				inflateEnd(stream);
633 		}
634 	}
635 	cipher_free(state->send_context);
636 	cipher_free(state->receive_context);
637 	state->send_context = state->receive_context = NULL;
638 	if (do_close) {
639 		free(ssh->local_ipaddr);
640 		ssh->local_ipaddr = NULL;
641 		free(ssh->remote_ipaddr);
642 		ssh->remote_ipaddr = NULL;
643 		free(ssh->state);
644 		ssh->state = NULL;
645 	}
646 }
647 
648 void
649 ssh_packet_close(struct ssh *ssh)
650 {
651 	ssh_packet_close_internal(ssh, 1);
652 }
653 
654 void
655 ssh_packet_clear_keys(struct ssh *ssh)
656 {
657 	ssh_packet_close_internal(ssh, 0);
658 }
659 
660 /* Sets remote side protocol flags. */
661 
662 void
663 ssh_packet_set_protocol_flags(struct ssh *ssh, u_int protocol_flags)
664 {
665 	ssh->state->remote_protocol_flags = protocol_flags;
666 }
667 
668 /* Returns the remote protocol flags set earlier by the above function. */
669 
670 u_int
671 ssh_packet_get_protocol_flags(struct ssh *ssh)
672 {
673 	return ssh->state->remote_protocol_flags;
674 }
675 
676 /*
677  * Starts packet compression from the next packet on in both directions.
678  * Level is compression level 1 (fastest) - 9 (slow, best) as in gzip.
679  */
680 
681 static int
682 ssh_packet_init_compression(struct ssh *ssh)
683 {
684 	if (!ssh->state->compression_buffer &&
685 	   ((ssh->state->compression_buffer = sshbuf_new()) == NULL))
686 		return SSH_ERR_ALLOC_FAIL;
687 	return 0;
688 }
689 
690 static int
691 start_compression_out(struct ssh *ssh, int level)
692 {
693 	if (level < 1 || level > 9)
694 		return SSH_ERR_INVALID_ARGUMENT;
695 	debug("Enabling compression at level %d.", level);
696 	if (ssh->state->compression_out_started == 1)
697 		deflateEnd(&ssh->state->compression_out_stream);
698 	switch (deflateInit(&ssh->state->compression_out_stream, level)) {
699 	case Z_OK:
700 		ssh->state->compression_out_started = 1;
701 		break;
702 	case Z_MEM_ERROR:
703 		return SSH_ERR_ALLOC_FAIL;
704 	default:
705 		return SSH_ERR_INTERNAL_ERROR;
706 	}
707 	return 0;
708 }
709 
710 static int
711 start_compression_in(struct ssh *ssh)
712 {
713 	if (ssh->state->compression_in_started == 1)
714 		inflateEnd(&ssh->state->compression_in_stream);
715 	switch (inflateInit(&ssh->state->compression_in_stream)) {
716 	case Z_OK:
717 		ssh->state->compression_in_started = 1;
718 		break;
719 	case Z_MEM_ERROR:
720 		return SSH_ERR_ALLOC_FAIL;
721 	default:
722 		return SSH_ERR_INTERNAL_ERROR;
723 	}
724 	return 0;
725 }
726 
727 /* XXX remove need for separate compression buffer */
728 static int
729 compress_buffer(struct ssh *ssh, struct sshbuf *in, struct sshbuf *out)
730 {
731 	u_char buf[4096];
732 	int r, status;
733 
734 	if (ssh->state->compression_out_started != 1)
735 		return SSH_ERR_INTERNAL_ERROR;
736 
737 	/* This case is not handled below. */
738 	if (sshbuf_len(in) == 0)
739 		return 0;
740 
741 	/* Input is the contents of the input buffer. */
742 	if ((ssh->state->compression_out_stream.next_in =
743 	    sshbuf_mutable_ptr(in)) == NULL)
744 		return SSH_ERR_INTERNAL_ERROR;
745 	ssh->state->compression_out_stream.avail_in = sshbuf_len(in);
746 
747 	/* Loop compressing until deflate() returns with avail_out != 0. */
748 	do {
749 		/* Set up fixed-size output buffer. */
750 		ssh->state->compression_out_stream.next_out = buf;
751 		ssh->state->compression_out_stream.avail_out = sizeof(buf);
752 
753 		/* Compress as much data into the buffer as possible. */
754 		status = deflate(&ssh->state->compression_out_stream,
755 		    Z_PARTIAL_FLUSH);
756 		switch (status) {
757 		case Z_MEM_ERROR:
758 			return SSH_ERR_ALLOC_FAIL;
759 		case Z_OK:
760 			/* Append compressed data to output_buffer. */
761 			if ((r = sshbuf_put(out, buf, sizeof(buf) -
762 			    ssh->state->compression_out_stream.avail_out)) != 0)
763 				return r;
764 			break;
765 		case Z_STREAM_ERROR:
766 		default:
767 			ssh->state->compression_out_failures++;
768 			return SSH_ERR_INVALID_FORMAT;
769 		}
770 	} while (ssh->state->compression_out_stream.avail_out == 0);
771 	return 0;
772 }
773 
774 static int
775 uncompress_buffer(struct ssh *ssh, struct sshbuf *in, struct sshbuf *out)
776 {
777 	u_char buf[4096];
778 	int r, status;
779 
780 	if (ssh->state->compression_in_started != 1)
781 		return SSH_ERR_INTERNAL_ERROR;
782 
783 	if ((ssh->state->compression_in_stream.next_in =
784 	    sshbuf_mutable_ptr(in)) == NULL)
785 		return SSH_ERR_INTERNAL_ERROR;
786 	ssh->state->compression_in_stream.avail_in = sshbuf_len(in);
787 
788 	for (;;) {
789 		/* Set up fixed-size output buffer. */
790 		ssh->state->compression_in_stream.next_out = buf;
791 		ssh->state->compression_in_stream.avail_out = sizeof(buf);
792 
793 		status = inflate(&ssh->state->compression_in_stream,
794 		    Z_PARTIAL_FLUSH);
795 		switch (status) {
796 		case Z_OK:
797 			if ((r = sshbuf_put(out, buf, sizeof(buf) -
798 			    ssh->state->compression_in_stream.avail_out)) != 0)
799 				return r;
800 			break;
801 		case Z_BUF_ERROR:
802 			/*
803 			 * Comments in zlib.h say that we should keep calling
804 			 * inflate() until we get an error.  This appears to
805 			 * be the error that we get.
806 			 */
807 			return 0;
808 		case Z_DATA_ERROR:
809 			return SSH_ERR_INVALID_FORMAT;
810 		case Z_MEM_ERROR:
811 			return SSH_ERR_ALLOC_FAIL;
812 		case Z_STREAM_ERROR:
813 		default:
814 			ssh->state->compression_in_failures++;
815 			return SSH_ERR_INTERNAL_ERROR;
816 		}
817 	}
818 	/* NOTREACHED */
819 }
820 
821 void
822 ssh_clear_newkeys(struct ssh *ssh, int mode)
823 {
824 	if (ssh->kex && ssh->kex->newkeys[mode]) {
825 		kex_free_newkeys(ssh->kex->newkeys[mode]);
826 		ssh->kex->newkeys[mode] = NULL;
827 	}
828 }
829 
830 int
831 ssh_set_newkeys(struct ssh *ssh, int mode)
832 {
833 	struct session_state *state = ssh->state;
834 	struct sshenc *enc;
835 	struct sshmac *mac;
836 	struct sshcomp *comp;
837 	struct sshcipher_ctx **ccp;
838 	struct packet_state *ps;
839 	u_int64_t *max_blocks;
840 	const char *wmsg;
841 	int r, crypt_type;
842 
843 	debug2("set_newkeys: mode %d", mode);
844 
845 	if (mode == MODE_OUT) {
846 		ccp = &state->send_context;
847 		crypt_type = CIPHER_ENCRYPT;
848 		ps = &state->p_send;
849 		max_blocks = &state->max_blocks_out;
850 	} else {
851 		ccp = &state->receive_context;
852 		crypt_type = CIPHER_DECRYPT;
853 		ps = &state->p_read;
854 		max_blocks = &state->max_blocks_in;
855 	}
856 	if (state->newkeys[mode] != NULL) {
857 		debug("set_newkeys: rekeying, input %llu bytes %llu blocks, "
858 		   "output %llu bytes %llu blocks",
859 		   (unsigned long long)state->p_read.bytes,
860 		   (unsigned long long)state->p_read.blocks,
861 		   (unsigned long long)state->p_send.bytes,
862 		   (unsigned long long)state->p_send.blocks);
863 		cipher_free(*ccp);
864 		*ccp = NULL;
865 		kex_free_newkeys(state->newkeys[mode]);
866 		state->newkeys[mode] = NULL;
867 	}
868 	/* note that both bytes and the seqnr are not reset */
869 	ps->packets = ps->blocks = 0;
870 	/* move newkeys from kex to state */
871 	if ((state->newkeys[mode] = ssh->kex->newkeys[mode]) == NULL)
872 		return SSH_ERR_INTERNAL_ERROR;
873 	ssh->kex->newkeys[mode] = NULL;
874 	enc  = &state->newkeys[mode]->enc;
875 	mac  = &state->newkeys[mode]->mac;
876 	comp = &state->newkeys[mode]->comp;
877 	if (cipher_authlen(enc->cipher) == 0) {
878 		if ((r = mac_init(mac)) != 0)
879 			return r;
880 	}
881 	mac->enabled = 1;
882 	DBG(debug("cipher_init_context: %d", mode));
883 	if ((r = cipher_init(ccp, enc->cipher, enc->key, enc->key_len,
884 	    enc->iv, enc->iv_len, crypt_type)) != 0)
885 		return r;
886 	if (!state->cipher_warning_done &&
887 	    (wmsg = cipher_warning_message(*ccp)) != NULL) {
888 		error("Warning: %s", wmsg);
889 		state->cipher_warning_done = 1;
890 	}
891 	/* Deleting the keys does not gain extra security */
892 	/* explicit_bzero(enc->iv,  enc->block_size);
893 	   explicit_bzero(enc->key, enc->key_len);
894 	   explicit_bzero(mac->key, mac->key_len); */
895 	if ((comp->type == COMP_ZLIB ||
896 	    (comp->type == COMP_DELAYED &&
897 	     state->after_authentication)) && comp->enabled == 0) {
898 		if ((r = ssh_packet_init_compression(ssh)) < 0)
899 			return r;
900 		if (mode == MODE_OUT) {
901 			if ((r = start_compression_out(ssh, 6)) != 0)
902 				return r;
903 		} else {
904 			if ((r = start_compression_in(ssh)) != 0)
905 				return r;
906 		}
907 		comp->enabled = 1;
908 	}
909 	/*
910 	 * The 2^(blocksize*2) limit is too expensive for 3DES,
911 	 * so enforce a 1GB limit for small blocksizes.
912 	 * See RFC4344 section 3.2.
913 	 */
914 	if (enc->block_size >= 16)
915 		*max_blocks = (u_int64_t)1 << (enc->block_size*2);
916 	else
917 		*max_blocks = ((u_int64_t)1 << 30) / enc->block_size;
918 	if (state->rekey_limit)
919 		*max_blocks = MINIMUM(*max_blocks,
920 		    state->rekey_limit / enc->block_size);
921 	debug("rekey after %llu blocks", (unsigned long long)*max_blocks);
922 	return 0;
923 }
924 
925 #define MAX_PACKETS	(1U<<31)
926 static int
927 ssh_packet_need_rekeying(struct ssh *ssh, u_int outbound_packet_len)
928 {
929 	struct session_state *state = ssh->state;
930 	u_int32_t out_blocks;
931 
932 	/* XXX client can't cope with rekeying pre-auth */
933 	if (!state->after_authentication)
934 		return 0;
935 
936 	/* Haven't keyed yet or KEX in progress. */
937 	if (ssh->kex == NULL || ssh_packet_is_rekeying(ssh))
938 		return 0;
939 
940 	/* Peer can't rekey */
941 	if (ssh->compat & SSH_BUG_NOREKEY)
942 		return 0;
943 
944 	/*
945 	 * Permit one packet in or out per rekey - this allows us to
946 	 * make progress when rekey limits are very small.
947 	 */
948 	if (state->p_send.packets == 0 && state->p_read.packets == 0)
949 		return 0;
950 
951 	/* Time-based rekeying */
952 	if (state->rekey_interval != 0 &&
953 	    (int64_t)state->rekey_time + state->rekey_interval <= monotime())
954 		return 1;
955 
956 	/*
957 	 * Always rekey when MAX_PACKETS sent in either direction
958 	 * As per RFC4344 section 3.1 we do this after 2^31 packets.
959 	 */
960 	if (state->p_send.packets > MAX_PACKETS ||
961 	    state->p_read.packets > MAX_PACKETS)
962 		return 1;
963 
964 	/* Rekey after (cipher-specific) maximum blocks */
965 	out_blocks = ROUNDUP(outbound_packet_len,
966 	    state->newkeys[MODE_OUT]->enc.block_size);
967 	return (state->max_blocks_out &&
968 	    (state->p_send.blocks + out_blocks > state->max_blocks_out)) ||
969 	    (state->max_blocks_in &&
970 	    (state->p_read.blocks > state->max_blocks_in));
971 }
972 
973 /*
974  * Delayed compression for SSH2 is enabled after authentication:
975  * This happens on the server side after a SSH2_MSG_USERAUTH_SUCCESS is sent,
976  * and on the client side after a SSH2_MSG_USERAUTH_SUCCESS is received.
977  */
978 static int
979 ssh_packet_enable_delayed_compress(struct ssh *ssh)
980 {
981 	struct session_state *state = ssh->state;
982 	struct sshcomp *comp = NULL;
983 	int r, mode;
984 
985 	/*
986 	 * Remember that we are past the authentication step, so rekeying
987 	 * with COMP_DELAYED will turn on compression immediately.
988 	 */
989 	state->after_authentication = 1;
990 	for (mode = 0; mode < MODE_MAX; mode++) {
991 		/* protocol error: USERAUTH_SUCCESS received before NEWKEYS */
992 		if (state->newkeys[mode] == NULL)
993 			continue;
994 		comp = &state->newkeys[mode]->comp;
995 		if (comp && !comp->enabled && comp->type == COMP_DELAYED) {
996 			if ((r = ssh_packet_init_compression(ssh)) != 0)
997 				return r;
998 			if (mode == MODE_OUT) {
999 				if ((r = start_compression_out(ssh, 6)) != 0)
1000 					return r;
1001 			} else {
1002 				if ((r = start_compression_in(ssh)) != 0)
1003 					return r;
1004 			}
1005 			comp->enabled = 1;
1006 		}
1007 	}
1008 	return 0;
1009 }
1010 
1011 /* Used to mute debug logging for noisy packet types */
1012 int
1013 ssh_packet_log_type(u_char type)
1014 {
1015 	switch (type) {
1016 	case SSH2_MSG_CHANNEL_DATA:
1017 	case SSH2_MSG_CHANNEL_EXTENDED_DATA:
1018 	case SSH2_MSG_CHANNEL_WINDOW_ADJUST:
1019 		return 0;
1020 	default:
1021 		return 1;
1022 	}
1023 }
1024 
1025 /*
1026  * Finalize packet in SSH2 format (compress, mac, encrypt, enqueue)
1027  */
1028 int
1029 ssh_packet_send2_wrapped(struct ssh *ssh)
1030 {
1031 	struct session_state *state = ssh->state;
1032 	u_char type, *cp, macbuf[SSH_DIGEST_MAX_LENGTH];
1033 	u_char tmp, padlen, pad = 0;
1034 	u_int authlen = 0, aadlen = 0;
1035 	u_int len;
1036 	struct sshenc *enc   = NULL;
1037 	struct sshmac *mac   = NULL;
1038 	struct sshcomp *comp = NULL;
1039 	int r, block_size;
1040 
1041 	if (state->newkeys[MODE_OUT] != NULL) {
1042 		enc  = &state->newkeys[MODE_OUT]->enc;
1043 		mac  = &state->newkeys[MODE_OUT]->mac;
1044 		comp = &state->newkeys[MODE_OUT]->comp;
1045 		/* disable mac for authenticated encryption */
1046 		if ((authlen = cipher_authlen(enc->cipher)) != 0)
1047 			mac = NULL;
1048 	}
1049 	block_size = enc ? enc->block_size : 8;
1050 	aadlen = (mac && mac->enabled && mac->etm) || authlen ? 4 : 0;
1051 
1052 	type = (sshbuf_ptr(state->outgoing_packet))[5];
1053 	if (ssh_packet_log_type(type))
1054 		debug3("send packet: type %u", type);
1055 #ifdef PACKET_DEBUG
1056 	fprintf(stderr, "plain:     ");
1057 	sshbuf_dump(state->outgoing_packet, stderr);
1058 #endif
1059 
1060 	if (comp && comp->enabled) {
1061 		len = sshbuf_len(state->outgoing_packet);
1062 		/* skip header, compress only payload */
1063 		if ((r = sshbuf_consume(state->outgoing_packet, 5)) != 0)
1064 			goto out;
1065 		sshbuf_reset(state->compression_buffer);
1066 		if ((r = compress_buffer(ssh, state->outgoing_packet,
1067 		    state->compression_buffer)) != 0)
1068 			goto out;
1069 		sshbuf_reset(state->outgoing_packet);
1070 		if ((r = sshbuf_put(state->outgoing_packet,
1071 		    "\0\0\0\0\0", 5)) != 0 ||
1072 		    (r = sshbuf_putb(state->outgoing_packet,
1073 		    state->compression_buffer)) != 0)
1074 			goto out;
1075 		DBG(debug("compression: raw %d compressed %zd", len,
1076 		    sshbuf_len(state->outgoing_packet)));
1077 	}
1078 
1079 	/* sizeof (packet_len + pad_len + payload) */
1080 	len = sshbuf_len(state->outgoing_packet);
1081 
1082 	/*
1083 	 * calc size of padding, alloc space, get random data,
1084 	 * minimum padding is 4 bytes
1085 	 */
1086 	len -= aadlen; /* packet length is not encrypted for EtM modes */
1087 	padlen = block_size - (len % block_size);
1088 	if (padlen < 4)
1089 		padlen += block_size;
1090 	if (state->extra_pad) {
1091 		tmp = state->extra_pad;
1092 		state->extra_pad =
1093 		    ROUNDUP(state->extra_pad, block_size);
1094 		/* check if roundup overflowed */
1095 		if (state->extra_pad < tmp)
1096 			return SSH_ERR_INVALID_ARGUMENT;
1097 		tmp = (len + padlen) % state->extra_pad;
1098 		/* Check whether pad calculation below will underflow */
1099 		if (tmp > state->extra_pad)
1100 			return SSH_ERR_INVALID_ARGUMENT;
1101 		pad = state->extra_pad - tmp;
1102 		DBG(debug3("%s: adding %d (len %d padlen %d extra_pad %d)",
1103 		    __func__, pad, len, padlen, state->extra_pad));
1104 		tmp = padlen;
1105 		padlen += pad;
1106 		/* Check whether padlen calculation overflowed */
1107 		if (padlen < tmp)
1108 			return SSH_ERR_INVALID_ARGUMENT; /* overflow */
1109 		state->extra_pad = 0;
1110 	}
1111 	if ((r = sshbuf_reserve(state->outgoing_packet, padlen, &cp)) != 0)
1112 		goto out;
1113 	if (enc && !cipher_ctx_is_plaintext(state->send_context)) {
1114 		/* random padding */
1115 		arc4random_buf(cp, padlen);
1116 	} else {
1117 		/* clear padding */
1118 		explicit_bzero(cp, padlen);
1119 	}
1120 	/* sizeof (packet_len + pad_len + payload + padding) */
1121 	len = sshbuf_len(state->outgoing_packet);
1122 	cp = sshbuf_mutable_ptr(state->outgoing_packet);
1123 	if (cp == NULL) {
1124 		r = SSH_ERR_INTERNAL_ERROR;
1125 		goto out;
1126 	}
1127 	/* packet_length includes payload, padding and padding length field */
1128 	POKE_U32(cp, len - 4);
1129 	cp[4] = padlen;
1130 	DBG(debug("send: len %d (includes padlen %d, aadlen %d)",
1131 	    len, padlen, aadlen));
1132 
1133 	/* compute MAC over seqnr and packet(length fields, payload, padding) */
1134 	if (mac && mac->enabled && !mac->etm) {
1135 		if ((r = mac_compute(mac, state->p_send.seqnr,
1136 		    sshbuf_ptr(state->outgoing_packet), len,
1137 		    macbuf, sizeof(macbuf))) != 0)
1138 			goto out;
1139 		DBG(debug("done calc MAC out #%d", state->p_send.seqnr));
1140 	}
1141 	/* encrypt packet and append to output buffer. */
1142 	if ((r = sshbuf_reserve(state->output,
1143 	    sshbuf_len(state->outgoing_packet) + authlen, &cp)) != 0)
1144 		goto out;
1145 	if ((r = cipher_crypt(state->send_context, state->p_send.seqnr, cp,
1146 	    sshbuf_ptr(state->outgoing_packet),
1147 	    len - aadlen, aadlen, authlen)) != 0)
1148 		goto out;
1149 	/* append unencrypted MAC */
1150 	if (mac && mac->enabled) {
1151 		if (mac->etm) {
1152 			/* EtM: compute mac over aadlen + cipher text */
1153 			if ((r = mac_compute(mac, state->p_send.seqnr,
1154 			    cp, len, macbuf, sizeof(macbuf))) != 0)
1155 				goto out;
1156 			DBG(debug("done calc MAC(EtM) out #%d",
1157 			    state->p_send.seqnr));
1158 		}
1159 		if ((r = sshbuf_put(state->output, macbuf, mac->mac_len)) != 0)
1160 			goto out;
1161 	}
1162 #ifdef PACKET_DEBUG
1163 	fprintf(stderr, "encrypted: ");
1164 	sshbuf_dump(state->output, stderr);
1165 #endif
1166 	/* increment sequence number for outgoing packets */
1167 	if (++state->p_send.seqnr == 0)
1168 		logit("outgoing seqnr wraps around");
1169 	if (++state->p_send.packets == 0)
1170 		if (!(ssh->compat & SSH_BUG_NOREKEY))
1171 			return SSH_ERR_NEED_REKEY;
1172 	state->p_send.blocks += len / block_size;
1173 	state->p_send.bytes += len;
1174 	sshbuf_reset(state->outgoing_packet);
1175 
1176 	if (type == SSH2_MSG_NEWKEYS)
1177 		r = ssh_set_newkeys(ssh, MODE_OUT);
1178 	else if (type == SSH2_MSG_USERAUTH_SUCCESS && state->server_side)
1179 		r = ssh_packet_enable_delayed_compress(ssh);
1180 	else
1181 		r = 0;
1182  out:
1183 	return r;
1184 }
1185 
1186 /* returns non-zero if the specified packet type is usec by KEX */
1187 static int
1188 ssh_packet_type_is_kex(u_char type)
1189 {
1190 	return
1191 	    type >= SSH2_MSG_TRANSPORT_MIN &&
1192 	    type <= SSH2_MSG_TRANSPORT_MAX &&
1193 	    type != SSH2_MSG_SERVICE_REQUEST &&
1194 	    type != SSH2_MSG_SERVICE_ACCEPT &&
1195 	    type != SSH2_MSG_EXT_INFO;
1196 }
1197 
1198 int
1199 ssh_packet_send2(struct ssh *ssh)
1200 {
1201 	struct session_state *state = ssh->state;
1202 	struct packet *p;
1203 	u_char type;
1204 	int r, need_rekey;
1205 
1206 	if (sshbuf_len(state->outgoing_packet) < 6)
1207 		return SSH_ERR_INTERNAL_ERROR;
1208 	type = sshbuf_ptr(state->outgoing_packet)[5];
1209 	need_rekey = !ssh_packet_type_is_kex(type) &&
1210 	    ssh_packet_need_rekeying(ssh, sshbuf_len(state->outgoing_packet));
1211 
1212 	/*
1213 	 * During rekeying we can only send key exchange messages.
1214 	 * Queue everything else.
1215 	 */
1216 	if ((need_rekey || state->rekeying) && !ssh_packet_type_is_kex(type)) {
1217 		if (need_rekey)
1218 			debug3("%s: rekex triggered", __func__);
1219 		debug("enqueue packet: %u", type);
1220 		p = calloc(1, sizeof(*p));
1221 		if (p == NULL)
1222 			return SSH_ERR_ALLOC_FAIL;
1223 		p->type = type;
1224 		p->payload = state->outgoing_packet;
1225 		TAILQ_INSERT_TAIL(&state->outgoing, p, next);
1226 		state->outgoing_packet = sshbuf_new();
1227 		if (state->outgoing_packet == NULL)
1228 			return SSH_ERR_ALLOC_FAIL;
1229 		if (need_rekey) {
1230 			/*
1231 			 * This packet triggered a rekey, so send the
1232 			 * KEXINIT now.
1233 			 * NB. reenters this function via kex_start_rekex().
1234 			 */
1235 			return kex_start_rekex(ssh);
1236 		}
1237 		return 0;
1238 	}
1239 
1240 	/* rekeying starts with sending KEXINIT */
1241 	if (type == SSH2_MSG_KEXINIT)
1242 		state->rekeying = 1;
1243 
1244 	if ((r = ssh_packet_send2_wrapped(ssh)) != 0)
1245 		return r;
1246 
1247 	/* after a NEWKEYS message we can send the complete queue */
1248 	if (type == SSH2_MSG_NEWKEYS) {
1249 		state->rekeying = 0;
1250 		state->rekey_time = monotime();
1251 		while ((p = TAILQ_FIRST(&state->outgoing))) {
1252 			type = p->type;
1253 			/*
1254 			 * If this packet triggers a rekex, then skip the
1255 			 * remaining packets in the queue for now.
1256 			 * NB. re-enters this function via kex_start_rekex.
1257 			 */
1258 			if (ssh_packet_need_rekeying(ssh,
1259 			    sshbuf_len(p->payload))) {
1260 				debug3("%s: queued packet triggered rekex",
1261 				    __func__);
1262 				return kex_start_rekex(ssh);
1263 			}
1264 			debug("dequeue packet: %u", type);
1265 			sshbuf_free(state->outgoing_packet);
1266 			state->outgoing_packet = p->payload;
1267 			TAILQ_REMOVE(&state->outgoing, p, next);
1268 			memset(p, 0, sizeof(*p));
1269 			free(p);
1270 			if ((r = ssh_packet_send2_wrapped(ssh)) != 0)
1271 				return r;
1272 		}
1273 	}
1274 	return 0;
1275 }
1276 
1277 /*
1278  * Waits until a packet has been received, and returns its type.  Note that
1279  * no other data is processed until this returns, so this function should not
1280  * be used during the interactive session.
1281  */
1282 
1283 int
1284 ssh_packet_read_seqnr(struct ssh *ssh, u_char *typep, u_int32_t *seqnr_p)
1285 {
1286 	struct session_state *state = ssh->state;
1287 	int len, r, ms_remain;
1288 	fd_set *setp;
1289 	char buf[8192];
1290 	struct timeval timeout, start, *timeoutp = NULL;
1291 
1292 	DBG(debug("packet_read()"));
1293 
1294 	setp = calloc(howmany(state->connection_in + 1,
1295 	    NFDBITS), sizeof(fd_mask));
1296 	if (setp == NULL)
1297 		return SSH_ERR_ALLOC_FAIL;
1298 
1299 	/*
1300 	 * Since we are blocking, ensure that all written packets have
1301 	 * been sent.
1302 	 */
1303 	if ((r = ssh_packet_write_wait(ssh)) != 0)
1304 		goto out;
1305 
1306 	/* Stay in the loop until we have received a complete packet. */
1307 	for (;;) {
1308 		/* Try to read a packet from the buffer. */
1309 		r = ssh_packet_read_poll_seqnr(ssh, typep, seqnr_p);
1310 		if (r != 0)
1311 			break;
1312 		/* If we got a packet, return it. */
1313 		if (*typep != SSH_MSG_NONE)
1314 			break;
1315 		/*
1316 		 * Otherwise, wait for some data to arrive, add it to the
1317 		 * buffer, and try again.
1318 		 */
1319 		memset(setp, 0, howmany(state->connection_in + 1,
1320 		    NFDBITS) * sizeof(fd_mask));
1321 		FD_SET(state->connection_in, setp);
1322 
1323 		if (state->packet_timeout_ms > 0) {
1324 			ms_remain = state->packet_timeout_ms;
1325 			timeoutp = &timeout;
1326 		}
1327 		/* Wait for some data to arrive. */
1328 		for (;;) {
1329 			if (state->packet_timeout_ms != -1) {
1330 				ms_to_timeval(&timeout, ms_remain);
1331 				monotime_tv(&start);
1332 			}
1333 			if ((r = select(state->connection_in + 1, setp,
1334 			    NULL, NULL, timeoutp)) >= 0)
1335 				break;
1336 			if (errno != EAGAIN && errno != EINTR &&
1337 			    errno != EWOULDBLOCK) {
1338 				r = SSH_ERR_SYSTEM_ERROR;
1339 				goto out;
1340 			}
1341 			if (state->packet_timeout_ms == -1)
1342 				continue;
1343 			ms_subtract_diff(&start, &ms_remain);
1344 			if (ms_remain <= 0) {
1345 				r = 0;
1346 				break;
1347 			}
1348 		}
1349 		if (r == 0) {
1350 			r = SSH_ERR_CONN_TIMEOUT;
1351 			goto out;
1352 		}
1353 		/* Read data from the socket. */
1354 		len = read(state->connection_in, buf, sizeof(buf));
1355 		if (len == 0) {
1356 			r = SSH_ERR_CONN_CLOSED;
1357 			goto out;
1358 		}
1359 		if (len < 0) {
1360 			r = SSH_ERR_SYSTEM_ERROR;
1361 			goto out;
1362 		}
1363 
1364 		/* Append it to the buffer. */
1365 		if ((r = ssh_packet_process_incoming(ssh, buf, len)) != 0)
1366 			goto out;
1367 	}
1368  out:
1369 	free(setp);
1370 	return r;
1371 }
1372 
1373 int
1374 ssh_packet_read(struct ssh *ssh)
1375 {
1376 	u_char type;
1377 	int r;
1378 
1379 	if ((r = ssh_packet_read_seqnr(ssh, &type, NULL)) != 0)
1380 		fatal("%s: %s", __func__, ssh_err(r));
1381 	return type;
1382 }
1383 
1384 /*
1385  * Waits until a packet has been received, verifies that its type matches
1386  * that given, and gives a fatal error and exits if there is a mismatch.
1387  */
1388 
1389 int
1390 ssh_packet_read_expect(struct ssh *ssh, u_int expected_type)
1391 {
1392 	int r;
1393 	u_char type;
1394 
1395 	if ((r = ssh_packet_read_seqnr(ssh, &type, NULL)) != 0)
1396 		return r;
1397 	if (type != expected_type) {
1398 		if ((r = sshpkt_disconnect(ssh,
1399 		    "Protocol error: expected packet type %d, got %d",
1400 		    expected_type, type)) != 0)
1401 			return r;
1402 		return SSH_ERR_PROTOCOL_ERROR;
1403 	}
1404 	return 0;
1405 }
1406 
1407 static int
1408 ssh_packet_read_poll2_mux(struct ssh *ssh, u_char *typep, u_int32_t *seqnr_p)
1409 {
1410 	struct session_state *state = ssh->state;
1411 	const u_char *cp;
1412 	size_t need;
1413 	int r;
1414 
1415 	if (ssh->kex)
1416 		return SSH_ERR_INTERNAL_ERROR;
1417 	*typep = SSH_MSG_NONE;
1418 	cp = sshbuf_ptr(state->input);
1419 	if (state->packlen == 0) {
1420 		if (sshbuf_len(state->input) < 4 + 1)
1421 			return 0; /* packet is incomplete */
1422 		state->packlen = PEEK_U32(cp);
1423 		if (state->packlen < 4 + 1 ||
1424 		    state->packlen > PACKET_MAX_SIZE)
1425 			return SSH_ERR_MESSAGE_INCOMPLETE;
1426 	}
1427 	need = state->packlen + 4;
1428 	if (sshbuf_len(state->input) < need)
1429 		return 0; /* packet is incomplete */
1430 	sshbuf_reset(state->incoming_packet);
1431 	if ((r = sshbuf_put(state->incoming_packet, cp + 4,
1432 	    state->packlen)) != 0 ||
1433 	    (r = sshbuf_consume(state->input, need)) != 0 ||
1434 	    (r = sshbuf_get_u8(state->incoming_packet, NULL)) != 0 ||
1435 	    (r = sshbuf_get_u8(state->incoming_packet, typep)) != 0)
1436 		return r;
1437 	if (ssh_packet_log_type(*typep))
1438 		debug3("%s: type %u", __func__, *typep);
1439 	/* sshbuf_dump(state->incoming_packet, stderr); */
1440 	/* reset for next packet */
1441 	state->packlen = 0;
1442 	return r;
1443 }
1444 
1445 int
1446 ssh_packet_read_poll2(struct ssh *ssh, u_char *typep, u_int32_t *seqnr_p)
1447 {
1448 	struct session_state *state = ssh->state;
1449 	u_int padlen, need;
1450 	u_char *cp;
1451 	u_int maclen, aadlen = 0, authlen = 0, block_size;
1452 	struct sshenc *enc   = NULL;
1453 	struct sshmac *mac   = NULL;
1454 	struct sshcomp *comp = NULL;
1455 	int r;
1456 
1457 	if (state->mux)
1458 		return ssh_packet_read_poll2_mux(ssh, typep, seqnr_p);
1459 
1460 	*typep = SSH_MSG_NONE;
1461 
1462 	if (state->packet_discard)
1463 		return 0;
1464 
1465 	if (state->newkeys[MODE_IN] != NULL) {
1466 		enc  = &state->newkeys[MODE_IN]->enc;
1467 		mac  = &state->newkeys[MODE_IN]->mac;
1468 		comp = &state->newkeys[MODE_IN]->comp;
1469 		/* disable mac for authenticated encryption */
1470 		if ((authlen = cipher_authlen(enc->cipher)) != 0)
1471 			mac = NULL;
1472 	}
1473 	maclen = mac && mac->enabled ? mac->mac_len : 0;
1474 	block_size = enc ? enc->block_size : 8;
1475 	aadlen = (mac && mac->enabled && mac->etm) || authlen ? 4 : 0;
1476 
1477 	if (aadlen && state->packlen == 0) {
1478 		if (cipher_get_length(state->receive_context,
1479 		    &state->packlen, state->p_read.seqnr,
1480 		    sshbuf_ptr(state->input), sshbuf_len(state->input)) != 0)
1481 			return 0;
1482 		if (state->packlen < 1 + 4 ||
1483 		    state->packlen > PACKET_MAX_SIZE) {
1484 #ifdef PACKET_DEBUG
1485 			sshbuf_dump(state->input, stderr);
1486 #endif
1487 			logit("Bad packet length %u.", state->packlen);
1488 			if ((r = sshpkt_disconnect(ssh, "Packet corrupt")) != 0)
1489 				return r;
1490 			return SSH_ERR_CONN_CORRUPT;
1491 		}
1492 		sshbuf_reset(state->incoming_packet);
1493 	} else if (state->packlen == 0) {
1494 		/*
1495 		 * check if input size is less than the cipher block size,
1496 		 * decrypt first block and extract length of incoming packet
1497 		 */
1498 		if (sshbuf_len(state->input) < block_size)
1499 			return 0;
1500 		sshbuf_reset(state->incoming_packet);
1501 		if ((r = sshbuf_reserve(state->incoming_packet, block_size,
1502 		    &cp)) != 0)
1503 			goto out;
1504 		if ((r = cipher_crypt(state->receive_context,
1505 		    state->p_send.seqnr, cp, sshbuf_ptr(state->input),
1506 		    block_size, 0, 0)) != 0)
1507 			goto out;
1508 		state->packlen = PEEK_U32(sshbuf_ptr(state->incoming_packet));
1509 		if (state->packlen < 1 + 4 ||
1510 		    state->packlen > PACKET_MAX_SIZE) {
1511 #ifdef PACKET_DEBUG
1512 			fprintf(stderr, "input: \n");
1513 			sshbuf_dump(state->input, stderr);
1514 			fprintf(stderr, "incoming_packet: \n");
1515 			sshbuf_dump(state->incoming_packet, stderr);
1516 #endif
1517 			logit("Bad packet length %u.", state->packlen);
1518 			return ssh_packet_start_discard(ssh, enc, mac, 0,
1519 			    PACKET_MAX_SIZE);
1520 		}
1521 		if ((r = sshbuf_consume(state->input, block_size)) != 0)
1522 			goto out;
1523 	}
1524 	DBG(debug("input: packet len %u", state->packlen+4));
1525 
1526 	if (aadlen) {
1527 		/* only the payload is encrypted */
1528 		need = state->packlen;
1529 	} else {
1530 		/*
1531 		 * the payload size and the payload are encrypted, but we
1532 		 * have a partial packet of block_size bytes
1533 		 */
1534 		need = 4 + state->packlen - block_size;
1535 	}
1536 	DBG(debug("partial packet: block %d, need %d, maclen %d, authlen %d,"
1537 	    " aadlen %d", block_size, need, maclen, authlen, aadlen));
1538 	if (need % block_size != 0) {
1539 		logit("padding error: need %d block %d mod %d",
1540 		    need, block_size, need % block_size);
1541 		return ssh_packet_start_discard(ssh, enc, mac, 0,
1542 		    PACKET_MAX_SIZE - block_size);
1543 	}
1544 	/*
1545 	 * check if the entire packet has been received and
1546 	 * decrypt into incoming_packet:
1547 	 * 'aadlen' bytes are unencrypted, but authenticated.
1548 	 * 'need' bytes are encrypted, followed by either
1549 	 * 'authlen' bytes of authentication tag or
1550 	 * 'maclen' bytes of message authentication code.
1551 	 */
1552 	if (sshbuf_len(state->input) < aadlen + need + authlen + maclen)
1553 		return 0; /* packet is incomplete */
1554 #ifdef PACKET_DEBUG
1555 	fprintf(stderr, "read_poll enc/full: ");
1556 	sshbuf_dump(state->input, stderr);
1557 #endif
1558 	/* EtM: check mac over encrypted input */
1559 	if (mac && mac->enabled && mac->etm) {
1560 		if ((r = mac_check(mac, state->p_read.seqnr,
1561 		    sshbuf_ptr(state->input), aadlen + need,
1562 		    sshbuf_ptr(state->input) + aadlen + need + authlen,
1563 		    maclen)) != 0) {
1564 			if (r == SSH_ERR_MAC_INVALID)
1565 				logit("Corrupted MAC on input.");
1566 			goto out;
1567 		}
1568 	}
1569 	if ((r = sshbuf_reserve(state->incoming_packet, aadlen + need,
1570 	    &cp)) != 0)
1571 		goto out;
1572 	if ((r = cipher_crypt(state->receive_context, state->p_read.seqnr, cp,
1573 	    sshbuf_ptr(state->input), need, aadlen, authlen)) != 0)
1574 		goto out;
1575 	if ((r = sshbuf_consume(state->input, aadlen + need + authlen)) != 0)
1576 		goto out;
1577 	if (mac && mac->enabled) {
1578 		/* Not EtM: check MAC over cleartext */
1579 		if (!mac->etm && (r = mac_check(mac, state->p_read.seqnr,
1580 		    sshbuf_ptr(state->incoming_packet),
1581 		    sshbuf_len(state->incoming_packet),
1582 		    sshbuf_ptr(state->input), maclen)) != 0) {
1583 			if (r != SSH_ERR_MAC_INVALID)
1584 				goto out;
1585 			logit("Corrupted MAC on input.");
1586 			if (need + block_size > PACKET_MAX_SIZE)
1587 				return SSH_ERR_INTERNAL_ERROR;
1588 			return ssh_packet_start_discard(ssh, enc, mac,
1589 			    sshbuf_len(state->incoming_packet),
1590 			    PACKET_MAX_SIZE - need - block_size);
1591 		}
1592 		/* Remove MAC from input buffer */
1593 		DBG(debug("MAC #%d ok", state->p_read.seqnr));
1594 		if ((r = sshbuf_consume(state->input, mac->mac_len)) != 0)
1595 			goto out;
1596 	}
1597 	if (seqnr_p != NULL)
1598 		*seqnr_p = state->p_read.seqnr;
1599 	if (++state->p_read.seqnr == 0)
1600 		logit("incoming seqnr wraps around");
1601 	if (++state->p_read.packets == 0)
1602 		if (!(ssh->compat & SSH_BUG_NOREKEY))
1603 			return SSH_ERR_NEED_REKEY;
1604 	state->p_read.blocks += (state->packlen + 4) / block_size;
1605 	state->p_read.bytes += state->packlen + 4;
1606 
1607 	/* get padlen */
1608 	padlen = sshbuf_ptr(state->incoming_packet)[4];
1609 	DBG(debug("input: padlen %d", padlen));
1610 	if (padlen < 4)	{
1611 		if ((r = sshpkt_disconnect(ssh,
1612 		    "Corrupted padlen %d on input.", padlen)) != 0 ||
1613 		    (r = ssh_packet_write_wait(ssh)) != 0)
1614 			return r;
1615 		return SSH_ERR_CONN_CORRUPT;
1616 	}
1617 
1618 	/* skip packet size + padlen, discard padding */
1619 	if ((r = sshbuf_consume(state->incoming_packet, 4 + 1)) != 0 ||
1620 	    ((r = sshbuf_consume_end(state->incoming_packet, padlen)) != 0))
1621 		goto out;
1622 
1623 	DBG(debug("input: len before de-compress %zd",
1624 	    sshbuf_len(state->incoming_packet)));
1625 	if (comp && comp->enabled) {
1626 		sshbuf_reset(state->compression_buffer);
1627 		if ((r = uncompress_buffer(ssh, state->incoming_packet,
1628 		    state->compression_buffer)) != 0)
1629 			goto out;
1630 		sshbuf_reset(state->incoming_packet);
1631 		if ((r = sshbuf_putb(state->incoming_packet,
1632 		    state->compression_buffer)) != 0)
1633 			goto out;
1634 		DBG(debug("input: len after de-compress %zd",
1635 		    sshbuf_len(state->incoming_packet)));
1636 	}
1637 	/*
1638 	 * get packet type, implies consume.
1639 	 * return length of payload (without type field)
1640 	 */
1641 	if ((r = sshbuf_get_u8(state->incoming_packet, typep)) != 0)
1642 		goto out;
1643 	if (ssh_packet_log_type(*typep))
1644 		debug3("receive packet: type %u", *typep);
1645 	if (*typep < SSH2_MSG_MIN || *typep >= SSH2_MSG_LOCAL_MIN) {
1646 		if ((r = sshpkt_disconnect(ssh,
1647 		    "Invalid ssh2 packet type: %d", *typep)) != 0 ||
1648 		    (r = ssh_packet_write_wait(ssh)) != 0)
1649 			return r;
1650 		return SSH_ERR_PROTOCOL_ERROR;
1651 	}
1652 	if (state->hook_in != NULL &&
1653 	    (r = state->hook_in(ssh, state->incoming_packet, typep,
1654 	    state->hook_in_ctx)) != 0)
1655 		return r;
1656 	if (*typep == SSH2_MSG_USERAUTH_SUCCESS && !state->server_side)
1657 		r = ssh_packet_enable_delayed_compress(ssh);
1658 	else
1659 		r = 0;
1660 #ifdef PACKET_DEBUG
1661 	fprintf(stderr, "read/plain[%d]:\r\n", *typep);
1662 	sshbuf_dump(state->incoming_packet, stderr);
1663 #endif
1664 	/* reset for next packet */
1665 	state->packlen = 0;
1666 
1667 	/* do we need to rekey? */
1668 	if (ssh_packet_need_rekeying(ssh, 0)) {
1669 		debug3("%s: rekex triggered", __func__);
1670 		if ((r = kex_start_rekex(ssh)) != 0)
1671 			return r;
1672 	}
1673  out:
1674 	return r;
1675 }
1676 
1677 int
1678 ssh_packet_read_poll_seqnr(struct ssh *ssh, u_char *typep, u_int32_t *seqnr_p)
1679 {
1680 	struct session_state *state = ssh->state;
1681 	u_int reason, seqnr;
1682 	int r;
1683 	u_char *msg;
1684 
1685 	for (;;) {
1686 		msg = NULL;
1687 		r = ssh_packet_read_poll2(ssh, typep, seqnr_p);
1688 		if (r != 0)
1689 			return r;
1690 		if (*typep) {
1691 			state->keep_alive_timeouts = 0;
1692 			DBG(debug("received packet type %d", *typep));
1693 		}
1694 		switch (*typep) {
1695 		case SSH2_MSG_IGNORE:
1696 			debug3("Received SSH2_MSG_IGNORE");
1697 			break;
1698 		case SSH2_MSG_DEBUG:
1699 			if ((r = sshpkt_get_u8(ssh, NULL)) != 0 ||
1700 			    (r = sshpkt_get_string(ssh, &msg, NULL)) != 0 ||
1701 			    (r = sshpkt_get_string(ssh, NULL, NULL)) != 0) {
1702 				free(msg);
1703 				return r;
1704 			}
1705 			debug("Remote: %.900s", msg);
1706 			free(msg);
1707 			break;
1708 		case SSH2_MSG_DISCONNECT:
1709 			if ((r = sshpkt_get_u32(ssh, &reason)) != 0 ||
1710 			    (r = sshpkt_get_string(ssh, &msg, NULL)) != 0)
1711 				return r;
1712 			/* Ignore normal client exit notifications */
1713 			do_log2(ssh->state->server_side &&
1714 			    reason == SSH2_DISCONNECT_BY_APPLICATION ?
1715 			    SYSLOG_LEVEL_INFO : SYSLOG_LEVEL_ERROR,
1716 			    "Received disconnect from %s port %d:"
1717 			    "%u: %.400s", ssh_remote_ipaddr(ssh),
1718 			    ssh_remote_port(ssh), reason, msg);
1719 			free(msg);
1720 			return SSH_ERR_DISCONNECTED;
1721 		case SSH2_MSG_UNIMPLEMENTED:
1722 			if ((r = sshpkt_get_u32(ssh, &seqnr)) != 0)
1723 				return r;
1724 			debug("Received SSH2_MSG_UNIMPLEMENTED for %u",
1725 			    seqnr);
1726 			break;
1727 		default:
1728 			return 0;
1729 		}
1730 	}
1731 }
1732 
1733 /*
1734  * Buffers the given amount of input characters.  This is intended to be used
1735  * together with packet_read_poll.
1736  */
1737 
1738 int
1739 ssh_packet_process_incoming(struct ssh *ssh, const char *buf, u_int len)
1740 {
1741 	struct session_state *state = ssh->state;
1742 	int r;
1743 
1744 	if (state->packet_discard) {
1745 		state->keep_alive_timeouts = 0; /* ?? */
1746 		if (len >= state->packet_discard) {
1747 			if ((r = ssh_packet_stop_discard(ssh)) != 0)
1748 				return r;
1749 		}
1750 		state->packet_discard -= len;
1751 		return 0;
1752 	}
1753 	if ((r = sshbuf_put(ssh->state->input, buf, len)) != 0)
1754 		return r;
1755 
1756 	return 0;
1757 }
1758 
1759 int
1760 ssh_packet_remaining(struct ssh *ssh)
1761 {
1762 	return sshbuf_len(ssh->state->incoming_packet);
1763 }
1764 
1765 /*
1766  * Sends a diagnostic message from the server to the client.  This message
1767  * can be sent at any time (but not while constructing another message). The
1768  * message is printed immediately, but only if the client is being executed
1769  * in verbose mode.  These messages are primarily intended to ease debugging
1770  * authentication problems.   The length of the formatted message must not
1771  * exceed 1024 bytes.  This will automatically call ssh_packet_write_wait.
1772  */
1773 void
1774 ssh_packet_send_debug(struct ssh *ssh, const char *fmt,...)
1775 {
1776 	char buf[1024];
1777 	va_list args;
1778 	int r;
1779 
1780 	if ((ssh->compat & SSH_BUG_DEBUG))
1781 		return;
1782 
1783 	va_start(args, fmt);
1784 	vsnprintf(buf, sizeof(buf), fmt, args);
1785 	va_end(args);
1786 
1787 	debug3("sending debug message: %s", buf);
1788 
1789 	if ((r = sshpkt_start(ssh, SSH2_MSG_DEBUG)) != 0 ||
1790 	    (r = sshpkt_put_u8(ssh, 0)) != 0 || /* always display */
1791 	    (r = sshpkt_put_cstring(ssh, buf)) != 0 ||
1792 	    (r = sshpkt_put_cstring(ssh, "")) != 0 ||
1793 	    (r = sshpkt_send(ssh)) != 0 ||
1794 	    (r = ssh_packet_write_wait(ssh)) != 0)
1795 		fatal("%s: %s", __func__, ssh_err(r));
1796 }
1797 
1798 void
1799 sshpkt_fmt_connection_id(struct ssh *ssh, char *s, size_t l)
1800 {
1801 	snprintf(s, l, "%.200s%s%s port %d",
1802 	    ssh->log_preamble ? ssh->log_preamble : "",
1803 	    ssh->log_preamble ? " " : "",
1804 	    ssh_remote_ipaddr(ssh), ssh_remote_port(ssh));
1805 }
1806 
1807 /*
1808  * Pretty-print connection-terminating errors and exit.
1809  */
1810 void
1811 sshpkt_fatal(struct ssh *ssh, const char *tag, int r)
1812 {
1813 	char remote_id[512];
1814 
1815 	sshpkt_fmt_connection_id(ssh, remote_id, sizeof(remote_id));
1816 
1817 	switch (r) {
1818 	case SSH_ERR_CONN_CLOSED:
1819 		ssh_packet_clear_keys(ssh);
1820 		logdie("Connection closed by %s", remote_id);
1821 	case SSH_ERR_CONN_TIMEOUT:
1822 		ssh_packet_clear_keys(ssh);
1823 		logdie("Connection %s %s timed out",
1824 		    ssh->state->server_side ? "from" : "to", remote_id);
1825 	case SSH_ERR_DISCONNECTED:
1826 		ssh_packet_clear_keys(ssh);
1827 		logdie("Disconnected from %s", remote_id);
1828 	case SSH_ERR_SYSTEM_ERROR:
1829 		if (errno == ECONNRESET) {
1830 			ssh_packet_clear_keys(ssh);
1831 			logdie("Connection reset by %s", remote_id);
1832 		}
1833 		/* FALLTHROUGH */
1834 	case SSH_ERR_NO_CIPHER_ALG_MATCH:
1835 	case SSH_ERR_NO_MAC_ALG_MATCH:
1836 	case SSH_ERR_NO_COMPRESS_ALG_MATCH:
1837 	case SSH_ERR_NO_KEX_ALG_MATCH:
1838 	case SSH_ERR_NO_HOSTKEY_ALG_MATCH:
1839 		if (ssh && ssh->kex && ssh->kex->failed_choice) {
1840 			BLACKLIST_NOTIFY(BLACKLIST_AUTH_FAIL, "ssh");
1841 			ssh_packet_clear_keys(ssh);
1842 			logdie("Unable to negotiate with %s: %s. "
1843 			    "Their offer: %s", remote_id, ssh_err(r),
1844 			    ssh->kex->failed_choice);
1845 		}
1846 		/* FALLTHROUGH */
1847 	default:
1848 		ssh_packet_clear_keys(ssh);
1849 		logdie("%s%sConnection %s %s: %s",
1850 		    tag != NULL ? tag : "", tag != NULL ? ": " : "",
1851 		    ssh->state->server_side ? "from" : "to",
1852 		    remote_id, ssh_err(r));
1853 	}
1854 }
1855 
1856 /*
1857  * Logs the error plus constructs and sends a disconnect packet, closes the
1858  * connection, and exits.  This function never returns. The error message
1859  * should not contain a newline.  The length of the formatted message must
1860  * not exceed 1024 bytes.
1861  */
1862 void
1863 ssh_packet_disconnect(struct ssh *ssh, const char *fmt,...)
1864 {
1865 	char buf[1024], remote_id[512];
1866 	va_list args;
1867 	static int disconnecting = 0;
1868 	int r;
1869 
1870 	if (disconnecting)	/* Guard against recursive invocations. */
1871 		fatal("packet_disconnect called recursively.");
1872 	disconnecting = 1;
1873 
1874 	/*
1875 	 * Format the message.  Note that the caller must make sure the
1876 	 * message is of limited size.
1877 	 */
1878 	sshpkt_fmt_connection_id(ssh, remote_id, sizeof(remote_id));
1879 	va_start(args, fmt);
1880 	vsnprintf(buf, sizeof(buf), fmt, args);
1881 	va_end(args);
1882 
1883 	/* Display the error locally */
1884 	logit("Disconnecting %s: %.100s", remote_id, buf);
1885 
1886 	/*
1887 	 * Send the disconnect message to the other side, and wait
1888 	 * for it to get sent.
1889 	 */
1890 	if ((r = sshpkt_disconnect(ssh, "%s", buf)) != 0)
1891 		sshpkt_fatal(ssh, __func__, r);
1892 
1893 	if ((r = ssh_packet_write_wait(ssh)) != 0)
1894 		sshpkt_fatal(ssh, __func__, r);
1895 
1896 	/* Close the connection. */
1897 	ssh_packet_close(ssh);
1898 	cleanup_exit(255);
1899 }
1900 
1901 /*
1902  * Checks if there is any buffered output, and tries to write some of
1903  * the output.
1904  */
1905 int
1906 ssh_packet_write_poll(struct ssh *ssh)
1907 {
1908 	struct session_state *state = ssh->state;
1909 	int len = sshbuf_len(state->output);
1910 	int r;
1911 
1912 	if (len > 0) {
1913 		len = write(state->connection_out,
1914 		    sshbuf_ptr(state->output), len);
1915 		if (len == -1) {
1916 			if (errno == EINTR || errno == EAGAIN ||
1917 			    errno == EWOULDBLOCK)
1918 				return 0;
1919 			return SSH_ERR_SYSTEM_ERROR;
1920 		}
1921 		if (len == 0)
1922 			return SSH_ERR_CONN_CLOSED;
1923 		if ((r = sshbuf_consume(state->output, len)) != 0)
1924 			return r;
1925 	}
1926 	return 0;
1927 }
1928 
1929 /*
1930  * Calls packet_write_poll repeatedly until all pending output data has been
1931  * written.
1932  */
1933 int
1934 ssh_packet_write_wait(struct ssh *ssh)
1935 {
1936 	fd_set *setp;
1937 	int ret, r, ms_remain = 0;
1938 	struct timeval start, timeout, *timeoutp = NULL;
1939 	struct session_state *state = ssh->state;
1940 
1941 	setp = calloc(howmany(state->connection_out + 1,
1942 	    NFDBITS), sizeof(fd_mask));
1943 	if (setp == NULL)
1944 		return SSH_ERR_ALLOC_FAIL;
1945 	if ((r = ssh_packet_write_poll(ssh)) != 0) {
1946 		free(setp);
1947 		return r;
1948 	}
1949 	while (ssh_packet_have_data_to_write(ssh)) {
1950 		memset(setp, 0, howmany(state->connection_out + 1,
1951 		    NFDBITS) * sizeof(fd_mask));
1952 		FD_SET(state->connection_out, setp);
1953 
1954 		if (state->packet_timeout_ms > 0) {
1955 			ms_remain = state->packet_timeout_ms;
1956 			timeoutp = &timeout;
1957 		}
1958 		for (;;) {
1959 			if (state->packet_timeout_ms != -1) {
1960 				ms_to_timeval(&timeout, ms_remain);
1961 				monotime_tv(&start);
1962 			}
1963 			if ((ret = select(state->connection_out + 1,
1964 			    NULL, setp, NULL, timeoutp)) >= 0)
1965 				break;
1966 			if (errno != EAGAIN && errno != EINTR &&
1967 			    errno != EWOULDBLOCK)
1968 				break;
1969 			if (state->packet_timeout_ms == -1)
1970 				continue;
1971 			ms_subtract_diff(&start, &ms_remain);
1972 			if (ms_remain <= 0) {
1973 				ret = 0;
1974 				break;
1975 			}
1976 		}
1977 		if (ret == 0) {
1978 			free(setp);
1979 			return SSH_ERR_CONN_TIMEOUT;
1980 		}
1981 		if ((r = ssh_packet_write_poll(ssh)) != 0) {
1982 			free(setp);
1983 			return r;
1984 		}
1985 	}
1986 	free(setp);
1987 	return 0;
1988 }
1989 
1990 /* Returns true if there is buffered data to write to the connection. */
1991 
1992 int
1993 ssh_packet_have_data_to_write(struct ssh *ssh)
1994 {
1995 	return sshbuf_len(ssh->state->output) != 0;
1996 }
1997 
1998 /* Returns true if there is not too much data to write to the connection. */
1999 
2000 int
2001 ssh_packet_not_very_much_data_to_write(struct ssh *ssh)
2002 {
2003 	if (ssh->state->interactive_mode)
2004 		return sshbuf_len(ssh->state->output) < 16384;
2005 	else
2006 		return sshbuf_len(ssh->state->output) < 128 * 1024;
2007 }
2008 
2009 void
2010 ssh_packet_set_tos(struct ssh *ssh, int tos)
2011 {
2012 #ifndef IP_TOS_IS_BROKEN
2013 	if (!ssh_packet_connection_is_on_socket(ssh) || tos == INT_MAX)
2014 		return;
2015 	switch (ssh_packet_connection_af(ssh)) {
2016 # ifdef IP_TOS
2017 	case AF_INET:
2018 		debug3("%s: set IP_TOS 0x%02x", __func__, tos);
2019 		if (setsockopt(ssh->state->connection_in,
2020 		    IPPROTO_IP, IP_TOS, &tos, sizeof(tos)) < 0)
2021 			error("setsockopt IP_TOS %d: %.100s:",
2022 			    tos, strerror(errno));
2023 		break;
2024 # endif /* IP_TOS */
2025 # ifdef IPV6_TCLASS
2026 	case AF_INET6:
2027 		debug3("%s: set IPV6_TCLASS 0x%02x", __func__, tos);
2028 		if (setsockopt(ssh->state->connection_in,
2029 		    IPPROTO_IPV6, IPV6_TCLASS, &tos, sizeof(tos)) < 0)
2030 			error("setsockopt IPV6_TCLASS %d: %.100s:",
2031 			    tos, strerror(errno));
2032 		break;
2033 # endif /* IPV6_TCLASS */
2034 	}
2035 #endif /* IP_TOS_IS_BROKEN */
2036 }
2037 
2038 /* Informs that the current session is interactive.  Sets IP flags for that. */
2039 
2040 void
2041 ssh_packet_set_interactive(struct ssh *ssh, int interactive, int qos_interactive, int qos_bulk)
2042 {
2043 	struct session_state *state = ssh->state;
2044 
2045 	if (state->set_interactive_called)
2046 		return;
2047 	state->set_interactive_called = 1;
2048 
2049 	/* Record that we are in interactive mode. */
2050 	state->interactive_mode = interactive;
2051 
2052 	/* Only set socket options if using a socket.  */
2053 	if (!ssh_packet_connection_is_on_socket(ssh))
2054 		return;
2055 	set_nodelay(state->connection_in);
2056 	ssh_packet_set_tos(ssh, interactive ? qos_interactive :
2057 	    qos_bulk);
2058 }
2059 
2060 /* Returns true if the current connection is interactive. */
2061 
2062 int
2063 ssh_packet_is_interactive(struct ssh *ssh)
2064 {
2065 	return ssh->state->interactive_mode;
2066 }
2067 
2068 int
2069 ssh_packet_set_maxsize(struct ssh *ssh, u_int s)
2070 {
2071 	struct session_state *state = ssh->state;
2072 
2073 	if (state->set_maxsize_called) {
2074 		logit("packet_set_maxsize: called twice: old %d new %d",
2075 		    state->max_packet_size, s);
2076 		return -1;
2077 	}
2078 	if (s < 4 * 1024 || s > 1024 * 1024) {
2079 		logit("packet_set_maxsize: bad size %d", s);
2080 		return -1;
2081 	}
2082 	state->set_maxsize_called = 1;
2083 	debug("packet_set_maxsize: setting to %d", s);
2084 	state->max_packet_size = s;
2085 	return s;
2086 }
2087 
2088 int
2089 ssh_packet_inc_alive_timeouts(struct ssh *ssh)
2090 {
2091 	return ++ssh->state->keep_alive_timeouts;
2092 }
2093 
2094 void
2095 ssh_packet_set_alive_timeouts(struct ssh *ssh, int ka)
2096 {
2097 	ssh->state->keep_alive_timeouts = ka;
2098 }
2099 
2100 u_int
2101 ssh_packet_get_maxsize(struct ssh *ssh)
2102 {
2103 	return ssh->state->max_packet_size;
2104 }
2105 
2106 void
2107 ssh_packet_set_rekey_limits(struct ssh *ssh, u_int64_t bytes, u_int32_t seconds)
2108 {
2109 	debug3("rekey after %llu bytes, %u seconds", (unsigned long long)bytes,
2110 	    (unsigned int)seconds);
2111 	ssh->state->rekey_limit = bytes;
2112 	ssh->state->rekey_interval = seconds;
2113 }
2114 
2115 time_t
2116 ssh_packet_get_rekey_timeout(struct ssh *ssh)
2117 {
2118 	time_t seconds;
2119 
2120 	seconds = ssh->state->rekey_time + ssh->state->rekey_interval -
2121 	    monotime();
2122 	return (seconds <= 0 ? 1 : seconds);
2123 }
2124 
2125 void
2126 ssh_packet_set_server(struct ssh *ssh)
2127 {
2128 	ssh->state->server_side = 1;
2129 }
2130 
2131 void
2132 ssh_packet_set_authenticated(struct ssh *ssh)
2133 {
2134 	ssh->state->after_authentication = 1;
2135 }
2136 
2137 void *
2138 ssh_packet_get_input(struct ssh *ssh)
2139 {
2140 	return (void *)ssh->state->input;
2141 }
2142 
2143 void *
2144 ssh_packet_get_output(struct ssh *ssh)
2145 {
2146 	return (void *)ssh->state->output;
2147 }
2148 
2149 /* Reset after_authentication and reset compression in post-auth privsep */
2150 static int
2151 ssh_packet_set_postauth(struct ssh *ssh)
2152 {
2153 	int r;
2154 
2155 	debug("%s: called", __func__);
2156 	/* This was set in net child, but is not visible in user child */
2157 	ssh->state->after_authentication = 1;
2158 	ssh->state->rekeying = 0;
2159 	if ((r = ssh_packet_enable_delayed_compress(ssh)) != 0)
2160 		return r;
2161 	return 0;
2162 }
2163 
2164 /* Packet state (de-)serialization for privsep */
2165 
2166 /* turn kex into a blob for packet state serialization */
2167 static int
2168 kex_to_blob(struct sshbuf *m, struct kex *kex)
2169 {
2170 	int r;
2171 
2172 	if ((r = sshbuf_put_string(m, kex->session_id,
2173 	    kex->session_id_len)) != 0 ||
2174 	    (r = sshbuf_put_u32(m, kex->we_need)) != 0 ||
2175 	    (r = sshbuf_put_cstring(m, kex->hostkey_alg)) != 0 ||
2176 	    (r = sshbuf_put_u32(m, kex->hostkey_type)) != 0 ||
2177 	    (r = sshbuf_put_u32(m, kex->hostkey_nid)) != 0 ||
2178 	    (r = sshbuf_put_u32(m, kex->kex_type)) != 0 ||
2179 	    (r = sshbuf_put_stringb(m, kex->my)) != 0 ||
2180 	    (r = sshbuf_put_stringb(m, kex->peer)) != 0 ||
2181 	    (r = sshbuf_put_u32(m, kex->flags)) != 0 ||
2182 	    (r = sshbuf_put_cstring(m, kex->client_version_string)) != 0 ||
2183 	    (r = sshbuf_put_cstring(m, kex->server_version_string)) != 0)
2184 		return r;
2185 	return 0;
2186 }
2187 
2188 /* turn key exchange results into a blob for packet state serialization */
2189 static int
2190 newkeys_to_blob(struct sshbuf *m, struct ssh *ssh, int mode)
2191 {
2192 	struct sshbuf *b;
2193 	struct sshcipher_ctx *cc;
2194 	struct sshcomp *comp;
2195 	struct sshenc *enc;
2196 	struct sshmac *mac;
2197 	struct newkeys *newkey;
2198 	int r;
2199 
2200 	if ((newkey = ssh->state->newkeys[mode]) == NULL)
2201 		return SSH_ERR_INTERNAL_ERROR;
2202 	enc = &newkey->enc;
2203 	mac = &newkey->mac;
2204 	comp = &newkey->comp;
2205 	cc = (mode == MODE_OUT) ? ssh->state->send_context :
2206 	    ssh->state->receive_context;
2207 	if ((r = cipher_get_keyiv(cc, enc->iv, enc->iv_len)) != 0)
2208 		return r;
2209 	if ((b = sshbuf_new()) == NULL)
2210 		return SSH_ERR_ALLOC_FAIL;
2211 	if ((r = sshbuf_put_cstring(b, enc->name)) != 0 ||
2212 	    (r = sshbuf_put_u32(b, enc->enabled)) != 0 ||
2213 	    (r = sshbuf_put_u32(b, enc->block_size)) != 0 ||
2214 	    (r = sshbuf_put_string(b, enc->key, enc->key_len)) != 0 ||
2215 	    (r = sshbuf_put_string(b, enc->iv, enc->iv_len)) != 0)
2216 		goto out;
2217 	if (cipher_authlen(enc->cipher) == 0) {
2218 		if ((r = sshbuf_put_cstring(b, mac->name)) != 0 ||
2219 		    (r = sshbuf_put_u32(b, mac->enabled)) != 0 ||
2220 		    (r = sshbuf_put_string(b, mac->key, mac->key_len)) != 0)
2221 			goto out;
2222 	}
2223 	if ((r = sshbuf_put_u32(b, comp->type)) != 0 ||
2224 	    (r = sshbuf_put_cstring(b, comp->name)) != 0)
2225 		goto out;
2226 	r = sshbuf_put_stringb(m, b);
2227  out:
2228 	sshbuf_free(b);
2229 	return r;
2230 }
2231 
2232 /* serialize packet state into a blob */
2233 int
2234 ssh_packet_get_state(struct ssh *ssh, struct sshbuf *m)
2235 {
2236 	struct session_state *state = ssh->state;
2237 	int r;
2238 
2239 	if ((r = kex_to_blob(m, ssh->kex)) != 0 ||
2240 	    (r = newkeys_to_blob(m, ssh, MODE_OUT)) != 0 ||
2241 	    (r = newkeys_to_blob(m, ssh, MODE_IN)) != 0 ||
2242 	    (r = sshbuf_put_u64(m, state->rekey_limit)) != 0 ||
2243 	    (r = sshbuf_put_u32(m, state->rekey_interval)) != 0 ||
2244 	    (r = sshbuf_put_u32(m, state->p_send.seqnr)) != 0 ||
2245 	    (r = sshbuf_put_u64(m, state->p_send.blocks)) != 0 ||
2246 	    (r = sshbuf_put_u32(m, state->p_send.packets)) != 0 ||
2247 	    (r = sshbuf_put_u64(m, state->p_send.bytes)) != 0 ||
2248 	    (r = sshbuf_put_u32(m, state->p_read.seqnr)) != 0 ||
2249 	    (r = sshbuf_put_u64(m, state->p_read.blocks)) != 0 ||
2250 	    (r = sshbuf_put_u32(m, state->p_read.packets)) != 0 ||
2251 	    (r = sshbuf_put_u64(m, state->p_read.bytes)) != 0 ||
2252 	    (r = sshbuf_put_stringb(m, state->input)) != 0 ||
2253 	    (r = sshbuf_put_stringb(m, state->output)) != 0)
2254 		return r;
2255 
2256 	return 0;
2257 }
2258 
2259 /* restore key exchange results from blob for packet state de-serialization */
2260 static int
2261 newkeys_from_blob(struct sshbuf *m, struct ssh *ssh, int mode)
2262 {
2263 	struct sshbuf *b = NULL;
2264 	struct sshcomp *comp;
2265 	struct sshenc *enc;
2266 	struct sshmac *mac;
2267 	struct newkeys *newkey = NULL;
2268 	size_t keylen, ivlen, maclen;
2269 	int r;
2270 
2271 	if ((newkey = calloc(1, sizeof(*newkey))) == NULL) {
2272 		r = SSH_ERR_ALLOC_FAIL;
2273 		goto out;
2274 	}
2275 	if ((r = sshbuf_froms(m, &b)) != 0)
2276 		goto out;
2277 #ifdef DEBUG_PK
2278 	sshbuf_dump(b, stderr);
2279 #endif
2280 	enc = &newkey->enc;
2281 	mac = &newkey->mac;
2282 	comp = &newkey->comp;
2283 
2284 	if ((r = sshbuf_get_cstring(b, &enc->name, NULL)) != 0 ||
2285 	    (r = sshbuf_get_u32(b, (u_int *)&enc->enabled)) != 0 ||
2286 	    (r = sshbuf_get_u32(b, &enc->block_size)) != 0 ||
2287 	    (r = sshbuf_get_string(b, &enc->key, &keylen)) != 0 ||
2288 	    (r = sshbuf_get_string(b, &enc->iv, &ivlen)) != 0)
2289 		goto out;
2290 	if ((enc->cipher = cipher_by_name(enc->name)) == NULL) {
2291 		r = SSH_ERR_INVALID_FORMAT;
2292 		goto out;
2293 	}
2294 	if (cipher_authlen(enc->cipher) == 0) {
2295 		if ((r = sshbuf_get_cstring(b, &mac->name, NULL)) != 0)
2296 			goto out;
2297 		if ((r = mac_setup(mac, mac->name)) != 0)
2298 			goto out;
2299 		if ((r = sshbuf_get_u32(b, (u_int *)&mac->enabled)) != 0 ||
2300 		    (r = sshbuf_get_string(b, &mac->key, &maclen)) != 0)
2301 			goto out;
2302 		if (maclen > mac->key_len) {
2303 			r = SSH_ERR_INVALID_FORMAT;
2304 			goto out;
2305 		}
2306 		mac->key_len = maclen;
2307 	}
2308 	if ((r = sshbuf_get_u32(b, &comp->type)) != 0 ||
2309 	    (r = sshbuf_get_cstring(b, &comp->name, NULL)) != 0)
2310 		goto out;
2311 	if (sshbuf_len(b) != 0) {
2312 		r = SSH_ERR_INVALID_FORMAT;
2313 		goto out;
2314 	}
2315 	enc->key_len = keylen;
2316 	enc->iv_len = ivlen;
2317 	ssh->kex->newkeys[mode] = newkey;
2318 	newkey = NULL;
2319 	r = 0;
2320  out:
2321 	free(newkey);
2322 	sshbuf_free(b);
2323 	return r;
2324 }
2325 
2326 /* restore kex from blob for packet state de-serialization */
2327 static int
2328 kex_from_blob(struct sshbuf *m, struct kex **kexp)
2329 {
2330 	struct kex *kex;
2331 	int r;
2332 
2333 	if ((kex = calloc(1, sizeof(struct kex))) == NULL ||
2334 	    (kex->my = sshbuf_new()) == NULL ||
2335 	    (kex->peer = sshbuf_new()) == NULL) {
2336 		r = SSH_ERR_ALLOC_FAIL;
2337 		goto out;
2338 	}
2339 	if ((r = sshbuf_get_string(m, &kex->session_id, &kex->session_id_len)) != 0 ||
2340 	    (r = sshbuf_get_u32(m, &kex->we_need)) != 0 ||
2341 	    (r = sshbuf_get_cstring(m, &kex->hostkey_alg, NULL)) != 0 ||
2342 	    (r = sshbuf_get_u32(m, (u_int *)&kex->hostkey_type)) != 0 ||
2343 	    (r = sshbuf_get_u32(m, (u_int *)&kex->hostkey_nid)) != 0 ||
2344 	    (r = sshbuf_get_u32(m, &kex->kex_type)) != 0 ||
2345 	    (r = sshbuf_get_stringb(m, kex->my)) != 0 ||
2346 	    (r = sshbuf_get_stringb(m, kex->peer)) != 0 ||
2347 	    (r = sshbuf_get_u32(m, &kex->flags)) != 0 ||
2348 	    (r = sshbuf_get_cstring(m, &kex->client_version_string, NULL)) != 0 ||
2349 	    (r = sshbuf_get_cstring(m, &kex->server_version_string, NULL)) != 0)
2350 		goto out;
2351 	kex->server = 1;
2352 	kex->done = 1;
2353 	r = 0;
2354  out:
2355 	if (r != 0 || kexp == NULL) {
2356 		if (kex != NULL) {
2357 			sshbuf_free(kex->my);
2358 			sshbuf_free(kex->peer);
2359 			free(kex);
2360 		}
2361 		if (kexp != NULL)
2362 			*kexp = NULL;
2363 	} else {
2364 		*kexp = kex;
2365 	}
2366 	return r;
2367 }
2368 
2369 /*
2370  * Restore packet state from content of blob 'm' (de-serialization).
2371  * Note that 'm' will be partially consumed on parsing or any other errors.
2372  */
2373 int
2374 ssh_packet_set_state(struct ssh *ssh, struct sshbuf *m)
2375 {
2376 	struct session_state *state = ssh->state;
2377 	const u_char *input, *output;
2378 	size_t ilen, olen;
2379 	int r;
2380 
2381 	if ((r = kex_from_blob(m, &ssh->kex)) != 0 ||
2382 	    (r = newkeys_from_blob(m, ssh, MODE_OUT)) != 0 ||
2383 	    (r = newkeys_from_blob(m, ssh, MODE_IN)) != 0 ||
2384 	    (r = sshbuf_get_u64(m, &state->rekey_limit)) != 0 ||
2385 	    (r = sshbuf_get_u32(m, &state->rekey_interval)) != 0 ||
2386 	    (r = sshbuf_get_u32(m, &state->p_send.seqnr)) != 0 ||
2387 	    (r = sshbuf_get_u64(m, &state->p_send.blocks)) != 0 ||
2388 	    (r = sshbuf_get_u32(m, &state->p_send.packets)) != 0 ||
2389 	    (r = sshbuf_get_u64(m, &state->p_send.bytes)) != 0 ||
2390 	    (r = sshbuf_get_u32(m, &state->p_read.seqnr)) != 0 ||
2391 	    (r = sshbuf_get_u64(m, &state->p_read.blocks)) != 0 ||
2392 	    (r = sshbuf_get_u32(m, &state->p_read.packets)) != 0 ||
2393 	    (r = sshbuf_get_u64(m, &state->p_read.bytes)) != 0)
2394 		return r;
2395 	/*
2396 	 * We set the time here so that in post-auth privsep slave we
2397 	 * count from the completion of the authentication.
2398 	 */
2399 	state->rekey_time = monotime();
2400 	/* XXX ssh_set_newkeys overrides p_read.packets? XXX */
2401 	if ((r = ssh_set_newkeys(ssh, MODE_IN)) != 0 ||
2402 	    (r = ssh_set_newkeys(ssh, MODE_OUT)) != 0)
2403 		return r;
2404 
2405 	if ((r = ssh_packet_set_postauth(ssh)) != 0)
2406 		return r;
2407 
2408 	sshbuf_reset(state->input);
2409 	sshbuf_reset(state->output);
2410 	if ((r = sshbuf_get_string_direct(m, &input, &ilen)) != 0 ||
2411 	    (r = sshbuf_get_string_direct(m, &output, &olen)) != 0 ||
2412 	    (r = sshbuf_put(state->input, input, ilen)) != 0 ||
2413 	    (r = sshbuf_put(state->output, output, olen)) != 0)
2414 		return r;
2415 
2416 	if (sshbuf_len(m))
2417 		return SSH_ERR_INVALID_FORMAT;
2418 	debug3("%s: done", __func__);
2419 	return 0;
2420 }
2421 
2422 /* NEW API */
2423 
2424 /* put data to the outgoing packet */
2425 
2426 int
2427 sshpkt_put(struct ssh *ssh, const void *v, size_t len)
2428 {
2429 	return sshbuf_put(ssh->state->outgoing_packet, v, len);
2430 }
2431 
2432 int
2433 sshpkt_putb(struct ssh *ssh, const struct sshbuf *b)
2434 {
2435 	return sshbuf_putb(ssh->state->outgoing_packet, b);
2436 }
2437 
2438 int
2439 sshpkt_put_u8(struct ssh *ssh, u_char val)
2440 {
2441 	return sshbuf_put_u8(ssh->state->outgoing_packet, val);
2442 }
2443 
2444 int
2445 sshpkt_put_u32(struct ssh *ssh, u_int32_t val)
2446 {
2447 	return sshbuf_put_u32(ssh->state->outgoing_packet, val);
2448 }
2449 
2450 int
2451 sshpkt_put_u64(struct ssh *ssh, u_int64_t val)
2452 {
2453 	return sshbuf_put_u64(ssh->state->outgoing_packet, val);
2454 }
2455 
2456 int
2457 sshpkt_put_string(struct ssh *ssh, const void *v, size_t len)
2458 {
2459 	return sshbuf_put_string(ssh->state->outgoing_packet, v, len);
2460 }
2461 
2462 int
2463 sshpkt_put_cstring(struct ssh *ssh, const void *v)
2464 {
2465 	return sshbuf_put_cstring(ssh->state->outgoing_packet, v);
2466 }
2467 
2468 int
2469 sshpkt_put_stringb(struct ssh *ssh, const struct sshbuf *v)
2470 {
2471 	return sshbuf_put_stringb(ssh->state->outgoing_packet, v);
2472 }
2473 
2474 #ifdef WITH_OPENSSL
2475 #ifdef OPENSSL_HAS_ECC
2476 int
2477 sshpkt_put_ec(struct ssh *ssh, const EC_POINT *v, const EC_GROUP *g)
2478 {
2479 	return sshbuf_put_ec(ssh->state->outgoing_packet, v, g);
2480 }
2481 #endif /* OPENSSL_HAS_ECC */
2482 
2483 
2484 int
2485 sshpkt_put_bignum2(struct ssh *ssh, const BIGNUM *v)
2486 {
2487 	return sshbuf_put_bignum2(ssh->state->outgoing_packet, v);
2488 }
2489 #endif /* WITH_OPENSSL */
2490 
2491 /* fetch data from the incoming packet */
2492 
2493 int
2494 sshpkt_get(struct ssh *ssh, void *valp, size_t len)
2495 {
2496 	return sshbuf_get(ssh->state->incoming_packet, valp, len);
2497 }
2498 
2499 int
2500 sshpkt_get_u8(struct ssh *ssh, u_char *valp)
2501 {
2502 	return sshbuf_get_u8(ssh->state->incoming_packet, valp);
2503 }
2504 
2505 int
2506 sshpkt_get_u32(struct ssh *ssh, u_int32_t *valp)
2507 {
2508 	return sshbuf_get_u32(ssh->state->incoming_packet, valp);
2509 }
2510 
2511 int
2512 sshpkt_get_u64(struct ssh *ssh, u_int64_t *valp)
2513 {
2514 	return sshbuf_get_u64(ssh->state->incoming_packet, valp);
2515 }
2516 
2517 int
2518 sshpkt_get_string(struct ssh *ssh, u_char **valp, size_t *lenp)
2519 {
2520 	return sshbuf_get_string(ssh->state->incoming_packet, valp, lenp);
2521 }
2522 
2523 int
2524 sshpkt_get_string_direct(struct ssh *ssh, const u_char **valp, size_t *lenp)
2525 {
2526 	return sshbuf_get_string_direct(ssh->state->incoming_packet, valp, lenp);
2527 }
2528 
2529 int
2530 sshpkt_peek_string_direct(struct ssh *ssh, const u_char **valp, size_t *lenp)
2531 {
2532 	return sshbuf_peek_string_direct(ssh->state->incoming_packet, valp, lenp);
2533 }
2534 
2535 int
2536 sshpkt_get_cstring(struct ssh *ssh, char **valp, size_t *lenp)
2537 {
2538 	return sshbuf_get_cstring(ssh->state->incoming_packet, valp, lenp);
2539 }
2540 
2541 #ifdef WITH_OPENSSL
2542 #ifdef OPENSSL_HAS_ECC
2543 int
2544 sshpkt_get_ec(struct ssh *ssh, EC_POINT *v, const EC_GROUP *g)
2545 {
2546 	return sshbuf_get_ec(ssh->state->incoming_packet, v, g);
2547 }
2548 #endif /* OPENSSL_HAS_ECC */
2549 
2550 
2551 int
2552 sshpkt_get_bignum2(struct ssh *ssh, BIGNUM *v)
2553 {
2554 	return sshbuf_get_bignum2(ssh->state->incoming_packet, v);
2555 }
2556 #endif /* WITH_OPENSSL */
2557 
2558 int
2559 sshpkt_get_end(struct ssh *ssh)
2560 {
2561 	if (sshbuf_len(ssh->state->incoming_packet) > 0)
2562 		return SSH_ERR_UNEXPECTED_TRAILING_DATA;
2563 	return 0;
2564 }
2565 
2566 const u_char *
2567 sshpkt_ptr(struct ssh *ssh, size_t *lenp)
2568 {
2569 	if (lenp != NULL)
2570 		*lenp = sshbuf_len(ssh->state->incoming_packet);
2571 	return sshbuf_ptr(ssh->state->incoming_packet);
2572 }
2573 
2574 /* start a new packet */
2575 
2576 int
2577 sshpkt_start(struct ssh *ssh, u_char type)
2578 {
2579 	u_char buf[6]; /* u32 packet length, u8 pad len, u8 type */
2580 
2581 	DBG(debug("packet_start[%d]", type));
2582 	memset(buf, 0, sizeof(buf));
2583 	buf[sizeof(buf) - 1] = type;
2584 	sshbuf_reset(ssh->state->outgoing_packet);
2585 	return sshbuf_put(ssh->state->outgoing_packet, buf, sizeof(buf));
2586 }
2587 
2588 static int
2589 ssh_packet_send_mux(struct ssh *ssh)
2590 {
2591 	struct session_state *state = ssh->state;
2592 	u_char type, *cp;
2593 	size_t len;
2594 	int r;
2595 
2596 	if (ssh->kex)
2597 		return SSH_ERR_INTERNAL_ERROR;
2598 	len = sshbuf_len(state->outgoing_packet);
2599 	if (len < 6)
2600 		return SSH_ERR_INTERNAL_ERROR;
2601 	cp = sshbuf_mutable_ptr(state->outgoing_packet);
2602 	type = cp[5];
2603 	if (ssh_packet_log_type(type))
2604 		debug3("%s: type %u", __func__, type);
2605 	/* drop everything, but the connection protocol */
2606 	if (type >= SSH2_MSG_CONNECTION_MIN &&
2607 	    type <= SSH2_MSG_CONNECTION_MAX) {
2608 		POKE_U32(cp, len - 4);
2609 		if ((r = sshbuf_putb(state->output,
2610 		    state->outgoing_packet)) != 0)
2611 			return r;
2612 		/* sshbuf_dump(state->output, stderr); */
2613 	}
2614 	sshbuf_reset(state->outgoing_packet);
2615 	return 0;
2616 }
2617 
2618 /*
2619  * 9.2.  Ignored Data Message
2620  *
2621  *   byte      SSH_MSG_IGNORE
2622  *   string    data
2623  *
2624  * All implementations MUST understand (and ignore) this message at any
2625  * time (after receiving the protocol version). No implementation is
2626  * required to send them. This message can be used as an additional
2627  * protection measure against advanced traffic analysis techniques.
2628  */
2629 int
2630 sshpkt_msg_ignore(struct ssh *ssh, u_int nbytes)
2631 {
2632 	u_int32_t rnd = 0;
2633 	int r;
2634 	u_int i;
2635 
2636 	if ((r = sshpkt_start(ssh, SSH2_MSG_IGNORE)) != 0 ||
2637 	    (r = sshpkt_put_u32(ssh, nbytes)) != 0)
2638 		return r;
2639 	for (i = 0; i < nbytes; i++) {
2640 		if (i % 4 == 0)
2641 			rnd = arc4random();
2642 		if ((r = sshpkt_put_u8(ssh, (u_char)rnd & 0xff)) != 0)
2643 			return r;
2644 		rnd >>= 8;
2645 	}
2646 	return 0;
2647 }
2648 
2649 /* send it */
2650 
2651 int
2652 sshpkt_send(struct ssh *ssh)
2653 {
2654 	if (ssh->state && ssh->state->mux)
2655 		return ssh_packet_send_mux(ssh);
2656 	return ssh_packet_send2(ssh);
2657 }
2658 
2659 int
2660 sshpkt_disconnect(struct ssh *ssh, const char *fmt,...)
2661 {
2662 	char buf[1024];
2663 	va_list args;
2664 	int r;
2665 
2666 	va_start(args, fmt);
2667 	vsnprintf(buf, sizeof(buf), fmt, args);
2668 	va_end(args);
2669 
2670 	if ((r = sshpkt_start(ssh, SSH2_MSG_DISCONNECT)) != 0 ||
2671 	    (r = sshpkt_put_u32(ssh, SSH2_DISCONNECT_PROTOCOL_ERROR)) != 0 ||
2672 	    (r = sshpkt_put_cstring(ssh, buf)) != 0 ||
2673 	    (r = sshpkt_put_cstring(ssh, "")) != 0 ||
2674 	    (r = sshpkt_send(ssh)) != 0)
2675 		return r;
2676 	return 0;
2677 }
2678 
2679 /* roundup current message to pad bytes */
2680 int
2681 sshpkt_add_padding(struct ssh *ssh, u_char pad)
2682 {
2683 	ssh->state->extra_pad = pad;
2684 	return 0;
2685 }
2686