xref: /titanic_50/usr/src/cmd/ssh/libssh/common/packet.c (revision 2017c9656f884256b400be40fa25d96d630bf02a)
1 /*
2  * Author: Tatu Ylonen <ylo@cs.hut.fi>
3  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
4  *                    All rights reserved
5  * This file contains code implementing the packet protocol and communication
6  * with the other side.  This same code is used both on client and server side.
7  *
8  * As far as I am concerned, the code I have written for this software
9  * can be used freely for any purpose.  Any derived versions of this
10  * software must be clearly marked as such, and if the derived work is
11  * incompatible with the protocol description in the RFC file, it must be
12  * called by a name other than "ssh" or "Secure Shell".
13  *
14  *
15  * SSH2 packet format added by Markus Friedl.
16  * Copyright (c) 2000, 2001 Markus Friedl.  All rights reserved.
17  *
18  * Redistribution and use in source and binary forms, with or without
19  * modification, are permitted provided that the following conditions
20  * are met:
21  * 1. Redistributions of source code must retain the above copyright
22  *    notice, this list of conditions and the following disclaimer.
23  * 2. Redistributions in binary form must reproduce the above copyright
24  *    notice, this list of conditions and the following disclaimer in the
25  *    documentation and/or other materials provided with the distribution.
26  *
27  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
28  * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
29  * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
30  * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
31  * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
32  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
33  * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
34  * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
35  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
36  * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
37  */
38 /*
39  * Copyright 2009 Sun Microsystems, Inc.  All rights reserved.
40  * Use is subject to license terms.
41  */
42 
43 /* $OpenBSD: packet.c,v 1.148 2007/06/07 19:37:34 pvalchev Exp $ */
44 
45 #include "includes.h"
46 
47 #include "sys-queue.h"
48 #include "xmalloc.h"
49 #include "buffer.h"
50 #include "packet.h"
51 #include "bufaux.h"
52 #include "crc32.h"
53 #include "getput.h"
54 #include "compress.h"
55 #include "deattack.h"
56 #include "channels.h"
57 #include "compat.h"
58 #include "ssh1.h"
59 #include "ssh2.h"
60 #include "cipher.h"
61 #include "kex.h"
62 #include "mac.h"
63 #include "log.h"
64 #include "canohost.h"
65 #include "misc.h"
66 #include "ssh.h"
67 #include "engine.h"
68 
69 /* PKCS#11 engine */
70 ENGINE *e;
71 
72 #ifdef ALTPRIVSEP
73 static int packet_server = 0;
74 static int packet_monitor = 0;
75 #endif /* ALTPRIVSEP */
76 
77 #ifdef PACKET_DEBUG
78 #define DBG(x) x
79 #else
80 #define DBG(x)
81 #endif
82 
83 static void packet_send2(void);
84 
85 /*
86  * This variable contains the file descriptors used for communicating with
87  * the other side.  connection_in is used for reading; connection_out for
88  * writing.  These can be the same descriptor, in which case it is assumed to
89  * be a socket.
90  */
91 static int connection_in = -1;
92 static int connection_out = -1;
93 
94 /* Protocol flags for the remote side. */
95 static u_int remote_protocol_flags = 0;
96 
97 /* Encryption context for receiving data.  This is only used for decryption. */
98 static CipherContext receive_context;
99 
100 /* Encryption context for sending data.  This is only used for encryption. */
101 static CipherContext send_context;
102 
103 /* Buffer for raw input data from the socket. */
104 Buffer input;
105 
106 /* Buffer for raw output data going to the socket. */
107 Buffer output;
108 
109 /* Buffer for the partial outgoing packet being constructed. */
110 static Buffer outgoing_packet;
111 
112 /* Buffer for the incoming packet currently being processed. */
113 static Buffer incoming_packet;
114 
115 /* Scratch buffer for packet compression/decompression. */
116 static Buffer compression_buffer;
117 static int compression_buffer_ready = 0;
118 
119 /* Flag indicating whether packet compression/decompression is enabled. */
120 static int packet_compression = 0;
121 
122 /* default maximum packet size */
123 int max_packet_size = 32768;
124 
125 /* Flag indicating whether this module has been initialized. */
126 static int initialized = 0;
127 
128 /* Set to true if the connection is interactive. */
129 static int interactive_mode = 0;
130 
131 /* Session key information for Encryption and MAC */
132 Newkeys *newkeys[MODE_MAX];
133 static struct packet_state {
134 	u_int32_t seqnr;
135 	u_int32_t packets;
136 	u_int64_t blocks;
137 } p_read, p_send;
138 
139 static u_int64_t max_blocks_in, max_blocks_out;
140 static u_int32_t rekey_limit;
141 
142 /* Session key for protocol v1 */
143 static u_char ssh1_key[SSH_SESSION_KEY_LENGTH];
144 static u_int ssh1_keylen;
145 
146 /* roundup current message to extra_pad bytes */
147 static u_char extra_pad = 0;
148 
149 struct packet {
150 	TAILQ_ENTRY(packet) next;
151 	u_char type;
152 	Buffer payload;
153 };
154 TAILQ_HEAD(, packet) outgoing;
155 
156 /*
157  * Part of what -f option and ~& escape sequence do in the client is that they
158  * will force it to daemonize itself. Due to the fork safety rules inherent in
159  * any PKCS#11 environment, if the engine is used we must do a key re-exchange
160  * before forking a child to negotiate the new keys. Those keys will be used to
161  * inicialize the new crypto contexts. This involves finishing the engine in the
162  * parent and reinitializing it again in both processes after fork() returns.
163  * This approach also leaves protocol 1 out since it doesn't support rekeying.
164  */
165 int will_daemonize;
166 
167 #ifdef	PACKET_DEBUG
168 /* This function dumps data onto stderr. This is for debugging only. */
169 void
170 data_dump(void *data, u_int len)
171 {
172 	Buffer buf;
173 
174 	buffer_init(&buf);
175 	buffer_append(&buf, data, len);
176 	buffer_dump(&buf);
177 	buffer_free(&buf);
178 }
179 #endif
180 
181 /*
182  * Sets the descriptors used for communication.  Disables encryption until
183  * packet_set_encryption_key is called.
184  */
185 void
186 packet_set_connection(int fd_in, int fd_out)
187 {
188 	Cipher *none = cipher_by_name("none");
189 
190 	if (none == NULL)
191 		fatal("packet_set_connection: cannot load cipher 'none'");
192 	connection_in = fd_in;
193 	connection_out = fd_out;
194 	cipher_init(&send_context, none, (unsigned char *) "", 0, NULL, 0, CIPHER_ENCRYPT);
195 	cipher_init(&receive_context, none, (unsigned char *) "", 0, NULL, 0, CIPHER_DECRYPT);
196 	newkeys[MODE_IN] = newkeys[MODE_OUT] = NULL;
197 	if (!initialized) {
198 		initialized = 1;
199 		buffer_init(&input);
200 		buffer_init(&output);
201 		buffer_init(&outgoing_packet);
202 		buffer_init(&incoming_packet);
203 		TAILQ_INIT(&outgoing);
204 	} else {
205 		buffer_clear(&input);
206 		buffer_clear(&output);
207 		buffer_clear(&outgoing_packet);
208 		buffer_clear(&incoming_packet);
209 	}
210 
211 	/*
212 	 * Prime the cache for get_remote_ipaddr() while we have a
213 	 * socket on which to do a getpeername().
214 	 */
215 	(void) get_remote_ipaddr();
216 
217 	/* Kludge: arrange the close function to be called from fatal(). */
218 	fatal_add_cleanup((void (*) (void *)) packet_close, NULL);
219 }
220 
221 /* Returns 1 if remote host is connected via socket, 0 if not. */
222 
223 int
224 packet_connection_is_on_socket(void)
225 {
226 	struct sockaddr_storage from, to;
227 	socklen_t fromlen, tolen;
228 
229 	/* filedescriptors in and out are the same, so it's a socket */
230 	if (connection_in != -1 && connection_in == connection_out)
231 		return 1;
232 	fromlen = sizeof(from);
233 	memset(&from, 0, sizeof(from));
234 	if (getpeername(connection_in, (struct sockaddr *)&from, &fromlen) < 0)
235 		return 0;
236 	tolen = sizeof(to);
237 	memset(&to, 0, sizeof(to));
238 	if (getpeername(connection_out, (struct sockaddr *)&to, &tolen) < 0)
239 		return 0;
240 	if (fromlen != tolen || memcmp(&from, &to, fromlen) != 0)
241 		return 0;
242 	if (from.ss_family != AF_INET && from.ss_family != AF_INET6)
243 		return 0;
244 	return 1;
245 }
246 
247 /* returns 1 if connection is via ipv4 */
248 
249 int
250 packet_connection_is_ipv4(void)
251 {
252 	struct sockaddr_storage to;
253 	socklen_t tolen = sizeof(to);
254 
255 	memset(&to, 0, sizeof(to));
256 	if (getsockname(connection_out, (struct sockaddr *)&to, &tolen) < 0)
257 		return 0;
258 	if (to.ss_family == AF_INET)
259 		return 1;
260 #ifdef IPV4_IN_IPV6
261 	if (to.ss_family == AF_INET6 &&
262 	    IN6_IS_ADDR_V4MAPPED(&((struct sockaddr_in6 *)&to)->sin6_addr))
263 		return 1;
264 #endif
265 	return 0;
266 }
267 
268 /* Sets the connection into non-blocking mode. */
269 
270 void
271 packet_set_nonblocking(void)
272 {
273 	/* Set the socket into non-blocking mode. */
274 	if (fcntl(connection_in, F_SETFL, O_NONBLOCK) < 0)
275 		error("fcntl O_NONBLOCK: %.100s", strerror(errno));
276 
277 	if (connection_out != connection_in) {
278 		if (fcntl(connection_out, F_SETFL, O_NONBLOCK) < 0)
279 			error("fcntl O_NONBLOCK: %.100s", strerror(errno));
280 	}
281 }
282 
283 /* Returns the socket used for reading. */
284 
285 int
286 packet_get_connection_in(void)
287 {
288 	return connection_in;
289 }
290 
291 /* Returns the descriptor used for writing. */
292 
293 int
294 packet_get_connection_out(void)
295 {
296 	return connection_out;
297 }
298 
299 /* Closes the connection and clears and frees internal data structures. */
300 
301 void
302 packet_close(void)
303 {
304 	if (!initialized)
305 		return;
306 	initialized = 0;
307 	if (connection_in == connection_out) {
308 		shutdown(connection_out, SHUT_RDWR);
309 		close(connection_out);
310 	} else {
311 		close(connection_in);
312 		close(connection_out);
313 	}
314 	buffer_free(&input);
315 	buffer_free(&output);
316 	buffer_free(&outgoing_packet);
317 	buffer_free(&incoming_packet);
318 	if (compression_buffer_ready) {
319 		buffer_free(&compression_buffer);
320 		buffer_compress_uninit();
321 		compression_buffer_ready = 0;
322 	}
323 	cipher_cleanup(&send_context);
324 	cipher_cleanup(&receive_context);
325 }
326 
327 /* Sets remote side protocol flags. */
328 
329 void
330 packet_set_protocol_flags(u_int protocol_flags)
331 {
332 	remote_protocol_flags = protocol_flags;
333 }
334 
335 /* Returns the remote protocol flags set earlier by the above function. */
336 
337 u_int
338 packet_get_protocol_flags(void)
339 {
340 	return remote_protocol_flags;
341 }
342 
343 /*
344  * Starts packet compression from the next packet on in both directions.
345  * Level is compression level 1 (fastest) - 9 (slow, best) as in gzip.
346  */
347 
348 static void
349 packet_init_compression(void)
350 {
351 	if (compression_buffer_ready == 1)
352 		return;
353 	compression_buffer_ready = 1;
354 	buffer_init(&compression_buffer);
355 }
356 
357 void
358 packet_start_compression(int level)
359 {
360 #ifdef ALTPRIVSEP
361 	/* shouldn't happen! */
362 	if (packet_monitor)
363 		fatal("INTERNAL ERROR: The monitor cannot compress.");
364 #endif /* ALTPRIVSEP */
365 
366 	if (packet_compression && !compat20)
367 		fatal("Compression already enabled.");
368 	packet_compression = 1;
369 	packet_init_compression();
370 	buffer_compress_init_send(level);
371 	buffer_compress_init_recv();
372 }
373 
374 /*
375  * Causes any further packets to be encrypted using the given key.  The same
376  * key is used for both sending and reception.  However, both directions are
377  * encrypted independently of each other.
378  */
379 
380 void
381 packet_set_encryption_key(const u_char *key, u_int keylen,
382     int number)
383 {
384 	Cipher *cipher = cipher_by_number(number);
385 
386 	if (cipher == NULL)
387 		fatal("packet_set_encryption_key: unknown cipher number %d", number);
388 	if (keylen < 20)
389 		fatal("packet_set_encryption_key: keylen too small: %d", keylen);
390 	if (keylen > SSH_SESSION_KEY_LENGTH)
391 		fatal("packet_set_encryption_key: keylen too big: %d", keylen);
392 	memcpy(ssh1_key, key, keylen);
393 	ssh1_keylen = keylen;
394 	cipher_init(&send_context, cipher, key, keylen, NULL, 0, CIPHER_ENCRYPT);
395 	cipher_init(&receive_context, cipher, key, keylen, NULL, 0, CIPHER_DECRYPT);
396 }
397 
398 u_int
399 packet_get_encryption_key(u_char *key)
400 {
401 	if (key == NULL)
402 		return (ssh1_keylen);
403 	memcpy(key, ssh1_key, ssh1_keylen);
404 	return (ssh1_keylen);
405 }
406 
407 /* Start constructing a packet to send. */
408 void
409 packet_start(u_char type)
410 {
411 	u_char buf[9];
412 	int len;
413 
414 	DBG(debug("packet_start[%d]", type));
415 	len = compat20 ? 6 : 9;
416 	memset(buf, 0, len - 1);
417 	buf[len - 1] = type;
418 	buffer_clear(&outgoing_packet);
419 	buffer_append(&outgoing_packet, buf, len);
420 }
421 
422 /* Append payload. */
423 void
424 packet_put_char(int value)
425 {
426 	char ch = value;
427 
428 	buffer_append(&outgoing_packet, &ch, 1);
429 }
430 
431 void
432 packet_put_int(u_int value)
433 {
434 	buffer_put_int(&outgoing_packet, value);
435 }
436 
437 void
438 packet_put_string(const void *buf, u_int len)
439 {
440 	buffer_put_string(&outgoing_packet, buf, len);
441 }
442 
443 void
444 packet_put_cstring(const char *str)
445 {
446 	buffer_put_cstring(&outgoing_packet, str);
447 }
448 
449 void
450 packet_put_ascii_cstring(const char *str)
451 {
452 	buffer_put_ascii_cstring(&outgoing_packet, str);
453 }
454 void
455 packet_put_utf8_cstring(const u_char *str)
456 {
457 	buffer_put_utf8_cstring(&outgoing_packet, str);
458 }
459 #if 0
460 void
461 packet_put_ascii_string(const void *buf, u_int len)
462 {
463 	buffer_put_ascii_string(&outgoing_packet, buf, len);
464 }
465 void
466 packet_put_utf8_string(const void *buf, u_int len)
467 {
468 	buffer_put_utf8_string(&outgoing_packet, buf, len);
469 }
470 #endif
471 void
472 packet_put_raw(const void *buf, u_int len)
473 {
474 	buffer_append(&outgoing_packet, buf, len);
475 }
476 
477 void
478 packet_put_bignum(BIGNUM * value)
479 {
480 	buffer_put_bignum(&outgoing_packet, value);
481 }
482 
483 void
484 packet_put_bignum2(BIGNUM * value)
485 {
486 	buffer_put_bignum2(&outgoing_packet, value);
487 }
488 
489 /*
490  * Finalizes and sends the packet.  If the encryption key has been set,
491  * encrypts the packet before sending.
492  */
493 
494 static void
495 packet_send1(void)
496 {
497 	u_char buf[8], *cp;
498 	int i, padding, len;
499 	u_int checksum;
500 	u_int32_t rnd = 0;
501 
502 	/*
503 	 * If using packet compression, compress the payload of the outgoing
504 	 * packet.
505 	 */
506 	if (packet_compression) {
507 		buffer_clear(&compression_buffer);
508 		/* Skip padding. */
509 		buffer_consume(&outgoing_packet, 8);
510 		/* padding */
511 		buffer_append(&compression_buffer, "\0\0\0\0\0\0\0\0", 8);
512 		buffer_compress(&outgoing_packet, &compression_buffer);
513 		buffer_clear(&outgoing_packet);
514 		buffer_append(&outgoing_packet, buffer_ptr(&compression_buffer),
515 		    buffer_len(&compression_buffer));
516 	}
517 	/* Compute packet length without padding (add checksum, remove padding). */
518 	len = buffer_len(&outgoing_packet) + 4 - 8;
519 
520 	/* Insert padding. Initialized to zero in packet_start1() */
521 	padding = 8 - len % 8;
522 	if (!send_context.plaintext) {
523 		cp = buffer_ptr(&outgoing_packet);
524 		for (i = 0; i < padding; i++) {
525 			if (i % 4 == 0)
526 				rnd = arc4random();
527 			cp[7 - i] = rnd & 0xff;
528 			rnd >>= 8;
529 		}
530 	}
531 	buffer_consume(&outgoing_packet, 8 - padding);
532 
533 	/* Add check bytes. */
534 	checksum = ssh_crc32(buffer_ptr(&outgoing_packet),
535 	    buffer_len(&outgoing_packet));
536 	PUT_32BIT(buf, checksum);
537 	buffer_append(&outgoing_packet, buf, 4);
538 
539 #ifdef PACKET_DEBUG
540 	fprintf(stderr, "packet_send plain: ");
541 	buffer_dump(&outgoing_packet);
542 #endif
543 
544 	/* Append to output. */
545 	PUT_32BIT(buf, len);
546 	buffer_append(&output, buf, 4);
547 	cp = buffer_append_space(&output, buffer_len(&outgoing_packet));
548 	cipher_crypt(&send_context, cp, buffer_ptr(&outgoing_packet),
549 	    buffer_len(&outgoing_packet));
550 
551 #ifdef PACKET_DEBUG
552 	debug("encrypted output queue now contains (%d bytes):\n",
553 	    buffer_len(&output));
554 	buffer_dump(&output);
555 #endif
556 
557 	buffer_clear(&outgoing_packet);
558 
559 	/*
560 	 * Note that the packet is now only buffered in output.  It won\'t be
561 	 * actually sent until packet_write_wait or packet_write_poll is
562 	 * called.
563 	 */
564 }
565 
566 void
567 set_newkeys(int mode)
568 {
569 	Enc *enc;
570 	Mac *mac;
571 	Comp *comp;
572 	CipherContext *cc;
573 	u_int64_t *max_blocks;
574 	int crypt_type;
575 
576 	debug2("set_newkeys: mode %d", mode);
577 
578 	if (mode == MODE_OUT) {
579 		cc = &send_context;
580 		crypt_type = CIPHER_ENCRYPT;
581 		p_send.packets = p_send.blocks = 0;
582 		max_blocks = &max_blocks_out;
583 	} else {
584 		cc = &receive_context;
585 		crypt_type = CIPHER_DECRYPT;
586 		p_read.packets = p_read.blocks = 0;
587 		max_blocks = &max_blocks_in;
588 	}
589 
590 	debug("set_newkeys: setting new keys for '%s' mode",
591 	    mode == MODE_IN ? "in" : "out");
592 
593 	if (newkeys[mode] != NULL) {
594 		cipher_cleanup(cc);
595 		free_keys(newkeys[mode]);
596 	}
597 
598 	newkeys[mode] = kex_get_newkeys(mode);
599 	if (newkeys[mode] == NULL)
600 		fatal("newkeys: no keys for mode %d", mode);
601 	enc  = &newkeys[mode]->enc;
602 	mac  = &newkeys[mode]->mac;
603 	comp = &newkeys[mode]->comp;
604 	if (mac_init(mac) == 0)
605 		mac->enabled = 1;
606 #ifdef	PACKET_DEBUG
607 	debug("new encryption key:\n");
608 	data_dump(enc->key, enc->key_len);
609 	debug("new encryption IV:\n");
610 	data_dump(enc->iv, enc->block_size);
611 	debug("new MAC key:\n");
612 	data_dump(mac->key, mac->key_len);
613 #endif
614 	cipher_init(cc, enc->cipher, enc->key, enc->key_len,
615 	    enc->iv, enc->block_size, crypt_type);
616 	/* Deleting the keys does not gain extra security */
617 	/* memset(enc->iv,  0, enc->block_size);
618 	   memset(enc->key, 0, enc->key_len); */
619 	if (comp->type != 0 && comp->enabled == 0) {
620 		packet_init_compression();
621 		if (mode == MODE_OUT)
622 			buffer_compress_init_send(6);
623 		else
624 			buffer_compress_init_recv();
625 		comp->enabled = 1;
626 	}
627 
628 	/*
629 	 * In accordance to the RFCs listed below we enforce the key
630 	 * re-exchange for:
631 	 *
632 	 * - every 1GB of transmitted data if the selected cipher block size
633 	 *   is less than 16 bytes (3DES, Blowfish)
634 	 * - every 2^(2*B) cipher blocks transmitted (B is block size in bytes)
635 	 *   if the cipher block size is greater than or equal to 16 bytes (AES)
636 	 * - and we never send more than 2^32 SSH packets using the same keys.
637 	 *   The recommendation of 2^31 packets is not enforced here but in
638 	 *   packet_need_rekeying(). There is also a hard check in
639 	 *   packet_send2_wrapped() that we don't send more than 2^32 packets.
640 	 *
641 	 * Note that if the SSH_BUG_NOREKEY compatibility flag is set then no
642 	 * automatic rekeying is performed nor do we enforce the 3rd rule.
643 	 * This means that we can be always forced by the opposite side to never
644 	 * initiate automatic key re-exchange. This might change in the future.
645 	 *
646 	 * The RekeyLimit option keyword may only enforce more frequent key
647 	 * renegotiation, never less. For more information on key renegotiation,
648 	 * see:
649 	 *
650 	 * - RFC 4253 (SSH Transport Layer Protocol), section "9. Key
651 	 *   Re-Exchange"
652 	 * - RFC 4344 (SSH Transport Layer Encryption Modes), sections "3.
653 	 *   Rekeying" and "6.1 Rekeying Considerations"
654 	 */
655 	if (enc->block_size >= 16)
656 		*max_blocks = (u_int64_t)1 << (enc->block_size * 2);
657 	else
658 		*max_blocks = ((u_int64_t)1 << 30) / enc->block_size;
659 
660 	if (rekey_limit)
661 		*max_blocks = MIN(*max_blocks, rekey_limit / enc->block_size);
662 }
663 
664 void
665 free_keys(Newkeys *keys)
666 {
667 	Enc *enc;
668 	Mac *mac;
669 	Comp *comp;
670 
671 	enc  = &keys->enc;
672 	mac  = &keys->mac;
673 	comp = &keys->comp;
674 	xfree(enc->name);
675 	xfree(enc->iv);
676 	xfree(enc->key);
677 
678 	memset(mac->key, 0, mac->key_len);
679 	xfree(mac->key);
680 	xfree(mac->name);
681 	mac_clear(mac);
682 
683 	xfree(comp->name);
684 	xfree(keys);
685 }
686 
687 /*
688  * Process SSH2_MSG_NEWKEYS message. If we are using the engine we must have
689  * both SSH2_MSG_NEWKEYS processed before we can finish the engine, fork, and
690  * reinitialize the crypto contexts. We can't fork before processing the 2nd
691  * message otherwise we couldn't encrypt/decrypt that message at all - note that
692  * parent's PKCS#11 sessions are useless after the fork and we must process
693  * both SSH2_MSG_NEWKEYS messages using the old keys.
694  */
695 void
696 process_newkeys(int mode)
697 {
698 	/* this function is for the client only */
699 	if (packet_is_server() != 0)
700 		return;
701 
702 	if (will_daemonize == FIRST_NEWKEYS_PROCESSED) {
703 		debug3("both SSH2_MSG_NEWKEYS processed, will daemonize now");
704 		cipher_cleanup(&send_context);
705 		cipher_cleanup(&receive_context);
706 		pkcs11_engine_finish(e);
707 		if (daemon(1, 1) < 0) {
708 			fatal("daemon() failed: %.200s",
709 			    strerror(errno));
710 		}
711 		e = pkcs11_engine_load(e != NULL ? 1 : 0);
712 
713 		set_newkeys(MODE_OUT);
714 		set_newkeys(MODE_IN);
715 		will_daemonize = SECOND_NEWKEYS_PROCESSED;
716 		packet_send2();
717 	} else {
718 		if (will_daemonize == DAEMONIZING_REQUESTED)
719 			will_daemonize = FIRST_NEWKEYS_PROCESSED;
720 		else
721 			set_newkeys(mode);
722 	}
723 }
724 
725 /*
726  * Finalize packet in SSH2 format (compress, mac, encrypt, enqueue)
727  */
728 static void
729 packet_send2_wrapped(void)
730 {
731 	u_char type, *cp, *macbuf = NULL;
732 	u_char padlen, pad;
733 	u_int packet_length = 0;
734 	u_int i, len;
735 	u_int32_t rnd = 0;
736 	Enc *enc   = NULL;
737 	Mac *mac   = NULL;
738 	Comp *comp = NULL;
739 	int block_size;
740 
741 	if (newkeys[MODE_OUT] != NULL) {
742 		enc  = &newkeys[MODE_OUT]->enc;
743 		mac  = &newkeys[MODE_OUT]->mac;
744 		comp = &newkeys[MODE_OUT]->comp;
745 	}
746 	block_size = enc ? enc->block_size : 8;
747 
748 	cp = buffer_ptr(&outgoing_packet);
749 	type = cp[5];
750 
751 #ifdef PACKET_DEBUG
752 	debug("plain output packet to be processed (%d bytes):\n",
753 	    buffer_len(&outgoing_packet));
754 	buffer_dump(&outgoing_packet);
755 #endif
756 
757 	if (comp && comp->enabled) {
758 		len = buffer_len(&outgoing_packet);
759 		/* skip header, compress only payload */
760 		buffer_consume(&outgoing_packet, 5);
761 		buffer_clear(&compression_buffer);
762 		buffer_compress(&outgoing_packet, &compression_buffer);
763 		buffer_clear(&outgoing_packet);
764 		buffer_append(&outgoing_packet, "\0\0\0\0\0", 5);
765 		buffer_append(&outgoing_packet, buffer_ptr(&compression_buffer),
766 		    buffer_len(&compression_buffer));
767 		DBG(debug("compression: raw %d compressed %d", len,
768 		    buffer_len(&outgoing_packet)));
769 	}
770 
771 	/* sizeof (packet_len + pad_len + payload) */
772 	len = buffer_len(&outgoing_packet);
773 
774 	/*
775 	 * calc size of padding, alloc space, get random data,
776 	 * minimum padding is 4 bytes
777 	 */
778 	padlen = block_size - (len % block_size);
779 	if (padlen < 4)
780 		padlen += block_size;
781 	if (extra_pad) {
782 		/* will wrap if extra_pad+padlen > 255 */
783 		extra_pad  = roundup(extra_pad, block_size);
784 		pad = extra_pad - ((len + padlen) % extra_pad);
785 		debug3("packet_send2: adding %d (len %d padlen %d extra_pad %d)",
786 		    pad, len, padlen, extra_pad);
787 		padlen += pad;
788 		extra_pad = 0;
789 	}
790 	cp = buffer_append_space(&outgoing_packet, padlen);
791 	if (enc && !send_context.plaintext) {
792 		/* random padding */
793 		for (i = 0; i < padlen; i++) {
794 			if (i % 4 == 0)
795 				rnd = arc4random();
796 			cp[i] = rnd & 0xff;
797 			rnd >>= 8;
798 		}
799 	} else {
800 		/* clear padding */
801 		memset(cp, 0, padlen);
802 	}
803 	/* packet_length includes payload, padding and padding length field */
804 	packet_length = buffer_len(&outgoing_packet) - 4;
805 	cp = buffer_ptr(&outgoing_packet);
806 	PUT_32BIT(cp, packet_length);
807 	cp[4] = padlen;
808 	DBG(debug("will send %d bytes (includes padlen %d)",
809 	    packet_length + 4, padlen));
810 
811 	/* compute MAC over seqnr and packet(length fields, payload, padding) */
812 	if (mac && mac->enabled) {
813 		macbuf = mac_compute(mac, p_send.seqnr,
814 		    buffer_ptr(&outgoing_packet),
815 		    buffer_len(&outgoing_packet));
816 		DBG(debug("done calc MAC out #%d", p_send.seqnr));
817 	}
818 	/* encrypt packet and append to output buffer. */
819 	cp = buffer_append_space(&output, buffer_len(&outgoing_packet));
820 	cipher_crypt(&send_context, cp, buffer_ptr(&outgoing_packet),
821 	    buffer_len(&outgoing_packet));
822 	/* append unencrypted MAC */
823 	if (mac && mac->enabled)
824 		buffer_append(&output, (char *)macbuf, mac->mac_len);
825 #ifdef PACKET_DEBUG
826 	debug("encrypted output queue now contains (%d bytes):\n",
827 	    buffer_len(&output));
828 	buffer_dump(&output);
829 #endif
830 	/* increment sequence number for outgoing packets */
831 	if (++p_send.seqnr == 0)
832 		log("outgoing seqnr wraps around");
833 
834 	/*
835 	 * RFC 4344: 3.1. First Rekeying Recommendation
836 	 *
837 	 * "Because of possible information leakage through the MAC tag after a
838 	 * key exchange, .... an SSH implementation SHOULD NOT send more than
839 	 * 2**32 packets before rekeying again."
840 	 *
841 	 * The code below is a hard check so that we are sure we don't go across
842 	 * the suggestion. However, since the largest cipher block size we have
843 	 * (AES) is 16 bytes we can't reach 2^32 SSH packets encrypted with the
844 	 * same key while performing periodic rekeying.
845 	 */
846 	if (++p_send.packets == 0)
847 		if (!(datafellows & SSH_BUG_NOREKEY))
848 			fatal("too many packets encrypted with same key");
849 	p_send.blocks += (packet_length + 4) / block_size;
850 	buffer_clear(&outgoing_packet);
851 
852 	if (type == SSH2_MSG_NEWKEYS) {
853 		/*
854 		 * set_newkeys(MODE_OUT) in the client. Note that in the
855 		 * unprivileged child, set_newkeys() for MODE_OUT are set after
856 		 * SSH2_MSG_NEWKEYS is read from the monitor and forwarded to
857 		 * the client side.
858 		 */
859 		process_newkeys(MODE_OUT);
860 	}
861 }
862 
863 /*
864  * Packets we deal with here are plain until we encrypt them in
865  * packet_send2_wrapped().
866  *
867  * As already mentioned in a comment at process_newkeys() function we must not
868  * fork() until both SSH2_MSG_NEWKEYS packets were processed. Until this is done
869  * we must queue all packets so that they can be encrypted with the new keys and
870  * then sent to the other side. However, what can happen here is that we get
871  * SSH2_MSG_NEWKEYS after we sent it. In that situation we must call
872  * packet_send2() anyway to empty the queue, and set the rekey flag to the
873  * finished state. If we didn't do that we would just hang and enqueue data.
874  */
875 static void
876 packet_send2(void)
877 {
878 	static int rekeying = 0;
879 	struct packet *p;
880 	u_char type, *cp;
881 
882 	if (will_daemonize != SECOND_NEWKEYS_PROCESSED) {
883 		cp = buffer_ptr(&outgoing_packet);
884 		type = cp[5];
885 
886 		/* during rekeying we can only send key exchange messages */
887 		if (rekeying) {
888 			if (!((type >= SSH2_MSG_TRANSPORT_MIN) &&
889 			    (type <= SSH2_MSG_TRANSPORT_MAX))) {
890 				debug("enqueue a plain packet because rekex in "
891 				    "progress [type %u]", type);
892 				p = xmalloc(sizeof(*p));
893 				p->type = type;
894 				memcpy(&p->payload, &outgoing_packet, sizeof(Buffer));
895 				buffer_init(&outgoing_packet);
896 				TAILQ_INSERT_TAIL(&outgoing, p, next);
897 				return;
898 			}
899 		}
900 
901 		/* rekeying starts with sending KEXINIT */
902 		if (type == SSH2_MSG_KEXINIT)
903 			rekeying = 1;
904 
905 		packet_send2_wrapped();
906 	}
907 
908 	/* after rekex is done we can process the queue of plain packets */
909 	if (will_daemonize == SECOND_NEWKEYS_PROCESSED ||
910 	    (will_daemonize == NOT_DAEMONIZING && type == SSH2_MSG_NEWKEYS)) {
911 		rekeying = 0;
912 		will_daemonize = NOT_DAEMONIZING;
913 		while ((p = TAILQ_FIRST(&outgoing)) != NULL) {
914 			type = p->type;
915 			debug("dequeuing a plain packet since rekex is over "
916 			    "[type %u]", type);
917 			buffer_free(&outgoing_packet);
918 			memcpy(&outgoing_packet, &p->payload, sizeof(Buffer));
919 			TAILQ_REMOVE(&outgoing, p, next);
920 			xfree(p);
921 			packet_send2_wrapped();
922 		}
923 	}
924 }
925 
926 void
927 packet_send(void)
928 {
929 	if (compat20)
930 		packet_send2();
931 	else
932 		packet_send1();
933 	DBG(debug("packet_send done"));
934 }
935 
936 /*
937  * Waits until a packet has been received, and returns its type.  Note that
938  * no other data is processed until this returns, so this function should not
939  * be used during the interactive session.
940  */
941 
942 int
943 packet_read_seqnr(u_int32_t *seqnr_p)
944 {
945 	int type, len;
946 	fd_set *setp;
947 	char buf[8192];
948 	DBG(debug("packet_read()"));
949 
950 	setp = (fd_set *)xmalloc(howmany(connection_in+1, NFDBITS) *
951 	    sizeof(fd_mask));
952 
953 	/* Since we are blocking, ensure that all written packets have been sent. */
954 	packet_write_wait();
955 
956 	/* Stay in the loop until we have received a complete packet. */
957 	for (;;) {
958 		/* Try to read a packet from the buffer. */
959 		type = packet_read_poll_seqnr(seqnr_p);
960 		if (!compat20 && (
961 		    type == SSH_SMSG_SUCCESS
962 		    || type == SSH_SMSG_FAILURE
963 		    || type == SSH_CMSG_EOF
964 		    || type == SSH_CMSG_EXIT_CONFIRMATION))
965 			packet_check_eom();
966 		/* If we got a packet, return it. */
967 		if (type != SSH_MSG_NONE) {
968 			xfree(setp);
969 			return type;
970 		}
971 		/*
972 		 * Otherwise, wait for some data to arrive, add it to the
973 		 * buffer, and try again.
974 		 */
975 		memset(setp, 0, howmany(connection_in + 1, NFDBITS) *
976 		    sizeof(fd_mask));
977 		FD_SET(connection_in, setp);
978 
979 		/* Wait for some data to arrive. */
980 		while (select(connection_in + 1, setp, NULL, NULL, NULL) == -1 &&
981 		    (errno == EAGAIN || errno == EINTR))
982 			;
983 
984 		/* Read data from the socket. */
985 		len = read(connection_in, buf, sizeof(buf));
986 		if (len == 0) {
987 			log("Connection closed by %.200s", get_remote_ipaddr());
988 			fatal_cleanup();
989 		}
990 		if (len < 0)
991 			fatal("Read from socket failed: %.100s", strerror(errno));
992 		/* Append it to the buffer. */
993 		packet_process_incoming(buf, len);
994 	}
995 	/* NOTREACHED */
996 }
997 
998 int
999 packet_read(void)
1000 {
1001 	return packet_read_seqnr(NULL);
1002 }
1003 
1004 /*
1005  * Waits until a packet has been received, verifies that its type matches
1006  * that given, and gives a fatal error and exits if there is a mismatch.
1007  */
1008 
1009 void
1010 packet_read_expect(int expected_type)
1011 {
1012 	int type;
1013 
1014 	type = packet_read();
1015 	if (type != expected_type)
1016 		packet_disconnect("Protocol error: expected packet type %d, got %d",
1017 		    expected_type, type);
1018 }
1019 
1020 /* Checks if a full packet is available in the data received so far via
1021  * packet_process_incoming.  If so, reads the packet; otherwise returns
1022  * SSH_MSG_NONE.  This does not wait for data from the connection.
1023  *
1024  * SSH_MSG_DISCONNECT is handled specially here.  Also,
1025  * SSH_MSG_IGNORE messages are skipped by this function and are never returned
1026  * to higher levels.
1027  */
1028 
1029 static int
1030 packet_read_poll1(void)
1031 {
1032 	u_int len, padded_len;
1033 	u_char *cp, type;
1034 	u_int checksum, stored_checksum;
1035 
1036 	/* Check if input size is less than minimum packet size. */
1037 	if (buffer_len(&input) < 4 + 8)
1038 		return SSH_MSG_NONE;
1039 	/* Get length of incoming packet. */
1040 	cp = buffer_ptr(&input);
1041 	len = GET_32BIT(cp);
1042 	if (len < 1 + 2 + 2 || len > 256 * 1024)
1043 		packet_disconnect("Bad packet length %d.", len);
1044 	padded_len = (len + 8) & ~7;
1045 
1046 	/* Check if the packet has been entirely received. */
1047 	if (buffer_len(&input) < 4 + padded_len)
1048 		return SSH_MSG_NONE;
1049 
1050 	/* The entire packet is in buffer. */
1051 
1052 	/* Consume packet length. */
1053 	buffer_consume(&input, 4);
1054 
1055 	/*
1056 	 * Cryptographic attack detector for ssh
1057 	 * (C)1998 CORE-SDI, Buenos Aires Argentina
1058 	 * Ariel Futoransky(futo@core-sdi.com)
1059 	 */
1060 	if (!receive_context.plaintext) {
1061 		switch (detect_attack(buffer_ptr(&input), padded_len, NULL)) {
1062 		case DEATTACK_DETECTED:
1063 			packet_disconnect("crc32 compensation attack: "
1064 			    "network attack detected");
1065 			break;
1066 		case DEATTACK_DOS_DETECTED:
1067 			packet_disconnect("deattack denial of "
1068 			    "service detected");
1069 			break;
1070 		}
1071 	}
1072 
1073 	/* Decrypt data to incoming_packet. */
1074 	buffer_clear(&incoming_packet);
1075 	cp = buffer_append_space(&incoming_packet, padded_len);
1076 	cipher_crypt(&receive_context, cp, buffer_ptr(&input), padded_len);
1077 
1078 	buffer_consume(&input, padded_len);
1079 
1080 #ifdef PACKET_DEBUG
1081 	debug("read_poll plain/full:\n");
1082 	buffer_dump(&incoming_packet);
1083 #endif
1084 
1085 	/* Compute packet checksum. */
1086 	checksum = ssh_crc32(buffer_ptr(&incoming_packet),
1087 	    buffer_len(&incoming_packet) - 4);
1088 
1089 	/* Skip padding. */
1090 	buffer_consume(&incoming_packet, 8 - len % 8);
1091 
1092 	/* Test check bytes. */
1093 	if (len != buffer_len(&incoming_packet))
1094 		packet_disconnect("packet_read_poll1: len %d != buffer_len %d.",
1095 		    len, buffer_len(&incoming_packet));
1096 
1097 	cp = (u_char *)buffer_ptr(&incoming_packet) + len - 4;
1098 	stored_checksum = GET_32BIT(cp);
1099 	if (checksum != stored_checksum)
1100 		packet_disconnect("Corrupted check bytes on input.");
1101 	buffer_consume_end(&incoming_packet, 4);
1102 
1103 	if (packet_compression) {
1104 		buffer_clear(&compression_buffer);
1105 		buffer_uncompress(&incoming_packet, &compression_buffer);
1106 		buffer_clear(&incoming_packet);
1107 		buffer_append(&incoming_packet, buffer_ptr(&compression_buffer),
1108 		    buffer_len(&compression_buffer));
1109 	}
1110 	type = buffer_get_char(&incoming_packet);
1111 	return type;
1112 }
1113 
1114 static int
1115 packet_read_poll2(u_int32_t *seqnr_p)
1116 {
1117 	static u_int packet_length = 0;
1118 	u_int padlen, need;
1119 	u_char *macbuf, *cp, type;
1120 	int maclen, block_size;
1121 	Enc *enc   = NULL;
1122 	Mac *mac   = NULL;
1123 	Comp *comp = NULL;
1124 
1125 	if (newkeys[MODE_IN] != NULL) {
1126 		enc  = &newkeys[MODE_IN]->enc;
1127 		mac  = &newkeys[MODE_IN]->mac;
1128 		comp = &newkeys[MODE_IN]->comp;
1129 	}
1130 	maclen = mac && mac->enabled ? mac->mac_len : 0;
1131 	block_size = enc ? enc->block_size : 8;
1132 
1133 	if (packet_length == 0) {
1134 		/*
1135 		 * check if input size is less than the cipher block size,
1136 		 * decrypt first block and extract length of incoming packet
1137 		 */
1138 		if (buffer_len(&input) < block_size)
1139 			return SSH_MSG_NONE;
1140 #ifdef PACKET_DEBUG
1141 		debug("encrypted data we have in read queue (%d bytes):\n",
1142 		    buffer_len(&input));
1143 		buffer_dump(&input);
1144 #endif
1145 		buffer_clear(&incoming_packet);
1146 		cp = buffer_append_space(&incoming_packet, block_size);
1147 		cipher_crypt(&receive_context, cp, buffer_ptr(&input),
1148 		    block_size);
1149 		cp = buffer_ptr(&incoming_packet);
1150 		packet_length = GET_32BIT(cp);
1151 		if (packet_length < 1 + 4 || packet_length > 256 * 1024) {
1152 			packet_disconnect("Bad packet length.");
1153 		}
1154 		DBG(debug("input: packet len %u", packet_length + 4));
1155 		buffer_consume(&input, block_size);
1156 	}
1157 	/* we have a partial packet of block_size bytes */
1158 	need = 4 + packet_length - block_size;
1159 	DBG(debug("partial packet %d, still need %d, maclen %d", block_size,
1160 	    need, maclen));
1161 	if (need % block_size != 0)
1162 		packet_disconnect("Bad packet length.");
1163 	/*
1164 	 * check if the entire packet has been received and
1165 	 * decrypt into incoming_packet
1166 	 */
1167 	if (buffer_len(&input) < need + maclen)
1168 		return SSH_MSG_NONE;
1169 #ifdef PACKET_DEBUG
1170 	debug("in read_poll, the encrypted input queue now contains "
1171 	    "(%d bytes):\n", buffer_len(&input));
1172 	buffer_dump(&input);
1173 #endif
1174 	cp = buffer_append_space(&incoming_packet, need);
1175 	cipher_crypt(&receive_context, cp, buffer_ptr(&input), need);
1176 	buffer_consume(&input, need);
1177 	/*
1178 	 * compute MAC over seqnr and packet,
1179 	 * increment sequence number for incoming packet
1180 	 */
1181 	if (mac && mac->enabled) {
1182 		macbuf = mac_compute(mac, p_read.seqnr,
1183 		    buffer_ptr(&incoming_packet),
1184 		    buffer_len(&incoming_packet));
1185 		if (memcmp(macbuf, buffer_ptr(&input), mac->mac_len) != 0)
1186 			packet_disconnect("Corrupted MAC on input.");
1187 		DBG(debug("MAC #%d ok", p_read.seqnr));
1188 		buffer_consume(&input, mac->mac_len);
1189 	}
1190 	if (seqnr_p != NULL)
1191 		*seqnr_p = p_read.seqnr;
1192 	if (++p_read.seqnr == 0)
1193 		log("incoming seqnr wraps around");
1194 
1195 	/* see above for the comment on "First Rekeying Recommendation" */
1196 	if (++p_read.packets == 0)
1197 		if (!(datafellows & SSH_BUG_NOREKEY))
1198 			fatal("too many packets with same key");
1199 	p_read.blocks += (packet_length + 4) / block_size;
1200 
1201 	/* get padlen */
1202 	cp = buffer_ptr(&incoming_packet);
1203 	padlen = cp[4];
1204 	DBG(debug("input: padlen %d", padlen));
1205 	if (padlen < 4)
1206 		packet_disconnect("Corrupted padlen %d on input.", padlen);
1207 
1208 	/* skip packet size + padlen, discard padding */
1209 	buffer_consume(&incoming_packet, 4 + 1);
1210 	buffer_consume_end(&incoming_packet, padlen);
1211 
1212 	DBG(debug("input: len before de-compress %d", buffer_len(&incoming_packet)));
1213 	if (comp && comp->enabled) {
1214 		buffer_clear(&compression_buffer);
1215 		buffer_uncompress(&incoming_packet, &compression_buffer);
1216 		buffer_clear(&incoming_packet);
1217 		buffer_append(&incoming_packet, buffer_ptr(&compression_buffer),
1218 		    buffer_len(&compression_buffer));
1219 		DBG(debug("input: len after de-compress %d",
1220 		    buffer_len(&incoming_packet)));
1221 	}
1222 	/*
1223 	 * get packet type, implies consume.
1224 	 * return length of payload (without type field)
1225 	 */
1226 	type = buffer_get_char(&incoming_packet);
1227 	if (type == SSH2_MSG_NEWKEYS) {
1228 		/*
1229 		 * set_newkeys(MODE_IN) in the client because it doesn't have a
1230 		 * dispatch function for SSH2_MSG_NEWKEYS in contrast to the
1231 		 * server processes. Note that in the unprivileged child,
1232 		 * set_newkeys() for MODE_IN are set in dispatch function
1233 		 * altprivsep_rekey() after SSH2_MSG_NEWKEYS packet is received
1234 		 * from the client.
1235 		 */
1236 		process_newkeys(MODE_IN);
1237 	}
1238 
1239 #ifdef PACKET_DEBUG
1240 	debug("decrypted input packet [type %d]:\n", type);
1241 	buffer_dump(&incoming_packet);
1242 #endif
1243 	/* reset for next packet */
1244 	packet_length = 0;
1245 	return type;
1246 }
1247 
1248 /*
1249  * This tries to read a packet from the buffer of received data. Note that it
1250  * doesn't read() anything from the network socket.
1251  */
1252 int
1253 packet_read_poll_seqnr(u_int32_t *seqnr_p)
1254 {
1255 	u_int reason, seqnr;
1256 	u_char type;
1257 	char *msg;
1258 
1259 	for (;;) {
1260 		if (compat20) {
1261 			type = packet_read_poll2(seqnr_p);
1262 			DBG(debug("received packet type %d", type));
1263 			switch (type) {
1264 			case SSH2_MSG_IGNORE:
1265 				break;
1266 			case SSH2_MSG_DEBUG:
1267 				packet_get_char();
1268 				msg = packet_get_string(NULL);
1269 				debug("Remote: %.900s", msg);
1270 				xfree(msg);
1271 				msg = packet_get_string(NULL);
1272 				xfree(msg);
1273 				break;
1274 			case SSH2_MSG_DISCONNECT:
1275 				reason = packet_get_int();
1276 				msg = packet_get_string(NULL);
1277 				log("Received disconnect from %s: %u: %.400s",
1278 				    get_remote_ipaddr(), reason, msg);
1279 				xfree(msg);
1280 				fatal_cleanup();
1281 				break;
1282 			case SSH2_MSG_UNIMPLEMENTED:
1283 				seqnr = packet_get_int();
1284 				debug("Received SSH2_MSG_UNIMPLEMENTED for %u",
1285 				    seqnr);
1286 				break;
1287 			default:
1288 				return type;
1289 				break;
1290 			}
1291 		} else {
1292 			type = packet_read_poll1();
1293 			DBG(debug("received packet type %d", type));
1294 			switch (type) {
1295 			case SSH_MSG_IGNORE:
1296 				break;
1297 			case SSH_MSG_DEBUG:
1298 				msg = packet_get_string(NULL);
1299 				debug("Remote: %.900s", msg);
1300 				xfree(msg);
1301 				break;
1302 			case SSH_MSG_DISCONNECT:
1303 				msg = packet_get_string(NULL);
1304 				log("Received disconnect from %s: %.400s",
1305 				    get_remote_ipaddr(), msg);
1306 				fatal_cleanup();
1307 				xfree(msg);
1308 				break;
1309 			default:
1310 				return type;
1311 				break;
1312 			}
1313 		}
1314 	}
1315 }
1316 
1317 int
1318 packet_read_poll(void)
1319 {
1320 	return packet_read_poll_seqnr(NULL);
1321 }
1322 
1323 /*
1324  * Buffers the given amount of input characters.  This is intended to be used
1325  * together with packet_read_poll.
1326  */
1327 
1328 void
1329 packet_process_incoming(const char *buf, u_int len)
1330 {
1331 	buffer_append(&input, buf, len);
1332 }
1333 
1334 /* Returns a character from the packet. */
1335 
1336 u_int
1337 packet_get_char(void)
1338 {
1339 	char ch;
1340 
1341 	buffer_get(&incoming_packet, &ch, 1);
1342 	return (u_char) ch;
1343 }
1344 
1345 /* Returns an integer from the packet data. */
1346 
1347 u_int
1348 packet_get_int(void)
1349 {
1350 	return buffer_get_int(&incoming_packet);
1351 }
1352 
1353 /*
1354  * Returns an arbitrary precision integer from the packet data.  The integer
1355  * must have been initialized before this call.
1356  */
1357 
1358 void
1359 packet_get_bignum(BIGNUM * value)
1360 {
1361 	buffer_get_bignum(&incoming_packet, value);
1362 }
1363 
1364 void
1365 packet_get_bignum2(BIGNUM * value)
1366 {
1367 	buffer_get_bignum2(&incoming_packet, value);
1368 }
1369 
1370 void *
1371 packet_get_raw(u_int *length_ptr)
1372 {
1373 	u_int bytes = buffer_len(&incoming_packet);
1374 
1375 	if (length_ptr != NULL)
1376 		*length_ptr = bytes;
1377 	return buffer_ptr(&incoming_packet);
1378 }
1379 
1380 int
1381 packet_remaining(void)
1382 {
1383 	return buffer_len(&incoming_packet);
1384 }
1385 
1386 /*
1387  * Returns a string from the packet data.  The string is allocated using
1388  * xmalloc; it is the responsibility of the calling program to free it when
1389  * no longer needed.  The length_ptr argument may be NULL, or point to an
1390  * integer into which the length of the string is stored.
1391  */
1392 
1393 void *
1394 packet_get_string(u_int *length_ptr)
1395 {
1396 	return buffer_get_string(&incoming_packet, length_ptr);
1397 }
1398 char *
1399 packet_get_ascii_cstring()
1400 {
1401 	return buffer_get_ascii_cstring(&incoming_packet);
1402 }
1403 u_char *
1404 packet_get_utf8_cstring()
1405 {
1406 	return buffer_get_utf8_cstring(&incoming_packet);
1407 }
1408 
1409 /*
1410  * Sends a diagnostic message from the server to the client.  This message
1411  * can be sent at any time (but not while constructing another message). The
1412  * message is printed immediately, but only if the client is being executed
1413  * in verbose mode.  These messages are primarily intended to ease debugging
1414  * authentication problems.   The length of the formatted message must not
1415  * exceed 1024 bytes.  This will automatically call packet_write_wait.
1416  */
1417 
1418 void
1419 packet_send_debug(const char *fmt,...)
1420 {
1421 	char buf[1024];
1422 	va_list args;
1423 
1424 	if (compat20 && (datafellows & SSH_BUG_DEBUG))
1425 		return;
1426 
1427 	va_start(args, fmt);
1428 	vsnprintf(buf, sizeof(buf), gettext(fmt), args);
1429 	va_end(args);
1430 
1431 #ifdef ALTPRIVSEP
1432 	/* shouldn't happen */
1433 	if (packet_monitor) {
1434 		debug("packet_send_debug: %s", buf);
1435 		return;
1436 	}
1437 #endif /* ALTPRIVSEP */
1438 
1439 	if (compat20) {
1440 		packet_start(SSH2_MSG_DEBUG);
1441 		packet_put_char(0);	/* bool: always display */
1442 		packet_put_cstring(buf);
1443 		packet_put_cstring("");
1444 	} else {
1445 		packet_start(SSH_MSG_DEBUG);
1446 		packet_put_cstring(buf);
1447 	}
1448 	packet_send();
1449 	packet_write_wait();
1450 }
1451 
1452 /*
1453  * Logs the error plus constructs and sends a disconnect packet, closes the
1454  * connection, and exits.  This function never returns. The error message
1455  * should not contain a newline.  The length of the formatted message must
1456  * not exceed 1024 bytes.
1457  */
1458 
1459 void
1460 packet_disconnect(const char *fmt,...)
1461 {
1462 	char buf[1024];
1463 	va_list args;
1464 	static int disconnecting = 0;
1465 
1466 	if (disconnecting)	/* Guard against recursive invocations. */
1467 		fatal("packet_disconnect called recursively.");
1468 	disconnecting = 1;
1469 
1470 	/*
1471 	 * Format the message.  Note that the caller must make sure the
1472 	 * message is of limited size.
1473 	 */
1474 	va_start(args, fmt);
1475 	vsnprintf(buf, sizeof(buf), fmt, args);
1476 	va_end(args);
1477 
1478 #ifdef ALTPRIVSEP
1479 	/*
1480 	 * If we packet_disconnect() in the monitor the fatal cleanups will take
1481 	 * care of the child.  See main() in sshd.c.  We don't send the packet
1482 	 * disconnect message here because: a) the child might not be looking
1483 	 * for it and b) because we don't really know if the child is compat20
1484 	 * or not as we lost that information when packet_set_monitor() was
1485 	 * called.
1486 	 */
1487 	if (packet_monitor)
1488 		goto close_stuff;
1489 #endif /* ALTPRIVSEP */
1490 
1491 	/* Send the disconnect message to the other side, and wait for it to get sent. */
1492 	if (compat20) {
1493 		packet_start(SSH2_MSG_DISCONNECT);
1494 		packet_put_int(SSH2_DISCONNECT_PROTOCOL_ERROR);
1495 		packet_put_cstring(buf);
1496 		packet_put_cstring("");
1497 	} else {
1498 		packet_start(SSH_MSG_DISCONNECT);
1499 		packet_put_cstring(buf);
1500 	}
1501 	packet_send();
1502 	packet_write_wait();
1503 
1504 #ifdef ALTPRIVSEP
1505 close_stuff:
1506 #endif /* ALTPRIVSEP */
1507 	/* Stop listening for connections. */
1508 	channel_close_all();
1509 
1510 	/* Close the connection. */
1511 	packet_close();
1512 
1513 	/* Display the error locally and exit. */
1514 	log("Disconnecting: %.100s", buf);
1515 	fatal_cleanup();
1516 }
1517 
1518 /* Checks if there is any buffered output, and tries to write some of the output. */
1519 
1520 void
1521 packet_write_poll(void)
1522 {
1523 	int len = buffer_len(&output);
1524 
1525 	if (len > 0) {
1526 		len = write(connection_out, buffer_ptr(&output), len);
1527 		if (len <= 0) {
1528 			if (errno == EAGAIN)
1529 				return;
1530 			else
1531 				fatal("Write failed: %.100s", strerror(errno));
1532 		}
1533 #ifdef PACKET_DEBUG
1534 		debug("in packet_write_poll, %d bytes just sent to the "
1535 		    "remote side", len);
1536 #endif
1537 		buffer_consume(&output, len);
1538 	}
1539 }
1540 
1541 /*
1542  * Calls packet_write_poll repeatedly until all pending output data has been
1543  * written.
1544  */
1545 
1546 void
1547 packet_write_wait(void)
1548 {
1549 	fd_set *setp;
1550 
1551 	setp = (fd_set *)xmalloc(howmany(connection_out + 1, NFDBITS) *
1552 	    sizeof(fd_mask));
1553 	packet_write_poll();
1554 	while (packet_have_data_to_write()) {
1555 		memset(setp, 0, howmany(connection_out + 1, NFDBITS) *
1556 		    sizeof(fd_mask));
1557 		FD_SET(connection_out, setp);
1558 		while (select(connection_out + 1, NULL, setp, NULL, NULL) == -1 &&
1559 		    (errno == EAGAIN || errno == EINTR))
1560 			;
1561 		packet_write_poll();
1562 	}
1563 	xfree(setp);
1564 }
1565 
1566 /* Returns true if there is buffered data to write to the connection. */
1567 
1568 int
1569 packet_have_data_to_write(void)
1570 {
1571 	return buffer_len(&output) != 0;
1572 }
1573 
1574 /* Returns true if there is not too much data to write to the connection. */
1575 
1576 int
1577 packet_not_very_much_data_to_write(void)
1578 {
1579 	if (interactive_mode)
1580 		return buffer_len(&output) < 16384;
1581 	else
1582 		return buffer_len(&output) < 128 * 1024;
1583 }
1584 
1585 /* Informs that the current session is interactive.  Sets IP flags for that. */
1586 
1587 void
1588 packet_set_interactive(int interactive)
1589 {
1590 	static int called = 0;
1591 #if defined(IP_TOS) && !defined(IP_TOS_IS_BROKEN)
1592 	int lowdelay = IPTOS_LOWDELAY;
1593 	int throughput = IPTOS_THROUGHPUT;
1594 #endif
1595 
1596 	if (called)
1597 		return;
1598 	called = 1;
1599 
1600 	/* Record that we are in interactive mode. */
1601 	interactive_mode = interactive;
1602 
1603 	/* Only set socket options if using a socket.  */
1604 	if (!packet_connection_is_on_socket())
1605 		return;
1606 	/*
1607 	 * IPTOS_LOWDELAY and IPTOS_THROUGHPUT are IPv4 only
1608 	 */
1609 	if (interactive) {
1610 		/*
1611 		 * Set IP options for an interactive connection.  Use
1612 		 * IPTOS_LOWDELAY and TCP_NODELAY.
1613 		 */
1614 #if defined(IP_TOS) && !defined(IP_TOS_IS_BROKEN)
1615 		if (packet_connection_is_ipv4()) {
1616 			if (setsockopt(connection_in, IPPROTO_IP, IP_TOS,
1617 			    &lowdelay, sizeof(lowdelay)) < 0)
1618 				error("setsockopt IPTOS_LOWDELAY: %.100s",
1619 				    strerror(errno));
1620 		}
1621 #endif
1622 		set_nodelay(connection_in);
1623 	}
1624 #if defined(IP_TOS) && !defined(IP_TOS_IS_BROKEN)
1625 	else if (packet_connection_is_ipv4()) {
1626 		/*
1627 		 * Set IP options for a non-interactive connection.  Use
1628 		 * IPTOS_THROUGHPUT.
1629 		 */
1630 		if (setsockopt(connection_in, IPPROTO_IP, IP_TOS, &throughput,
1631 		    sizeof(throughput)) < 0)
1632 			error("setsockopt IPTOS_THROUGHPUT: %.100s", strerror(errno));
1633 	}
1634 #endif
1635 }
1636 
1637 /* Returns true if the current connection is interactive. */
1638 
1639 int
1640 packet_is_interactive(void)
1641 {
1642 	return interactive_mode;
1643 }
1644 
1645 int
1646 packet_set_maxsize(int s)
1647 {
1648 	static int called = 0;
1649 
1650 	if (called) {
1651 		log("packet_set_maxsize: called twice: old %d new %d",
1652 		    max_packet_size, s);
1653 		return -1;
1654 	}
1655 	if (s < 4 * 1024 || s > 1024 * 1024) {
1656 		log("packet_set_maxsize: bad size %d", s);
1657 		return -1;
1658 	}
1659 	called = 1;
1660 	debug("packet_set_maxsize: setting to %d", s);
1661 	max_packet_size = s;
1662 	return s;
1663 }
1664 
1665 /* roundup current message to pad bytes */
1666 void
1667 packet_add_padding(u_char pad)
1668 {
1669 	extra_pad = pad;
1670 }
1671 
1672 /*
1673  * 9.2.  Ignored Data Message
1674  *
1675  *   byte      SSH_MSG_IGNORE
1676  *   string    data
1677  *
1678  * All implementations MUST understand (and ignore) this message at any
1679  * time (after receiving the protocol version). No implementation is
1680  * required to send them. This message can be used as an additional
1681  * protection measure against advanced traffic analysis techniques.
1682  */
1683 void
1684 packet_send_ignore(int nbytes)
1685 {
1686 	u_int32_t rnd = 0;
1687 	int i;
1688 
1689 #ifdef ALTPRIVSEP
1690 	/* shouldn't happen -- see packet_set_monitor() */
1691 	if (packet_monitor)
1692 		return;
1693 #endif /* ALTPRIVSEP */
1694 
1695 	packet_start(compat20 ? SSH2_MSG_IGNORE : SSH_MSG_IGNORE);
1696 	packet_put_int(nbytes);
1697 	for (i = 0; i < nbytes; i++) {
1698 		if (i % 4 == 0)
1699 			rnd = arc4random();
1700 		packet_put_char((u_char)rnd & 0xff);
1701 		rnd >>= 8;
1702 	}
1703 }
1704 
1705 #define MAX_PACKETS	(1U<<31)
1706 int
1707 packet_need_rekeying(void)
1708 {
1709 	if (datafellows & SSH_BUG_NOREKEY)
1710 		return 0;
1711 	return
1712 	    (p_send.packets > MAX_PACKETS) ||
1713 	    (p_read.packets > MAX_PACKETS) ||
1714 	    (max_blocks_out && (p_send.blocks > max_blocks_out)) ||
1715 	    (max_blocks_in  && (p_read.blocks > max_blocks_in));
1716 }
1717 
1718 void
1719 packet_set_rekey_limit(u_int32_t bytes)
1720 {
1721 	rekey_limit = bytes;
1722 }
1723 
1724 #ifdef ALTPRIVSEP
1725 void
1726 packet_set_server(void)
1727 {
1728 	packet_server = 1;
1729 }
1730 
1731 int
1732 packet_is_server(void)
1733 {
1734 	return (packet_server);
1735 }
1736 
1737 void
1738 packet_set_monitor(int pipe)
1739 {
1740 	int dup_fd;
1741 
1742 	packet_server = 1;
1743 	packet_monitor = 1;
1744 
1745 	/*
1746 	 * Awful hack follows.
1747 	 *
1748 	 * For SSHv1 the monitor does not process any SSHv1 packets, only
1749 	 * ALTPRIVSEP packets.  We take advantage of that here to keep changes
1750 	 * to packet.c to a minimum by using the SSHv2 binary packet protocol,
1751 	 * with cipher "none," mac "none" and compression alg "none," as the
1752 	 * basis for the monitor protocol.  And so to force packet.c to treat
1753 	 * packets as SSHv2 we force compat20 == 1 here.
1754 	 *
1755 	 * For completeness and to help future developers catch this we also
1756 	 * force compat20 == 1 in the monitor loop, in serverloop.c.
1757 	 */
1758 	compat20 = 1;
1759 
1760 	/*
1761 	 * NOTE:  Assumptions below!
1762 	 *
1763 	 *  - lots of packet.c code assumes that (connection_in ==
1764 	 *  connection_out) -> connection is socket
1765 	 *
1766 	 *  - packet_close() does not shutdown() the connection fildes
1767 	 *  if connection_in != connection_out
1768 	 *
1769 	 *  - other code assumes the connection is a socket if
1770 	 *  connection_in == connection_out
1771 	 */
1772 
1773 	if ((dup_fd = dup(pipe)) < 0)
1774 		fatal("Monitor failed to start: %s", strerror(errno));
1775 
1776 	/*
1777 	 * make sure that the monitor's child's socket is not shutdown(3SOCKET)
1778 	 * when we packet_close(). Setting connection_out to -1 will take care
1779 	 * of that.
1780 	 */
1781 	if (packet_connection_is_on_socket())
1782 		connection_out = -1;
1783 
1784 	/*
1785 	 * Now clean up the state related to the server socket. As a side
1786 	 * effect, we also clean up existing cipher contexts that were
1787 	 * initialized with 'none' cipher in packet_set_connection(). That
1788 	 * function was called in the child server process shortly after the
1789 	 * master SSH process forked. However, all of that is reinialized again
1790 	 * by another packet_set_connection() call right below.
1791 	 */
1792 	packet_close();
1793 
1794 	/*
1795 	 * Now make the monitor pipe look like the ssh connection which means
1796 	 * that connection_in and connection_out will be set to the
1797 	 * communication pipe descriptors.
1798 	 */
1799 	packet_set_connection(pipe, dup_fd);
1800 }
1801 
1802 /*
1803  * We temporarily need to set connection_in and connection_out descriptors so
1804  * that we can make use of existing code that gets the IP address and hostname
1805  * of the peer to write a login/logout record. It's not nice but we would have
1806  * to change more code when implementing the PKCS#11 engine support.
1807  */
1808 void
1809 packet_set_fds(int fd, int restore)
1810 {
1811 	static int stored_fd;
1812 
1813 	if (stored_fd == 0 && restore == 0) {
1814 		debug3("packet_set_fds: saving %d, installing %d",
1815 		    connection_in, fd);
1816 		stored_fd = connection_in;
1817 		/* we don't have a socket in inetd mode */
1818 		if (fd != -1)
1819 			connection_in = connection_out = fd;
1820 		return;
1821 	}
1822 
1823 	if (restore == 1) {
1824 		debug3("restoring %d to connection_in/out", stored_fd);
1825 		connection_in = connection_out = stored_fd;
1826 	}
1827 }
1828 
1829 int
1830 packet_is_monitor(void)
1831 {
1832 	return (packet_monitor);
1833 }
1834 #endif /* ALTPRIVSEP */
1835