xref: /titanic_50/usr/src/cmd/ssh/libssh/common/packet.c (revision 7ff836697c120cb94bd30d5c2204eb9b74718e4c)
1 /*
2  * Author: Tatu Ylonen <ylo@cs.hut.fi>
3  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
4  *                    All rights reserved
5  * This file contains code implementing the packet protocol and communication
6  * with the other side.  This same code is used both on client and server side.
7  *
8  * As far as I am concerned, the code I have written for this software
9  * can be used freely for any purpose.  Any derived versions of this
10  * software must be clearly marked as such, and if the derived work is
11  * incompatible with the protocol description in the RFC file, it must be
12  * called by a name other than "ssh" or "Secure Shell".
13  *
14  *
15  * SSH2 packet format added by Markus Friedl.
16  * Copyright (c) 2000, 2001 Markus Friedl.  All rights reserved.
17  *
18  * Redistribution and use in source and binary forms, with or without
19  * modification, are permitted provided that the following conditions
20  * are met:
21  * 1. Redistributions of source code must retain the above copyright
22  *    notice, this list of conditions and the following disclaimer.
23  * 2. Redistributions in binary form must reproduce the above copyright
24  *    notice, this list of conditions and the following disclaimer in the
25  *    documentation and/or other materials provided with the distribution.
26  *
27  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
28  * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
29  * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
30  * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
31  * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
32  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
33  * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
34  * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
35  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
36  * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
37  */
38 /*
39  * Copyright 2009 Sun Microsystems, Inc.  All rights reserved.
40  * Use is subject to license terms.
41  */
42 
43 /* $OpenBSD: packet.c,v 1.148 2007/06/07 19:37:34 pvalchev Exp $ */
44 
45 #include "includes.h"
46 
47 #include "sys-queue.h"
48 #include "xmalloc.h"
49 #include "buffer.h"
50 #include "packet.h"
51 #include "bufaux.h"
52 #include "crc32.h"
53 #include "getput.h"
54 #include "compress.h"
55 #include "deattack.h"
56 #include "channels.h"
57 #include "compat.h"
58 #include "ssh1.h"
59 #include "ssh2.h"
60 #include "cipher.h"
61 #include "kex.h"
62 #include "mac.h"
63 #include "log.h"
64 #include "canohost.h"
65 #include "misc.h"
66 #include "ssh.h"
67 #include "engine.h"
68 
69 /* PKCS#11 engine */
70 ENGINE *e;
71 
72 #ifdef ALTPRIVSEP
73 static int packet_server = 0;
74 static int packet_monitor = 0;
75 #endif /* ALTPRIVSEP */
76 
77 #ifdef PACKET_DEBUG
78 #define DBG(x) x
79 #else
80 #define DBG(x)
81 #endif
82 
83 static void packet_send2(void);
84 
85 /*
86  * This variable contains the file descriptors used for communicating with
87  * the other side.  connection_in is used for reading; connection_out for
88  * writing.  These can be the same descriptor, in which case it is assumed to
89  * be a socket.
90  */
91 static int connection_in = -1;
92 static int connection_out = -1;
93 
94 /* Protocol flags for the remote side. */
95 static u_int remote_protocol_flags = 0;
96 
97 /* Encryption context for receiving data.  This is only used for decryption. */
98 static CipherContext receive_context;
99 
100 /* Encryption context for sending data.  This is only used for encryption. */
101 static CipherContext send_context;
102 
103 /* Buffer for raw input data from the socket. */
104 Buffer input;
105 
106 /* Buffer for raw output data going to the socket. */
107 Buffer output;
108 
109 /* Buffer for the partial outgoing packet being constructed. */
110 static Buffer outgoing_packet;
111 
112 /* Buffer for the incoming packet currently being processed. */
113 static Buffer incoming_packet;
114 
115 /* Scratch buffer for packet compression/decompression. */
116 static Buffer compression_buffer;
117 static int compression_buffer_ready = 0;
118 
119 /* Flag indicating whether packet compression/decompression is enabled. */
120 static int packet_compression = 0;
121 
122 /* default maximum packet size */
123 int max_packet_size = 32768;
124 
125 /* Flag indicating whether this module has been initialized. */
126 static int initialized = 0;
127 
128 /* Set to true if the connection is interactive. */
129 static int interactive_mode = 0;
130 
131 /* Session key information for Encryption and MAC */
132 Newkeys *newkeys[MODE_MAX];
133 static struct packet_state {
134 	u_int32_t seqnr;
135 	u_int32_t packets;
136 	u_int64_t blocks;
137 } p_read, p_send;
138 
139 static u_int64_t max_blocks_in, max_blocks_out;
140 static u_int32_t rekey_limit;
141 
142 /* Session key for protocol v1 */
143 static u_char ssh1_key[SSH_SESSION_KEY_LENGTH];
144 static u_int ssh1_keylen;
145 
146 /* roundup current message to extra_pad bytes */
147 static u_char extra_pad = 0;
148 
149 struct packet {
150 	TAILQ_ENTRY(packet) next;
151 	u_char type;
152 	Buffer payload;
153 };
154 TAILQ_HEAD(, packet) outgoing;
155 
156 /*
157  * Part of what -f option and ~& escape sequence do in the client is that they
158  * will force it to daemonize itself. Due to the fork safety rules inherent in
159  * any PKCS#11 environment, if the engine is used we must do a key re-exchange
160  * before forking a child to negotiate the new keys. Those keys will be used to
161  * inicialize the new crypto contexts. This involves finishing the engine in the
162  * parent and reinitializing it again in both processes after fork() returns.
163  * This approach also leaves protocol 1 out since it doesn't support rekeying.
164  */
165 int will_daemonize;
166 
167 #ifdef	PACKET_DEBUG
168 /* This function dumps data onto stderr. This is for debugging only. */
169 void
170 data_dump(void *data, u_int len)
171 {
172 	Buffer buf;
173 
174 	buffer_init(&buf);
175 	buffer_append(&buf, data, len);
176 	buffer_dump(&buf);
177 	buffer_free(&buf);
178 }
179 #endif
180 
181 /*
182  * Sets the descriptors used for communication.  Disables encryption until
183  * packet_set_encryption_key is called.
184  */
185 void
186 packet_set_connection(int fd_in, int fd_out)
187 {
188 	Cipher *none = cipher_by_name("none");
189 
190 	if (none == NULL)
191 		fatal("packet_set_connection: cannot load cipher 'none'");
192 	connection_in = fd_in;
193 	connection_out = fd_out;
194 	cipher_init(&send_context, none, (unsigned char *) "", 0, NULL, 0, CIPHER_ENCRYPT);
195 	cipher_init(&receive_context, none, (unsigned char *) "", 0, NULL, 0, CIPHER_DECRYPT);
196 	newkeys[MODE_IN] = newkeys[MODE_OUT] = NULL;
197 	if (!initialized) {
198 		initialized = 1;
199 		buffer_init(&input);
200 		buffer_init(&output);
201 		buffer_init(&outgoing_packet);
202 		buffer_init(&incoming_packet);
203 		TAILQ_INIT(&outgoing);
204 	} else {
205 		buffer_clear(&input);
206 		buffer_clear(&output);
207 		buffer_clear(&outgoing_packet);
208 		buffer_clear(&incoming_packet);
209 	}
210 
211 	/*
212 	 * Prime the cache for get_remote_ipaddr() while we have a
213 	 * socket on which to do a getpeername().
214 	 */
215 	(void) get_remote_ipaddr();
216 
217 	/* Kludge: arrange the close function to be called from fatal(). */
218 	fatal_add_cleanup((void (*) (void *)) packet_close, NULL);
219 }
220 
221 /* Returns 1 if remote host is connected via socket, 0 if not. */
222 
223 int
224 packet_connection_is_on_socket(void)
225 {
226 	struct sockaddr_storage from, to;
227 	socklen_t fromlen, tolen;
228 
229 	/* filedescriptors in and out are the same, so it's a socket */
230 	if (connection_in != -1 && connection_in == connection_out)
231 		return 1;
232 	fromlen = sizeof(from);
233 	memset(&from, 0, sizeof(from));
234 	if (getpeername(connection_in, (struct sockaddr *)&from, &fromlen) < 0)
235 		return 0;
236 	tolen = sizeof(to);
237 	memset(&to, 0, sizeof(to));
238 	if (getpeername(connection_out, (struct sockaddr *)&to, &tolen) < 0)
239 		return 0;
240 	if (fromlen != tolen || memcmp(&from, &to, fromlen) != 0)
241 		return 0;
242 	if (from.ss_family != AF_INET && from.ss_family != AF_INET6)
243 		return 0;
244 	return 1;
245 }
246 
247 /* returns 1 if connection is via ipv4 */
248 
249 int
250 packet_connection_is_ipv4(void)
251 {
252 	struct sockaddr_storage to;
253 	socklen_t tolen = sizeof(to);
254 
255 	memset(&to, 0, sizeof(to));
256 	if (getsockname(connection_out, (struct sockaddr *)&to, &tolen) < 0)
257 		return 0;
258 	if (to.ss_family == AF_INET)
259 		return 1;
260 #ifdef IPV4_IN_IPV6
261 	if (to.ss_family == AF_INET6 &&
262 	    IN6_IS_ADDR_V4MAPPED(&((struct sockaddr_in6 *)&to)->sin6_addr))
263 		return 1;
264 #endif
265 	return 0;
266 }
267 
268 /* Sets the connection into non-blocking mode. */
269 
270 void
271 packet_set_nonblocking(void)
272 {
273 	/* Set the socket into non-blocking mode. */
274 	if (fcntl(connection_in, F_SETFL, O_NONBLOCK) < 0)
275 		error("fcntl O_NONBLOCK: %.100s", strerror(errno));
276 
277 	if (connection_out != connection_in) {
278 		if (fcntl(connection_out, F_SETFL, O_NONBLOCK) < 0)
279 			error("fcntl O_NONBLOCK: %.100s", strerror(errno));
280 	}
281 }
282 
283 /* Returns the socket used for reading. */
284 
285 int
286 packet_get_connection_in(void)
287 {
288 	return connection_in;
289 }
290 
291 /* Returns the descriptor used for writing. */
292 
293 int
294 packet_get_connection_out(void)
295 {
296 	return connection_out;
297 }
298 
299 /* Closes the connection and clears and frees internal data structures. */
300 
301 void
302 packet_close(void)
303 {
304 	if (!initialized)
305 		return;
306 	initialized = 0;
307 	if (connection_in == connection_out) {
308 		shutdown(connection_out, SHUT_RDWR);
309 		close(connection_out);
310 	} else {
311 		close(connection_in);
312 		close(connection_out);
313 	}
314 	buffer_free(&input);
315 	buffer_free(&output);
316 	buffer_free(&outgoing_packet);
317 	buffer_free(&incoming_packet);
318 	if (compression_buffer_ready) {
319 		buffer_free(&compression_buffer);
320 		buffer_compress_uninit();
321 		compression_buffer_ready = 0;
322 	}
323 	cipher_cleanup(&send_context);
324 	cipher_cleanup(&receive_context);
325 }
326 
327 /* Sets remote side protocol flags. */
328 
329 void
330 packet_set_protocol_flags(u_int protocol_flags)
331 {
332 	remote_protocol_flags = protocol_flags;
333 }
334 
335 /* Returns the remote protocol flags set earlier by the above function. */
336 
337 u_int
338 packet_get_protocol_flags(void)
339 {
340 	return remote_protocol_flags;
341 }
342 
343 /*
344  * Starts packet compression from the next packet on in both directions.
345  * Level is compression level 1 (fastest) - 9 (slow, best) as in gzip.
346  */
347 
348 static void
349 packet_init_compression(void)
350 {
351 	if (compression_buffer_ready == 1)
352 		return;
353 	compression_buffer_ready = 1;
354 	buffer_init(&compression_buffer);
355 }
356 
357 void
358 packet_start_compression(int level)
359 {
360 #ifdef ALTPRIVSEP
361 	/* shouldn't happen! */
362 	if (packet_monitor)
363 		fatal("INTERNAL ERROR: The monitor cannot compress.");
364 #endif /* ALTPRIVSEP */
365 
366 	if (packet_compression && !compat20)
367 		fatal("Compression already enabled.");
368 	packet_compression = 1;
369 	packet_init_compression();
370 	buffer_compress_init_send(level);
371 	buffer_compress_init_recv();
372 }
373 
374 /*
375  * Causes any further packets to be encrypted using the given key.  The same
376  * key is used for both sending and reception.  However, both directions are
377  * encrypted independently of each other.
378  */
379 
380 void
381 packet_set_encryption_key(const u_char *key, u_int keylen,
382     int number)
383 {
384 	Cipher *cipher = cipher_by_number(number);
385 
386 	if (cipher == NULL)
387 		fatal("packet_set_encryption_key: unknown cipher number %d", number);
388 	if (keylen < 20)
389 		fatal("packet_set_encryption_key: keylen too small: %d", keylen);
390 	if (keylen > SSH_SESSION_KEY_LENGTH)
391 		fatal("packet_set_encryption_key: keylen too big: %d", keylen);
392 	memcpy(ssh1_key, key, keylen);
393 	ssh1_keylen = keylen;
394 	cipher_init(&send_context, cipher, key, keylen, NULL, 0, CIPHER_ENCRYPT);
395 	cipher_init(&receive_context, cipher, key, keylen, NULL, 0, CIPHER_DECRYPT);
396 }
397 
398 u_int
399 packet_get_encryption_key(u_char *key)
400 {
401 	if (key == NULL)
402 		return (ssh1_keylen);
403 	memcpy(key, ssh1_key, ssh1_keylen);
404 	return (ssh1_keylen);
405 }
406 
407 /* Start constructing a packet to send. */
408 void
409 packet_start(u_char type)
410 {
411 	u_char buf[9];
412 	int len;
413 
414 	DBG(debug("packet_start[%d]", type));
415 	len = compat20 ? 6 : 9;
416 	memset(buf, 0, len - 1);
417 	buf[len - 1] = type;
418 	buffer_clear(&outgoing_packet);
419 	buffer_append(&outgoing_packet, buf, len);
420 }
421 
422 /* Append payload. */
423 void
424 packet_put_char(int value)
425 {
426 	char ch = value;
427 
428 	buffer_append(&outgoing_packet, &ch, 1);
429 }
430 
431 void
432 packet_put_int(u_int value)
433 {
434 	buffer_put_int(&outgoing_packet, value);
435 }
436 
437 void
438 packet_put_string(const void *buf, u_int len)
439 {
440 	buffer_put_string(&outgoing_packet, buf, len);
441 }
442 
443 void
444 packet_put_cstring(const char *str)
445 {
446 	buffer_put_cstring(&outgoing_packet, str);
447 }
448 
449 void
450 packet_put_utf8_cstring(const char *str)
451 {
452 	if (datafellows & SSH_BUG_STRING_ENCODING)
453 		buffer_put_cstring(&outgoing_packet, str);
454 	else
455 		buffer_put_utf8_cstring(&outgoing_packet, str);
456 }
457 
458 void
459 packet_put_utf8_string(const char *str, uint_t len)
460 {
461 	if (datafellows & SSH_BUG_STRING_ENCODING)
462 		buffer_put_string(&outgoing_packet, str, len);
463 	else
464 		buffer_put_utf8_string(&outgoing_packet, str, len);
465 }
466 
467 void
468 packet_put_raw(const void *buf, u_int len)
469 {
470 	buffer_append(&outgoing_packet, buf, len);
471 }
472 
473 void
474 packet_put_bignum(BIGNUM * value)
475 {
476 	buffer_put_bignum(&outgoing_packet, value);
477 }
478 
479 void
480 packet_put_bignum2(BIGNUM * value)
481 {
482 	buffer_put_bignum2(&outgoing_packet, value);
483 }
484 
485 /*
486  * Finalizes and sends the packet.  If the encryption key has been set,
487  * encrypts the packet before sending.
488  */
489 
490 static void
491 packet_send1(void)
492 {
493 	u_char buf[8], *cp;
494 	int i, padding, len;
495 	u_int checksum;
496 	u_int32_t rnd = 0;
497 
498 	/*
499 	 * If using packet compression, compress the payload of the outgoing
500 	 * packet.
501 	 */
502 	if (packet_compression) {
503 		buffer_clear(&compression_buffer);
504 		/* Skip padding. */
505 		buffer_consume(&outgoing_packet, 8);
506 		/* padding */
507 		buffer_append(&compression_buffer, "\0\0\0\0\0\0\0\0", 8);
508 		buffer_compress(&outgoing_packet, &compression_buffer);
509 		buffer_clear(&outgoing_packet);
510 		buffer_append(&outgoing_packet, buffer_ptr(&compression_buffer),
511 		    buffer_len(&compression_buffer));
512 	}
513 	/* Compute packet length without padding (add checksum, remove padding). */
514 	len = buffer_len(&outgoing_packet) + 4 - 8;
515 
516 	/* Insert padding. Initialized to zero in packet_start1() */
517 	padding = 8 - len % 8;
518 	if (!send_context.plaintext) {
519 		cp = buffer_ptr(&outgoing_packet);
520 		for (i = 0; i < padding; i++) {
521 			if (i % 4 == 0)
522 				rnd = arc4random();
523 			cp[7 - i] = rnd & 0xff;
524 			rnd >>= 8;
525 		}
526 	}
527 	buffer_consume(&outgoing_packet, 8 - padding);
528 
529 	/* Add check bytes. */
530 	checksum = ssh_crc32(buffer_ptr(&outgoing_packet),
531 	    buffer_len(&outgoing_packet));
532 	PUT_32BIT(buf, checksum);
533 	buffer_append(&outgoing_packet, buf, 4);
534 
535 #ifdef PACKET_DEBUG
536 	fprintf(stderr, "packet_send plain: ");
537 	buffer_dump(&outgoing_packet);
538 #endif
539 
540 	/* Append to output. */
541 	PUT_32BIT(buf, len);
542 	buffer_append(&output, buf, 4);
543 	cp = buffer_append_space(&output, buffer_len(&outgoing_packet));
544 	cipher_crypt(&send_context, cp, buffer_ptr(&outgoing_packet),
545 	    buffer_len(&outgoing_packet));
546 
547 #ifdef PACKET_DEBUG
548 	debug("encrypted output queue now contains (%d bytes):\n",
549 	    buffer_len(&output));
550 	buffer_dump(&output);
551 #endif
552 
553 	buffer_clear(&outgoing_packet);
554 
555 	/*
556 	 * Note that the packet is now only buffered in output.  It won\'t be
557 	 * actually sent until packet_write_wait or packet_write_poll is
558 	 * called.
559 	 */
560 }
561 
562 void
563 set_newkeys(int mode)
564 {
565 	Enc *enc;
566 	Mac *mac;
567 	Comp *comp;
568 	CipherContext *cc;
569 	u_int64_t *max_blocks;
570 	int crypt_type;
571 
572 	debug2("set_newkeys: mode %d", mode);
573 
574 	if (mode == MODE_OUT) {
575 		cc = &send_context;
576 		crypt_type = CIPHER_ENCRYPT;
577 		p_send.packets = p_send.blocks = 0;
578 		max_blocks = &max_blocks_out;
579 	} else {
580 		cc = &receive_context;
581 		crypt_type = CIPHER_DECRYPT;
582 		p_read.packets = p_read.blocks = 0;
583 		max_blocks = &max_blocks_in;
584 	}
585 
586 	debug("set_newkeys: setting new keys for '%s' mode",
587 	    mode == MODE_IN ? "in" : "out");
588 
589 	if (newkeys[mode] != NULL) {
590 		cipher_cleanup(cc);
591 		free_keys(newkeys[mode]);
592 	}
593 
594 	newkeys[mode] = kex_get_newkeys(mode);
595 	if (newkeys[mode] == NULL)
596 		fatal("newkeys: no keys for mode %d", mode);
597 	enc  = &newkeys[mode]->enc;
598 	mac  = &newkeys[mode]->mac;
599 	comp = &newkeys[mode]->comp;
600 	if (mac_init(mac) == 0)
601 		mac->enabled = 1;
602 #ifdef	PACKET_DEBUG
603 	debug("new encryption key:\n");
604 	data_dump(enc->key, enc->key_len);
605 	debug("new encryption IV:\n");
606 	data_dump(enc->iv, enc->block_size);
607 	debug("new MAC key:\n");
608 	data_dump(mac->key, mac->key_len);
609 #endif
610 	cipher_init(cc, enc->cipher, enc->key, enc->key_len,
611 	    enc->iv, enc->block_size, crypt_type);
612 	/* Deleting the keys does not gain extra security */
613 	/* memset(enc->iv,  0, enc->block_size);
614 	   memset(enc->key, 0, enc->key_len); */
615 	if (comp->type != 0 && comp->enabled == 0) {
616 		packet_init_compression();
617 		if (mode == MODE_OUT)
618 			buffer_compress_init_send(6);
619 		else
620 			buffer_compress_init_recv();
621 		comp->enabled = 1;
622 	}
623 
624 	/*
625 	 * In accordance to the RFCs listed below we enforce the key
626 	 * re-exchange for:
627 	 *
628 	 * - every 1GB of transmitted data if the selected cipher block size
629 	 *   is less than 16 bytes (3DES, Blowfish)
630 	 * - every 2^(2*B) cipher blocks transmitted (B is block size in bytes)
631 	 *   if the cipher block size is greater than or equal to 16 bytes (AES)
632 	 * - and we never send more than 2^32 SSH packets using the same keys.
633 	 *   The recommendation of 2^31 packets is not enforced here but in
634 	 *   packet_need_rekeying(). There is also a hard check in
635 	 *   packet_send2_wrapped() that we don't send more than 2^32 packets.
636 	 *
637 	 * Note that if the SSH_BUG_NOREKEY compatibility flag is set then no
638 	 * automatic rekeying is performed nor do we enforce the 3rd rule.
639 	 * This means that we can be always forced by the opposite side to never
640 	 * initiate automatic key re-exchange. This might change in the future.
641 	 *
642 	 * The RekeyLimit option keyword may only enforce more frequent key
643 	 * renegotiation, never less. For more information on key renegotiation,
644 	 * see:
645 	 *
646 	 * - RFC 4253 (SSH Transport Layer Protocol), section "9. Key
647 	 *   Re-Exchange"
648 	 * - RFC 4344 (SSH Transport Layer Encryption Modes), sections "3.
649 	 *   Rekeying" and "6.1 Rekeying Considerations"
650 	 */
651 	if (enc->block_size >= 16)
652 		*max_blocks = (u_int64_t)1 << (enc->block_size * 2);
653 	else
654 		*max_blocks = ((u_int64_t)1 << 30) / enc->block_size;
655 
656 	if (rekey_limit)
657 		*max_blocks = MIN(*max_blocks, rekey_limit / enc->block_size);
658 }
659 
660 void
661 free_keys(Newkeys *keys)
662 {
663 	Enc *enc;
664 	Mac *mac;
665 	Comp *comp;
666 
667 	enc  = &keys->enc;
668 	mac  = &keys->mac;
669 	comp = &keys->comp;
670 	xfree(enc->name);
671 	xfree(enc->iv);
672 	xfree(enc->key);
673 
674 	memset(mac->key, 0, mac->key_len);
675 	xfree(mac->key);
676 	xfree(mac->name);
677 	mac_clear(mac);
678 
679 	xfree(comp->name);
680 	xfree(keys);
681 }
682 
683 /*
684  * Process SSH2_MSG_NEWKEYS message. If we are using the engine we must have
685  * both SSH2_MSG_NEWKEYS processed before we can finish the engine, fork, and
686  * reinitialize the crypto contexts. We can't fork before processing the 2nd
687  * message otherwise we couldn't encrypt/decrypt that message at all - note that
688  * parent's PKCS#11 sessions are useless after the fork and we must process
689  * both SSH2_MSG_NEWKEYS messages using the old keys.
690  */
691 void
692 process_newkeys(int mode)
693 {
694 	/* this function is for the client only */
695 	if (packet_is_server() != 0)
696 		return;
697 
698 	if (will_daemonize == FIRST_NEWKEYS_PROCESSED) {
699 		debug3("both SSH2_MSG_NEWKEYS processed, will daemonize now");
700 		cipher_cleanup(&send_context);
701 		cipher_cleanup(&receive_context);
702 		pkcs11_engine_finish(e);
703 		if (daemon(1, 1) < 0) {
704 			fatal("daemon() failed: %.200s",
705 			    strerror(errno));
706 		}
707 		e = pkcs11_engine_load(e != NULL ? 1 : 0);
708 
709 		set_newkeys(MODE_OUT);
710 		set_newkeys(MODE_IN);
711 		will_daemonize = SECOND_NEWKEYS_PROCESSED;
712 		packet_send2();
713 	} else {
714 		if (will_daemonize == DAEMONIZING_REQUESTED)
715 			will_daemonize = FIRST_NEWKEYS_PROCESSED;
716 		else
717 			set_newkeys(mode);
718 	}
719 }
720 
721 /*
722  * Finalize packet in SSH2 format (compress, mac, encrypt, enqueue)
723  */
724 static void
725 packet_send2_wrapped(void)
726 {
727 	u_char type, *cp, *macbuf = NULL;
728 	u_char padlen, pad;
729 	u_int packet_length = 0;
730 	u_int i, len;
731 	u_int32_t rnd = 0;
732 	Enc *enc   = NULL;
733 	Mac *mac   = NULL;
734 	Comp *comp = NULL;
735 	int block_size;
736 
737 	if (newkeys[MODE_OUT] != NULL) {
738 		enc  = &newkeys[MODE_OUT]->enc;
739 		mac  = &newkeys[MODE_OUT]->mac;
740 		comp = &newkeys[MODE_OUT]->comp;
741 	}
742 	block_size = enc ? enc->block_size : 8;
743 
744 	cp = buffer_ptr(&outgoing_packet);
745 	type = cp[5];
746 
747 #ifdef PACKET_DEBUG
748 	debug("plain output packet to be processed (%d bytes):\n",
749 	    buffer_len(&outgoing_packet));
750 	buffer_dump(&outgoing_packet);
751 #endif
752 
753 	if (comp && comp->enabled) {
754 		len = buffer_len(&outgoing_packet);
755 		/* skip header, compress only payload */
756 		buffer_consume(&outgoing_packet, 5);
757 		buffer_clear(&compression_buffer);
758 		buffer_compress(&outgoing_packet, &compression_buffer);
759 		buffer_clear(&outgoing_packet);
760 		buffer_append(&outgoing_packet, "\0\0\0\0\0", 5);
761 		buffer_append(&outgoing_packet, buffer_ptr(&compression_buffer),
762 		    buffer_len(&compression_buffer));
763 		DBG(debug("compression: raw %d compressed %d", len,
764 		    buffer_len(&outgoing_packet)));
765 	}
766 
767 	/* sizeof (packet_len + pad_len + payload) */
768 	len = buffer_len(&outgoing_packet);
769 
770 	/*
771 	 * calc size of padding, alloc space, get random data,
772 	 * minimum padding is 4 bytes
773 	 */
774 	padlen = block_size - (len % block_size);
775 	if (padlen < 4)
776 		padlen += block_size;
777 	if (extra_pad) {
778 		/* will wrap if extra_pad+padlen > 255 */
779 		extra_pad  = roundup(extra_pad, block_size);
780 		pad = extra_pad - ((len + padlen) % extra_pad);
781 		debug3("packet_send2: adding %d (len %d padlen %d extra_pad %d)",
782 		    pad, len, padlen, extra_pad);
783 		padlen += pad;
784 		extra_pad = 0;
785 	}
786 	cp = buffer_append_space(&outgoing_packet, padlen);
787 	if (enc && !send_context.plaintext) {
788 		/* random padding */
789 		for (i = 0; i < padlen; i++) {
790 			if (i % 4 == 0)
791 				rnd = arc4random();
792 			cp[i] = rnd & 0xff;
793 			rnd >>= 8;
794 		}
795 	} else {
796 		/* clear padding */
797 		memset(cp, 0, padlen);
798 	}
799 	/* packet_length includes payload, padding and padding length field */
800 	packet_length = buffer_len(&outgoing_packet) - 4;
801 	cp = buffer_ptr(&outgoing_packet);
802 	PUT_32BIT(cp, packet_length);
803 	cp[4] = padlen;
804 	DBG(debug("will send %d bytes (includes padlen %d)",
805 	    packet_length + 4, padlen));
806 
807 	/* compute MAC over seqnr and packet(length fields, payload, padding) */
808 	if (mac && mac->enabled) {
809 		macbuf = mac_compute(mac, p_send.seqnr,
810 		    buffer_ptr(&outgoing_packet),
811 		    buffer_len(&outgoing_packet));
812 		DBG(debug("done calc MAC out #%d", p_send.seqnr));
813 	}
814 	/* encrypt packet and append to output buffer. */
815 	cp = buffer_append_space(&output, buffer_len(&outgoing_packet));
816 	cipher_crypt(&send_context, cp, buffer_ptr(&outgoing_packet),
817 	    buffer_len(&outgoing_packet));
818 	/* append unencrypted MAC */
819 	if (mac && mac->enabled)
820 		buffer_append(&output, (char *)macbuf, mac->mac_len);
821 #ifdef PACKET_DEBUG
822 	debug("encrypted output queue now contains (%d bytes):\n",
823 	    buffer_len(&output));
824 	buffer_dump(&output);
825 #endif
826 	/* increment sequence number for outgoing packets */
827 	if (++p_send.seqnr == 0)
828 		log("outgoing seqnr wraps around");
829 
830 	/*
831 	 * RFC 4344: 3.1. First Rekeying Recommendation
832 	 *
833 	 * "Because of possible information leakage through the MAC tag after a
834 	 * key exchange, .... an SSH implementation SHOULD NOT send more than
835 	 * 2**32 packets before rekeying again."
836 	 *
837 	 * The code below is a hard check so that we are sure we don't go across
838 	 * the suggestion. However, since the largest cipher block size we have
839 	 * (AES) is 16 bytes we can't reach 2^32 SSH packets encrypted with the
840 	 * same key while performing periodic rekeying.
841 	 */
842 	if (++p_send.packets == 0)
843 		if (!(datafellows & SSH_BUG_NOREKEY))
844 			fatal("too many packets encrypted with same key");
845 	p_send.blocks += (packet_length + 4) / block_size;
846 	buffer_clear(&outgoing_packet);
847 
848 	if (type == SSH2_MSG_NEWKEYS) {
849 		/*
850 		 * set_newkeys(MODE_OUT) in the client. Note that in the
851 		 * unprivileged child, set_newkeys() for MODE_OUT are set after
852 		 * SSH2_MSG_NEWKEYS is read from the monitor and forwarded to
853 		 * the client side.
854 		 */
855 		process_newkeys(MODE_OUT);
856 	}
857 }
858 
859 /*
860  * Packets we deal with here are plain until we encrypt them in
861  * packet_send2_wrapped().
862  *
863  * As already mentioned in a comment at process_newkeys() function we must not
864  * fork() until both SSH2_MSG_NEWKEYS packets were processed. Until this is done
865  * we must queue all packets so that they can be encrypted with the new keys and
866  * then sent to the other side. However, what can happen here is that we get
867  * SSH2_MSG_NEWKEYS after we sent it. In that situation we must call
868  * packet_send2() anyway to empty the queue, and set the rekey flag to the
869  * finished state. If we didn't do that we would just hang and enqueue data.
870  */
871 static void
872 packet_send2(void)
873 {
874 	static int rekeying = 0;
875 	struct packet *p;
876 	u_char type, *cp;
877 
878 	if (will_daemonize != SECOND_NEWKEYS_PROCESSED) {
879 		cp = buffer_ptr(&outgoing_packet);
880 		type = cp[5];
881 
882 		/* during rekeying we can only send key exchange messages */
883 		if (rekeying) {
884 			if (!((type >= SSH2_MSG_TRANSPORT_MIN) &&
885 			    (type <= SSH2_MSG_TRANSPORT_MAX))) {
886 				debug("enqueue a plain packet because rekex in "
887 				    "progress [type %u]", type);
888 				p = xmalloc(sizeof(*p));
889 				p->type = type;
890 				memcpy(&p->payload, &outgoing_packet, sizeof(Buffer));
891 				buffer_init(&outgoing_packet);
892 				TAILQ_INSERT_TAIL(&outgoing, p, next);
893 				return;
894 			}
895 		}
896 
897 		/* rekeying starts with sending KEXINIT */
898 		if (type == SSH2_MSG_KEXINIT)
899 			rekeying = 1;
900 
901 		packet_send2_wrapped();
902 	}
903 
904 	/* after rekex is done we can process the queue of plain packets */
905 	if (will_daemonize == SECOND_NEWKEYS_PROCESSED ||
906 	    (will_daemonize == NOT_DAEMONIZING && type == SSH2_MSG_NEWKEYS)) {
907 		rekeying = 0;
908 		will_daemonize = NOT_DAEMONIZING;
909 		while ((p = TAILQ_FIRST(&outgoing)) != NULL) {
910 			type = p->type;
911 			debug("dequeuing a plain packet since rekex is over "
912 			    "[type %u]", type);
913 			buffer_free(&outgoing_packet);
914 			memcpy(&outgoing_packet, &p->payload, sizeof(Buffer));
915 			TAILQ_REMOVE(&outgoing, p, next);
916 			xfree(p);
917 			packet_send2_wrapped();
918 		}
919 	}
920 }
921 
922 void
923 packet_send(void)
924 {
925 	if (compat20)
926 		packet_send2();
927 	else
928 		packet_send1();
929 	DBG(debug("packet_send done"));
930 }
931 
932 /*
933  * Waits until a packet has been received, and returns its type.  Note that
934  * no other data is processed until this returns, so this function should not
935  * be used during the interactive session.
936  */
937 
938 int
939 packet_read_seqnr(u_int32_t *seqnr_p)
940 {
941 	int type, len;
942 	fd_set *setp;
943 	char buf[8192];
944 	DBG(debug("packet_read()"));
945 
946 	setp = (fd_set *)xmalloc(howmany(connection_in+1, NFDBITS) *
947 	    sizeof(fd_mask));
948 
949 	/* Since we are blocking, ensure that all written packets have been sent. */
950 	packet_write_wait();
951 
952 	/* Stay in the loop until we have received a complete packet. */
953 	for (;;) {
954 		/* Try to read a packet from the buffer. */
955 		type = packet_read_poll_seqnr(seqnr_p);
956 		if (!compat20 && (
957 		    type == SSH_SMSG_SUCCESS
958 		    || type == SSH_SMSG_FAILURE
959 		    || type == SSH_CMSG_EOF
960 		    || type == SSH_CMSG_EXIT_CONFIRMATION))
961 			packet_check_eom();
962 		/* If we got a packet, return it. */
963 		if (type != SSH_MSG_NONE) {
964 			xfree(setp);
965 			return type;
966 		}
967 		/*
968 		 * Otherwise, wait for some data to arrive, add it to the
969 		 * buffer, and try again.
970 		 */
971 		memset(setp, 0, howmany(connection_in + 1, NFDBITS) *
972 		    sizeof(fd_mask));
973 		FD_SET(connection_in, setp);
974 
975 		/* Wait for some data to arrive. */
976 		while (select(connection_in + 1, setp, NULL, NULL, NULL) == -1 &&
977 		    (errno == EAGAIN || errno == EINTR))
978 			;
979 
980 		/* Read data from the socket. */
981 		len = read(connection_in, buf, sizeof(buf));
982 		if (len == 0) {
983 			log("Connection closed by %.200s", get_remote_ipaddr());
984 			fatal_cleanup();
985 		}
986 		if (len < 0)
987 			fatal("Read from socket failed: %.100s", strerror(errno));
988 		/* Append it to the buffer. */
989 		packet_process_incoming(buf, len);
990 	}
991 	/* NOTREACHED */
992 }
993 
994 int
995 packet_read(void)
996 {
997 	return packet_read_seqnr(NULL);
998 }
999 
1000 /*
1001  * Waits until a packet has been received, verifies that its type matches
1002  * that given, and gives a fatal error and exits if there is a mismatch.
1003  */
1004 
1005 void
1006 packet_read_expect(int expected_type)
1007 {
1008 	int type;
1009 
1010 	type = packet_read();
1011 	if (type != expected_type)
1012 		packet_disconnect("Protocol error: expected packet type %d, got %d",
1013 		    expected_type, type);
1014 }
1015 
1016 /* Checks if a full packet is available in the data received so far via
1017  * packet_process_incoming.  If so, reads the packet; otherwise returns
1018  * SSH_MSG_NONE.  This does not wait for data from the connection.
1019  *
1020  * SSH_MSG_DISCONNECT is handled specially here.  Also,
1021  * SSH_MSG_IGNORE messages are skipped by this function and are never returned
1022  * to higher levels.
1023  */
1024 
1025 static int
1026 packet_read_poll1(void)
1027 {
1028 	u_int len, padded_len;
1029 	u_char *cp, type;
1030 	u_int checksum, stored_checksum;
1031 
1032 	/* Check if input size is less than minimum packet size. */
1033 	if (buffer_len(&input) < 4 + 8)
1034 		return SSH_MSG_NONE;
1035 	/* Get length of incoming packet. */
1036 	cp = buffer_ptr(&input);
1037 	len = GET_32BIT(cp);
1038 	if (len < 1 + 2 + 2 || len > 256 * 1024)
1039 		packet_disconnect("Bad packet length %d.", len);
1040 	padded_len = (len + 8) & ~7;
1041 
1042 	/* Check if the packet has been entirely received. */
1043 	if (buffer_len(&input) < 4 + padded_len)
1044 		return SSH_MSG_NONE;
1045 
1046 	/* The entire packet is in buffer. */
1047 
1048 	/* Consume packet length. */
1049 	buffer_consume(&input, 4);
1050 
1051 	/*
1052 	 * Cryptographic attack detector for ssh
1053 	 * (C)1998 CORE-SDI, Buenos Aires Argentina
1054 	 * Ariel Futoransky(futo@core-sdi.com)
1055 	 */
1056 	if (!receive_context.plaintext) {
1057 		switch (detect_attack(buffer_ptr(&input), padded_len, NULL)) {
1058 		case DEATTACK_DETECTED:
1059 			packet_disconnect("crc32 compensation attack: "
1060 			    "network attack detected");
1061 			break;
1062 		case DEATTACK_DOS_DETECTED:
1063 			packet_disconnect("deattack denial of "
1064 			    "service detected");
1065 			break;
1066 		}
1067 	}
1068 
1069 	/* Decrypt data to incoming_packet. */
1070 	buffer_clear(&incoming_packet);
1071 	cp = buffer_append_space(&incoming_packet, padded_len);
1072 	cipher_crypt(&receive_context, cp, buffer_ptr(&input), padded_len);
1073 
1074 	buffer_consume(&input, padded_len);
1075 
1076 #ifdef PACKET_DEBUG
1077 	debug("read_poll plain/full:\n");
1078 	buffer_dump(&incoming_packet);
1079 #endif
1080 
1081 	/* Compute packet checksum. */
1082 	checksum = ssh_crc32(buffer_ptr(&incoming_packet),
1083 	    buffer_len(&incoming_packet) - 4);
1084 
1085 	/* Skip padding. */
1086 	buffer_consume(&incoming_packet, 8 - len % 8);
1087 
1088 	/* Test check bytes. */
1089 	if (len != buffer_len(&incoming_packet))
1090 		packet_disconnect("packet_read_poll1: len %d != buffer_len %d.",
1091 		    len, buffer_len(&incoming_packet));
1092 
1093 	cp = (u_char *)buffer_ptr(&incoming_packet) + len - 4;
1094 	stored_checksum = GET_32BIT(cp);
1095 	if (checksum != stored_checksum)
1096 		packet_disconnect("Corrupted check bytes on input.");
1097 	buffer_consume_end(&incoming_packet, 4);
1098 
1099 	if (packet_compression) {
1100 		buffer_clear(&compression_buffer);
1101 		buffer_uncompress(&incoming_packet, &compression_buffer);
1102 		buffer_clear(&incoming_packet);
1103 		buffer_append(&incoming_packet, buffer_ptr(&compression_buffer),
1104 		    buffer_len(&compression_buffer));
1105 	}
1106 	type = buffer_get_char(&incoming_packet);
1107 	return type;
1108 }
1109 
1110 static int
1111 packet_read_poll2(u_int32_t *seqnr_p)
1112 {
1113 	static u_int packet_length = 0;
1114 	u_int padlen, need;
1115 	u_char *macbuf, *cp, type;
1116 	int maclen, block_size;
1117 	Enc *enc   = NULL;
1118 	Mac *mac   = NULL;
1119 	Comp *comp = NULL;
1120 
1121 	if (newkeys[MODE_IN] != NULL) {
1122 		enc  = &newkeys[MODE_IN]->enc;
1123 		mac  = &newkeys[MODE_IN]->mac;
1124 		comp = &newkeys[MODE_IN]->comp;
1125 	}
1126 	maclen = mac && mac->enabled ? mac->mac_len : 0;
1127 	block_size = enc ? enc->block_size : 8;
1128 
1129 	if (packet_length == 0) {
1130 		/*
1131 		 * check if input size is less than the cipher block size,
1132 		 * decrypt first block and extract length of incoming packet
1133 		 */
1134 		if (buffer_len(&input) < block_size)
1135 			return SSH_MSG_NONE;
1136 #ifdef PACKET_DEBUG
1137 		debug("encrypted data we have in read queue (%d bytes):\n",
1138 		    buffer_len(&input));
1139 		buffer_dump(&input);
1140 #endif
1141 		buffer_clear(&incoming_packet);
1142 		cp = buffer_append_space(&incoming_packet, block_size);
1143 		cipher_crypt(&receive_context, cp, buffer_ptr(&input),
1144 		    block_size);
1145 		cp = buffer_ptr(&incoming_packet);
1146 		packet_length = GET_32BIT(cp);
1147 		if (packet_length < 1 + 4 || packet_length > 256 * 1024) {
1148 			packet_disconnect("Bad packet length.");
1149 		}
1150 		DBG(debug("input: packet len %u", packet_length + 4));
1151 		buffer_consume(&input, block_size);
1152 	}
1153 	/* we have a partial packet of block_size bytes */
1154 	need = 4 + packet_length - block_size;
1155 	DBG(debug("partial packet %d, still need %d, maclen %d", block_size,
1156 	    need, maclen));
1157 	if (need % block_size != 0)
1158 		packet_disconnect("Bad packet length.");
1159 	/*
1160 	 * check if the entire packet has been received and
1161 	 * decrypt into incoming_packet
1162 	 */
1163 	if (buffer_len(&input) < need + maclen)
1164 		return SSH_MSG_NONE;
1165 #ifdef PACKET_DEBUG
1166 	debug("in read_poll, the encrypted input queue now contains "
1167 	    "(%d bytes):\n", buffer_len(&input));
1168 	buffer_dump(&input);
1169 #endif
1170 	cp = buffer_append_space(&incoming_packet, need);
1171 	cipher_crypt(&receive_context, cp, buffer_ptr(&input), need);
1172 	buffer_consume(&input, need);
1173 	/*
1174 	 * compute MAC over seqnr and packet,
1175 	 * increment sequence number for incoming packet
1176 	 */
1177 	if (mac && mac->enabled) {
1178 		macbuf = mac_compute(mac, p_read.seqnr,
1179 		    buffer_ptr(&incoming_packet),
1180 		    buffer_len(&incoming_packet));
1181 		if (memcmp(macbuf, buffer_ptr(&input), mac->mac_len) != 0)
1182 			packet_disconnect("Corrupted MAC on input.");
1183 		DBG(debug("MAC #%d ok", p_read.seqnr));
1184 		buffer_consume(&input, mac->mac_len);
1185 	}
1186 	if (seqnr_p != NULL)
1187 		*seqnr_p = p_read.seqnr;
1188 	if (++p_read.seqnr == 0)
1189 		log("incoming seqnr wraps around");
1190 
1191 	/* see above for the comment on "First Rekeying Recommendation" */
1192 	if (++p_read.packets == 0)
1193 		if (!(datafellows & SSH_BUG_NOREKEY))
1194 			fatal("too many packets with same key");
1195 	p_read.blocks += (packet_length + 4) / block_size;
1196 
1197 	/* get padlen */
1198 	cp = buffer_ptr(&incoming_packet);
1199 	padlen = cp[4];
1200 	DBG(debug("input: padlen %d", padlen));
1201 	if (padlen < 4)
1202 		packet_disconnect("Corrupted padlen %d on input.", padlen);
1203 
1204 	/* skip packet size + padlen, discard padding */
1205 	buffer_consume(&incoming_packet, 4 + 1);
1206 	buffer_consume_end(&incoming_packet, padlen);
1207 
1208 	DBG(debug("input: len before de-compress %d", buffer_len(&incoming_packet)));
1209 	if (comp && comp->enabled) {
1210 		buffer_clear(&compression_buffer);
1211 		buffer_uncompress(&incoming_packet, &compression_buffer);
1212 		buffer_clear(&incoming_packet);
1213 		buffer_append(&incoming_packet, buffer_ptr(&compression_buffer),
1214 		    buffer_len(&compression_buffer));
1215 		DBG(debug("input: len after de-compress %d",
1216 		    buffer_len(&incoming_packet)));
1217 	}
1218 	/*
1219 	 * get packet type, implies consume.
1220 	 * return length of payload (without type field)
1221 	 */
1222 	type = buffer_get_char(&incoming_packet);
1223 	if (type == SSH2_MSG_NEWKEYS) {
1224 		/*
1225 		 * set_newkeys(MODE_IN) in the client because it doesn't have a
1226 		 * dispatch function for SSH2_MSG_NEWKEYS in contrast to the
1227 		 * server processes. Note that in the unprivileged child,
1228 		 * set_newkeys() for MODE_IN are set in dispatch function
1229 		 * altprivsep_rekey() after SSH2_MSG_NEWKEYS packet is received
1230 		 * from the client.
1231 		 */
1232 		process_newkeys(MODE_IN);
1233 	}
1234 
1235 #ifdef PACKET_DEBUG
1236 	debug("decrypted input packet [type %d]:\n", type);
1237 	buffer_dump(&incoming_packet);
1238 #endif
1239 	/* reset for next packet */
1240 	packet_length = 0;
1241 	return type;
1242 }
1243 
1244 /*
1245  * This tries to read a packet from the buffer of received data. Note that it
1246  * doesn't read() anything from the network socket.
1247  */
1248 int
1249 packet_read_poll_seqnr(u_int32_t *seqnr_p)
1250 {
1251 	u_int reason, seqnr;
1252 	u_char type;
1253 	char *msg;
1254 
1255 	for (;;) {
1256 		if (compat20) {
1257 			type = packet_read_poll2(seqnr_p);
1258 			DBG(debug("received packet type %d", type));
1259 			switch (type) {
1260 			case SSH2_MSG_IGNORE:
1261 				break;
1262 			case SSH2_MSG_DEBUG:
1263 				packet_get_char();
1264 				msg = packet_get_utf8_string(NULL);
1265 				msg = g11n_filter_string(msg);
1266 				debug("Remote: %.900s", msg);
1267 				xfree(msg);
1268 				msg = packet_get_string(NULL);
1269 				xfree(msg);
1270 				break;
1271 			case SSH2_MSG_DISCONNECT:
1272 				reason = packet_get_int();
1273 				msg = packet_get_utf8_string(NULL);
1274 				msg = g11n_filter_string(msg);
1275 				log("Received disconnect from %s: %u: %.400s",
1276 				    get_remote_ipaddr(), reason, msg);
1277 				xfree(msg);
1278 				fatal_cleanup();
1279 				break;
1280 			case SSH2_MSG_UNIMPLEMENTED:
1281 				seqnr = packet_get_int();
1282 				debug("Received SSH2_MSG_UNIMPLEMENTED for %u",
1283 				    seqnr);
1284 				break;
1285 			default:
1286 				return type;
1287 				break;
1288 			}
1289 		} else {
1290 			type = packet_read_poll1();
1291 			DBG(debug("received packet type %d", type));
1292 			switch (type) {
1293 			case SSH_MSG_IGNORE:
1294 				break;
1295 			case SSH_MSG_DEBUG:
1296 				msg = packet_get_string(NULL);
1297 				debug("Remote: %.900s", msg);
1298 				xfree(msg);
1299 				break;
1300 			case SSH_MSG_DISCONNECT:
1301 				msg = packet_get_string(NULL);
1302 				log("Received disconnect from %s: %.400s",
1303 				    get_remote_ipaddr(), msg);
1304 				fatal_cleanup();
1305 				xfree(msg);
1306 				break;
1307 			default:
1308 				return type;
1309 				break;
1310 			}
1311 		}
1312 	}
1313 }
1314 
1315 int
1316 packet_read_poll(void)
1317 {
1318 	return packet_read_poll_seqnr(NULL);
1319 }
1320 
1321 /*
1322  * Buffers the given amount of input characters.  This is intended to be used
1323  * together with packet_read_poll.
1324  */
1325 
1326 void
1327 packet_process_incoming(const char *buf, u_int len)
1328 {
1329 	buffer_append(&input, buf, len);
1330 }
1331 
1332 /* Returns a character from the packet. */
1333 
1334 u_int
1335 packet_get_char(void)
1336 {
1337 	char ch;
1338 
1339 	buffer_get(&incoming_packet, &ch, 1);
1340 	return (u_char) ch;
1341 }
1342 
1343 /* Returns an integer from the packet data. */
1344 
1345 u_int
1346 packet_get_int(void)
1347 {
1348 	return buffer_get_int(&incoming_packet);
1349 }
1350 
1351 /*
1352  * Returns an arbitrary precision integer from the packet data.  The integer
1353  * must have been initialized before this call.
1354  */
1355 
1356 void
1357 packet_get_bignum(BIGNUM * value)
1358 {
1359 	buffer_get_bignum(&incoming_packet, value);
1360 }
1361 
1362 void
1363 packet_get_bignum2(BIGNUM * value)
1364 {
1365 	buffer_get_bignum2(&incoming_packet, value);
1366 }
1367 
1368 void *
1369 packet_get_raw(u_int *length_ptr)
1370 {
1371 	u_int bytes = buffer_len(&incoming_packet);
1372 
1373 	if (length_ptr != NULL)
1374 		*length_ptr = bytes;
1375 	return buffer_ptr(&incoming_packet);
1376 }
1377 
1378 int
1379 packet_remaining(void)
1380 {
1381 	return buffer_len(&incoming_packet);
1382 }
1383 
1384 /*
1385  * Returns a string from the packet data.  The string is allocated using
1386  * xmalloc; it is the responsibility of the calling program to free it when
1387  * no longer needed.  The length_ptr argument may be NULL, or point to an
1388  * integer into which the length of the string is stored.
1389  */
1390 
1391 void *
1392 packet_get_string(u_int *length_ptr)
1393 {
1394 	return buffer_get_string(&incoming_packet, length_ptr);
1395 }
1396 
1397 char *
1398 packet_get_utf8_string(uint_t *length_ptr)
1399 {
1400 	if (datafellows & SSH_BUG_STRING_ENCODING)
1401 		return (buffer_get_string(&incoming_packet, length_ptr));
1402 	else
1403 		return (buffer_get_utf8_string(&incoming_packet, length_ptr));
1404 }
1405 
1406 /*
1407  * Sends a diagnostic message from the server to the client.  This message
1408  * can be sent at any time (but not while constructing another message). The
1409  * message is printed immediately, but only if the client is being executed
1410  * in verbose mode.  These messages are primarily intended to ease debugging
1411  * authentication problems.   The length of the formatted message must not
1412  * exceed 1024 bytes.  This will automatically call packet_write_wait.
1413  */
1414 
1415 void
1416 packet_send_debug(const char *fmt,...)
1417 {
1418 	char buf[1024];
1419 	va_list args;
1420 
1421 	if (compat20 && (datafellows & SSH_BUG_DEBUG))
1422 		return;
1423 
1424 	va_start(args, fmt);
1425 	vsnprintf(buf, sizeof(buf), gettext(fmt), args);
1426 	va_end(args);
1427 
1428 #ifdef ALTPRIVSEP
1429 	/* shouldn't happen */
1430 	if (packet_monitor) {
1431 		debug("packet_send_debug: %s", buf);
1432 		return;
1433 	}
1434 #endif /* ALTPRIVSEP */
1435 
1436 	if (compat20) {
1437 		packet_start(SSH2_MSG_DEBUG);
1438 		packet_put_char(0);	/* bool: always display */
1439 		packet_put_utf8_cstring(buf);
1440 		packet_put_cstring("");
1441 	} else {
1442 		packet_start(SSH_MSG_DEBUG);
1443 		packet_put_cstring(buf);
1444 	}
1445 	packet_send();
1446 	packet_write_wait();
1447 }
1448 
1449 /*
1450  * Logs the error plus constructs and sends a disconnect packet, closes the
1451  * connection, and exits.  This function never returns. The error message
1452  * should not contain a newline.  The length of the formatted message must
1453  * not exceed 1024 bytes.
1454  */
1455 
1456 void
1457 packet_disconnect(const char *fmt,...)
1458 {
1459 	char buf[1024];
1460 	va_list args;
1461 	static int disconnecting = 0;
1462 
1463 	if (disconnecting)	/* Guard against recursive invocations. */
1464 		fatal("packet_disconnect called recursively.");
1465 	disconnecting = 1;
1466 
1467 	/*
1468 	 * Format the message.  Note that the caller must make sure the
1469 	 * message is of limited size.
1470 	 */
1471 	va_start(args, fmt);
1472 	vsnprintf(buf, sizeof(buf), fmt, args);
1473 	va_end(args);
1474 
1475 #ifdef ALTPRIVSEP
1476 	/*
1477 	 * If we packet_disconnect() in the monitor the fatal cleanups will take
1478 	 * care of the child.  See main() in sshd.c.  We don't send the packet
1479 	 * disconnect message here because: a) the child might not be looking
1480 	 * for it and b) because we don't really know if the child is compat20
1481 	 * or not as we lost that information when packet_set_monitor() was
1482 	 * called.
1483 	 */
1484 	if (packet_monitor)
1485 		goto close_stuff;
1486 #endif /* ALTPRIVSEP */
1487 
1488 	/* Send the disconnect message to the other side, and wait for it to get sent. */
1489 	if (compat20) {
1490 		packet_start(SSH2_MSG_DISCONNECT);
1491 		packet_put_int(SSH2_DISCONNECT_PROTOCOL_ERROR);
1492 		packet_put_utf8_cstring(buf);
1493 		packet_put_cstring("");
1494 	} else {
1495 		packet_start(SSH_MSG_DISCONNECT);
1496 		packet_put_cstring(buf);
1497 	}
1498 	packet_send();
1499 	packet_write_wait();
1500 
1501 #ifdef ALTPRIVSEP
1502 close_stuff:
1503 #endif /* ALTPRIVSEP */
1504 	/* Stop listening for connections. */
1505 	channel_close_all();
1506 
1507 	/* Close the connection. */
1508 	packet_close();
1509 
1510 	/* Display the error locally and exit. */
1511 	log("Disconnecting: %.100s", buf);
1512 	fatal_cleanup();
1513 }
1514 
1515 /* Checks if there is any buffered output, and tries to write some of the output. */
1516 
1517 void
1518 packet_write_poll(void)
1519 {
1520 	int len = buffer_len(&output);
1521 
1522 	if (len > 0) {
1523 		len = write(connection_out, buffer_ptr(&output), len);
1524 		if (len <= 0) {
1525 			if (errno == EAGAIN)
1526 				return;
1527 			else
1528 				fatal("Write failed: %.100s", strerror(errno));
1529 		}
1530 #ifdef PACKET_DEBUG
1531 		debug("in packet_write_poll, %d bytes just sent to the "
1532 		    "remote side", len);
1533 #endif
1534 		buffer_consume(&output, len);
1535 	}
1536 }
1537 
1538 /*
1539  * Calls packet_write_poll repeatedly until all pending output data has been
1540  * written.
1541  */
1542 
1543 void
1544 packet_write_wait(void)
1545 {
1546 	fd_set *setp;
1547 
1548 	setp = (fd_set *)xmalloc(howmany(connection_out + 1, NFDBITS) *
1549 	    sizeof(fd_mask));
1550 	packet_write_poll();
1551 	while (packet_have_data_to_write()) {
1552 		memset(setp, 0, howmany(connection_out + 1, NFDBITS) *
1553 		    sizeof(fd_mask));
1554 		FD_SET(connection_out, setp);
1555 		while (select(connection_out + 1, NULL, setp, NULL, NULL) == -1 &&
1556 		    (errno == EAGAIN || errno == EINTR))
1557 			;
1558 		packet_write_poll();
1559 	}
1560 	xfree(setp);
1561 }
1562 
1563 /* Returns true if there is buffered data to write to the connection. */
1564 
1565 int
1566 packet_have_data_to_write(void)
1567 {
1568 	return buffer_len(&output) != 0;
1569 }
1570 
1571 /* Returns true if there is not too much data to write to the connection. */
1572 
1573 int
1574 packet_not_very_much_data_to_write(void)
1575 {
1576 	if (interactive_mode)
1577 		return buffer_len(&output) < 16384;
1578 	else
1579 		return buffer_len(&output) < 128 * 1024;
1580 }
1581 
1582 /* Informs that the current session is interactive.  Sets IP flags for that. */
1583 
1584 void
1585 packet_set_interactive(int interactive)
1586 {
1587 	static int called = 0;
1588 #if defined(IP_TOS) && !defined(IP_TOS_IS_BROKEN)
1589 	int lowdelay = IPTOS_LOWDELAY;
1590 	int throughput = IPTOS_THROUGHPUT;
1591 #endif
1592 
1593 	if (called)
1594 		return;
1595 	called = 1;
1596 
1597 	/* Record that we are in interactive mode. */
1598 	interactive_mode = interactive;
1599 
1600 	/* Only set socket options if using a socket.  */
1601 	if (!packet_connection_is_on_socket())
1602 		return;
1603 	/*
1604 	 * IPTOS_LOWDELAY and IPTOS_THROUGHPUT are IPv4 only
1605 	 */
1606 	if (interactive) {
1607 		/*
1608 		 * Set IP options for an interactive connection.  Use
1609 		 * IPTOS_LOWDELAY and TCP_NODELAY.
1610 		 */
1611 #if defined(IP_TOS) && !defined(IP_TOS_IS_BROKEN)
1612 		if (packet_connection_is_ipv4()) {
1613 			if (setsockopt(connection_in, IPPROTO_IP, IP_TOS,
1614 			    &lowdelay, sizeof(lowdelay)) < 0)
1615 				error("setsockopt IPTOS_LOWDELAY: %.100s",
1616 				    strerror(errno));
1617 		}
1618 #endif
1619 		set_nodelay(connection_in);
1620 	}
1621 #if defined(IP_TOS) && !defined(IP_TOS_IS_BROKEN)
1622 	else if (packet_connection_is_ipv4()) {
1623 		/*
1624 		 * Set IP options for a non-interactive connection.  Use
1625 		 * IPTOS_THROUGHPUT.
1626 		 */
1627 		if (setsockopt(connection_in, IPPROTO_IP, IP_TOS, &throughput,
1628 		    sizeof(throughput)) < 0)
1629 			error("setsockopt IPTOS_THROUGHPUT: %.100s", strerror(errno));
1630 	}
1631 #endif
1632 }
1633 
1634 /* Returns true if the current connection is interactive. */
1635 
1636 int
1637 packet_is_interactive(void)
1638 {
1639 	return interactive_mode;
1640 }
1641 
1642 int
1643 packet_set_maxsize(int s)
1644 {
1645 	static int called = 0;
1646 
1647 	if (called) {
1648 		log("packet_set_maxsize: called twice: old %d new %d",
1649 		    max_packet_size, s);
1650 		return -1;
1651 	}
1652 	if (s < 4 * 1024 || s > 1024 * 1024) {
1653 		log("packet_set_maxsize: bad size %d", s);
1654 		return -1;
1655 	}
1656 	called = 1;
1657 	debug("packet_set_maxsize: setting to %d", s);
1658 	max_packet_size = s;
1659 	return s;
1660 }
1661 
1662 /* roundup current message to pad bytes */
1663 void
1664 packet_add_padding(u_char pad)
1665 {
1666 	extra_pad = pad;
1667 }
1668 
1669 /*
1670  * 9.2.  Ignored Data Message
1671  *
1672  *   byte      SSH_MSG_IGNORE
1673  *   string    data
1674  *
1675  * All implementations MUST understand (and ignore) this message at any
1676  * time (after receiving the protocol version). No implementation is
1677  * required to send them. This message can be used as an additional
1678  * protection measure against advanced traffic analysis techniques.
1679  */
1680 void
1681 packet_send_ignore(int nbytes)
1682 {
1683 	u_int32_t rnd = 0;
1684 	int i;
1685 
1686 #ifdef ALTPRIVSEP
1687 	/* shouldn't happen -- see packet_set_monitor() */
1688 	if (packet_monitor)
1689 		return;
1690 #endif /* ALTPRIVSEP */
1691 
1692 	packet_start(compat20 ? SSH2_MSG_IGNORE : SSH_MSG_IGNORE);
1693 	packet_put_int(nbytes);
1694 	for (i = 0; i < nbytes; i++) {
1695 		if (i % 4 == 0)
1696 			rnd = arc4random();
1697 		packet_put_char((u_char)rnd & 0xff);
1698 		rnd >>= 8;
1699 	}
1700 }
1701 
1702 #define MAX_PACKETS	(1U<<31)
1703 int
1704 packet_need_rekeying(void)
1705 {
1706 	if (datafellows & SSH_BUG_NOREKEY)
1707 		return 0;
1708 	return
1709 	    (p_send.packets > MAX_PACKETS) ||
1710 	    (p_read.packets > MAX_PACKETS) ||
1711 	    (max_blocks_out && (p_send.blocks > max_blocks_out)) ||
1712 	    (max_blocks_in  && (p_read.blocks > max_blocks_in));
1713 }
1714 
1715 void
1716 packet_set_rekey_limit(u_int32_t bytes)
1717 {
1718 	rekey_limit = bytes;
1719 }
1720 
1721 #ifdef ALTPRIVSEP
1722 void
1723 packet_set_server(void)
1724 {
1725 	packet_server = 1;
1726 }
1727 
1728 int
1729 packet_is_server(void)
1730 {
1731 	return (packet_server);
1732 }
1733 
1734 void
1735 packet_set_monitor(int pipe)
1736 {
1737 	int dup_fd;
1738 
1739 	packet_server = 1;
1740 	packet_monitor = 1;
1741 
1742 	/*
1743 	 * Awful hack follows.
1744 	 *
1745 	 * For SSHv1 the monitor does not process any SSHv1 packets, only
1746 	 * ALTPRIVSEP packets.  We take advantage of that here to keep changes
1747 	 * to packet.c to a minimum by using the SSHv2 binary packet protocol,
1748 	 * with cipher "none," mac "none" and compression alg "none," as the
1749 	 * basis for the monitor protocol.  And so to force packet.c to treat
1750 	 * packets as SSHv2 we force compat20 == 1 here.
1751 	 *
1752 	 * For completeness and to help future developers catch this we also
1753 	 * force compat20 == 1 in the monitor loop, in serverloop.c.
1754 	 */
1755 	compat20 = 1;
1756 
1757 	/*
1758 	 * NOTE:  Assumptions below!
1759 	 *
1760 	 *  - lots of packet.c code assumes that (connection_in ==
1761 	 *  connection_out) -> connection is socket
1762 	 *
1763 	 *  - packet_close() does not shutdown() the connection fildes
1764 	 *  if connection_in != connection_out
1765 	 *
1766 	 *  - other code assumes the connection is a socket if
1767 	 *  connection_in == connection_out
1768 	 */
1769 
1770 	if ((dup_fd = dup(pipe)) < 0)
1771 		fatal("Monitor failed to start: %s", strerror(errno));
1772 
1773 	/*
1774 	 * make sure that the monitor's child's socket is not shutdown(3SOCKET)
1775 	 * when we packet_close(). Setting connection_out to -1 will take care
1776 	 * of that.
1777 	 */
1778 	if (packet_connection_is_on_socket())
1779 		connection_out = -1;
1780 
1781 	/*
1782 	 * Now clean up the state related to the server socket. As a side
1783 	 * effect, we also clean up existing cipher contexts that were
1784 	 * initialized with 'none' cipher in packet_set_connection(). That
1785 	 * function was called in the child server process shortly after the
1786 	 * master SSH process forked. However, all of that is reinialized again
1787 	 * by another packet_set_connection() call right below.
1788 	 */
1789 	packet_close();
1790 
1791 	/*
1792 	 * Now make the monitor pipe look like the ssh connection which means
1793 	 * that connection_in and connection_out will be set to the
1794 	 * communication pipe descriptors.
1795 	 */
1796 	packet_set_connection(pipe, dup_fd);
1797 }
1798 
1799 /*
1800  * We temporarily need to set connection_in and connection_out descriptors so
1801  * that we can make use of existing code that gets the IP address and hostname
1802  * of the peer to write a login/logout record. It's not nice but we would have
1803  * to change more code when implementing the PKCS#11 engine support.
1804  */
1805 void
1806 packet_set_fds(int fd, int restore)
1807 {
1808 	static int stored_fd;
1809 
1810 	if (stored_fd == 0 && restore == 0) {
1811 		debug3("packet_set_fds: saving %d, installing %d",
1812 		    connection_in, fd);
1813 		stored_fd = connection_in;
1814 		/* we don't have a socket in inetd mode */
1815 		if (fd != -1)
1816 			connection_in = connection_out = fd;
1817 		return;
1818 	}
1819 
1820 	if (restore == 1) {
1821 		debug3("restoring %d to connection_in/out", stored_fd);
1822 		connection_in = connection_out = stored_fd;
1823 	}
1824 }
1825 
1826 int
1827 packet_is_monitor(void)
1828 {
1829 	return (packet_monitor);
1830 }
1831 #endif /* ALTPRIVSEP */
1832