xref: /titanic_50/usr/src/cmd/ssh/libssh/common/packet.c (revision bcde4861cca9caf5cab2b710a3241b038fec477c)
1 /*
2  * Author: Tatu Ylonen <ylo@cs.hut.fi>
3  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
4  *                    All rights reserved
5  * This file contains code implementing the packet protocol and communication
6  * with the other side.  This same code is used both on client and server side.
7  *
8  * As far as I am concerned, the code I have written for this software
9  * can be used freely for any purpose.  Any derived versions of this
10  * software must be clearly marked as such, and if the derived work is
11  * incompatible with the protocol description in the RFC file, it must be
12  * called by a name other than "ssh" or "Secure Shell".
13  *
14  *
15  * SSH2 packet format added by Markus Friedl.
16  * Copyright (c) 2000, 2001 Markus Friedl.  All rights reserved.
17  *
18  * Redistribution and use in source and binary forms, with or without
19  * modification, are permitted provided that the following conditions
20  * are met:
21  * 1. Redistributions of source code must retain the above copyright
22  *    notice, this list of conditions and the following disclaimer.
23  * 2. Redistributions in binary form must reproduce the above copyright
24  *    notice, this list of conditions and the following disclaimer in the
25  *    documentation and/or other materials provided with the distribution.
26  *
27  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
28  * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
29  * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
30  * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
31  * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
32  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
33  * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
34  * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
35  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
36  * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
37  */
38 /*
39  * Copyright 2008 Sun Microsystems, Inc.  All rights reserved.
40  * Use is subject to license terms.
41  */
42 
43 /* $OpenBSD: packet.c,v 1.148 2007/06/07 19:37:34 pvalchev Exp $ */
44 
45 #include "includes.h"
46 
47 #include "sys-queue.h"
48 #include "xmalloc.h"
49 #include "buffer.h"
50 #include "packet.h"
51 #include "bufaux.h"
52 #include "crc32.h"
53 #include "getput.h"
54 #include "compress.h"
55 #include "deattack.h"
56 #include "channels.h"
57 #include "compat.h"
58 #include "ssh1.h"
59 #include "ssh2.h"
60 #include "cipher.h"
61 #include "kex.h"
62 #include "mac.h"
63 #include "log.h"
64 #include "canohost.h"
65 #include "misc.h"
66 #include "ssh.h"
67 #include "engine.h"
68 
69 /* PKCS#11 engine */
70 ENGINE *e;
71 
72 #ifdef ALTPRIVSEP
73 static int packet_server = 0;
74 static int packet_monitor = 0;
75 #endif /* ALTPRIVSEP */
76 
77 #ifdef PACKET_DEBUG
78 #define DBG(x) x
79 #else
80 #define DBG(x)
81 #endif
82 
83 static void packet_send2(void);
84 
85 /*
86  * This variable contains the file descriptors used for communicating with
87  * the other side.  connection_in is used for reading; connection_out for
88  * writing.  These can be the same descriptor, in which case it is assumed to
89  * be a socket.
90  */
91 static int connection_in = -1;
92 static int connection_out = -1;
93 
94 /* Protocol flags for the remote side. */
95 static u_int remote_protocol_flags = 0;
96 
97 /* Encryption context for receiving data.  This is only used for decryption. */
98 static CipherContext receive_context;
99 
100 /* Encryption context for sending data.  This is only used for encryption. */
101 static CipherContext send_context;
102 
103 /* Buffer for raw input data from the socket. */
104 Buffer input;
105 
106 /* Buffer for raw output data going to the socket. */
107 Buffer output;
108 
109 /* Buffer for the partial outgoing packet being constructed. */
110 static Buffer outgoing_packet;
111 
112 /* Buffer for the incoming packet currently being processed. */
113 static Buffer incoming_packet;
114 
115 /* Scratch buffer for packet compression/decompression. */
116 static Buffer compression_buffer;
117 static int compression_buffer_ready = 0;
118 
119 /* Flag indicating whether packet compression/decompression is enabled. */
120 static int packet_compression = 0;
121 
122 /* default maximum packet size */
123 int max_packet_size = 32768;
124 
125 /* Flag indicating whether this module has been initialized. */
126 static int initialized = 0;
127 
128 /* Set to true if the connection is interactive. */
129 static int interactive_mode = 0;
130 
131 /* Session key information for Encryption and MAC */
132 Newkeys *newkeys[MODE_MAX];
133 static struct packet_state {
134 	u_int32_t seqnr;
135 	u_int32_t packets;
136 	u_int64_t blocks;
137 } p_read, p_send;
138 
139 static u_int64_t max_blocks_in, max_blocks_out;
140 static u_int32_t rekey_limit;
141 
142 /* Session key for protocol v1 */
143 static u_char ssh1_key[SSH_SESSION_KEY_LENGTH];
144 static u_int ssh1_keylen;
145 
146 /* roundup current message to extra_pad bytes */
147 static u_char extra_pad = 0;
148 
149 struct packet {
150 	TAILQ_ENTRY(packet) next;
151 	u_char type;
152 	Buffer payload;
153 };
154 TAILQ_HEAD(, packet) outgoing;
155 
156 /*
157  * Part of what -f option and ~& escape sequence do in the client is that they
158  * will force it to daemonize itself. Due to the fork safety rules inherent in
159  * any PKCS#11 environment, if the engine is used we must do a key re-exchange
160  * before forking a child to negotiate the new keys. Those keys will be used to
161  * inicialize the new crypto contexts. This involves finishing the engine in the
162  * parent and reinitializing it again in both processes after fork() returns.
163  * This approach also leaves protocol 1 out since it doesn't support rekeying.
164  */
165 int will_daemonize;
166 
167 #ifdef	PACKET_DEBUG
168 /* This function dumps data onto stderr. This is for debugging only. */
169 void
170 data_dump(void *data, u_int len)
171 {
172 	Buffer buf;
173 
174 	buffer_init(&buf);
175 	buffer_append(&buf, data, len);
176 	buffer_dump(&buf);
177 	buffer_free(&buf);
178 }
179 #endif
180 
181 /*
182  * Sets the descriptors used for communication.  Disables encryption until
183  * packet_set_encryption_key is called.
184  */
185 void
186 packet_set_connection(int fd_in, int fd_out)
187 {
188 	Cipher *none = cipher_by_name("none");
189 
190 	if (none == NULL)
191 		fatal("packet_set_connection: cannot load cipher 'none'");
192 	connection_in = fd_in;
193 	connection_out = fd_out;
194 	cipher_init(&send_context, none, (unsigned char *) "", 0, NULL, 0, CIPHER_ENCRYPT);
195 	cipher_init(&receive_context, none, (unsigned char *) "", 0, NULL, 0, CIPHER_DECRYPT);
196 	newkeys[MODE_IN] = newkeys[MODE_OUT] = NULL;
197 	if (!initialized) {
198 		initialized = 1;
199 		buffer_init(&input);
200 		buffer_init(&output);
201 		buffer_init(&outgoing_packet);
202 		buffer_init(&incoming_packet);
203 		TAILQ_INIT(&outgoing);
204 	} else {
205 		buffer_clear(&input);
206 		buffer_clear(&output);
207 		buffer_clear(&outgoing_packet);
208 		buffer_clear(&incoming_packet);
209 	}
210 
211 	/*
212 	 * Prime the cache for get_remote_ipaddr() while we have a
213 	 * socket on which to do a getpeername().
214 	 */
215 	(void) get_remote_ipaddr();
216 
217 	/* Kludge: arrange the close function to be called from fatal(). */
218 	fatal_add_cleanup((void (*) (void *)) packet_close, NULL);
219 }
220 
221 /* Returns 1 if remote host is connected via socket, 0 if not. */
222 
223 int
224 packet_connection_is_on_socket(void)
225 {
226 	struct sockaddr_storage from, to;
227 	socklen_t fromlen, tolen;
228 
229 	/* filedescriptors in and out are the same, so it's a socket */
230 	if (connection_in != -1 && connection_in == connection_out)
231 		return 1;
232 	fromlen = sizeof(from);
233 	memset(&from, 0, sizeof(from));
234 	if (getpeername(connection_in, (struct sockaddr *)&from, &fromlen) < 0)
235 		return 0;
236 	tolen = sizeof(to);
237 	memset(&to, 0, sizeof(to));
238 	if (getpeername(connection_out, (struct sockaddr *)&to, &tolen) < 0)
239 		return 0;
240 	if (fromlen != tolen || memcmp(&from, &to, fromlen) != 0)
241 		return 0;
242 	if (from.ss_family != AF_INET && from.ss_family != AF_INET6)
243 		return 0;
244 	return 1;
245 }
246 
247 /* returns 1 if connection is via ipv4 */
248 
249 int
250 packet_connection_is_ipv4(void)
251 {
252 	struct sockaddr_storage to;
253 	socklen_t tolen = sizeof(to);
254 
255 	memset(&to, 0, sizeof(to));
256 	if (getsockname(connection_out, (struct sockaddr *)&to, &tolen) < 0)
257 		return 0;
258 	if (to.ss_family == AF_INET)
259 		return 1;
260 #ifdef IPV4_IN_IPV6
261 	if (to.ss_family == AF_INET6 &&
262 	    IN6_IS_ADDR_V4MAPPED(&((struct sockaddr_in6 *)&to)->sin6_addr))
263 		return 1;
264 #endif
265 	return 0;
266 }
267 
268 /* Sets the connection into non-blocking mode. */
269 
270 void
271 packet_set_nonblocking(void)
272 {
273 	/* Set the socket into non-blocking mode. */
274 	if (fcntl(connection_in, F_SETFL, O_NONBLOCK) < 0)
275 		error("fcntl O_NONBLOCK: %.100s", strerror(errno));
276 
277 	if (connection_out != connection_in) {
278 		if (fcntl(connection_out, F_SETFL, O_NONBLOCK) < 0)
279 			error("fcntl O_NONBLOCK: %.100s", strerror(errno));
280 	}
281 }
282 
283 /* Returns the socket used for reading. */
284 
285 int
286 packet_get_connection_in(void)
287 {
288 	return connection_in;
289 }
290 
291 /* Returns the descriptor used for writing. */
292 
293 int
294 packet_get_connection_out(void)
295 {
296 	return connection_out;
297 }
298 
299 /* Closes the connection and clears and frees internal data structures. */
300 
301 void
302 packet_close(void)
303 {
304 	if (!initialized)
305 		return;
306 	initialized = 0;
307 	if (connection_in == connection_out) {
308 		shutdown(connection_out, SHUT_RDWR);
309 		close(connection_out);
310 	} else {
311 		close(connection_in);
312 		close(connection_out);
313 	}
314 	buffer_free(&input);
315 	buffer_free(&output);
316 	buffer_free(&outgoing_packet);
317 	buffer_free(&incoming_packet);
318 	if (compression_buffer_ready) {
319 		buffer_free(&compression_buffer);
320 		buffer_compress_uninit();
321 		compression_buffer_ready = 0;
322 	}
323 	cipher_cleanup(&send_context);
324 	cipher_cleanup(&receive_context);
325 }
326 
327 /* Sets remote side protocol flags. */
328 
329 void
330 packet_set_protocol_flags(u_int protocol_flags)
331 {
332 	remote_protocol_flags = protocol_flags;
333 }
334 
335 /* Returns the remote protocol flags set earlier by the above function. */
336 
337 u_int
338 packet_get_protocol_flags(void)
339 {
340 	return remote_protocol_flags;
341 }
342 
343 /*
344  * Starts packet compression from the next packet on in both directions.
345  * Level is compression level 1 (fastest) - 9 (slow, best) as in gzip.
346  */
347 
348 static void
349 packet_init_compression(void)
350 {
351 	if (compression_buffer_ready == 1)
352 		return;
353 	compression_buffer_ready = 1;
354 	buffer_init(&compression_buffer);
355 }
356 
357 void
358 packet_start_compression(int level)
359 {
360 #ifdef ALTPRIVSEP
361 	/* shouldn't happen! */
362 	if (packet_monitor)
363 		fatal("INTERNAL ERROR: The monitor cannot compress.");
364 #endif /* ALTPRIVSEP */
365 
366 	if (packet_compression && !compat20)
367 		fatal("Compression already enabled.");
368 	packet_compression = 1;
369 	packet_init_compression();
370 	buffer_compress_init_send(level);
371 	buffer_compress_init_recv();
372 }
373 
374 /*
375  * Causes any further packets to be encrypted using the given key.  The same
376  * key is used for both sending and reception.  However, both directions are
377  * encrypted independently of each other.
378  */
379 
380 void
381 packet_set_encryption_key(const u_char *key, u_int keylen,
382     int number)
383 {
384 	Cipher *cipher = cipher_by_number(number);
385 
386 	if (cipher == NULL)
387 		fatal("packet_set_encryption_key: unknown cipher number %d", number);
388 	if (keylen < 20)
389 		fatal("packet_set_encryption_key: keylen too small: %d", keylen);
390 	if (keylen > SSH_SESSION_KEY_LENGTH)
391 		fatal("packet_set_encryption_key: keylen too big: %d", keylen);
392 	memcpy(ssh1_key, key, keylen);
393 	ssh1_keylen = keylen;
394 	cipher_init(&send_context, cipher, key, keylen, NULL, 0, CIPHER_ENCRYPT);
395 	cipher_init(&receive_context, cipher, key, keylen, NULL, 0, CIPHER_DECRYPT);
396 }
397 
398 u_int
399 packet_get_encryption_key(u_char *key)
400 {
401 	if (key == NULL)
402 		return (ssh1_keylen);
403 	memcpy(key, ssh1_key, ssh1_keylen);
404 	return (ssh1_keylen);
405 }
406 
407 /* Start constructing a packet to send. */
408 void
409 packet_start(u_char type)
410 {
411 	u_char buf[9];
412 	int len;
413 
414 	DBG(debug("packet_start[%d]", type));
415 	len = compat20 ? 6 : 9;
416 	memset(buf, 0, len - 1);
417 	buf[len - 1] = type;
418 	buffer_clear(&outgoing_packet);
419 	buffer_append(&outgoing_packet, buf, len);
420 }
421 
422 /* Append payload. */
423 void
424 packet_put_char(int value)
425 {
426 	char ch = value;
427 
428 	buffer_append(&outgoing_packet, &ch, 1);
429 }
430 
431 void
432 packet_put_int(u_int value)
433 {
434 	buffer_put_int(&outgoing_packet, value);
435 }
436 
437 void
438 packet_put_string(const void *buf, u_int len)
439 {
440 	buffer_put_string(&outgoing_packet, buf, len);
441 }
442 
443 void
444 packet_put_cstring(const char *str)
445 {
446 	buffer_put_cstring(&outgoing_packet, str);
447 }
448 
449 void
450 packet_put_ascii_cstring(const char *str)
451 {
452 	buffer_put_ascii_cstring(&outgoing_packet, str);
453 }
454 void
455 packet_put_utf8_cstring(const u_char *str)
456 {
457 	buffer_put_utf8_cstring(&outgoing_packet, str);
458 }
459 #if 0
460 void
461 packet_put_ascii_string(const void *buf, u_int len)
462 {
463 	buffer_put_ascii_string(&outgoing_packet, buf, len);
464 }
465 void
466 packet_put_utf8_string(const void *buf, u_int len)
467 {
468 	buffer_put_utf8_string(&outgoing_packet, buf, len);
469 }
470 #endif
471 void
472 packet_put_raw(const void *buf, u_int len)
473 {
474 	buffer_append(&outgoing_packet, buf, len);
475 }
476 
477 void
478 packet_put_bignum(BIGNUM * value)
479 {
480 	buffer_put_bignum(&outgoing_packet, value);
481 }
482 
483 void
484 packet_put_bignum2(BIGNUM * value)
485 {
486 	buffer_put_bignum2(&outgoing_packet, value);
487 }
488 
489 /*
490  * Finalizes and sends the packet.  If the encryption key has been set,
491  * encrypts the packet before sending.
492  */
493 
494 static void
495 packet_send1(void)
496 {
497 	u_char buf[8], *cp;
498 	int i, padding, len;
499 	u_int checksum;
500 	u_int32_t rnd = 0;
501 
502 	/*
503 	 * If using packet compression, compress the payload of the outgoing
504 	 * packet.
505 	 */
506 	if (packet_compression) {
507 		buffer_clear(&compression_buffer);
508 		/* Skip padding. */
509 		buffer_consume(&outgoing_packet, 8);
510 		/* padding */
511 		buffer_append(&compression_buffer, "\0\0\0\0\0\0\0\0", 8);
512 		buffer_compress(&outgoing_packet, &compression_buffer);
513 		buffer_clear(&outgoing_packet);
514 		buffer_append(&outgoing_packet, buffer_ptr(&compression_buffer),
515 		    buffer_len(&compression_buffer));
516 	}
517 	/* Compute packet length without padding (add checksum, remove padding). */
518 	len = buffer_len(&outgoing_packet) + 4 - 8;
519 
520 	/* Insert padding. Initialized to zero in packet_start1() */
521 	padding = 8 - len % 8;
522 	if (!send_context.plaintext) {
523 		cp = buffer_ptr(&outgoing_packet);
524 		for (i = 0; i < padding; i++) {
525 			if (i % 4 == 0)
526 				rnd = arc4random();
527 			cp[7 - i] = rnd & 0xff;
528 			rnd >>= 8;
529 		}
530 	}
531 	buffer_consume(&outgoing_packet, 8 - padding);
532 
533 	/* Add check bytes. */
534 	checksum = ssh_crc32(buffer_ptr(&outgoing_packet),
535 	    buffer_len(&outgoing_packet));
536 	PUT_32BIT(buf, checksum);
537 	buffer_append(&outgoing_packet, buf, 4);
538 
539 #ifdef PACKET_DEBUG
540 	fprintf(stderr, "packet_send plain: ");
541 	buffer_dump(&outgoing_packet);
542 #endif
543 
544 	/* Append to output. */
545 	PUT_32BIT(buf, len);
546 	buffer_append(&output, buf, 4);
547 	cp = buffer_append_space(&output, buffer_len(&outgoing_packet));
548 	cipher_crypt(&send_context, cp, buffer_ptr(&outgoing_packet),
549 	    buffer_len(&outgoing_packet));
550 
551 #ifdef PACKET_DEBUG
552 	debug("encrypted output queue now contains (%d bytes):\n",
553 	    buffer_len(&output));
554 	buffer_dump(&output);
555 #endif
556 
557 	buffer_clear(&outgoing_packet);
558 
559 	/*
560 	 * Note that the packet is now only buffered in output.  It won\'t be
561 	 * actually sent until packet_write_wait or packet_write_poll is
562 	 * called.
563 	 */
564 }
565 
566 void
567 set_newkeys(int mode)
568 {
569 	Enc *enc;
570 	Mac *mac;
571 	Comp *comp;
572 	CipherContext *cc;
573 	u_int64_t *max_blocks;
574 	int crypt_type;
575 
576 	debug2("set_newkeys: mode %d", mode);
577 
578 	if (mode == MODE_OUT) {
579 		cc = &send_context;
580 		crypt_type = CIPHER_ENCRYPT;
581 		p_send.packets = p_send.blocks = 0;
582 		max_blocks = &max_blocks_out;
583 	} else {
584 		cc = &receive_context;
585 		crypt_type = CIPHER_DECRYPT;
586 		p_read.packets = p_read.blocks = 0;
587 		max_blocks = &max_blocks_in;
588 	}
589 
590 	debug("set_newkeys: setting new keys for '%s' mode",
591 	    mode == MODE_IN ? "in" : "out");
592 
593 	if (newkeys[mode] != NULL) {
594 		cipher_cleanup(cc);
595 		free_keys(newkeys[mode]);
596 	}
597 
598 	newkeys[mode] = kex_get_newkeys(mode);
599 	if (newkeys[mode] == NULL)
600 		fatal("newkeys: no keys for mode %d", mode);
601 	enc  = &newkeys[mode]->enc;
602 	mac  = &newkeys[mode]->mac;
603 	comp = &newkeys[mode]->comp;
604 	if (mac->md != NULL)
605 		mac->enabled = 1;
606 #ifdef	PACKET_DEBUG
607 	debug("new encryption key:\n");
608 	data_dump(enc->key, enc->key_len);
609 	debug("new encryption IV:\n");
610 	data_dump(enc->iv, enc->block_size);
611 	debug("new MAC key:\n");
612 	data_dump(mac->key, mac->key_len);
613 #endif
614 	cipher_init(cc, enc->cipher, enc->key, enc->key_len,
615 	    enc->iv, enc->block_size, crypt_type);
616 	/* Deleting the keys does not gain extra security */
617 	/* memset(enc->iv,  0, enc->block_size);
618 	   memset(enc->key, 0, enc->key_len); */
619 	if (comp->type != 0 && comp->enabled == 0) {
620 		packet_init_compression();
621 		if (mode == MODE_OUT)
622 			buffer_compress_init_send(6);
623 		else
624 			buffer_compress_init_recv();
625 		comp->enabled = 1;
626 	}
627 
628 	/*
629 	 * In accordance to the RFCs listed below we enforce the key
630 	 * re-exchange for:
631 	 *
632 	 * - every 1GB of transmitted data if the selected cipher block size
633 	 *   is less than 16 bytes (3DES, Blowfish)
634 	 * - every 2^(2*B) cipher blocks transmitted (B is block size in bytes)
635 	 *   if the cipher block size is greater than or equal to 16 bytes (AES)
636 	 * - and we never send more than 2^32 SSH packets using the same keys.
637 	 *   The recommendation of 2^31 packets is not enforced here but in
638 	 *   packet_need_rekeying(). There is also a hard check in
639 	 *   packet_send2_wrapped() that we don't send more than 2^32 packets.
640 	 *
641 	 * Note that if the SSH_BUG_NOREKEY compatibility flag is set then no
642 	 * automatic rekeying is performed nor do we enforce the 3rd rule.
643 	 * This means that we can be always forced by the opposite side to never
644 	 * initiate automatic key re-exchange. This might change in the future.
645 	 *
646 	 * The RekeyLimit option keyword may only enforce more frequent key
647 	 * renegotiation, never less. For more information on key renegotiation,
648 	 * see:
649 	 *
650 	 * - RFC 4253 (SSH Transport Layer Protocol), section "9. Key
651 	 *   Re-Exchange"
652 	 * - RFC 4344 (SSH Transport Layer Encryption Modes), sections "3.
653 	 *   Rekeying" and "6.1 Rekeying Considerations"
654 	 */
655 	if (enc->block_size >= 16)
656 		*max_blocks = (u_int64_t)1 << (enc->block_size * 2);
657 	else
658 		*max_blocks = ((u_int64_t)1 << 30) / enc->block_size;
659 
660 	if (rekey_limit)
661 		*max_blocks = MIN(*max_blocks, rekey_limit / enc->block_size);
662 }
663 
664 void
665 free_keys(Newkeys *keys)
666 {
667 	Enc *enc;
668 	Mac *mac;
669 	Comp *comp;
670 
671 	enc  = &keys->enc;
672 	mac  = &keys->mac;
673 	comp = &keys->comp;
674 	memset(mac->key, 0, mac->key_len);
675 	xfree(enc->name);
676 	xfree(enc->iv);
677 	xfree(enc->key);
678 	xfree(mac->name);
679 	xfree(mac->key);
680 	xfree(comp->name);
681 	xfree(keys);
682 }
683 
684 /*
685  * Process SSH2_MSG_NEWKEYS message. If we are using the engine we must have
686  * both SSH2_MSG_NEWKEYS processed before we can finish the engine, fork, and
687  * reinitialize the crypto contexts. We can't fork before processing the 2nd
688  * message otherwise we couldn't encrypt/decrypt that message at all - note that
689  * parent's PKCS#11 sessions are useless after the fork and we must process
690  * both SSH2_MSG_NEWKEYS messages using the old keys.
691  */
692 void
693 process_newkeys(int mode)
694 {
695 	if (packet_is_server() != 0)
696 		return;
697 
698 	if (will_daemonize == FIRST_NEWKEYS_PROCESSED) {
699 		debug3("both SSH2_MSG_NEWKEYS processed, will daemonize now");
700 		cipher_cleanup(&send_context);
701 		cipher_cleanup(&receive_context);
702 		pkcs11_engine_finish(e);
703 		if (daemon(1, 1) < 0) {
704 			fatal("daemon() failed: %.200s",
705 			    strerror(errno));
706 		}
707 		e = pkcs11_engine_load(e != NULL ? 1 : 0);
708 
709 		set_newkeys(MODE_OUT);
710 		set_newkeys(MODE_IN);
711 		will_daemonize = SECOND_NEWKEYS_PROCESSED;
712 		packet_send2();
713 	} else {
714 		if (will_daemonize == DAEMONIZING_REQUESTED)
715 			will_daemonize = FIRST_NEWKEYS_PROCESSED;
716 		else
717 			set_newkeys(mode);
718 	}
719 }
720 
721 /*
722  * Finalize packet in SSH2 format (compress, mac, encrypt, enqueue)
723  */
724 static void
725 packet_send2_wrapped(void)
726 {
727 	u_char type, *cp, *macbuf = NULL;
728 	u_char padlen, pad;
729 	u_int packet_length = 0;
730 	u_int i, len;
731 	u_int32_t rnd = 0;
732 	Enc *enc   = NULL;
733 	Mac *mac   = NULL;
734 	Comp *comp = NULL;
735 	int block_size;
736 
737 	if (newkeys[MODE_OUT] != NULL) {
738 		enc  = &newkeys[MODE_OUT]->enc;
739 		mac  = &newkeys[MODE_OUT]->mac;
740 		comp = &newkeys[MODE_OUT]->comp;
741 	}
742 	block_size = enc ? enc->block_size : 8;
743 
744 	cp = buffer_ptr(&outgoing_packet);
745 	type = cp[5];
746 
747 #ifdef PACKET_DEBUG
748 	debug("plain output packet to be processed (%d bytes):\n",
749 	    buffer_len(&outgoing_packet));
750 	buffer_dump(&outgoing_packet);
751 #endif
752 
753 	if (comp && comp->enabled) {
754 		len = buffer_len(&outgoing_packet);
755 		/* skip header, compress only payload */
756 		buffer_consume(&outgoing_packet, 5);
757 		buffer_clear(&compression_buffer);
758 		buffer_compress(&outgoing_packet, &compression_buffer);
759 		buffer_clear(&outgoing_packet);
760 		buffer_append(&outgoing_packet, "\0\0\0\0\0", 5);
761 		buffer_append(&outgoing_packet, buffer_ptr(&compression_buffer),
762 		    buffer_len(&compression_buffer));
763 		DBG(debug("compression: raw %d compressed %d", len,
764 		    buffer_len(&outgoing_packet)));
765 	}
766 
767 	/* sizeof (packet_len + pad_len + payload) */
768 	len = buffer_len(&outgoing_packet);
769 
770 	/*
771 	 * calc size of padding, alloc space, get random data,
772 	 * minimum padding is 4 bytes
773 	 */
774 	padlen = block_size - (len % block_size);
775 	if (padlen < 4)
776 		padlen += block_size;
777 	if (extra_pad) {
778 		/* will wrap if extra_pad+padlen > 255 */
779 		extra_pad  = roundup(extra_pad, block_size);
780 		pad = extra_pad - ((len + padlen) % extra_pad);
781 		debug3("packet_send2: adding %d (len %d padlen %d extra_pad %d)",
782 		    pad, len, padlen, extra_pad);
783 		padlen += pad;
784 		extra_pad = 0;
785 	}
786 	cp = buffer_append_space(&outgoing_packet, padlen);
787 	if (enc && !send_context.plaintext) {
788 		/* random padding */
789 		for (i = 0; i < padlen; i++) {
790 			if (i % 4 == 0)
791 				rnd = arc4random();
792 			cp[i] = rnd & 0xff;
793 			rnd >>= 8;
794 		}
795 	} else {
796 		/* clear padding */
797 		memset(cp, 0, padlen);
798 	}
799 	/* packet_length includes payload, padding and padding length field */
800 	packet_length = buffer_len(&outgoing_packet) - 4;
801 	cp = buffer_ptr(&outgoing_packet);
802 	PUT_32BIT(cp, packet_length);
803 	cp[4] = padlen;
804 	DBG(debug("will send %d bytes (includes padlen %d)",
805 	    packet_length + 4, padlen));
806 
807 	/* compute MAC over seqnr and packet(length fields, payload, padding) */
808 	if (mac && mac->enabled) {
809 		macbuf = mac_compute(mac, p_send.seqnr,
810 		    buffer_ptr(&outgoing_packet),
811 		    buffer_len(&outgoing_packet));
812 		DBG(debug("done calc MAC out #%d", p_send.seqnr));
813 	}
814 	/* encrypt packet and append to output buffer. */
815 	cp = buffer_append_space(&output, buffer_len(&outgoing_packet));
816 	cipher_crypt(&send_context, cp, buffer_ptr(&outgoing_packet),
817 	    buffer_len(&outgoing_packet));
818 	/* append unencrypted MAC */
819 	if (mac && mac->enabled)
820 		buffer_append(&output, (char *)macbuf, mac->mac_len);
821 #ifdef PACKET_DEBUG
822 	debug("encrypted output queue now contains (%d bytes):\n",
823 	    buffer_len(&output));
824 	buffer_dump(&output);
825 #endif
826 	/* increment sequence number for outgoing packets */
827 	if (++p_send.seqnr == 0)
828 		log("outgoing seqnr wraps around");
829 
830 	/*
831 	 * RFC 4344: 3.1. First Rekeying Recommendation
832 	 *
833 	 * "Because of possible information leakage through the MAC tag after a
834 	 * key exchange, .... an SSH implementation SHOULD NOT send more than
835 	 * 2**32 packets before rekeying again."
836 	 *
837 	 * The code below is a hard check so that we are sure we don't go across
838 	 * the suggestion. However, since the largest cipher block size we have
839 	 * (AES) is 16 bytes we can't reach 2^32 SSH packets encrypted with the
840 	 * same key while performing periodic rekeying.
841 	 */
842 	if (++p_send.packets == 0)
843 		if (!(datafellows & SSH_BUG_NOREKEY))
844 			fatal("too many packets encrypted with same key");
845 	p_send.blocks += (packet_length + 4) / block_size;
846 	buffer_clear(&outgoing_packet);
847 
848 	if (type == SSH2_MSG_NEWKEYS) {
849 		/*
850 		 * set_newkeys(MODE_OUT) in the client. Note that in the
851 		 * unprivileged child, set_newkeys() for MODE_OUT are set after
852 		 * SSH2_MSG_NEWKEYS is read from the monitor and forwarded to
853 		 * the client side.
854 		 */
855 		process_newkeys(MODE_OUT);
856 	}
857 }
858 
859 /*
860  * Packets we deal with here are plain until we encrypt them in
861  * packet_send2_wrapped().
862  *
863  * As already mentioned in a comment at process_newkeys() function we must not
864  * fork() until both SSH2_MSG_NEWKEYS packets were processed. Until this is done
865  * we must queue all packets so that they can be encrypted with the new keys and
866  * then sent to the other side. However, what can happen here is that we get
867  * SSH2_MSG_NEWKEYS after we sent it. In that situation we must call
868  * packet_send2() anyway to empty the queue, and set the rekey flag to the
869  * finished state. If we didn't do that we would just hang and enqueue data.
870  */
871 static void
872 packet_send2(void)
873 {
874 	static int rekeying = 0;
875 	struct packet *p;
876 	u_char type, *cp;
877 
878 	if (will_daemonize != SECOND_NEWKEYS_PROCESSED) {
879 		cp = buffer_ptr(&outgoing_packet);
880 		type = cp[5];
881 
882 		/* during rekeying we can only send key exchange messages */
883 		if (rekeying) {
884 			if (!((type >= SSH2_MSG_TRANSPORT_MIN) &&
885 			    (type <= SSH2_MSG_TRANSPORT_MAX))) {
886 				debug("enqueue a plain packet because rekex in "
887 				    "progress [type %u]", type);
888 				p = xmalloc(sizeof(*p));
889 				p->type = type;
890 				memcpy(&p->payload, &outgoing_packet, sizeof(Buffer));
891 				buffer_init(&outgoing_packet);
892 				TAILQ_INSERT_TAIL(&outgoing, p, next);
893 				return;
894 			}
895 		}
896 
897 		/* rekeying starts with sending KEXINIT */
898 		if (type == SSH2_MSG_KEXINIT)
899 			rekeying = 1;
900 
901 		packet_send2_wrapped();
902 	}
903 
904 	/* after rekex is done we can process the queue of plain packets */
905 	if (will_daemonize == SECOND_NEWKEYS_PROCESSED ||
906 	    (will_daemonize == NOT_DAEMONIZING && type == SSH2_MSG_NEWKEYS)) {
907 		rekeying = 0;
908 		will_daemonize = NOT_DAEMONIZING;
909 		while ((p = TAILQ_FIRST(&outgoing)) != NULL) {
910 			type = p->type;
911 			debug("dequeuing a plain packet since rekex is over "
912 			    "[type %u]", type);
913 			buffer_free(&outgoing_packet);
914 			memcpy(&outgoing_packet, &p->payload, sizeof(Buffer));
915 			TAILQ_REMOVE(&outgoing, p, next);
916 			xfree(p);
917 			packet_send2_wrapped();
918 		}
919 	}
920 }
921 
922 void
923 packet_send(void)
924 {
925 	if (compat20)
926 		packet_send2();
927 	else
928 		packet_send1();
929 	DBG(debug("packet_send done"));
930 }
931 
932 /*
933  * Waits until a packet has been received, and returns its type.  Note that
934  * no other data is processed until this returns, so this function should not
935  * be used during the interactive session.
936  */
937 
938 int
939 packet_read_seqnr(u_int32_t *seqnr_p)
940 {
941 	int type, len;
942 	fd_set *setp;
943 	char buf[8192];
944 	DBG(debug("packet_read()"));
945 
946 	setp = (fd_set *)xmalloc(howmany(connection_in+1, NFDBITS) *
947 	    sizeof(fd_mask));
948 
949 	/* Since we are blocking, ensure that all written packets have been sent. */
950 	packet_write_wait();
951 
952 	/* Stay in the loop until we have received a complete packet. */
953 	for (;;) {
954 		/* Try to read a packet from the buffer. */
955 		type = packet_read_poll_seqnr(seqnr_p);
956 		if (!compat20 && (
957 		    type == SSH_SMSG_SUCCESS
958 		    || type == SSH_SMSG_FAILURE
959 		    || type == SSH_CMSG_EOF
960 		    || type == SSH_CMSG_EXIT_CONFIRMATION))
961 			packet_check_eom();
962 		/* If we got a packet, return it. */
963 		if (type != SSH_MSG_NONE) {
964 			xfree(setp);
965 			return type;
966 		}
967 		/*
968 		 * Otherwise, wait for some data to arrive, add it to the
969 		 * buffer, and try again.
970 		 */
971 		memset(setp, 0, howmany(connection_in + 1, NFDBITS) *
972 		    sizeof(fd_mask));
973 		FD_SET(connection_in, setp);
974 
975 		/* Wait for some data to arrive. */
976 		while (select(connection_in + 1, setp, NULL, NULL, NULL) == -1 &&
977 		    (errno == EAGAIN || errno == EINTR))
978 			;
979 
980 		/* Read data from the socket. */
981 		len = read(connection_in, buf, sizeof(buf));
982 		if (len == 0) {
983 			log("Connection closed by %.200s", get_remote_ipaddr());
984 			fatal_cleanup();
985 		}
986 		if (len < 0)
987 			fatal("Read from socket failed: %.100s", strerror(errno));
988 		/* Append it to the buffer. */
989 		packet_process_incoming(buf, len);
990 	}
991 	/* NOTREACHED */
992 }
993 
994 int
995 packet_read(void)
996 {
997 	return packet_read_seqnr(NULL);
998 }
999 
1000 /*
1001  * Waits until a packet has been received, verifies that its type matches
1002  * that given, and gives a fatal error and exits if there is a mismatch.
1003  */
1004 
1005 void
1006 packet_read_expect(int expected_type)
1007 {
1008 	int type;
1009 
1010 	type = packet_read();
1011 	if (type != expected_type)
1012 		packet_disconnect("Protocol error: expected packet type %d, got %d",
1013 		    expected_type, type);
1014 }
1015 
1016 /* Checks if a full packet is available in the data received so far via
1017  * packet_process_incoming.  If so, reads the packet; otherwise returns
1018  * SSH_MSG_NONE.  This does not wait for data from the connection.
1019  *
1020  * SSH_MSG_DISCONNECT is handled specially here.  Also,
1021  * SSH_MSG_IGNORE messages are skipped by this function and are never returned
1022  * to higher levels.
1023  */
1024 
1025 static int
1026 packet_read_poll1(void)
1027 {
1028 	u_int len, padded_len;
1029 	u_char *cp, type;
1030 	u_int checksum, stored_checksum;
1031 
1032 	/* Check if input size is less than minimum packet size. */
1033 	if (buffer_len(&input) < 4 + 8)
1034 		return SSH_MSG_NONE;
1035 	/* Get length of incoming packet. */
1036 	cp = buffer_ptr(&input);
1037 	len = GET_32BIT(cp);
1038 	if (len < 1 + 2 + 2 || len > 256 * 1024)
1039 		packet_disconnect("Bad packet length %d.", len);
1040 	padded_len = (len + 8) & ~7;
1041 
1042 	/* Check if the packet has been entirely received. */
1043 	if (buffer_len(&input) < 4 + padded_len)
1044 		return SSH_MSG_NONE;
1045 
1046 	/* The entire packet is in buffer. */
1047 
1048 	/* Consume packet length. */
1049 	buffer_consume(&input, 4);
1050 
1051 	/*
1052 	 * Cryptographic attack detector for ssh
1053 	 * (C)1998 CORE-SDI, Buenos Aires Argentina
1054 	 * Ariel Futoransky(futo@core-sdi.com)
1055 	 */
1056 	if (!receive_context.plaintext) {
1057 		switch (detect_attack(buffer_ptr(&input), padded_len, NULL)) {
1058 		case DEATTACK_DETECTED:
1059 			packet_disconnect("crc32 compensation attack: "
1060 			    "network attack detected");
1061 			break;
1062 		case DEATTACK_DOS_DETECTED:
1063 			packet_disconnect("deattack denial of "
1064 			    "service detected");
1065 			break;
1066 		}
1067 	}
1068 
1069 	/* Decrypt data to incoming_packet. */
1070 	buffer_clear(&incoming_packet);
1071 	cp = buffer_append_space(&incoming_packet, padded_len);
1072 	cipher_crypt(&receive_context, cp, buffer_ptr(&input), padded_len);
1073 
1074 	buffer_consume(&input, padded_len);
1075 
1076 #ifdef PACKET_DEBUG
1077 	debug("read_poll plain/full:\n");
1078 	buffer_dump(&incoming_packet);
1079 #endif
1080 
1081 	/* Compute packet checksum. */
1082 	checksum = ssh_crc32(buffer_ptr(&incoming_packet),
1083 	    buffer_len(&incoming_packet) - 4);
1084 
1085 	/* Skip padding. */
1086 	buffer_consume(&incoming_packet, 8 - len % 8);
1087 
1088 	/* Test check bytes. */
1089 	if (len != buffer_len(&incoming_packet))
1090 		packet_disconnect("packet_read_poll1: len %d != buffer_len %d.",
1091 		    len, buffer_len(&incoming_packet));
1092 
1093 	cp = (u_char *)buffer_ptr(&incoming_packet) + len - 4;
1094 	stored_checksum = GET_32BIT(cp);
1095 	if (checksum != stored_checksum)
1096 		packet_disconnect("Corrupted check bytes on input.");
1097 	buffer_consume_end(&incoming_packet, 4);
1098 
1099 	if (packet_compression) {
1100 		buffer_clear(&compression_buffer);
1101 		buffer_uncompress(&incoming_packet, &compression_buffer);
1102 		buffer_clear(&incoming_packet);
1103 		buffer_append(&incoming_packet, buffer_ptr(&compression_buffer),
1104 		    buffer_len(&compression_buffer));
1105 	}
1106 	type = buffer_get_char(&incoming_packet);
1107 	return type;
1108 }
1109 
1110 static int
1111 packet_read_poll2(u_int32_t *seqnr_p)
1112 {
1113 	static u_int packet_length = 0;
1114 	u_int padlen, need;
1115 	u_char *macbuf, *cp, type;
1116 	int maclen, block_size;
1117 	Enc *enc   = NULL;
1118 	Mac *mac   = NULL;
1119 	Comp *comp = NULL;
1120 
1121 	if (newkeys[MODE_IN] != NULL) {
1122 		enc  = &newkeys[MODE_IN]->enc;
1123 		mac  = &newkeys[MODE_IN]->mac;
1124 		comp = &newkeys[MODE_IN]->comp;
1125 	}
1126 	maclen = mac && mac->enabled ? mac->mac_len : 0;
1127 	block_size = enc ? enc->block_size : 8;
1128 
1129 	if (packet_length == 0) {
1130 		/*
1131 		 * check if input size is less than the cipher block size,
1132 		 * decrypt first block and extract length of incoming packet
1133 		 */
1134 		if (buffer_len(&input) < block_size)
1135 			return SSH_MSG_NONE;
1136 #ifdef PACKET_DEBUG
1137 		debug("encrypted data we have in read queue (%d bytes):\n",
1138 		    buffer_len(&input));
1139 		buffer_dump(&input);
1140 #endif
1141 		buffer_clear(&incoming_packet);
1142 		cp = buffer_append_space(&incoming_packet, block_size);
1143 		cipher_crypt(&receive_context, cp, buffer_ptr(&input),
1144 		    block_size);
1145 		cp = buffer_ptr(&incoming_packet);
1146 		packet_length = GET_32BIT(cp);
1147 		if (packet_length < 1 + 4 || packet_length > 256 * 1024) {
1148 			error("bad packet length %d; i/o counters "
1149 			    "%llu/%llu", packet_length,
1150 			    p_read.blocks * block_size,
1151 			    p_send.blocks * block_size);
1152 			error("decrypted %d bytes follows:\n", block_size);
1153 			buffer_dump(&incoming_packet);
1154 			packet_disconnect("Bad packet length %d, i/o counters "
1155 			    "%llu/%llu.", packet_length,
1156 			    p_read.blocks * block_size,
1157 			    p_send.blocks * block_size);
1158 		}
1159 		DBG(debug("input: packet len %u", packet_length + 4));
1160 		buffer_consume(&input, block_size);
1161 	}
1162 	/* we have a partial packet of block_size bytes */
1163 	need = 4 + packet_length - block_size;
1164 	DBG(debug("partial packet %d, still need %d, maclen %d", block_size,
1165 	    need, maclen));
1166 	if (need % block_size != 0)
1167 		fatal("padding error: need %d block %d mod %d",
1168 		    need, block_size, need % block_size);
1169 	/*
1170 	 * check if the entire packet has been received and
1171 	 * decrypt into incoming_packet
1172 	 */
1173 	if (buffer_len(&input) < need + maclen)
1174 		return SSH_MSG_NONE;
1175 #ifdef PACKET_DEBUG
1176 	debug("in read_poll, the encrypted input queue now contains "
1177 	    "(%d bytes):\n", buffer_len(&input));
1178 	buffer_dump(&input);
1179 #endif
1180 	cp = buffer_append_space(&incoming_packet, need);
1181 	cipher_crypt(&receive_context, cp, buffer_ptr(&input), need);
1182 	buffer_consume(&input, need);
1183 	/*
1184 	 * compute MAC over seqnr and packet,
1185 	 * increment sequence number for incoming packet
1186 	 */
1187 	if (mac && mac->enabled) {
1188 		macbuf = mac_compute(mac, p_read.seqnr,
1189 		    buffer_ptr(&incoming_packet),
1190 		    buffer_len(&incoming_packet));
1191 		if (memcmp(macbuf, buffer_ptr(&input), mac->mac_len) != 0)
1192 			packet_disconnect("Corrupted MAC on input.");
1193 		DBG(debug("MAC #%d ok", p_read.seqnr));
1194 		buffer_consume(&input, mac->mac_len);
1195 	}
1196 	if (seqnr_p != NULL)
1197 		*seqnr_p = p_read.seqnr;
1198 	if (++p_read.seqnr == 0)
1199 		log("incoming seqnr wraps around");
1200 
1201 	/* see above for the comment on "First Rekeying Recommendation" */
1202 	if (++p_read.packets == 0)
1203 		if (!(datafellows & SSH_BUG_NOREKEY))
1204 			fatal("too many packets with same key");
1205 	p_read.blocks += (packet_length + 4) / block_size;
1206 
1207 	/* get padlen */
1208 	cp = buffer_ptr(&incoming_packet);
1209 	padlen = cp[4];
1210 	DBG(debug("input: padlen %d", padlen));
1211 	if (padlen < 4)
1212 		packet_disconnect("Corrupted padlen %d on input.", padlen);
1213 
1214 	/* skip packet size + padlen, discard padding */
1215 	buffer_consume(&incoming_packet, 4 + 1);
1216 	buffer_consume_end(&incoming_packet, padlen);
1217 
1218 	DBG(debug("input: len before de-compress %d", buffer_len(&incoming_packet)));
1219 	if (comp && comp->enabled) {
1220 		buffer_clear(&compression_buffer);
1221 		buffer_uncompress(&incoming_packet, &compression_buffer);
1222 		buffer_clear(&incoming_packet);
1223 		buffer_append(&incoming_packet, buffer_ptr(&compression_buffer),
1224 		    buffer_len(&compression_buffer));
1225 		DBG(debug("input: len after de-compress %d",
1226 		    buffer_len(&incoming_packet)));
1227 	}
1228 	/*
1229 	 * get packet type, implies consume.
1230 	 * return length of payload (without type field)
1231 	 */
1232 	type = buffer_get_char(&incoming_packet);
1233 	if (type == SSH2_MSG_NEWKEYS) {
1234 		/*
1235 		 * set_newkeys(MODE_IN) in the client because it doesn't have a
1236 		 * dispatch function for SSH2_MSG_NEWKEYS in contrast to the
1237 		 * server processes. Note that in the unprivileged child,
1238 		 * set_newkeys() for MODE_IN are set in dispatch function
1239 		 * altprivsep_rekey() after SSH2_MSG_NEWKEYS packet is received
1240 		 * from the client.
1241 		 */
1242 		process_newkeys(MODE_IN);
1243 	}
1244 
1245 #ifdef PACKET_DEBUG
1246 	debug("decrypted input packet [type %d]:\n", type);
1247 	buffer_dump(&incoming_packet);
1248 #endif
1249 	/* reset for next packet */
1250 	packet_length = 0;
1251 	return type;
1252 }
1253 
1254 /*
1255  * This tries to read a packet from the buffer of received data. Note that it
1256  * doesn't read() anything from the network socket.
1257  */
1258 int
1259 packet_read_poll_seqnr(u_int32_t *seqnr_p)
1260 {
1261 	u_int reason, seqnr;
1262 	u_char type;
1263 	char *msg;
1264 
1265 	for (;;) {
1266 		if (compat20) {
1267 			type = packet_read_poll2(seqnr_p);
1268 			DBG(debug("received packet type %d", type));
1269 			switch (type) {
1270 			case SSH2_MSG_IGNORE:
1271 				break;
1272 			case SSH2_MSG_DEBUG:
1273 				packet_get_char();
1274 				msg = packet_get_string(NULL);
1275 				debug("Remote: %.900s", msg);
1276 				xfree(msg);
1277 				msg = packet_get_string(NULL);
1278 				xfree(msg);
1279 				break;
1280 			case SSH2_MSG_DISCONNECT:
1281 				reason = packet_get_int();
1282 				msg = packet_get_string(NULL);
1283 				log("Received disconnect from %s: %u: %.400s",
1284 				    get_remote_ipaddr(), reason, msg);
1285 				xfree(msg);
1286 				fatal_cleanup();
1287 				break;
1288 			case SSH2_MSG_UNIMPLEMENTED:
1289 				seqnr = packet_get_int();
1290 				debug("Received SSH2_MSG_UNIMPLEMENTED for %u",
1291 				    seqnr);
1292 				break;
1293 			default:
1294 				return type;
1295 				break;
1296 			}
1297 		} else {
1298 			type = packet_read_poll1();
1299 			DBG(debug("received packet type %d", type));
1300 			switch (type) {
1301 			case SSH_MSG_IGNORE:
1302 				break;
1303 			case SSH_MSG_DEBUG:
1304 				msg = packet_get_string(NULL);
1305 				debug("Remote: %.900s", msg);
1306 				xfree(msg);
1307 				break;
1308 			case SSH_MSG_DISCONNECT:
1309 				msg = packet_get_string(NULL);
1310 				log("Received disconnect from %s: %.400s",
1311 				    get_remote_ipaddr(), msg);
1312 				fatal_cleanup();
1313 				xfree(msg);
1314 				break;
1315 			default:
1316 				return type;
1317 				break;
1318 			}
1319 		}
1320 	}
1321 }
1322 
1323 int
1324 packet_read_poll(void)
1325 {
1326 	return packet_read_poll_seqnr(NULL);
1327 }
1328 
1329 /*
1330  * Buffers the given amount of input characters.  This is intended to be used
1331  * together with packet_read_poll.
1332  */
1333 
1334 void
1335 packet_process_incoming(const char *buf, u_int len)
1336 {
1337 	buffer_append(&input, buf, len);
1338 }
1339 
1340 /* Returns a character from the packet. */
1341 
1342 u_int
1343 packet_get_char(void)
1344 {
1345 	char ch;
1346 
1347 	buffer_get(&incoming_packet, &ch, 1);
1348 	return (u_char) ch;
1349 }
1350 
1351 /* Returns an integer from the packet data. */
1352 
1353 u_int
1354 packet_get_int(void)
1355 {
1356 	return buffer_get_int(&incoming_packet);
1357 }
1358 
1359 /*
1360  * Returns an arbitrary precision integer from the packet data.  The integer
1361  * must have been initialized before this call.
1362  */
1363 
1364 void
1365 packet_get_bignum(BIGNUM * value)
1366 {
1367 	buffer_get_bignum(&incoming_packet, value);
1368 }
1369 
1370 void
1371 packet_get_bignum2(BIGNUM * value)
1372 {
1373 	buffer_get_bignum2(&incoming_packet, value);
1374 }
1375 
1376 void *
1377 packet_get_raw(u_int *length_ptr)
1378 {
1379 	u_int bytes = buffer_len(&incoming_packet);
1380 
1381 	if (length_ptr != NULL)
1382 		*length_ptr = bytes;
1383 	return buffer_ptr(&incoming_packet);
1384 }
1385 
1386 int
1387 packet_remaining(void)
1388 {
1389 	return buffer_len(&incoming_packet);
1390 }
1391 
1392 /*
1393  * Returns a string from the packet data.  The string is allocated using
1394  * xmalloc; it is the responsibility of the calling program to free it when
1395  * no longer needed.  The length_ptr argument may be NULL, or point to an
1396  * integer into which the length of the string is stored.
1397  */
1398 
1399 void *
1400 packet_get_string(u_int *length_ptr)
1401 {
1402 	return buffer_get_string(&incoming_packet, length_ptr);
1403 }
1404 char *
1405 packet_get_ascii_cstring()
1406 {
1407 	return buffer_get_ascii_cstring(&incoming_packet);
1408 }
1409 u_char *
1410 packet_get_utf8_cstring()
1411 {
1412 	return buffer_get_utf8_cstring(&incoming_packet);
1413 }
1414 
1415 /*
1416  * Sends a diagnostic message from the server to the client.  This message
1417  * can be sent at any time (but not while constructing another message). The
1418  * message is printed immediately, but only if the client is being executed
1419  * in verbose mode.  These messages are primarily intended to ease debugging
1420  * authentication problems.   The length of the formatted message must not
1421  * exceed 1024 bytes.  This will automatically call packet_write_wait.
1422  */
1423 
1424 void
1425 packet_send_debug(const char *fmt,...)
1426 {
1427 	char buf[1024];
1428 	va_list args;
1429 
1430 	if (compat20 && (datafellows & SSH_BUG_DEBUG))
1431 		return;
1432 
1433 	va_start(args, fmt);
1434 	vsnprintf(buf, sizeof(buf), gettext(fmt), args);
1435 	va_end(args);
1436 
1437 #ifdef ALTPRIVSEP
1438 	/* shouldn't happen */
1439 	if (packet_monitor) {
1440 		debug("packet_send_debug: %s", buf);
1441 		return;
1442 	}
1443 #endif /* ALTPRIVSEP */
1444 
1445 	if (compat20) {
1446 		packet_start(SSH2_MSG_DEBUG);
1447 		packet_put_char(0);	/* bool: always display */
1448 		packet_put_cstring(buf);
1449 		packet_put_cstring("");
1450 	} else {
1451 		packet_start(SSH_MSG_DEBUG);
1452 		packet_put_cstring(buf);
1453 	}
1454 	packet_send();
1455 	packet_write_wait();
1456 }
1457 
1458 /*
1459  * Logs the error plus constructs and sends a disconnect packet, closes the
1460  * connection, and exits.  This function never returns. The error message
1461  * should not contain a newline.  The length of the formatted message must
1462  * not exceed 1024 bytes.
1463  */
1464 
1465 void
1466 packet_disconnect(const char *fmt,...)
1467 {
1468 	char buf[1024];
1469 	va_list args;
1470 	static int disconnecting = 0;
1471 
1472 	if (disconnecting)	/* Guard against recursive invocations. */
1473 		fatal("packet_disconnect called recursively.");
1474 	disconnecting = 1;
1475 
1476 	/*
1477 	 * Format the message.  Note that the caller must make sure the
1478 	 * message is of limited size.
1479 	 */
1480 	va_start(args, fmt);
1481 	vsnprintf(buf, sizeof(buf), fmt, args);
1482 	va_end(args);
1483 
1484 #ifdef ALTPRIVSEP
1485 	/*
1486 	 * If we packet_disconnect() in the monitor the fatal cleanups will take
1487 	 * care of the child.  See main() in sshd.c.  We don't send the packet
1488 	 * disconnect message here because: a) the child might not be looking
1489 	 * for it and b) because we don't really know if the child is compat20
1490 	 * or not as we lost that information when packet_set_monitor() was
1491 	 * called.
1492 	 */
1493 	if (packet_monitor)
1494 		goto close_stuff;
1495 #endif /* ALTPRIVSEP */
1496 
1497 	/* Send the disconnect message to the other side, and wait for it to get sent. */
1498 	if (compat20) {
1499 		packet_start(SSH2_MSG_DISCONNECT);
1500 		packet_put_int(SSH2_DISCONNECT_PROTOCOL_ERROR);
1501 		packet_put_cstring(buf);
1502 		packet_put_cstring("");
1503 	} else {
1504 		packet_start(SSH_MSG_DISCONNECT);
1505 		packet_put_cstring(buf);
1506 	}
1507 	packet_send();
1508 	packet_write_wait();
1509 
1510 #ifdef ALTPRIVSEP
1511 close_stuff:
1512 #endif /* ALTPRIVSEP */
1513 	/* Stop listening for connections. */
1514 	channel_close_all();
1515 
1516 	/* Close the connection. */
1517 	packet_close();
1518 
1519 	/* Display the error locally and exit. */
1520 	log("Disconnecting: %.100s", buf);
1521 	fatal_cleanup();
1522 }
1523 
1524 /* Checks if there is any buffered output, and tries to write some of the output. */
1525 
1526 void
1527 packet_write_poll(void)
1528 {
1529 	int len = buffer_len(&output);
1530 
1531 	if (len > 0) {
1532 		len = write(connection_out, buffer_ptr(&output), len);
1533 		if (len <= 0) {
1534 			if (errno == EAGAIN)
1535 				return;
1536 			else
1537 				fatal("Write failed: %.100s", strerror(errno));
1538 		}
1539 #ifdef PACKET_DEBUG
1540 		debug("in packet_write_poll, %d bytes just sent to the "
1541 		    "remote side", len);
1542 #endif
1543 		buffer_consume(&output, len);
1544 	}
1545 }
1546 
1547 /*
1548  * Calls packet_write_poll repeatedly until all pending output data has been
1549  * written.
1550  */
1551 
1552 void
1553 packet_write_wait(void)
1554 {
1555 	fd_set *setp;
1556 
1557 	setp = (fd_set *)xmalloc(howmany(connection_out + 1, NFDBITS) *
1558 	    sizeof(fd_mask));
1559 	packet_write_poll();
1560 	while (packet_have_data_to_write()) {
1561 		memset(setp, 0, howmany(connection_out + 1, NFDBITS) *
1562 		    sizeof(fd_mask));
1563 		FD_SET(connection_out, setp);
1564 		while (select(connection_out + 1, NULL, setp, NULL, NULL) == -1 &&
1565 		    (errno == EAGAIN || errno == EINTR))
1566 			;
1567 		packet_write_poll();
1568 	}
1569 	xfree(setp);
1570 }
1571 
1572 /* Returns true if there is buffered data to write to the connection. */
1573 
1574 int
1575 packet_have_data_to_write(void)
1576 {
1577 	return buffer_len(&output) != 0;
1578 }
1579 
1580 /* Returns true if there is not too much data to write to the connection. */
1581 
1582 int
1583 packet_not_very_much_data_to_write(void)
1584 {
1585 	if (interactive_mode)
1586 		return buffer_len(&output) < 16384;
1587 	else
1588 		return buffer_len(&output) < 128 * 1024;
1589 }
1590 
1591 /* Informs that the current session is interactive.  Sets IP flags for that. */
1592 
1593 void
1594 packet_set_interactive(int interactive)
1595 {
1596 	static int called = 0;
1597 #if defined(IP_TOS) && !defined(IP_TOS_IS_BROKEN)
1598 	int lowdelay = IPTOS_LOWDELAY;
1599 	int throughput = IPTOS_THROUGHPUT;
1600 #endif
1601 
1602 	if (called)
1603 		return;
1604 	called = 1;
1605 
1606 	/* Record that we are in interactive mode. */
1607 	interactive_mode = interactive;
1608 
1609 	/* Only set socket options if using a socket.  */
1610 	if (!packet_connection_is_on_socket())
1611 		return;
1612 	/*
1613 	 * IPTOS_LOWDELAY and IPTOS_THROUGHPUT are IPv4 only
1614 	 */
1615 	if (interactive) {
1616 		/*
1617 		 * Set IP options for an interactive connection.  Use
1618 		 * IPTOS_LOWDELAY and TCP_NODELAY.
1619 		 */
1620 #if defined(IP_TOS) && !defined(IP_TOS_IS_BROKEN)
1621 		if (packet_connection_is_ipv4()) {
1622 			if (setsockopt(connection_in, IPPROTO_IP, IP_TOS,
1623 			    &lowdelay, sizeof(lowdelay)) < 0)
1624 				error("setsockopt IPTOS_LOWDELAY: %.100s",
1625 				    strerror(errno));
1626 		}
1627 #endif
1628 		set_nodelay(connection_in);
1629 	}
1630 #if defined(IP_TOS) && !defined(IP_TOS_IS_BROKEN)
1631 	else if (packet_connection_is_ipv4()) {
1632 		/*
1633 		 * Set IP options for a non-interactive connection.  Use
1634 		 * IPTOS_THROUGHPUT.
1635 		 */
1636 		if (setsockopt(connection_in, IPPROTO_IP, IP_TOS, &throughput,
1637 		    sizeof(throughput)) < 0)
1638 			error("setsockopt IPTOS_THROUGHPUT: %.100s", strerror(errno));
1639 	}
1640 #endif
1641 }
1642 
1643 /* Returns true if the current connection is interactive. */
1644 
1645 int
1646 packet_is_interactive(void)
1647 {
1648 	return interactive_mode;
1649 }
1650 
1651 int
1652 packet_set_maxsize(int s)
1653 {
1654 	static int called = 0;
1655 
1656 	if (called) {
1657 		log("packet_set_maxsize: called twice: old %d new %d",
1658 		    max_packet_size, s);
1659 		return -1;
1660 	}
1661 	if (s < 4 * 1024 || s > 1024 * 1024) {
1662 		log("packet_set_maxsize: bad size %d", s);
1663 		return -1;
1664 	}
1665 	called = 1;
1666 	debug("packet_set_maxsize: setting to %d", s);
1667 	max_packet_size = s;
1668 	return s;
1669 }
1670 
1671 /* roundup current message to pad bytes */
1672 void
1673 packet_add_padding(u_char pad)
1674 {
1675 	extra_pad = pad;
1676 }
1677 
1678 /*
1679  * 9.2.  Ignored Data Message
1680  *
1681  *   byte      SSH_MSG_IGNORE
1682  *   string    data
1683  *
1684  * All implementations MUST understand (and ignore) this message at any
1685  * time (after receiving the protocol version). No implementation is
1686  * required to send them. This message can be used as an additional
1687  * protection measure against advanced traffic analysis techniques.
1688  */
1689 void
1690 packet_send_ignore(int nbytes)
1691 {
1692 	u_int32_t rnd = 0;
1693 	int i;
1694 
1695 #ifdef ALTPRIVSEP
1696 	/* shouldn't happen -- see packet_set_monitor() */
1697 	if (packet_monitor)
1698 		return;
1699 #endif /* ALTPRIVSEP */
1700 
1701 	packet_start(compat20 ? SSH2_MSG_IGNORE : SSH_MSG_IGNORE);
1702 	packet_put_int(nbytes);
1703 	for (i = 0; i < nbytes; i++) {
1704 		if (i % 4 == 0)
1705 			rnd = arc4random();
1706 		packet_put_char((u_char)rnd & 0xff);
1707 		rnd >>= 8;
1708 	}
1709 }
1710 
1711 #define MAX_PACKETS	(1U<<31)
1712 int
1713 packet_need_rekeying(void)
1714 {
1715 	if (datafellows & SSH_BUG_NOREKEY)
1716 		return 0;
1717 	return
1718 	    (p_send.packets > MAX_PACKETS) ||
1719 	    (p_read.packets > MAX_PACKETS) ||
1720 	    (max_blocks_out && (p_send.blocks > max_blocks_out)) ||
1721 	    (max_blocks_in  && (p_read.blocks > max_blocks_in));
1722 }
1723 
1724 void
1725 packet_set_rekey_limit(u_int32_t bytes)
1726 {
1727 	rekey_limit = bytes;
1728 }
1729 
1730 #ifdef ALTPRIVSEP
1731 void
1732 packet_set_server(void)
1733 {
1734 	packet_server = 1;
1735 }
1736 
1737 int
1738 packet_is_server(void)
1739 {
1740 	return (packet_server);
1741 }
1742 
1743 void
1744 packet_set_monitor(int pipe)
1745 {
1746 	int dup_fd;
1747 
1748 	packet_server = 1;
1749 	packet_monitor = 1;
1750 
1751 	/*
1752 	 * Awful hack follows.
1753 	 *
1754 	 * For SSHv1 the monitor does not process any SSHv1 packets, only
1755 	 * ALTPRIVSEP packets.  We take advantage of that here to keep changes
1756 	 * to packet.c to a minimum by using the SSHv2 binary packet protocol,
1757 	 * with cipher "none," mac "none" and compression alg "none," as the
1758 	 * basis for the monitor protocol.  And so to force packet.c to treat
1759 	 * packets as SSHv2 we force compat20 == 1 here.
1760 	 *
1761 	 * For completeness and to help future developers catch this we also
1762 	 * force compat20 == 1 in the monitor loop, in serverloop.c.
1763 	 */
1764 	compat20 = 1;
1765 
1766 	/*
1767 	 * NOTE:  Assumptions below!
1768 	 *
1769 	 *  - lots of packet.c code assumes that (connection_in ==
1770 	 *  connection_out) -> connection is socket
1771 	 *
1772 	 *  - packet_close() does not shutdown() the connection fildes
1773 	 *  if connection_in != connection_out
1774 	 *
1775 	 *  - other code assumes the connection is a socket if
1776 	 *  connection_in == connection_out
1777 	 */
1778 
1779 	if ((dup_fd = dup(pipe)) < 0)
1780 		fatal("Monitor failed to start: %s", strerror(errno));
1781 
1782 	/*
1783 	 * make sure that the monitor's child's socket is not shutdown(3SOCKET)
1784 	 * when we packet_close(). Setting connection_out to -1 will take care
1785 	 * of that.
1786 	 */
1787 	if (packet_connection_is_on_socket())
1788 		connection_out = -1;
1789 
1790 	/*
1791 	 * Now clean up the state related to the server socket. As a side
1792 	 * effect, we also clean up existing cipher contexts that were
1793 	 * initialized with 'none' cipher in packet_set_connection(). That
1794 	 * function was called in the child server process shortly after the
1795 	 * master SSH process forked. However, all of that is reinialized again
1796 	 * by another packet_set_connection() call right below.
1797 	 */
1798 	packet_close();
1799 
1800 	/*
1801 	 * Now make the monitor pipe look like the ssh connection which means
1802 	 * that connection_in and connection_out will be set to the
1803 	 * communication pipe descriptors.
1804 	 */
1805 	packet_set_connection(pipe, dup_fd);
1806 }
1807 
1808 /*
1809  * We temporarily need to set connection_in and connection_out descriptors so
1810  * that we can make use of existing code that gets the IP address and hostname
1811  * of the peer to write a login/logout record. It's not nice but we would have
1812  * to change more code when implementing the PKCS#11 engine support.
1813  */
1814 void
1815 packet_set_fds(int fd, int restore)
1816 {
1817 	static int stored_fd;
1818 
1819 	if (stored_fd == 0 && restore == 0) {
1820 		debug3("packet_set_fds: saving %d, installing %d",
1821 		    connection_in, fd);
1822 		stored_fd = connection_in;
1823 		/* we don't have a socket in inetd mode */
1824 		if (fd != -1)
1825 			connection_in = connection_out = fd;
1826 		return;
1827 	}
1828 
1829 	if (restore == 1) {
1830 		debug3("restoring %d to connection_in/out", stored_fd);
1831 		connection_in = connection_out = stored_fd;
1832 	}
1833 }
1834 
1835 int
1836 packet_is_monitor(void)
1837 {
1838 	return (packet_monitor);
1839 }
1840 #endif /* ALTPRIVSEP */
1841