1 /* 2 * Author: Tatu Ylonen <ylo@cs.hut.fi> 3 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland 4 * All rights reserved 5 * This file contains code implementing the packet protocol and communication 6 * with the other side. This same code is used both on client and server side. 7 * 8 * As far as I am concerned, the code I have written for this software 9 * can be used freely for any purpose. Any derived versions of this 10 * software must be clearly marked as such, and if the derived work is 11 * incompatible with the protocol description in the RFC file, it must be 12 * called by a name other than "ssh" or "Secure Shell". 13 * 14 * 15 * SSH2 packet format added by Markus Friedl. 16 * Copyright (c) 2000, 2001 Markus Friedl. All rights reserved. 17 * 18 * Redistribution and use in source and binary forms, with or without 19 * modification, are permitted provided that the following conditions 20 * are met: 21 * 1. Redistributions of source code must retain the above copyright 22 * notice, this list of conditions and the following disclaimer. 23 * 2. Redistributions in binary form must reproduce the above copyright 24 * notice, this list of conditions and the following disclaimer in the 25 * documentation and/or other materials provided with the distribution. 26 * 27 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 28 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 29 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 30 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 31 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 32 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 33 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 34 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 35 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 36 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 37 */ 38 39 #include "includes.h" 40 RCSID("$OpenBSD: packet.c,v 1.69 2001/06/25 08:25:38 markus Exp $"); 41 42 #include "xmalloc.h" 43 #include "buffer.h" 44 #include "packet.h" 45 #include "bufaux.h" 46 #include "crc32.h" 47 #include "getput.h" 48 49 #include "compress.h" 50 #include "deattack.h" 51 #include "channels.h" 52 53 #include "compat.h" 54 #include "ssh1.h" 55 #include "ssh2.h" 56 57 #include "cipher.h" 58 #include "kex.h" 59 #include "mac.h" 60 #include "log.h" 61 #include "canohost.h" 62 63 #ifdef PACKET_DEBUG 64 #define DBG(x) x 65 #else 66 #define DBG(x) 67 #endif 68 69 /* 70 * This variable contains the file descriptors used for communicating with 71 * the other side. connection_in is used for reading; connection_out for 72 * writing. These can be the same descriptor, in which case it is assumed to 73 * be a socket. 74 */ 75 static int connection_in = -1; 76 static int connection_out = -1; 77 78 /* Protocol flags for the remote side. */ 79 static u_int remote_protocol_flags = 0; 80 81 /* Encryption context for receiving data. This is only used for decryption. */ 82 static CipherContext receive_context; 83 84 /* Encryption context for sending data. This is only used for encryption. */ 85 static CipherContext send_context; 86 87 /* Buffer for raw input data from the socket. */ 88 static Buffer input; 89 90 /* Buffer for raw output data going to the socket. */ 91 static Buffer output; 92 93 /* Buffer for the partial outgoing packet being constructed. */ 94 static Buffer outgoing_packet; 95 96 /* Buffer for the incoming packet currently being processed. */ 97 static Buffer incoming_packet; 98 99 /* Scratch buffer for packet compression/decompression. */ 100 static Buffer compression_buffer; 101 static int compression_buffer_ready = 0; 102 103 /* Flag indicating whether packet compression/decompression is enabled. */ 104 static int packet_compression = 0; 105 106 /* default maximum packet size */ 107 int max_packet_size = 32768; 108 109 /* Flag indicating whether this module has been initialized. */ 110 static int initialized = 0; 111 112 /* Set to true if the connection is interactive. */ 113 static int interactive_mode = 0; 114 115 /* Session key information for Encryption and MAC */ 116 Newkeys *newkeys[MODE_MAX]; 117 118 /* 119 * Sets the descriptors used for communication. Disables encryption until 120 * packet_set_encryption_key is called. 121 */ 122 void 123 packet_set_connection(int fd_in, int fd_out) 124 { 125 Cipher *none = cipher_by_name("none"); 126 if (none == NULL) 127 fatal("packet_set_connection: cannot load cipher 'none'"); 128 connection_in = fd_in; 129 connection_out = fd_out; 130 cipher_init(&send_context, none, (u_char *) "", 0, NULL, 0); 131 cipher_init(&receive_context, none, (u_char *) "", 0, NULL, 0); 132 newkeys[MODE_IN] = newkeys[MODE_OUT] = NULL; 133 if (!initialized) { 134 initialized = 1; 135 buffer_init(&input); 136 buffer_init(&output); 137 buffer_init(&outgoing_packet); 138 buffer_init(&incoming_packet); 139 } 140 /* Kludge: arrange the close function to be called from fatal(). */ 141 fatal_add_cleanup((void (*) (void *)) packet_close, NULL); 142 } 143 144 /* Returns 1 if remote host is connected via socket, 0 if not. */ 145 146 int 147 packet_connection_is_on_socket() 148 { 149 struct sockaddr_storage from, to; 150 socklen_t fromlen, tolen; 151 152 /* filedescriptors in and out are the same, so it's a socket */ 153 if (connection_in == connection_out) 154 return 1; 155 fromlen = sizeof(from); 156 memset(&from, 0, sizeof(from)); 157 if (getpeername(connection_in, (struct sockaddr *)&from, &fromlen) < 0) 158 return 0; 159 tolen = sizeof(to); 160 memset(&to, 0, sizeof(to)); 161 if (getpeername(connection_out, (struct sockaddr *)&to, &tolen) < 0) 162 return 0; 163 if (fromlen != tolen || memcmp(&from, &to, fromlen) != 0) 164 return 0; 165 if (from.ss_family != AF_INET && from.ss_family != AF_INET6) 166 return 0; 167 return 1; 168 } 169 170 /* returns 1 if connection is via ipv4 */ 171 172 int 173 packet_connection_is_ipv4() 174 { 175 struct sockaddr_storage to; 176 socklen_t tolen = sizeof(to); 177 178 memset(&to, 0, sizeof(to)); 179 if (getsockname(connection_out, (struct sockaddr *)&to, &tolen) < 0) 180 return 0; 181 if (to.ss_family != AF_INET) 182 return 0; 183 return 1; 184 } 185 186 /* Sets the connection into non-blocking mode. */ 187 188 void 189 packet_set_nonblocking() 190 { 191 /* Set the socket into non-blocking mode. */ 192 if (fcntl(connection_in, F_SETFL, O_NONBLOCK) < 0) 193 error("fcntl O_NONBLOCK: %.100s", strerror(errno)); 194 195 if (connection_out != connection_in) { 196 if (fcntl(connection_out, F_SETFL, O_NONBLOCK) < 0) 197 error("fcntl O_NONBLOCK: %.100s", strerror(errno)); 198 } 199 } 200 201 /* Returns the socket used for reading. */ 202 203 int 204 packet_get_connection_in() 205 { 206 return connection_in; 207 } 208 209 /* Returns the descriptor used for writing. */ 210 211 int 212 packet_get_connection_out() 213 { 214 return connection_out; 215 } 216 217 /* Closes the connection and clears and frees internal data structures. */ 218 219 void 220 packet_close() 221 { 222 if (!initialized) 223 return; 224 initialized = 0; 225 if (connection_in == connection_out) { 226 shutdown(connection_out, SHUT_RDWR); 227 close(connection_out); 228 } else { 229 close(connection_in); 230 close(connection_out); 231 } 232 buffer_free(&input); 233 buffer_free(&output); 234 buffer_free(&outgoing_packet); 235 buffer_free(&incoming_packet); 236 if (compression_buffer_ready) { 237 buffer_free(&compression_buffer); 238 buffer_compress_uninit(); 239 } 240 } 241 242 /* Sets remote side protocol flags. */ 243 244 void 245 packet_set_protocol_flags(u_int protocol_flags) 246 { 247 remote_protocol_flags = protocol_flags; 248 } 249 250 /* Returns the remote protocol flags set earlier by the above function. */ 251 252 u_int 253 packet_get_protocol_flags() 254 { 255 return remote_protocol_flags; 256 } 257 258 /* 259 * Starts packet compression from the next packet on in both directions. 260 * Level is compression level 1 (fastest) - 9 (slow, best) as in gzip. 261 */ 262 263 static void 264 packet_init_compression(void) 265 { 266 if (compression_buffer_ready == 1) 267 return; 268 compression_buffer_ready = 1; 269 buffer_init(&compression_buffer); 270 } 271 272 void 273 packet_start_compression(int level) 274 { 275 if (packet_compression && !compat20) 276 fatal("Compression already enabled."); 277 packet_compression = 1; 278 packet_init_compression(); 279 buffer_compress_init_send(level); 280 buffer_compress_init_recv(); 281 } 282 283 /* 284 * Causes any further packets to be encrypted using the given key. The same 285 * key is used for both sending and reception. However, both directions are 286 * encrypted independently of each other. 287 */ 288 void 289 packet_set_encryption_key(const u_char *key, u_int keylen, 290 int number) 291 { 292 Cipher *cipher = cipher_by_number(number); 293 if (cipher == NULL) 294 fatal("packet_set_encryption_key: unknown cipher number %d", number); 295 if (keylen < 20) 296 fatal("packet_set_encryption_key: keylen too small: %d", keylen); 297 cipher_init(&receive_context, cipher, key, keylen, NULL, 0); 298 cipher_init(&send_context, cipher, key, keylen, NULL, 0); 299 } 300 301 /* Start constructing a packet to send. */ 302 void 303 packet_start(u_char type) 304 { 305 u_char buf[9]; 306 int len; 307 308 DBG(debug("packet_start[%d]", type)); 309 len = compat20 ? 6 : 9; 310 memset(buf, 0, len - 1); 311 buf[len - 1] = type; 312 buffer_clear(&outgoing_packet); 313 buffer_append(&outgoing_packet, buf, len); 314 } 315 316 /* Append payload. */ 317 void 318 packet_put_char(int value) 319 { 320 char ch = value; 321 buffer_append(&outgoing_packet, &ch, 1); 322 } 323 void 324 packet_put_int(u_int value) 325 { 326 buffer_put_int(&outgoing_packet, value); 327 } 328 void 329 packet_put_string(const char *buf, u_int len) 330 { 331 buffer_put_string(&outgoing_packet, buf, len); 332 } 333 void 334 packet_put_cstring(const char *str) 335 { 336 buffer_put_cstring(&outgoing_packet, str); 337 } 338 void 339 packet_put_raw(const char *buf, u_int len) 340 { 341 buffer_append(&outgoing_packet, buf, len); 342 } 343 void 344 packet_put_bignum(BIGNUM * value) 345 { 346 buffer_put_bignum(&outgoing_packet, value); 347 } 348 void 349 packet_put_bignum2(BIGNUM * value) 350 { 351 buffer_put_bignum2(&outgoing_packet, value); 352 } 353 354 /* 355 * Finalizes and sends the packet. If the encryption key has been set, 356 * encrypts the packet before sending. 357 */ 358 359 static void 360 packet_send1(void) 361 { 362 char buf[8], *cp; 363 int i, padding, len; 364 u_int checksum; 365 u_int32_t rand = 0; 366 367 /* 368 * If using packet compression, compress the payload of the outgoing 369 * packet. 370 */ 371 if (packet_compression) { 372 buffer_clear(&compression_buffer); 373 /* Skip padding. */ 374 buffer_consume(&outgoing_packet, 8); 375 /* padding */ 376 buffer_append(&compression_buffer, "\0\0\0\0\0\0\0\0", 8); 377 buffer_compress(&outgoing_packet, &compression_buffer); 378 buffer_clear(&outgoing_packet); 379 buffer_append(&outgoing_packet, buffer_ptr(&compression_buffer), 380 buffer_len(&compression_buffer)); 381 } 382 /* Compute packet length without padding (add checksum, remove padding). */ 383 len = buffer_len(&outgoing_packet) + 4 - 8; 384 385 /* Insert padding. Initialized to zero in packet_start1() */ 386 padding = 8 - len % 8; 387 if (send_context.cipher->number != SSH_CIPHER_NONE) { 388 cp = buffer_ptr(&outgoing_packet); 389 for (i = 0; i < padding; i++) { 390 if (i % 4 == 0) 391 rand = arc4random(); 392 cp[7 - i] = rand & 0xff; 393 rand >>= 8; 394 } 395 } 396 buffer_consume(&outgoing_packet, 8 - padding); 397 398 /* Add check bytes. */ 399 checksum = ssh_crc32((u_char *) buffer_ptr(&outgoing_packet), 400 buffer_len(&outgoing_packet)); 401 PUT_32BIT(buf, checksum); 402 buffer_append(&outgoing_packet, buf, 4); 403 404 #ifdef PACKET_DEBUG 405 fprintf(stderr, "packet_send plain: "); 406 buffer_dump(&outgoing_packet); 407 #endif 408 409 /* Append to output. */ 410 PUT_32BIT(buf, len); 411 buffer_append(&output, buf, 4); 412 buffer_append_space(&output, &cp, buffer_len(&outgoing_packet)); 413 cipher_encrypt(&send_context, cp, buffer_ptr(&outgoing_packet), 414 buffer_len(&outgoing_packet)); 415 416 #ifdef PACKET_DEBUG 417 fprintf(stderr, "encrypted: "); 418 buffer_dump(&output); 419 #endif 420 421 buffer_clear(&outgoing_packet); 422 423 /* 424 * Note that the packet is now only buffered in output. It won\'t be 425 * actually sent until packet_write_wait or packet_write_poll is 426 * called. 427 */ 428 } 429 430 static void 431 set_newkeys(int mode) 432 { 433 Enc *enc; 434 Mac *mac; 435 Comp *comp; 436 CipherContext *cc; 437 438 debug("newkeys: mode %d", mode); 439 440 cc = (mode == MODE_OUT) ? &send_context : &receive_context; 441 if (newkeys[mode] != NULL) { 442 debug("newkeys: rekeying"); 443 /* todo: free old keys, reset compression/cipher-ctxt; */ 444 memset(cc, 0, sizeof(*cc)); 445 enc = &newkeys[mode]->enc; 446 mac = &newkeys[mode]->mac; 447 comp = &newkeys[mode]->comp; 448 memset(mac->key, 0, mac->key_len); 449 xfree(enc->name); 450 xfree(enc->iv); 451 xfree(enc->key); 452 xfree(mac->name); 453 xfree(mac->key); 454 xfree(comp->name); 455 xfree(newkeys[mode]); 456 } 457 newkeys[mode] = kex_get_newkeys(mode); 458 if (newkeys[mode] == NULL) 459 fatal("newkeys: no keys for mode %d", mode); 460 enc = &newkeys[mode]->enc; 461 mac = &newkeys[mode]->mac; 462 comp = &newkeys[mode]->comp; 463 if (mac->md != NULL) 464 mac->enabled = 1; 465 DBG(debug("cipher_init_context: %d", mode)); 466 cipher_init(cc, enc->cipher, enc->key, enc->cipher->key_len, 467 enc->iv, enc->cipher->block_size); 468 memset(enc->iv, 0, enc->cipher->block_size); 469 memset(enc->key, 0, enc->cipher->key_len); 470 if (comp->type != 0 && comp->enabled == 0) { 471 packet_init_compression(); 472 if (mode == MODE_OUT) 473 buffer_compress_init_send(6); 474 else 475 buffer_compress_init_recv(); 476 comp->enabled = 1; 477 } 478 } 479 480 /* 481 * Finalize packet in SSH2 format (compress, mac, encrypt, enqueue) 482 */ 483 static void 484 packet_send2(void) 485 { 486 static u_int32_t seqnr = 0; 487 u_char type, *ucp, *macbuf = NULL; 488 char *cp; 489 u_int packet_length = 0; 490 u_int i, padlen, len; 491 u_int32_t rand = 0; 492 Enc *enc = NULL; 493 Mac *mac = NULL; 494 Comp *comp = NULL; 495 int block_size; 496 497 if (newkeys[MODE_OUT] != NULL) { 498 enc = &newkeys[MODE_OUT]->enc; 499 mac = &newkeys[MODE_OUT]->mac; 500 comp = &newkeys[MODE_OUT]->comp; 501 } 502 block_size = enc ? enc->cipher->block_size : 8; 503 504 ucp = (u_char *) buffer_ptr(&outgoing_packet); 505 type = ucp[5]; 506 507 #ifdef PACKET_DEBUG 508 fprintf(stderr, "plain: "); 509 buffer_dump(&outgoing_packet); 510 #endif 511 512 if (comp && comp->enabled) { 513 len = buffer_len(&outgoing_packet); 514 /* skip header, compress only payload */ 515 buffer_consume(&outgoing_packet, 5); 516 buffer_clear(&compression_buffer); 517 buffer_compress(&outgoing_packet, &compression_buffer); 518 buffer_clear(&outgoing_packet); 519 buffer_append(&outgoing_packet, "\0\0\0\0\0", 5); 520 buffer_append(&outgoing_packet, buffer_ptr(&compression_buffer), 521 buffer_len(&compression_buffer)); 522 DBG(debug("compression: raw %d compressed %d", len, 523 buffer_len(&outgoing_packet))); 524 } 525 526 /* sizeof (packet_len + pad_len + payload) */ 527 len = buffer_len(&outgoing_packet); 528 529 /* 530 * calc size of padding, alloc space, get random data, 531 * minimum padding is 4 bytes 532 */ 533 padlen = block_size - (len % block_size); 534 if (padlen < 4) 535 padlen += block_size; 536 buffer_append_space(&outgoing_packet, &cp, padlen); 537 if (enc && enc->cipher->number != SSH_CIPHER_NONE) { 538 /* random padding */ 539 for (i = 0; i < padlen; i++) { 540 if (i % 4 == 0) 541 rand = arc4random(); 542 cp[i] = rand & 0xff; 543 rand >>= 8; 544 } 545 } else { 546 /* clear padding */ 547 memset(cp, 0, padlen); 548 } 549 /* packet_length includes payload, padding and padding length field */ 550 packet_length = buffer_len(&outgoing_packet) - 4; 551 ucp = (u_char *)buffer_ptr(&outgoing_packet); 552 PUT_32BIT(ucp, packet_length); 553 ucp[4] = padlen; 554 DBG(debug("send: len %d (includes padlen %d)", packet_length+4, padlen)); 555 556 /* compute MAC over seqnr and packet(length fields, payload, padding) */ 557 if (mac && mac->enabled) { 558 macbuf = mac_compute(mac, seqnr, 559 (u_char *) buffer_ptr(&outgoing_packet), 560 buffer_len(&outgoing_packet)); 561 DBG(debug("done calc MAC out #%d", seqnr)); 562 } 563 /* encrypt packet and append to output buffer. */ 564 buffer_append_space(&output, &cp, buffer_len(&outgoing_packet)); 565 cipher_encrypt(&send_context, cp, buffer_ptr(&outgoing_packet), 566 buffer_len(&outgoing_packet)); 567 /* append unencrypted MAC */ 568 if (mac && mac->enabled) 569 buffer_append(&output, (char *)macbuf, mac->mac_len); 570 #ifdef PACKET_DEBUG 571 fprintf(stderr, "encrypted: "); 572 buffer_dump(&output); 573 #endif 574 /* increment sequence number for outgoing packets */ 575 if (++seqnr == 0) 576 log("outgoing seqnr wraps around"); 577 buffer_clear(&outgoing_packet); 578 579 if (type == SSH2_MSG_NEWKEYS) 580 set_newkeys(MODE_OUT); 581 } 582 583 void 584 packet_send() 585 { 586 if (compat20) 587 packet_send2(); 588 else 589 packet_send1(); 590 DBG(debug("packet_send done")); 591 } 592 593 /* 594 * Waits until a packet has been received, and returns its type. Note that 595 * no other data is processed until this returns, so this function should not 596 * be used during the interactive session. 597 */ 598 599 int 600 packet_read(int *payload_len_ptr) 601 { 602 int type, len; 603 fd_set *setp; 604 char buf[8192]; 605 DBG(debug("packet_read()")); 606 607 setp = (fd_set *)xmalloc(howmany(connection_in+1, NFDBITS) * 608 sizeof(fd_mask)); 609 610 /* Since we are blocking, ensure that all written packets have been sent. */ 611 packet_write_wait(); 612 613 /* Stay in the loop until we have received a complete packet. */ 614 for (;;) { 615 /* Try to read a packet from the buffer. */ 616 type = packet_read_poll(payload_len_ptr); 617 if (!compat20 && ( 618 type == SSH_SMSG_SUCCESS 619 || type == SSH_SMSG_FAILURE 620 || type == SSH_CMSG_EOF 621 || type == SSH_CMSG_EXIT_CONFIRMATION)) 622 packet_integrity_check(*payload_len_ptr, 0, type); 623 /* If we got a packet, return it. */ 624 if (type != SSH_MSG_NONE) { 625 xfree(setp); 626 return type; 627 } 628 /* 629 * Otherwise, wait for some data to arrive, add it to the 630 * buffer, and try again. 631 */ 632 memset(setp, 0, howmany(connection_in + 1, NFDBITS) * 633 sizeof(fd_mask)); 634 FD_SET(connection_in, setp); 635 636 /* Wait for some data to arrive. */ 637 while (select(connection_in + 1, setp, NULL, NULL, NULL) == -1 && 638 (errno == EAGAIN || errno == EINTR)) 639 ; 640 641 /* Read data from the socket. */ 642 len = read(connection_in, buf, sizeof(buf)); 643 if (len == 0) { 644 log("Connection closed by %.200s", get_remote_ipaddr()); 645 fatal_cleanup(); 646 } 647 if (len < 0) 648 fatal("Read from socket failed: %.100s", strerror(errno)); 649 /* Append it to the buffer. */ 650 packet_process_incoming(buf, len); 651 } 652 /* NOTREACHED */ 653 } 654 655 /* 656 * Waits until a packet has been received, verifies that its type matches 657 * that given, and gives a fatal error and exits if there is a mismatch. 658 */ 659 660 void 661 packet_read_expect(int *payload_len_ptr, int expected_type) 662 { 663 int type; 664 665 type = packet_read(payload_len_ptr); 666 if (type != expected_type) 667 packet_disconnect("Protocol error: expected packet type %d, got %d", 668 expected_type, type); 669 } 670 671 /* Checks if a full packet is available in the data received so far via 672 * packet_process_incoming. If so, reads the packet; otherwise returns 673 * SSH_MSG_NONE. This does not wait for data from the connection. 674 * 675 * SSH_MSG_DISCONNECT is handled specially here. Also, 676 * SSH_MSG_IGNORE messages are skipped by this function and are never returned 677 * to higher levels. 678 * 679 * The returned payload_len does include space consumed by: 680 * Packet length 681 * Padding 682 * Packet type 683 * Check bytes 684 */ 685 686 static int 687 packet_read_poll1(int *payload_len_ptr) 688 { 689 u_int len, padded_len; 690 u_char *ucp, type; 691 char *cp; 692 u_int checksum, stored_checksum; 693 694 /* Check if input size is less than minimum packet size. */ 695 if (buffer_len(&input) < 4 + 8) 696 return SSH_MSG_NONE; 697 /* Get length of incoming packet. */ 698 ucp = (u_char *) buffer_ptr(&input); 699 len = GET_32BIT(ucp); 700 if (len < 1 + 2 + 2 || len > 256 * 1024) 701 packet_disconnect("Bad packet length %d.", len); 702 padded_len = (len + 8) & ~7; 703 704 /* Check if the packet has been entirely received. */ 705 if (buffer_len(&input) < 4 + padded_len) 706 return SSH_MSG_NONE; 707 708 /* The entire packet is in buffer. */ 709 710 /* Consume packet length. */ 711 buffer_consume(&input, 4); 712 713 /* 714 * Cryptographic attack detector for ssh 715 * (C)1998 CORE-SDI, Buenos Aires Argentina 716 * Ariel Futoransky(futo@core-sdi.com) 717 */ 718 if (receive_context.cipher->number != SSH_CIPHER_NONE && 719 detect_attack(buffer_ptr(&input), padded_len, NULL) == DEATTACK_DETECTED) 720 packet_disconnect("crc32 compensation attack: network attack detected"); 721 722 /* Decrypt data to incoming_packet. */ 723 buffer_clear(&incoming_packet); 724 buffer_append_space(&incoming_packet, &cp, padded_len); 725 cipher_decrypt(&receive_context, cp, buffer_ptr(&input), padded_len); 726 727 buffer_consume(&input, padded_len); 728 729 #ifdef PACKET_DEBUG 730 fprintf(stderr, "read_poll plain: "); 731 buffer_dump(&incoming_packet); 732 #endif 733 734 /* Compute packet checksum. */ 735 checksum = ssh_crc32((u_char *) buffer_ptr(&incoming_packet), 736 buffer_len(&incoming_packet) - 4); 737 738 /* Skip padding. */ 739 buffer_consume(&incoming_packet, 8 - len % 8); 740 741 /* Test check bytes. */ 742 if (len != buffer_len(&incoming_packet)) 743 packet_disconnect("packet_read_poll: len %d != buffer_len %d.", 744 len, buffer_len(&incoming_packet)); 745 746 ucp = (u_char *) buffer_ptr(&incoming_packet) + len - 4; 747 stored_checksum = GET_32BIT(ucp); 748 if (checksum != stored_checksum) 749 packet_disconnect("Corrupted check bytes on input."); 750 buffer_consume_end(&incoming_packet, 4); 751 752 if (packet_compression) { 753 buffer_clear(&compression_buffer); 754 buffer_uncompress(&incoming_packet, &compression_buffer); 755 buffer_clear(&incoming_packet); 756 buffer_append(&incoming_packet, buffer_ptr(&compression_buffer), 757 buffer_len(&compression_buffer)); 758 } 759 type = buffer_get_char(&incoming_packet); 760 *payload_len_ptr = buffer_len(&incoming_packet); 761 return type; 762 } 763 764 static int 765 packet_read_poll2(int *payload_len_ptr) 766 { 767 static u_int32_t seqnr = 0; 768 static u_int packet_length = 0; 769 u_int padlen, need; 770 u_char *macbuf, *ucp, type; 771 char *cp; 772 int maclen, block_size; 773 Enc *enc = NULL; 774 Mac *mac = NULL; 775 Comp *comp = NULL; 776 777 if (newkeys[MODE_IN] != NULL) { 778 enc = &newkeys[MODE_IN]->enc; 779 mac = &newkeys[MODE_IN]->mac; 780 comp = &newkeys[MODE_IN]->comp; 781 } 782 maclen = mac && mac->enabled ? mac->mac_len : 0; 783 block_size = enc ? enc->cipher->block_size : 8; 784 785 if (packet_length == 0) { 786 /* 787 * check if input size is less than the cipher block size, 788 * decrypt first block and extract length of incoming packet 789 */ 790 if (buffer_len(&input) < block_size) 791 return SSH_MSG_NONE; 792 buffer_clear(&incoming_packet); 793 buffer_append_space(&incoming_packet, &cp, block_size); 794 cipher_decrypt(&receive_context, cp, buffer_ptr(&input), 795 block_size); 796 ucp = (u_char *) buffer_ptr(&incoming_packet); 797 packet_length = GET_32BIT(ucp); 798 if (packet_length < 1 + 4 || packet_length > 256 * 1024) { 799 buffer_dump(&incoming_packet); 800 packet_disconnect("Bad packet length %d.", packet_length); 801 } 802 DBG(debug("input: packet len %d", packet_length+4)); 803 buffer_consume(&input, block_size); 804 } 805 /* we have a partial packet of block_size bytes */ 806 need = 4 + packet_length - block_size; 807 DBG(debug("partial packet %d, need %d, maclen %d", block_size, 808 need, maclen)); 809 if (need % block_size != 0) 810 fatal("padding error: need %d block %d mod %d", 811 need, block_size, need % block_size); 812 /* 813 * check if the entire packet has been received and 814 * decrypt into incoming_packet 815 */ 816 if (buffer_len(&input) < need + maclen) 817 return SSH_MSG_NONE; 818 #ifdef PACKET_DEBUG 819 fprintf(stderr, "read_poll enc/full: "); 820 buffer_dump(&input); 821 #endif 822 buffer_append_space(&incoming_packet, &cp, need); 823 cipher_decrypt(&receive_context, cp, buffer_ptr(&input), need); 824 buffer_consume(&input, need); 825 /* 826 * compute MAC over seqnr and packet, 827 * increment sequence number for incoming packet 828 */ 829 if (mac && mac->enabled) { 830 macbuf = mac_compute(mac, seqnr, 831 (u_char *) buffer_ptr(&incoming_packet), 832 buffer_len(&incoming_packet)); 833 if (memcmp(macbuf, buffer_ptr(&input), mac->mac_len) != 0) 834 packet_disconnect("Corrupted MAC on input."); 835 DBG(debug("MAC #%d ok", seqnr)); 836 buffer_consume(&input, mac->mac_len); 837 } 838 if (++seqnr == 0) 839 log("incoming seqnr wraps around"); 840 841 /* get padlen */ 842 cp = buffer_ptr(&incoming_packet) + 4; 843 padlen = (u_char) *cp; 844 DBG(debug("input: padlen %d", padlen)); 845 if (padlen < 4) 846 packet_disconnect("Corrupted padlen %d on input.", padlen); 847 848 /* skip packet size + padlen, discard padding */ 849 buffer_consume(&incoming_packet, 4 + 1); 850 buffer_consume_end(&incoming_packet, padlen); 851 852 DBG(debug("input: len before de-compress %d", buffer_len(&incoming_packet))); 853 if (comp && comp->enabled) { 854 buffer_clear(&compression_buffer); 855 buffer_uncompress(&incoming_packet, &compression_buffer); 856 buffer_clear(&incoming_packet); 857 buffer_append(&incoming_packet, buffer_ptr(&compression_buffer), 858 buffer_len(&compression_buffer)); 859 DBG(debug("input: len after de-compress %d", buffer_len(&incoming_packet))); 860 } 861 /* 862 * get packet type, implies consume. 863 * return length of payload (without type field) 864 */ 865 type = buffer_get_char(&incoming_packet); 866 if (type == SSH2_MSG_NEWKEYS) 867 set_newkeys(MODE_IN); 868 *payload_len_ptr = buffer_len(&incoming_packet); 869 #ifdef PACKET_DEBUG 870 fprintf(stderr, "read/plain[%d]:\r\n", type); 871 buffer_dump(&incoming_packet); 872 #endif 873 /* reset for next packet */ 874 packet_length = 0; 875 return type; 876 } 877 878 int 879 packet_read_poll(int *payload_len_ptr) 880 { 881 int reason; 882 u_char type; 883 char *msg; 884 885 for (;;) { 886 if (compat20) { 887 type = packet_read_poll2(payload_len_ptr); 888 if (type) 889 DBG(debug("received packet type %d", type)); 890 switch(type) { 891 case SSH2_MSG_IGNORE: 892 break; 893 case SSH2_MSG_DEBUG: 894 packet_get_char(); 895 msg = packet_get_string(NULL); 896 debug("Remote: %.900s", msg); 897 xfree(msg); 898 msg = packet_get_string(NULL); 899 xfree(msg); 900 break; 901 case SSH2_MSG_DISCONNECT: 902 reason = packet_get_int(); 903 msg = packet_get_string(NULL); 904 log("Received disconnect from %s: %d: %.400s", get_remote_ipaddr(), 905 reason, msg); 906 xfree(msg); 907 fatal_cleanup(); 908 break; 909 default: 910 return type; 911 break; 912 } 913 } else { 914 type = packet_read_poll1(payload_len_ptr); 915 switch(type) { 916 case SSH_MSG_IGNORE: 917 break; 918 case SSH_MSG_DEBUG: 919 msg = packet_get_string(NULL); 920 debug("Remote: %.900s", msg); 921 xfree(msg); 922 break; 923 case SSH_MSG_DISCONNECT: 924 msg = packet_get_string(NULL); 925 log("Received disconnect from %s: %.400s", get_remote_ipaddr(), 926 msg); 927 fatal_cleanup(); 928 xfree(msg); 929 break; 930 default: 931 if (type) 932 DBG(debug("received packet type %d", type)); 933 return type; 934 break; 935 } 936 } 937 } 938 } 939 940 /* 941 * Buffers the given amount of input characters. This is intended to be used 942 * together with packet_read_poll. 943 */ 944 945 void 946 packet_process_incoming(const char *buf, u_int len) 947 { 948 buffer_append(&input, buf, len); 949 } 950 951 /* Returns a character from the packet. */ 952 953 u_int 954 packet_get_char() 955 { 956 char ch; 957 buffer_get(&incoming_packet, &ch, 1); 958 return (u_char) ch; 959 } 960 961 /* Returns an integer from the packet data. */ 962 963 u_int 964 packet_get_int() 965 { 966 return buffer_get_int(&incoming_packet); 967 } 968 969 /* 970 * Returns an arbitrary precision integer from the packet data. The integer 971 * must have been initialized before this call. 972 */ 973 974 void 975 packet_get_bignum(BIGNUM * value, int *length_ptr) 976 { 977 *length_ptr = buffer_get_bignum(&incoming_packet, value); 978 } 979 980 void 981 packet_get_bignum2(BIGNUM * value, int *length_ptr) 982 { 983 *length_ptr = buffer_get_bignum2(&incoming_packet, value); 984 } 985 986 char * 987 packet_get_raw(int *length_ptr) 988 { 989 int bytes = buffer_len(&incoming_packet); 990 if (length_ptr != NULL) 991 *length_ptr = bytes; 992 return buffer_ptr(&incoming_packet); 993 } 994 995 int 996 packet_remaining(void) 997 { 998 return buffer_len(&incoming_packet); 999 } 1000 1001 /* 1002 * Returns a string from the packet data. The string is allocated using 1003 * xmalloc; it is the responsibility of the calling program to free it when 1004 * no longer needed. The length_ptr argument may be NULL, or point to an 1005 * integer into which the length of the string is stored. 1006 */ 1007 1008 char * 1009 packet_get_string(u_int *length_ptr) 1010 { 1011 return buffer_get_string(&incoming_packet, length_ptr); 1012 } 1013 1014 /* 1015 * Sends a diagnostic message from the server to the client. This message 1016 * can be sent at any time (but not while constructing another message). The 1017 * message is printed immediately, but only if the client is being executed 1018 * in verbose mode. These messages are primarily intended to ease debugging 1019 * authentication problems. The length of the formatted message must not 1020 * exceed 1024 bytes. This will automatically call packet_write_wait. 1021 */ 1022 1023 void 1024 packet_send_debug(const char *fmt,...) 1025 { 1026 char buf[1024]; 1027 va_list args; 1028 1029 if (compat20 && (datafellows & SSH_BUG_DEBUG)) 1030 return; 1031 1032 va_start(args, fmt); 1033 vsnprintf(buf, sizeof(buf), fmt, args); 1034 va_end(args); 1035 1036 if (compat20) { 1037 packet_start(SSH2_MSG_DEBUG); 1038 packet_put_char(0); /* bool: always display */ 1039 packet_put_cstring(buf); 1040 packet_put_cstring(""); 1041 } else { 1042 packet_start(SSH_MSG_DEBUG); 1043 packet_put_cstring(buf); 1044 } 1045 packet_send(); 1046 packet_write_wait(); 1047 } 1048 1049 /* 1050 * Logs the error plus constructs and sends a disconnect packet, closes the 1051 * connection, and exits. This function never returns. The error message 1052 * should not contain a newline. The length of the formatted message must 1053 * not exceed 1024 bytes. 1054 */ 1055 1056 void 1057 packet_disconnect(const char *fmt,...) 1058 { 1059 char buf[1024]; 1060 va_list args; 1061 static int disconnecting = 0; 1062 if (disconnecting) /* Guard against recursive invocations. */ 1063 fatal("packet_disconnect called recursively."); 1064 disconnecting = 1; 1065 1066 /* 1067 * Format the message. Note that the caller must make sure the 1068 * message is of limited size. 1069 */ 1070 va_start(args, fmt); 1071 vsnprintf(buf, sizeof(buf), fmt, args); 1072 va_end(args); 1073 1074 /* Send the disconnect message to the other side, and wait for it to get sent. */ 1075 if (compat20) { 1076 packet_start(SSH2_MSG_DISCONNECT); 1077 packet_put_int(SSH2_DISCONNECT_PROTOCOL_ERROR); 1078 packet_put_cstring(buf); 1079 packet_put_cstring(""); 1080 } else { 1081 packet_start(SSH_MSG_DISCONNECT); 1082 packet_put_cstring(buf); 1083 } 1084 packet_send(); 1085 packet_write_wait(); 1086 1087 /* Stop listening for connections. */ 1088 channel_close_all(); 1089 1090 /* Close the connection. */ 1091 packet_close(); 1092 1093 /* Display the error locally and exit. */ 1094 log("Disconnecting: %.100s", buf); 1095 fatal_cleanup(); 1096 } 1097 1098 /* Checks if there is any buffered output, and tries to write some of the output. */ 1099 1100 void 1101 packet_write_poll() 1102 { 1103 int len = buffer_len(&output); 1104 if (len > 0) { 1105 len = write(connection_out, buffer_ptr(&output), len); 1106 if (len <= 0) { 1107 if (errno == EAGAIN) 1108 return; 1109 else 1110 fatal("Write failed: %.100s", strerror(errno)); 1111 } 1112 buffer_consume(&output, len); 1113 } 1114 } 1115 1116 /* 1117 * Calls packet_write_poll repeatedly until all pending output data has been 1118 * written. 1119 */ 1120 1121 void 1122 packet_write_wait() 1123 { 1124 fd_set *setp; 1125 1126 setp = (fd_set *)xmalloc(howmany(connection_out + 1, NFDBITS) * 1127 sizeof(fd_mask)); 1128 packet_write_poll(); 1129 while (packet_have_data_to_write()) { 1130 memset(setp, 0, howmany(connection_out + 1, NFDBITS) * 1131 sizeof(fd_mask)); 1132 FD_SET(connection_out, setp); 1133 while (select(connection_out + 1, NULL, setp, NULL, NULL) == -1 && 1134 (errno == EAGAIN || errno == EINTR)) 1135 ; 1136 packet_write_poll(); 1137 } 1138 xfree(setp); 1139 } 1140 1141 /* Returns true if there is buffered data to write to the connection. */ 1142 1143 int 1144 packet_have_data_to_write() 1145 { 1146 return buffer_len(&output) != 0; 1147 } 1148 1149 /* Returns true if there is not too much data to write to the connection. */ 1150 1151 int 1152 packet_not_very_much_data_to_write() 1153 { 1154 if (interactive_mode) 1155 return buffer_len(&output) < 16384; 1156 else 1157 return buffer_len(&output) < 128 * 1024; 1158 } 1159 1160 /* Informs that the current session is interactive. Sets IP flags for that. */ 1161 1162 void 1163 packet_set_interactive(int interactive) 1164 { 1165 static int called = 0; 1166 int lowdelay = IPTOS_LOWDELAY; 1167 int throughput = IPTOS_THROUGHPUT; 1168 int on = 1; 1169 1170 if (called) 1171 return; 1172 called = 1; 1173 1174 /* Record that we are in interactive mode. */ 1175 interactive_mode = interactive; 1176 1177 /* Only set socket options if using a socket. */ 1178 if (!packet_connection_is_on_socket()) 1179 return; 1180 /* 1181 * IPTOS_LOWDELAY and IPTOS_THROUGHPUT are IPv4 only 1182 */ 1183 if (interactive) { 1184 /* 1185 * Set IP options for an interactive connection. Use 1186 * IPTOS_LOWDELAY and TCP_NODELAY. 1187 */ 1188 if (packet_connection_is_ipv4()) { 1189 if (setsockopt(connection_in, IPPROTO_IP, IP_TOS, 1190 (void *) &lowdelay, sizeof(lowdelay)) < 0) 1191 error("setsockopt IPTOS_LOWDELAY: %.100s", 1192 strerror(errno)); 1193 } 1194 if (setsockopt(connection_in, IPPROTO_TCP, TCP_NODELAY, (void *) &on, 1195 sizeof(on)) < 0) 1196 error("setsockopt TCP_NODELAY: %.100s", strerror(errno)); 1197 } else if (packet_connection_is_ipv4()) { 1198 /* 1199 * Set IP options for a non-interactive connection. Use 1200 * IPTOS_THROUGHPUT. 1201 */ 1202 if (setsockopt(connection_in, IPPROTO_IP, IP_TOS, (void *) &throughput, 1203 sizeof(throughput)) < 0) 1204 error("setsockopt IPTOS_THROUGHPUT: %.100s", strerror(errno)); 1205 } 1206 } 1207 1208 /* Returns true if the current connection is interactive. */ 1209 1210 int 1211 packet_is_interactive() 1212 { 1213 return interactive_mode; 1214 } 1215 1216 int 1217 packet_set_maxsize(int s) 1218 { 1219 static int called = 0; 1220 if (called) { 1221 log("packet_set_maxsize: called twice: old %d new %d", 1222 max_packet_size, s); 1223 return -1; 1224 } 1225 if (s < 4 * 1024 || s > 1024 * 1024) { 1226 log("packet_set_maxsize: bad size %d", s); 1227 return -1; 1228 } 1229 debug("packet_set_maxsize: setting to %d", s); 1230 max_packet_size = s; 1231 return s; 1232 } 1233 1234 /* 1235 * 9.2. Ignored Data Message 1236 * 1237 * byte SSH_MSG_IGNORE 1238 * string data 1239 * 1240 * All implementations MUST understand (and ignore) this message at any 1241 * time (after receiving the protocol version). No implementation is 1242 * required to send them. This message can be used as an additional 1243 * protection measure against advanced traffic analysis techniques. 1244 */ 1245 /* size of current + ignore message should be n*sumlen bytes (w/o mac) */ 1246 void 1247 packet_inject_ignore(int sumlen) 1248 { 1249 int blocksize, padlen, have, need, nb, mini, nbytes; 1250 Enc *enc = NULL; 1251 1252 if (compat20 == 0) 1253 return; 1254 1255 have = buffer_len(&outgoing_packet); 1256 debug2("packet_inject_ignore: current %d", have); 1257 if (newkeys[MODE_OUT] != NULL) 1258 enc = &newkeys[MODE_OUT]->enc; 1259 blocksize = enc ? enc->cipher->block_size : 8; 1260 padlen = blocksize - (have % blocksize); 1261 if (padlen < 4) 1262 padlen += blocksize; 1263 have += padlen; 1264 have /= blocksize; /* # of blocks for current message */ 1265 1266 nb = roundup(sumlen, blocksize) / blocksize; /* blocks for both */ 1267 mini = roundup(5+1+4+4, blocksize) / blocksize; /* minsize ignore msg */ 1268 need = nb - (have % nb); /* blocks for ignore */ 1269 if (need <= mini) 1270 need += nb; 1271 nbytes = (need - mini) * blocksize; /* size of ignore payload */ 1272 debug2("packet_inject_ignore: block %d have %d nb %d mini %d need %d", 1273 blocksize, have, nb, mini, need); 1274 1275 /* enqueue current message and append a ignore message */ 1276 packet_send(); 1277 packet_send_ignore(nbytes); 1278 } 1279 1280 void 1281 packet_send_ignore(int nbytes) 1282 { 1283 u_int32_t rand = 0; 1284 int i; 1285 1286 packet_start(compat20 ? SSH2_MSG_IGNORE : SSH_MSG_IGNORE); 1287 packet_put_int(nbytes); 1288 for(i = 0; i < nbytes; i++) { 1289 if (i % 4 == 0) 1290 rand = arc4random(); 1291 packet_put_char(rand & 0xff); 1292 rand >>= 8; 1293 } 1294 } 1295