libssh2
1/* Copyright (C) The Written Word, Inc.2* Copyright (C) Daniel Stenberg3* All rights reserved.4*5* Redistribution and use in source and binary forms,6* with or without modification, are permitted provided7* that the following conditions are met:8*9* Redistributions of source code must retain the above10* copyright notice, this list of conditions and the11* following disclaimer.12*13* Redistributions in binary form must reproduce the above14* copyright notice, this list of conditions and the following15* disclaimer in the documentation and/or other materials16* provided with the distribution.17*18* Neither the name of the copyright holder nor the names19* of any other contributors may be used to endorse or20* promote products derived from this software without21* specific prior written permission.22*23* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND24* CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES,25* INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES26* OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE27* ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR28* CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,29* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,30* BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR31* SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS32* INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,33* WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING34* NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE35* USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY36* OF SUCH DAMAGE.37*38* SPDX-License-Identifier: BSD-3-Clause39*/40/*42* This file handles reading and writing to the SECSH transport layer. RFC4253.43*/44{60size_t i;61size_t c;62unsigned int width = 0x10;63char buffer[256]; /* Must be enough for width*4 + about 30 or so */64size_t used;65static const char *hex_chars = "0123456789ABCDEF";66}117#else118#define debugdump(a,x,y,z) do {} while(0)119#endif120/* decrypt() decrypts 'len' bytes from 'source' to 'dest' in units of123* blocksize.124*125* returns 0 on success and negative on failure126*/127{132struct transportpacket *p = &session->packet;133int blocksize = session->remote.crypt->blocksize;134we risk losing those extra bytes. AAD is an exception, since those first137few bytes aren't encrypted so it throws off the rest of the count. */138if(!CRYPT_FLAG_L(session, PKTLEN_AAD))139assert((len % blocksize) == 0);140length of the remainder of the block) and takes priority. When the146length finally gets to the last blocksize bytes, and there's no147more data to come, it's the end. */148int lowerfirstlast = IS_FIRST(firstlast) ? FIRST_BLOCK :149((len <= blocksize) ? firstlast : MIDDLE_BLOCK);150/* If the last block would be less than a whole blocksize, combine it151with the previous block to make it larger. This ensures that the152whole MAC is included in a single decrypt call. */153if(CRYPT_FLAG_L(session, PKTLEN_AAD) && IS_LAST(firstlast)154&& (len < blocksize*2)) {155decryptlen = len;156lowerfirstlast = LAST_BLOCK;157}158wouldn't have to memcpy() and we could avoid this memcpy()168too */169memcpy(dest, source, decryptlen);170}177/*179* fullpacket() gets called when a full packet has been received and properly180* collected.181*/182static int183fullpacket(LIBSSH2_SESSION * session, int encrypted /* 1 or 0 */ )184{185unsigned char macbuf[MAX_MACSIZE];186struct transportpacket *p = &session->packet;187int rc;188int compressed;189uint32_t seq = session->remote.seqno;190* the network. The read one is at the very end of the payload220* buffer. Note that 'payload_len' here is the packet_length221* field which includes the padding but not the MAC.222*/223if(memcmp(macbuf, p->payload + p->total_num - mac_len, mac_len)) {224_libssh2_debug((session, LIBSSH2_TRACE_SOCKET,225"Failed MAC check"));226session->fullpacket_macstate = LIBSSH2_MAC_INVALID;227contains padding length since this allows us to decrypt232all other blocks to the right location in memory233avoiding moving a larger block of memory one byte. */234unsigned char first_block[MAX_BLOCKSIZE];235ssize_t decrypt_size;236unsigned char *decrypt_buffer;237int blocksize = session->remote.crypt->blocksize;238into target buffer */254p->padding_length = first_block[0];255if(blocksize > 1) {256memcpy(decrypt_buffer, first_block + 1, blocksize - 1);257}258* The buffer for the decompression (remote.comp_abstract) is290* initialised in time when it is needed so as long it is NULL we291* cannot decompress.292*/293}339/*342* _libssh2_transport_read343*344* Collect a packet into the input queue.345*346* Returns packet type added to input queue (0 if nothing added), or a347* negative error number.348*/349/*351* This function reads the binary stream as specified in chapter 6 of RFC4253352* "The Secure Shell (SSH) Transport Layer Protocol"353*354* DOES NOT call _libssh2_error() for ANY error case.355*/356int _libssh2_transport_read(LIBSSH2_SESSION * session)357{358int rc;359struct transportpacket *p = &session->packet;360ssize_t remainpack; /* how much there is left to add to the current payload361package */362ssize_t remainbuf; /* how much data there is remaining in the buffer to363deal with before we should read more from the364network */365ssize_t numbytes; /* how much data to deal with from the buffer on this366iteration through the loop */367ssize_t numdecrypt; /* number of bytes to decrypt this iteration */368unsigned char block[MAX_BLOCKSIZE]; /* working block buffer */369int blocksize; /* minimum number of bytes we need before we can370use them */371int encrypted = 1; /* whether the packet is encrypted or not */372int firstlast = FIRST_BLOCK; /* if the first or last block to decrypt */373* All channels, systems, subsystems, etc eventually make it down here379* when looking for more incoming data. If a key exchange is going on380* (LIBSSH2_STATE_EXCHANGING_KEYS bit is set) then the remote end will381* ONLY send key exchange related traffic. In non-blocking mode, there is382* a chance to break out of the kex_exchange function with an EAGAIN383* status, and never come back to it. If LIBSSH2_STATE_EXCHANGING_KEYS is384* active, then we must redirect to the key exchange. However, if385* kex_exchange is active (as in it is the one that calls this execution386* of packet_read, then don't redirect, as that would be an infinite loop!387*/388* is done!394*/395_libssh2_debug((session, LIBSSH2_TRACE_TRANS, "Redirecting into the"396" key re-exchange from _libssh2_transport_read"));397rc = _libssh2_kex_exchange(session, 1, &session->startup_key_state);398if(rc)399return rc;400}401* =============================== NOTE ===============================404* I know this is very ugly and not a really good use of "goto", but405* this case statement would be even uglier to do it any other way406*/407if(session->readPack_state == libssh2_NB_state_jump1) {408session->readPack_state = libssh2_NB_state_idle;409encrypted = session->readPack_encrypted;410goto libssh2_transport_read_point1;411}412make the checks below work fine still */426}427the LIBSSH2_SESSION struct. We will decrypt data from that432buffer into the packet buffer so this temp one doesn't have433to be able to keep a whole SSH packet, just be large enough434so that we can read big chunks from the network layer. */435before we should read more from the network */438remainbuf = p->writeidx - p->readidx;439little data to deal with, read more */446ssize_t nread;447that we can do a full refill */450if(remainbuf) {451memmove(p->buf, &p->buf[p->readidx], remainbuf);452p->readidx = 0;453p->writeidx = remainbuf;454}455else {456/* nothing to move, just zero the indexes */457p->readidx = p->writeidx = 0;458}459return code if so, error out normally otherwise */467if((nread < 0) && (nread == -EAGAIN)) {468session->socket_block_directions |=469LIBSSH2_SESSION_BLOCK_INBOUND;470return LIBSSH2_ERROR_EAGAIN;471}472_libssh2_debug((session, LIBSSH2_TRACE_SOCKET,473"Error recving %ld bytes (got %ld)",474(long)(PACKETBUFSIZE - remainbuf),475(long)-nread));476return LIBSSH2_ERROR_SOCKET_RECV;477}478_libssh2_debug((session, LIBSSH2_TRACE_SOCKET,479"Recved %ld/%ld bytes to %p+%ld", (long)nread,480(long)(PACKETBUFSIZE - remainbuf), (void *)p->buf,481(long)remainbuf));482(5 bytes) packet length and padding length498fields */499and we donøt need to decrypt first block */502ssize_t required_size = etm ? 4 : blocksize;503size of this payload, we need enough to decrypt the first506blocksize data. */507check is only done for the initial block since once we have511got the start of a block we can in fact deal with fractions512*/513session->socket_block_directions |=514LIBSSH2_SESSION_BLOCK_INBOUND;515return LIBSSH2_ERROR_EAGAIN;516}517used in the hash calculation later down.531This is ignored in the INTEGRATED_MAC case. */532memcpy(p->init, block, 5);533}534else {535/* the data is plain, just copy it verbatim to536the working block buffer */537memcpy(block, &p->buf[p->readidx], blocksize);538}539* and we can extract packet and padding length from it545*/546p->packet_length = _libssh2_ntohu32(block);547}548packet length field that we run MAC over */559total_num = 4 + p->packet_length +560session->remote.mac->mac_len;561}562else {563/* padding_length has not been authenticated yet, but it won't564actually be used (except for the sanity check immediately565following) until after the entire packet is authenticated,566so this is safe. */567p->padding_length = block[4];568if(p->padding_length > p->packet_length - 1) {569return LIBSSH2_ERROR_DECRYPT;570}571(5 bytes) packet length and padding length fields */574total_num = p->packet_length - 1 +575(encrypted ? session->remote.mac->mac_len : 0);576}577*580* "All implementations MUST be able to process581* packets with uncompressed payload length of 32768582* bytes or less and total packet size of 35000 bytes583* or less (including length, padding length, payload,584* padding, and MAC.)."585*/586if(total_num > LIBSSH2_PACKET_MAXPAYLOAD || total_num == 0) {587return LIBSSH2_ERROR_OUT_OF_BOUNDARY;588}589hold all data, including padding and MAC. */592p->payload = LIBSSH2_ALLOC(session, total_num);593if(!p->payload) {594return LIBSSH2_ERROR_ALLOC;595}596p->total_num = total_num;597/* init write pointer to start of payload buffer */598p->wptr = p->payload;599the blocksize from the temporary buffer to603the start of the decrypted buffer */604if(blocksize - 5 <= (int) total_num) {605memcpy(p->wptr, &block[5], blocksize - 5);606p->wptr += blocksize - 5; /* advance write pointer */607if(etm) {608/* advance past unencrypted packet length */609p->wptr += 4;610}611}612else {613if(p->payload)614LIBSSH2_FREE(session, p->payload);615return LIBSSH2_ERROR_OUT_OF_BOUNDARY;616}617}618the package read so far */621p->data_num = p->wptr - p->payload;622package */630remainpack = p->total_num - p->data_num;631particular packet, we limit this round to this packet only */635numbytes = remainpack;636}637and we don't want to decrypt that since we need it641"raw". We MUST however decrypt the padding data642since it is used for the hash later on. */643int skip = session->remote.mac->mac_len;644decryption so it can be authenticated. */648skip = 0;649total minus the skip margin, we should lower the652amount to decrypt even more */653if((p->data_num + numbytes) >= (p->total_num - skip)) {654/* decrypt the entire rest of the package */655numdecrypt = LIBSSH2_MAX(0,656(int)(p->total_num - skip) - (int)p->data_num);657firstlast = LAST_BLOCK;658}659else {660ssize_t frac;661numdecrypt = numbytes;662frac = numdecrypt % blocksize;663if(frac) {664/* not an aligned amount of blocks, align it by reducing665the number of bytes processed this loop */666numdecrypt -= frac;667/* and make it no unencrypted data668after it */669numbytes = 0;670}671if(CRYPT_FLAG_R(session, INTEGRATED_MAC)) {672/* Make sure that we save enough bytes to make the last673* block large enough to hold the entire integrated MAC */674numdecrypt = LIBSSH2_MIN(numdecrypt,675(int)(p->total_num - skip - blocksize - p->data_num));676numbytes = 0;677}678firstlast = MIDDLE_BLOCK;679}680}681else {682/* unencrypted data should not be decrypted at all */683numdecrypt = 0;684}685assert(numdecrypt >= 0);686copy them as-is to the target buffer */710if(numbytes > 0) {711current packet */731remainpack = p->total_num - p->data_num;732* libssh2_packet_add() returns LIBSSH2_ERROR_EAGAIN. If742* that returns LIBSSH2_ERROR_EAGAIN but the packAdd_state743* is idle, then the packet has been added to the brigade,744* but some immediate action that was taken based on the745* packet type (such as key re-exchange) is not yet746* complete. Clear the way for a new packet to be read747* in.748*/749session->readPack_encrypted = encrypted;750session->readPack_state = libssh2_NB_state_jump1;751}752}764{769ssize_t rc;770ssize_t length;771struct transportpacket *p = &session->packet;772that the caller doesn't try to send a new/different packet since782we don't add this one up until the previous one has been sent. To783make the caller really notice his/hers flaw, we return error for784this case */785_libssh2_debug((session, LIBSSH2_TRACE_SOCKET,786"Address is different, but will resume nonetheless"));787}788a send success now, so that we don't risk sending EAGAIN later814which then would confuse the parent function */815return LIBSSH2_ERROR_NONE;816}832/*834* libssh2_transport_send835*836* Send a packet, encrypting it and adding a MAC code if necessary837* Returns 0 on success, non-zero on failure.838*839* The data is provided as _two_ data areas that are combined by this840* function. The 'data' part is sent immediately before 'data2'. 'data2' may841* be set to NULL to only use a single part.842*843* Returns LIBSSH2_ERROR_EAGAIN if it would block or if the whole packet was844* not sent yet. If it does so, the caller should call this function again as845* soon as it is likely that more data can be sent, and this function MUST846* then be called with the same argument set (same data pointer and same847* data_len) until ERROR_NONE or failure is returned.848*849* This function DOES NOT call _libssh2_error() on any errors.850*/851int _libssh2_transport_send(LIBSSH2_SESSION *session,852const unsigned char *data, size_t data_len,853const unsigned char *data2, size_t data2_len)854{855int blocksize =856(session->state & LIBSSH2_STATE_NEWKEYS) ?857session->local.crypt->blocksize : 8;858ssize_t padding_length;859size_t packet_length;860ssize_t total_length;861#ifdef LIBSSH2_RANDOM_PADDING862int rand_max;863int seed = data[0]; /* FIXME: make this random */864#endif865struct transportpacket *p = &session->packet;866int encrypted;867int compressed;868int etm;869ssize_t ret;870int rc;871const unsigned char *orgdata = data;872size_t orgdata_len = data_len;873size_t crypt_offset, etm_crypt_offset;874* If the last read operation was interrupted in the middle of a key877* exchange, we must complete that key exchange before continuing to write878* further data.879*880* See the similar block in _libssh2_transport_read for more details.881*/882if(session->state & LIBSSH2_STATE_EXCHANGING_KEYS &&883!(session->state & LIBSSH2_STATE_KEX_ACTIVE)) {884/* Don't write any new packets if we're still in the middle of a key885* exchange. */886_libssh2_debug((session, LIBSSH2_TRACE_TRANS, "Redirecting into the"887" key re-exchange from _libssh2_transport_send"));888rc = _libssh2_kex_exchange(session, 1, &session->startup_key_state);889if(rc)890return rc;891}892only sanity-check data and data_len and not data2 and data2_len! */899rc = send_existing(session, data, data_len, &ret);900if(rc)901return rc;902larger than what fits in the assigned buffer so thus they don't921check the input size as we don't know how much it compresses */922size_t dest_len = MAX_SSH_PACKET_LEN-5-256;923size_t dest2_len = dest_len;924previous call put data */936dest2_len -= dest_len;937function split it up and send multiple SSH packets */955return LIBSSH2_ERROR_INVAL;956'packet_length', 'padding_length', 'payload', and 'random padding'967MUST be a multiple of the cipher block size or 8, whichever is968larger. */9694 for the packet_length field */974/* subtract 4 bytes of the packet_length field when padding AES-GCM975or with ETM */976crypt_offset = (etm || (encrypted && CRYPT_FLAG_R(session, PKTLEN_AAD)))977? 4 : 0;978etm_crypt_offset = etm ? 4 : 0;979block size */984padding_length = blocksize - ((packet_length - crypt_offset) % blocksize);985of it (taken from the original libssh2 where it didn't have any988real explanation) */989if(padding_length < 4) {990padding_length += blocksize;991}992#ifdef LIBSSH2_RANDOM_PADDING993/* FIXME: we can add padding here, but that also makes the packets994bigger etc */995(to "help thwart traffic analysis") but it must be less than 255 in998total */999rand_max = (255 - padding_length) / blocksize + 1;1000padding_length += blocksize * (seed % rand_max);1001#endif1002the MAC and the packet_length field itself */1011_libssh2_htonu32(p->outbuf, (uint32_t)(packet_length - 4));1012/* store padding_length */1013p->outbuf[4] = (unsigned char)padding_length;1014since that size includes the whole packet. The MAC is1026calculated on the entire unencrypted packet, including all1027fields except the MAC field itself. This is skipped in the1028INTEGRATED_MAC case, where the crypto algorithm also does its1029own hash. */1030if(!etm && !CRYPT_FLAG_R(session, INTEGRATED_MAC)) {1031if(session->local.mac->hash(session, p->outbuf + packet_length,1032session->local.seqno, p->outbuf,1033packet_length, NULL, 0,1034&session->local.mac_abstract))1035return _libssh2_error(session, LIBSSH2_ERROR_MAC_FAILURE,1036"Failed to calculate MAC");1037}1038The MAC field is not encrypted unless INTEGRATED_MAC. */1041/* Some crypto back-ends could handle a single crypt() call for1042encryption, but (presumably) others cannot, so break it up1043into blocksize-sized chunks to satisfy them all. */1044for(i = etm_crypt_offset; i < packet_length;1045i += session->local.crypt->blocksize) {1046unsigned char *ptr = &p->outbuf[i];1047size_t bsize = LIBSSH2_MIN(session->local.crypt->blocksize,1048(int)(packet_length-i));1049/* The INTEGRATED_MAC case always has an extra call below, so it1050will never be LAST_BLOCK up here. */1051int firstlast = i == 0 ? FIRST_BLOCK :1052(!CRYPT_FLAG_L(session, INTEGRATED_MAC)1053&& (i == packet_length - session->local.crypt->blocksize)1054? LAST_BLOCK: MIDDLE_BLOCK);1055/* In the AAD case, the last block would be only 4 bytes because1056everything is offset by 4 since the initial packet_length isn't1057encrypted. In this case, combine that last short packet with the1058previous one since AES-GCM crypt() assumes that the entire MAC1059is available in that packet so it can set that to the1060authentication tag. */1061if(!CRYPT_FLAG_L(session, INTEGRATED_MAC))1062if(i > packet_length - 2*bsize) {1063/* increase the final block size */1064bsize = packet_length - i;1065/* advance the loop counter by the extra amount */1066i += bsize - session->local.crypt->blocksize;1067}1068_libssh2_debug((session, LIBSSH2_TRACE_SOCKET,1069"crypting bytes %lu-%lu", (unsigned long)i,1070(unsigned long)(i + bsize - 1)));1071if(session->local.crypt->crypt(session, ptr,1072bsize,1073&session->local.crypt_abstract,1074firstlast))1075return LIBSSH2_ERROR_ENCRYPT; /* encryption failure */1076}1077/* Call crypt() one last time so it can be filled in with the MAC */1078if(CRYPT_FLAG_L(session, INTEGRATED_MAC)) {1079int authlen = session->local.mac->mac_len;1080assert((size_t)total_length <=1081packet_length + session->local.crypt->blocksize);1082if(session->local.crypt->crypt(session, &p->outbuf[packet_length],1083authlen,1084&session->local.crypt_abstract,1085LAST_BLOCK))1086return LIBSSH2_ERROR_ENCRYPT; /* encryption failure */1087}1088since that size includes the whole packet. The MAC is1092calculated on the entire packet (length plain the rest1093encrypted), including all fields except the MAC field1094itself. */1095if(session->local.mac->hash(session, p->outbuf + packet_length,1096session->local.seqno, p->outbuf,1097packet_length, NULL, 0,1098&session->local.mac_abstract))1099return _libssh2_error(session, LIBSSH2_ERROR_MAC_FAILURE,1100"Failed to calculate MAC");1101}1102}1103}1142