From 39af7b444db28c1cb01b7ea468a4f574a44f375b Mon Sep 17 00:00:00 2001 From: "djm@openbsd.org" Date: Tue, 11 Oct 2016 21:47:45 +0000 Subject: [PATCH] upstream commit Add a per-packet input hook that is called with the decrypted packet contents. This will be used for fuzzing; ok markus@ Upstream-ID: a3221cee6b1725dd4ae1dd2c13841b4784cb75dc --- packet.c | 17 ++++++++++++++++- packet.h | 7 ++++++- 2 files changed, 22 insertions(+), 2 deletions(-) diff --git a/packet.c b/packet.c index 783ae5bd4..ad1f6b497 100644 --- a/packet.c +++ b/packet.c @@ -1,4 +1,4 @@ -/* $OpenBSD: packet.c,v 1.242 2016/09/30 09:19:13 markus Exp $ */ +/* $OpenBSD: packet.c,v 1.243 2016/10/11 21:47:45 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -219,6 +219,10 @@ struct session_state { /* SSH1 CRC compensation attack detector */ struct deattack_ctx deattack; + /* Hook for fuzzing inbound packets */ + ssh_packet_hook_fn *hook_in; + void *hook_in_ctx; + TAILQ_HEAD(, packet) outgoing; }; @@ -263,6 +267,13 @@ ssh_alloc_session_state(void) return NULL; } +void +ssh_packet_set_input_hook(struct ssh *ssh, ssh_packet_hook_fn *hook, void *ctx) +{ + ssh->state->hook_in = hook; + ssh->state->hook_in_ctx = ctx; +} + /* Returns nonzero if rekeying is in progress */ int ssh_packet_is_rekeying(struct ssh *ssh) @@ -1884,6 +1895,10 @@ ssh_packet_read_poll2(struct ssh *ssh, u_char *typep, u_int32_t *seqnr_p) return r; return SSH_ERR_PROTOCOL_ERROR; } + if (state->hook_in != NULL && + (r = state->hook_in(ssh, state->incoming_packet, typep, + state->hook_in_ctx)) != 0) + return r; if (*typep == SSH2_MSG_USERAUTH_SUCCESS && !state->server_side) r = ssh_packet_enable_delayed_compress(ssh); else diff --git a/packet.h b/packet.h index 0a64eb2a5..bfe7da615 100644 --- a/packet.h +++ b/packet.h @@ -1,4 +1,4 @@ -/* $OpenBSD: packet.h,v 1.73 2016/09/30 09:19:13 markus Exp $ */ +/* $OpenBSD: packet.h,v 1.74 2016/10/11 21:47:45 djm Exp $ */ /* * Author: Tatu Ylonen @@ -78,6 +78,9 @@ struct ssh { void *app_data; }; +typedef int (ssh_packet_hook_fn)(struct ssh *, struct sshbuf *, + u_char *, void *); + struct ssh *ssh_alloc_session_state(void); struct ssh *ssh_packet_set_connection(struct ssh *, int, int); void ssh_packet_set_timeout(struct ssh *, int, int); @@ -88,6 +91,8 @@ int ssh_packet_get_connection_in(struct ssh *); int ssh_packet_get_connection_out(struct ssh *); void ssh_packet_close(struct ssh *); void ssh_packet_set_encryption_key(struct ssh *, const u_char *, u_int, int); +void ssh_packet_set_input_hook(struct ssh *, ssh_packet_hook_fn *, void *); + int ssh_packet_is_rekeying(struct ssh *); void ssh_packet_set_protocol_flags(struct ssh *, u_int); u_int ssh_packet_get_protocol_flags(struct ssh *);