+static int
+packet_read_poll2(u_int32_t *seqnr_p)
+{
+ static u_int packet_length = 0;
+ u_int padlen, need;
+ u_char *macbuf, *cp, type;
+ int maclen, block_size;
+ Enc *enc = NULL;
+ Mac *mac = NULL;
+ Comp *comp = NULL;
+
+ if (newkeys[MODE_IN] != NULL) {
+ enc = &newkeys[MODE_IN]->enc;
+ mac = &newkeys[MODE_IN]->mac;
+ comp = &newkeys[MODE_IN]->comp;
+ }
+ maclen = mac && mac->enabled ? mac->mac_len : 0;
+ block_size = enc ? enc->block_size : 8;
+
+ if (packet_length == 0) {
+ /*
+ * check if input size is less than the cipher block size,
+ * decrypt first block and extract length of incoming packet
+ */
+ if (buffer_len(&input) < block_size)
+ return SSH_MSG_NONE;
+ buffer_clear(&incoming_packet);
+ cp = buffer_append_space(&incoming_packet, block_size);
+ cipher_crypt(&receive_context, cp, buffer_ptr(&input),
+ block_size);
+ cp = buffer_ptr(&incoming_packet);
+ packet_length = GET_32BIT(cp);
+ if (packet_length < 1 + 4 || packet_length > 256 * 1024) {
+ buffer_dump(&incoming_packet);
+ packet_disconnect("Bad packet length %u.", packet_length);
+ }
+ DBG(debug("input: packet len %u", packet_length+4));
+ buffer_consume(&input, block_size);
+ }
+ /* we have a partial packet of block_size bytes */
+ need = 4 + packet_length - block_size;
+ DBG(debug("partial packet %d, need %d, maclen %d", block_size,
+ need, maclen));
+ if (need % block_size != 0)
+ fatal("padding error: need %d block %d mod %d",
+ need, block_size, need % block_size);
+ /*
+ * check if the entire packet has been received and
+ * decrypt into incoming_packet
+ */
+ if (buffer_len(&input) < need + maclen)
+ return SSH_MSG_NONE;
+#ifdef PACKET_DEBUG
+ fprintf(stderr, "read_poll enc/full: ");
+ buffer_dump(&input);
+#endif
+ cp = buffer_append_space(&incoming_packet, need);
+ cipher_crypt(&receive_context, cp, buffer_ptr(&input), need);
+ buffer_consume(&input, need);
+ /*
+ * compute MAC over seqnr and packet,
+ * increment sequence number for incoming packet
+ */
+ if (mac && mac->enabled) {
+ macbuf = mac_compute(mac, p_read.seqnr,
+ buffer_ptr(&incoming_packet),
+ buffer_len(&incoming_packet));
+ if (memcmp(macbuf, buffer_ptr(&input), mac->mac_len) != 0)
+ packet_disconnect("Corrupted MAC on input.");
+ DBG(debug("MAC #%d ok", p_read.seqnr));
+ buffer_consume(&input, mac->mac_len);
+ }
+ if (seqnr_p != NULL)
+ *seqnr_p = p_read.seqnr;
+ if (++p_read.seqnr == 0)
+ log("incoming seqnr wraps around");
+ if (++p_read.packets == 0)
+ if (!(datafellows & SSH_BUG_NOREKEY))
+ fatal("XXX too many packets with same key");
+ p_read.blocks += (packet_length + 4) / block_size;
+
+ /* get padlen */
+ cp = buffer_ptr(&incoming_packet);
+ padlen = cp[4];
+ DBG(debug("input: padlen %d", padlen));
+ if (padlen < 4)
+ packet_disconnect("Corrupted padlen %d on input.", padlen);
+
+ /* skip packet size + padlen, discard padding */
+ buffer_consume(&incoming_packet, 4 + 1);
+ buffer_consume_end(&incoming_packet, padlen);
+
+ DBG(debug("input: len before de-compress %d", buffer_len(&incoming_packet)));
+ if (comp && comp->enabled) {
+ buffer_clear(&compression_buffer);
+ buffer_uncompress(&incoming_packet, &compression_buffer);
+ buffer_clear(&incoming_packet);
+ buffer_append(&incoming_packet, buffer_ptr(&compression_buffer),
+ buffer_len(&compression_buffer));
+ DBG(debug("input: len after de-compress %d",
+ buffer_len(&incoming_packet)));
+ }
+ /*
+ * get packet type, implies consume.
+ * return length of payload (without type field)
+ */
+ type = buffer_get_char(&incoming_packet);
+ if (type == SSH2_MSG_NEWKEYS)
+ set_newkeys(MODE_IN);
+#ifdef PACKET_DEBUG
+ fprintf(stderr, "read/plain[%d]:\r\n", type);
+ buffer_dump(&incoming_packet);
+#endif
+ /* reset for next packet */
+ packet_length = 0;
+ return type;
+}