X-Git-Url: http://andersk.mit.edu/gitweb/gssapi-openssh.git/blobdiff_plain/30460aeb3d3c027b85eba1e4d45de75fb4b9d356..b8af55e54c7882aef9ee2d6505b2425e21b9caa5:/openssh/kex.c?ds=sidebyside

diff --git a/openssh/kex.c b/openssh/kex.c
index b4685a6..2633171 100644
--- a/openssh/kex.c
+++ b/openssh/kex.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: kex.c,v 1.76 2006/08/03 03:34:42 deraadt Exp $ */
+/* $OpenBSD: kex.c,v 1.79 2007/06/05 06:52:37 djm Exp $ */
 /*
  * Copyright (c) 2000, 2001 Markus Friedl.  All rights reserved.
  *
@@ -48,6 +48,7 @@
 #include "match.h"
 #include "dispatch.h"
 #include "monitor.h"
+#include "canohost.h"
 
 #ifdef GSSAPI
 #include "ssh-gss.h"
@@ -68,6 +69,7 @@ static void kex_kexinit_finish(Kex *);
 static void kex_choose_conf(Kex *);
 
 /* put algorithm proposal into buffer */
+/* used in sshconnect.c as well as kex.c */
 void
 kex_prop2buf(Buffer *b, char *proposal[PROPOSAL_MAX])
 {
@@ -91,7 +93,7 @@ static char **
 kex_buf2prop(Buffer *raw, int *first_kex_follows)
 {
 	Buffer b;
-	int i;
+	u_int i;
 	char **proposal;
 
 	proposal = xcalloc(PROPOSAL_MAX, sizeof(char *));
@@ -112,7 +114,7 @@ kex_buf2prop(Buffer *raw, int *first_kex_follows)
 		*first_kex_follows = i;
 	debug2("kex_parse_kexinit: first_kex_follows %d ", i);
 	i = buffer_get_int(&b);
-	debug2("kex_parse_kexinit: reserved %d ", i);
+	debug2("kex_parse_kexinit: reserved %u ", i);
 	buffer_free(&b);
 	return proposal;
 }
@@ -127,6 +129,7 @@ kex_prop_free(char **proposal)
 	xfree(proposal);
 }
 
+/* ARGSUSED */
 static void
 kex_protocol_error(int type, u_int32_t seq, void *ctxt)
 {
@@ -198,6 +201,7 @@ kex_send_kexinit(Kex *kex)
 	kex->flags |= KEX_INIT_SENT;
 }
 
+/* ARGSUSED */
 void
 kex_input_kexinit(int type, u_int32_t seq, void *ctxt)
 {
@@ -262,7 +266,8 @@ choose_enc(Enc *enc, char *client, char *server)
 {
 	char *name = match_list(client, server, NULL);
 	if (name == NULL)
-		fatal("no matching cipher found: client %s server %s", client, server);
+		fatal("no matching cipher found: client %s server %s",
+		    client, server);
 	if ((enc->cipher = cipher_by_name(name)) == NULL)
 		fatal("matching cipher is not supported: %s", name);
 	enc->name = name;
@@ -278,8 +283,9 @@ choose_mac(Mac *mac, char *client, char *server)
 {
 	char *name = match_list(client, server, NULL);
 	if (name == NULL)
-		fatal("no matching mac found: client %s server %s", client, server);
-	if (mac_init(mac, name) < 0)
+		fatal("no matching mac found: client %s server %s",
+		    client, server);
+	if (mac_setup(mac, name) < 0)
 		fatal("unsupported mac %s", name);
 	/* truncate the key */
 	if (datafellows & SSH_BUG_HMAC)
@@ -312,7 +318,7 @@ choose_kex(Kex *k, char *client, char *server)
 {
 	k->name = match_list(client, server, NULL);
 	if (k->name == NULL)
-		fatal("no kex alg");
+		fatal("Unable to negotiate a key exchange method");
 	if (strcmp(k->name, KEX_DH1) == 0) {
 		k->kex_type = KEX_DH_GRP1_SHA1;
 		k->evp_md = EVP_sha1();
@@ -322,20 +328,24 @@ choose_kex(Kex *k, char *client, char *server)
 	} else if (strcmp(k->name, KEX_DHGEX_SHA1) == 0) {
 		k->kex_type = KEX_DH_GEX_SHA1;
 		k->evp_md = EVP_sha1();
+#if OPENSSL_VERSION_NUMBER >= 0x00907000L
+	} else if (strcmp(k->name, KEX_DHGEX_SHA256) == 0) {
+		k->kex_type = KEX_DH_GEX_SHA256;
+		k->evp_md = evp_ssh_sha256();
+#endif
 #ifdef GSSAPI
 	} else if (strncmp(k->name, KEX_GSS_GEX_SHA1_ID,
-	    sizeof(KEX_GSS_GEX_SHA1_ID)-1) == 0) {
+	    sizeof(KEX_GSS_GEX_SHA1_ID) - 1) == 0) {
 		k->kex_type = KEX_GSS_GEX_SHA1;
 		k->evp_md = EVP_sha1();
 	} else if (strncmp(k->name, KEX_GSS_GRP1_SHA1_ID,
-	    sizeof(KEX_GSS_GRP1_SHA1_ID)-1) == 0) {
+	    sizeof(KEX_GSS_GRP1_SHA1_ID) - 1) == 0) {
 		k->kex_type = KEX_GSS_GRP1_SHA1;
 		k->evp_md = EVP_sha1();
-#endif
-#if OPENSSL_VERSION_NUMBER >= 0x00907000L
-	} else if (strcmp(k->name, KEX_DHGEX_SHA256) == 0) {
-		k->kex_type = KEX_DH_GEX_SHA256;
-		k->evp_md = evp_ssh_sha256();
+	} else if (strncmp(k->name, KEX_GSS_GRP14_SHA1_ID,
+	    sizeof(KEX_GSS_GRP14_SHA1_ID) - 1) == 0) {
+		k->kex_type = KEX_GSS_GRP14_SHA1;
+		k->evp_md = EVP_sha1();
 #endif
 	} else
 		fatal("bad kex alg %s", k->name);
@@ -386,6 +396,13 @@ kex_choose_conf(Kex *kex)
 	int nenc, nmac, ncomp;
 	u_int mode, ctos, need;
 	int first_kex_follows, type;
+	int log_flag = 0;
+
+	int auth_flag;
+
+	auth_flag = packet_authentication_state();
+
+	debug ("AUTH STATE IS %d", auth_flag);
 
 	my   = kex_buf2prop(&kex->my, NULL);
 	peer = kex_buf2prop(&kex->peer, &first_kex_follows);
@@ -402,18 +419,42 @@ kex_choose_conf(Kex *kex)
 	for (mode = 0; mode < MODE_MAX; mode++) {
 		newkeys = xcalloc(1, sizeof(*newkeys));
 		kex->newkeys[mode] = newkeys;
-		ctos = (!kex->server && mode == MODE_OUT) || (kex->server && mode == MODE_IN);
+		ctos = (!kex->server && mode == MODE_OUT) ||
+		    (kex->server && mode == MODE_IN);
 		nenc  = ctos ? PROPOSAL_ENC_ALGS_CTOS  : PROPOSAL_ENC_ALGS_STOC;
 		nmac  = ctos ? PROPOSAL_MAC_ALGS_CTOS  : PROPOSAL_MAC_ALGS_STOC;
 		ncomp = ctos ? PROPOSAL_COMP_ALGS_CTOS : PROPOSAL_COMP_ALGS_STOC;
 		choose_enc (&newkeys->enc,  cprop[nenc],  sprop[nenc]);
 		choose_mac (&newkeys->mac,  cprop[nmac],  sprop[nmac]);
 		choose_comp(&newkeys->comp, cprop[ncomp], sprop[ncomp]);
+		debug("REQUESTED ENC.NAME is '%s'", newkeys->enc.name);
+		if (strcmp(newkeys->enc.name, "none") == 0) {
+				debug("Requesting NONE. Authflag is %d", auth_flag);			
+			if (auth_flag == 1) {
+				debug("None requested post authentication.");
+			} else {
+				fatal("Pre-authentication none cipher requests are not allowed.");
+			}
+		} 
 		debug("kex: %s %s %s %s",
 		    ctos ? "client->server" : "server->client",
 		    newkeys->enc.name,
 		    newkeys->mac.name,
 		    newkeys->comp.name);
+		/* client starts withctos = 0 && log flag = 0 and no log*/
+		/* 2nd client pass ctos=1 and flag = 1 so no log*/
+		/* server starts with ctos =1 && log_flag = 0 so log */
+		/* 2nd sever pass ctos = 1 && log flag = 1 so no log*/
+		/* -cjr*/
+		if (ctos && !log_flag) {
+			logit("SSH: Server;Ltype: Kex;Remote: %s-%d;Enc: %s;MAC: %s;Comp: %s",
+			      get_remote_ipaddr(),
+			      get_remote_port(),
+			      newkeys->enc.name,
+			      newkeys->mac.name,
+			      newkeys->comp.name);
+		}
+		log_flag = 1;
 	}
 	choose_kex(kex, cprop[PROPOSAL_KEX_ALGS], sprop[PROPOSAL_KEX_ALGS]);
 	choose_hostkeyalg(kex, cprop[PROPOSAL_SERVER_HOST_KEY_ALGS],
@@ -566,7 +607,7 @@ dump_digest(char *msg, u_char *digest, int len)
 	u_int i;
 
 	fprintf(stderr, "%s\n", msg);
-	for (i = 0; i< len; i++) {
+	for (i = 0; i < len; i++) {
 		fprintf(stderr, "%02x", digest[i]);
 		if (i%32 == 31)
 			fprintf(stderr, "\n");