- markus@cvs.openbsd.org 2001/04/04 14:34:58
authormouring <mouring>
Wed, 4 Apr 2001 17:57:54 +0000 (17:57 +0000)
committermouring <mouring>
Wed, 4 Apr 2001 17:57:54 +0000 (17:57 +0000)
     [clientloop.c kex.c kex.h serverloop.c sshconnect2.c sshd.c]
     enable server side rekeying + some rekey related clientup.
     todo: we should not send any non-KEX messages after we send KEXINIT

ChangeLog
clientloop.c
kex.c
kex.h
serverloop.c
sshconnect2.c
sshd.c

index 51505e8f4f0a468eb8791217b119881b88bf2d6e..7974406818f6ea2a2fd91b9a876ab1836aaa683b 100644 (file)
--- a/ChangeLog
+++ b/ChangeLog
@@ -5,6 +5,10 @@
      don't sent multiple kexinit-requests.                       
      send newkeys, block while waiting for newkeys.              
      fix comments.                                               
+   - markus@cvs.openbsd.org 2001/04/04 14:34:58                         
+     [clientloop.c kex.c kex.h serverloop.c sshconnect2.c sshd.c]       
+     enable server side rekeying + some rekey related clientup.         
+     todo: we should not send any non-KEX messages after we send KEXINIT
 
 20010404
  - OpenBSD CVS Sync
index 1ed245e22ff6de4c07f8134d6f7a4619a2e9e38f..1d09a8dd9fe60d937cc2e866a0543d871fbc1c78 100644 (file)
@@ -59,7 +59,7 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: clientloop.c,v 1.54 2001/04/04 00:06:53 markus Exp $");
+RCSID("$OpenBSD: clientloop.c,v 1.55 2001/04/04 14:34:58 markus Exp $");
 
 #include "ssh.h"
 #include "ssh1.h"
@@ -1205,10 +1205,7 @@ client_input_channel_req(int type, int plen, void *ctxt)
 void
 client_init_dispatch_20(void)
 {
-       int i;
-       /* dispatch_init(&dispatch_protocol_error); */
-       for (i = 50; i <= 254; i++)
-               dispatch_set(i, &dispatch_protocol_error);
+       dispatch_init(&dispatch_protocol_error);
        dispatch_set(SSH2_MSG_CHANNEL_CLOSE, &channel_input_oclose);
        dispatch_set(SSH2_MSG_CHANNEL_DATA, &channel_input_data);
        dispatch_set(SSH2_MSG_CHANNEL_EOF, &channel_input_ieof);
@@ -1218,6 +1215,9 @@ client_init_dispatch_20(void)
        dispatch_set(SSH2_MSG_CHANNEL_OPEN_FAILURE, &channel_input_open_failure);
        dispatch_set(SSH2_MSG_CHANNEL_REQUEST, &client_input_channel_req);
        dispatch_set(SSH2_MSG_CHANNEL_WINDOW_ADJUST, &channel_input_window_adjust);
+
+       /* rekeying */
+       dispatch_set(SSH2_MSG_KEXINIT, &kex_input_kexinit);
 }
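Review bot: kex_input_kexinit calls fatal() when its ctxt is NULL (see the kex.c hunk), so registering it here only works if every dispatch_run call in the client session loop passes the Kex pointer as ctxt; those calls are outside this diff, so confirm they hand over xxx_kex the way serverloop.c now does with `compat20 ? xxx_kex : NULL`. A comment on the registration would make that dependency explicit, e.g. `/* rekeying: handler requires the Kex as the dispatch ctxt, else it is fatal */`. client_init_dispatch_20 starts in the previous hunk.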
 void
 client_init_dispatch_13(void)
diff --git a/kex.c b/kex.c
index 1314270d4965d94790172c4989c8caeebc7c4432..ee1e17e02a6a4b4a7591b59979bef5def413d97d 100644 (file)
--- a/kex.c
+++ b/kex.c
@@ -23,7 +23,7 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: kex.c,v 1.28 2001/04/04 09:48:34 markus Exp $");
+RCSID("$OpenBSD: kex.c,v 1.29 2001/04/04 14:34:58 markus Exp $");
 
 #include <openssl/crypto.h>
 
@@ -111,10 +111,22 @@ kex_protocol_error(int type, int plen, void *ctxt)
         error("Hm, kex protocol error: type %d plen %d", type, plen);
 }
 
+void
+kex_clear_dispatch(void)
+{
+       int i;
+
+       /* Numbers 30-49 are used for kex packets */
+       for (i = 30; i <= 49; i++)
+               dispatch_set(i, &kex_protocol_error);
+}
+
 void
 kex_finish(Kex *kex)
 {
-       int i, plen;
+       int plen;
+
+       kex_clear_dispatch();
 
        packet_start(SSH2_MSG_NEWKEYS);
        packet_send();
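Review bot: kex_clear_dispatch is introduced with external linkage but no prototype is added to kex.h (that hunk only swaps kex_protocol_error for kex_input_kexinit), and both callers are in kex.c, so it should be `static void kex_clear_dispatch(void)`. The same applies to kex_protocol_error now that its declaration is removed from the header, if its definition (whose storage class sits just above this hunk) is not already static. A short header comment would also help readers of the two call sites: `/* Route the kex packet range (30-49) back to the error handler; run before the first exchange starts and when an exchange finishes. */`. Note that kex_protocol_error only logs and leaves the connection up, so an unsolicited kex-range message arriving outside an exchange is tolerated rather than treated as a protocol violation; that predates this change but now applies to the server side as well.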
@@ -125,8 +137,6 @@ kex_finish(Kex *kex)
         packet_read_expect(&plen, SSH2_MSG_NEWKEYS);
        debug("SSH2_MSG_NEWKEYS received");
        kex->newkeys = 1;
-       for (i = 30; i <= 49; i++)
-               dispatch_set(i, &kex_protocol_error);
        buffer_clear(&kex->peer);
        /* buffer_clear(&kex->my); */
        kex->flags &= ~KEX_INIT_SENT;
@@ -135,6 +145,10 @@ kex_finish(Kex *kex)
 void
 kex_send_kexinit(Kex *kex)
 {
+       if (kex == NULL) {
+               error("kex_send_kexinit: no kex, cannot rekey");
+               return;
+       }
        if (kex->flags & KEX_INIT_SENT) {
                debug("KEX_INIT_SENT");
                return;
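Review bot: The two new NULL-context checks treat the same condition differently: kex_send_kexinit logs via error() and returns, while kex_input_kexinit in the next hunk calls fatal(). That may be deliberate (a locally requested rekey can be ignored, a peer KEXINIT with no state to run it cannot), but nothing in the code says so, and a later "consistency" fix could align them the wrong way. A one-line comment on each would settle it, e.g. `/* local rekey request before the initial kex exists: ignore */` here and `/* peer started a kex we have no state for: unrecoverable */` in kex_input_kexinit.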
@@ -154,6 +168,8 @@ kex_input_kexinit(int type, int plen, void *ctxt)
        Kex *kex = (Kex *)ctxt;
 
        debug("SSH2_MSG_KEXINIT received");
+       if (kex == NULL)
+               fatal("kex_input_kexinit: no kex, cannot rekey");
 
        ptr = packet_get_raw(&dlen);
        buffer_append(&kex->peer, ptr, dlen);
@@ -165,7 +181,6 @@ Kex *
 kex_setup(char *proposal[PROPOSAL_MAX])
 {
        Kex *kex;
-       int i;
 
        kex = xmalloc(sizeof(*kex));
        memset(kex, 0, sizeof(*kex));
@@ -175,11 +190,9 @@ kex_setup(char *proposal[PROPOSAL_MAX])
        kex->newkeys = 0;
 
        kex_send_kexinit(kex);                                  /* we start */
-       /* Numbers 30-49 are used for kex packets */
-       for (i = 30; i <= 49; i++)
-               dispatch_set(i, kex_protocol_error);
-
+       kex_clear_dispatch();
        dispatch_set(SSH2_MSG_KEXINIT, &kex_input_kexinit);
+
        return kex;
 }
 
diff --git a/kex.h b/kex.h
index c37d3aa5fdb2c271b10b18b82557befbb3beb8e5..54134221ff0a120662bdda83a9d1e71ca2ea2861 100644 (file)
--- a/kex.h
+++ b/kex.h
@@ -1,4 +1,4 @@
-/*     $OpenBSD: kex.h,v 1.20 2001/04/04 09:48:34 markus Exp $ */
+/*     $OpenBSD: kex.h,v 1.21 2001/04/04 14:34:58 markus Exp $ */
 
 /*
  * Copyright (c) 2000 Markus Friedl.  All rights reserved.
@@ -115,7 +115,7 @@ Kex *kex_setup(char *proposal[PROPOSAL_MAX]);
 void   kex_finish(Kex *kex);
 
 void   kex_send_kexinit(Kex *kex);
-void   kex_protocol_error(int type, int plen, void *ctxt);
+void   kex_input_kexinit(int type, int plen, void *ctxt);
 void   kex_derive_keys(Kex *k, u_char *hash, BIGNUM *shared_secret);
 
 void   kexdh(Kex *);
index d1290ff228b1c450422072671da976923c6ca0e2..4ae02fd1007d28ddb238a4e5fe1e37f339e637c7 100644 (file)
@@ -35,7 +35,7 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: serverloop.c,v 1.55 2001/03/16 19:06:29 markus Exp $");
+RCSID("$OpenBSD: serverloop.c,v 1.56 2001/04/04 14:34:58 markus Exp $");
 
 #include "xmalloc.h"
 #include "packet.h"
@@ -53,9 +53,13 @@ RCSID("$OpenBSD: serverloop.c,v 1.55 2001/03/16 19:06:29 markus Exp $");
 #include "auth-options.h"
 #include "serverloop.h"
 #include "misc.h"
+#include "kex.h"
 
 extern ServerOptions options;
 
+/* XXX */
+extern Kex *xxx_kex;
+
 static Buffer stdin_buffer;    /* Buffer for stdin data. */
 static Buffer stdout_buffer;   /* Buffer for stdout data. */
 static Buffer stderr_buffer;   /* Buffer for stderr data. */
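Review bot: The new `/* XXX */` above `extern Kex *xxx_kex;` records nothing about the contract; it should say where the pointer is set and why serverloop needs it, e.g. `/* Kex state of the initial exchange, assigned in do_ssh2_kex() (sshd.c); passed as ctxt to kex_input_kexinit so a client KEXINIT can start a rekey. */`. The same placeholder, `/* for rekeying XXX fixme */`, sits on the definition in the sshd.c hunk. The `compat20 ? xxx_kex : NULL` guard in process_buffered_input_packets relies on xxx_kex staying NULL for protocol 1 sessions, which appears to hold since it is only assigned in do_ssh2_kex, but kex_input_kexinit is fatal on a NULL ctxt, so that invariant is worth stating in the comment too.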
@@ -391,7 +395,7 @@ drain_output(void)
 void
 process_buffered_input_packets(void)
 {
-       dispatch_run(DISPATCH_NONBLOCK, NULL, NULL);
+       dispatch_run(DISPATCH_NONBLOCK, NULL, compat20 ? xxx_kex : NULL);
 }
 
 /*
@@ -905,6 +909,9 @@ server_init_dispatch_20(void)
        dispatch_set(SSH2_MSG_CHANNEL_REQUEST, &channel_input_channel_request);
        dispatch_set(SSH2_MSG_CHANNEL_WINDOW_ADJUST, &channel_input_window_adjust);
        dispatch_set(SSH2_MSG_GLOBAL_REQUEST, &server_input_global_request);
+
+       /* rekeying */
+       dispatch_set(SSH2_MSG_KEXINIT, &kex_input_kexinit);
 }
 void
 server_init_dispatch_13(void)
index 895156704a740dc83b60d885bac6fe225b3f73b4..2f26aa5699711438bbf3518304dc61e8b11d418e 100644 (file)
@@ -23,7 +23,7 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: sshconnect2.c,v 1.64 2001/04/04 09:48:35 markus Exp $");
+RCSID("$OpenBSD: sshconnect2.c,v 1.65 2001/04/04 14:34:58 markus Exp $");
 
 #include <openssl/bn.h>
 #include <openssl/md5.h>
@@ -111,6 +111,7 @@ ssh_kex2(char *host, struct sockaddr *hostaddr)
                myproposal[PROPOSAL_MAC_ALGS_STOC] = options.macs;
        }
 
+       /* start key exchange */
        kex = kex_setup(myproposal);
        kex->client_version_string=client_version_string;
        kex->server_version_string=server_version_string;
@@ -118,7 +119,6 @@ ssh_kex2(char *host, struct sockaddr *hostaddr)
 
        xxx_kex = kex;
 
-       /* start key exchange */
        dispatch_run(DISPATCH_BLOCK, &kex->newkeys, kex);
 
        session_id2 = kex->session_id;
@@ -213,7 +213,6 @@ ssh_userauth2(const char *server_user, char *host)
        Authctxt authctxt;
        int type;
        int plen;
-       int i;
 
        if (options.challenge_reponse_authentication)
                options.kbd_interactive_authentication = 1;
@@ -254,10 +253,7 @@ ssh_userauth2(const char *server_user, char *host)
        /* initial userauth request */
        userauth_none(&authctxt);
 
-       /* dispatch_init(&input_userauth_error); */
-        for (i = 50; i <= 254; i++) {
-                dispatch_set(i, &input_userauth_error);
-        }
+       dispatch_init(&input_userauth_error);
        dispatch_set(SSH2_MSG_USERAUTH_SUCCESS, &input_userauth_success);
        dispatch_set(SSH2_MSG_USERAUTH_FAILURE, &input_userauth_failure);
        dispatch_set(SSH2_MSG_USERAUTH_BANNER, &input_userauth_banner);
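Review bot: Replacing the 50..254 loop with dispatch_init(&input_userauth_error) widens the reset: if dispatch_init covers every message type, as its name suggests (its definition is not in this diff), it also overwrites the SSH2_MSG_KEXINIT handler installed by kex_setup, so a server KEXINIT arriving during userauth would reach input_userauth_error until client_init_dispatch_20 re-registers kex_input_kexinit. That may be acceptable for now, given the commit's own todo about messages sent around KEXINIT, but it deserves a comment at this line, e.g. `/* resets every handler, including KEXINIT; rekeying is re-enabled in client_init_dispatch_20 */`. The same consideration applies to the client_init_dispatch_20 hunk in clientloop.c, which re-adds the handler immediately.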
diff --git a/sshd.c b/sshd.c
index 0bb4269d5a8a0cfacf2791109836ee3f762a727d..ea29e75ac304ea9fbc289aae985fbe28d96f19f5 100644 (file)
--- a/sshd.c
+++ b/sshd.c
@@ -40,7 +40,7 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: sshd.c,v 1.188 2001/04/04 09:48:35 markus Exp $");
+RCSID("$OpenBSD: sshd.c,v 1.189 2001/04/04 14:34:58 markus Exp $");
 
 #include <openssl/dh.h>
 #include <openssl/bn.h>
@@ -141,6 +141,9 @@ int num_listen_socks = 0;
 char *client_version_string = NULL;
 char *server_version_string = NULL;
 
+/* for rekeying XXX fixme */
+Kex *xxx_kex;
+
 /*
  * Any really sensitive data in the application is contained in this
  * structure. The idea is that this structure could be locked into memory so
@@ -1425,13 +1428,15 @@ do_ssh2_kex(void)
        }
        myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = list_hostkey_types();
 
+       /* start key exchange */
        kex = kex_setup(myproposal);
        kex->server = 1;
        kex->client_version_string=client_version_string;
        kex->server_version_string=server_version_string;
        kex->load_host_key=&get_hostkey_by_type;
 
-       /* start key exchange */
+       xxx_kex = kex;
+
        dispatch_run(DISPATCH_BLOCK, &kex->newkeys, kex);
 
        session_id2 = kex->session_id;