don't sent multiple kexinit-requests.
send newkeys, block while waiting for newkeys.
fix comments.
+ - markus@cvs.openbsd.org 2001/04/04 14:34:58
+ [clientloop.c kex.c kex.h serverloop.c sshconnect2.c sshd.c]
+ enable server side rekeying + some rekey related clientup.
+ todo: we should not send any non-KEX messages after we send KEXINIT
20010404
- OpenBSD CVS Sync
*/
#include "includes.h"
-RCSID("$OpenBSD: clientloop.c,v 1.54 2001/04/04 00:06:53 markus Exp $");
+RCSID("$OpenBSD: clientloop.c,v 1.55 2001/04/04 14:34:58 markus Exp $");
#include "ssh.h"
#include "ssh1.h"
void
client_init_dispatch_20(void)
{
- int i;
- /* dispatch_init(&dispatch_protocol_error); */
- for (i = 50; i <= 254; i++)
- dispatch_set(i, &dispatch_protocol_error);
+ dispatch_init(&dispatch_protocol_error);
dispatch_set(SSH2_MSG_CHANNEL_CLOSE, &channel_input_oclose);
dispatch_set(SSH2_MSG_CHANNEL_DATA, &channel_input_data);
dispatch_set(SSH2_MSG_CHANNEL_EOF, &channel_input_ieof);
dispatch_set(SSH2_MSG_CHANNEL_OPEN_FAILURE, &channel_input_open_failure);
dispatch_set(SSH2_MSG_CHANNEL_REQUEST, &client_input_channel_req);
dispatch_set(SSH2_MSG_CHANNEL_WINDOW_ADJUST, &channel_input_window_adjust);
+
+ /* rekeying */
+ dispatch_set(SSH2_MSG_KEXINIT, &kex_input_kexinit);
}
void
client_init_dispatch_13(void)
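Review bot: Registering kex_input_kexinit for SSH2_MSG_KEXINIT at L32 only works if the client's dispatch_run passes the Kex pointer as ctxt: in the kex.c hunk of this same commit kex_input_kexinit casts ctxt to `Kex *` and fatal()s when it is NULL. The serverloop.c hunk updates its dispatch_run to pass `compat20 ? xxx_kex : NULL`, but the corresponding client-side call in clientloop.c is not part of this commit, so confirm it already supplies the context (the ChangeLog refers to earlier client-side rekey work); if it still passes NULL, a server-initiated KEXINIT would terminate the client rather than rekey. A comment next to L32 such as `/* requires dispatch_run() to pass the Kex as ctxt */` would make that dependency visible to the next reader.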
*/
#include "includes.h"
-RCSID("$OpenBSD: kex.c,v 1.28 2001/04/04 09:48:34 markus Exp $");
+RCSID("$OpenBSD: kex.c,v 1.29 2001/04/04 14:34:58 markus Exp $");
#include <openssl/crypto.h>
error("Hm, kex protocol error: type %d plen %d", type, plen);
}
+void
+kex_clear_dispatch(void)
+{
+ int i;
+
+ /* Numbers 30-49 are used for kex packets */
+ for (i = 30; i <= 49; i++)
+ dispatch_set(i, &kex_protocol_error);
+}
+
void
kex_finish(Kex *kex)
{
- int i, plen;
+ int plen;
+
+ kex_clear_dispatch();
packet_start(SSH2_MSG_NEWKEYS);
packet_send();
packet_read_expect(&plen, SSH2_MSG_NEWKEYS);
debug("SSH2_MSG_NEWKEYS received");
kex->newkeys = 1;
- for (i = 30; i <= 49; i++)
- dispatch_set(i, &kex_protocol_error);
buffer_clear(&kex->peer);
/* buffer_clear(&kex->my); */
kex->flags &= ~KEX_INIT_SENT;
void
kex_send_kexinit(Kex *kex)
{
+ if (kex == NULL) {
+ error("kex_send_kexinit: no kex, cannot rekey");
+ return;
+ }
if (kex->flags & KEX_INIT_SENT) {
debug("KEX_INIT_SENT");
return;
Kex *kex = (Kex *)ctxt;
debug("SSH2_MSG_KEXINIT received");
+ if (kex == NULL)
+ fatal("kex_input_kexinit: no kex, cannot rekey");
ptr = packet_get_raw(&dlen);
buffer_append(&kex->peer, ptr, dlen);
kex_setup(char *proposal[PROPOSAL_MAX])
{
Kex *kex;
- int i;
kex = xmalloc(sizeof(*kex));
memset(kex, 0, sizeof(*kex));
kex->newkeys = 0;
kex_send_kexinit(kex); /* we start */
- /* Numbers 30-49 are used for kex packets */
- for (i = 30; i <= 49; i++)
- dispatch_set(i, kex_protocol_error);
-
+ kex_clear_dispatch();
dispatch_set(SSH2_MSG_KEXINIT, &kex_input_kexinit);
+
return kex;
}
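Review bot: kex_finish (L53–L69, body continues past the hunk) now calls `packet_read_expect(&plen, SSH2_MSG_NEWKEYS)` at L62, which turns a rekey into a blocking wait inside whatever dispatch_run loop invoked it — on the server that is the DISPATCH_NONBLOCK call in process_buffered_input_packets — so no other traffic is serviced until the peer's NEWKEYS arrives, and presumably any other packet type arriving first is fatal. That matches the ChangeLog line "block while waiting for newkeys", but a comment on L62 such as `/* blocks the caller, even a nonblocking dispatch_run, until the peer's NEWKEYS arrives */` would record the intent where the code is read. Separately, kex_clear_dispatch (L43–L51) is defined with external linkage but the visible kex.h hunk adds no prototype for it; since both callers are in kex.c, `static void kex_clear_dispatch(void)` is the smaller fix.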
-/* $OpenBSD: kex.h,v 1.20 2001/04/04 09:48:34 markus Exp $ */
+/* $OpenBSD: kex.h,v 1.21 2001/04/04 14:34:58 markus Exp $ */
/*
* Copyright (c) 2000 Markus Friedl. All rights reserved.
void kex_finish(Kex *kex);
void kex_send_kexinit(Kex *kex);
-void kex_protocol_error(int type, int plen, void *ctxt);
+void kex_input_kexinit(int type, int plen, void *ctxt);
void kex_derive_keys(Kex *k, u_char *hash, BIGNUM *shared_secret);
void kexdh(Kex *);
*/
#include "includes.h"
-RCSID("$OpenBSD: serverloop.c,v 1.55 2001/03/16 19:06:29 markus Exp $");
+RCSID("$OpenBSD: serverloop.c,v 1.56 2001/04/04 14:34:58 markus Exp $");
#include "xmalloc.h"
#include "packet.h"
#include "auth-options.h"
#include "serverloop.h"
#include "misc.h"
+#include "kex.h"
extern ServerOptions options;
+/* XXX */
+extern Kex *xxx_kex;
+
static Buffer stdin_buffer; /* Buffer for stdin data. */
static Buffer stdout_buffer; /* Buffer for stdout data. */
static Buffer stderr_buffer; /* Buffer for stderr data. */
void
process_buffered_input_packets(void)
{
- dispatch_run(DISPATCH_NONBLOCK, NULL, NULL);
+ dispatch_run(DISPATCH_NONBLOCK, NULL, compat20 ? xxx_kex : NULL);
}
/*
dispatch_set(SSH2_MSG_CHANNEL_REQUEST, &channel_input_channel_request);
dispatch_set(SSH2_MSG_CHANNEL_WINDOW_ADJUST, &channel_input_window_adjust);
dispatch_set(SSH2_MSG_GLOBAL_REQUEST, &server_input_global_request);
+
+ /* rekeying */
+ dispatch_set(SSH2_MSG_KEXINIT, &kex_input_kexinit);
}
void
server_init_dispatch_13(void)
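Review bot: The new `extern Kex *xxx_kex;` at L125 is documented only by `/* XXX */`, while L134 makes it the ctxt handed to every dispatched handler; the sshd.c hunk in this commit defines it with `/* for rekeying XXX fixme */` and assigns it after kex_setup(). A comment stating the contract, e.g. `/* XXX set by sshd.c after kex_setup(); passed as dispatch ctxt so kex_input_kexinit can rekey (SSH2 only, hence compat20) */`, would explain both the compat20 guard and why the global exists. It is also worth noting that with L142 the server accepts a client-initiated KEXINIT at any point once this dispatch table is installed, and each one runs a full key exchange through the blocking kex_finish path; recording that in the `/* rekeying */` comment will help whoever later replaces the xxx_kex workaround.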
*/
#include "includes.h"
-RCSID("$OpenBSD: sshconnect2.c,v 1.64 2001/04/04 09:48:35 markus Exp $");
+RCSID("$OpenBSD: sshconnect2.c,v 1.65 2001/04/04 14:34:58 markus Exp $");
#include <openssl/bn.h>
#include <openssl/md5.h>
myproposal[PROPOSAL_MAC_ALGS_STOC] = options.macs;
}
+ /* start key exchange */
kex = kex_setup(myproposal);
kex->client_version_string=client_version_string;
kex->server_version_string=server_version_string;
xxx_kex = kex;
- /* start key exchange */
dispatch_run(DISPATCH_BLOCK, &kex->newkeys, kex);
session_id2 = kex->session_id;
Authctxt authctxt;
int type;
int plen;
- int i;
if (options.challenge_reponse_authentication)
options.kbd_interactive_authentication = 1;
/* initial userauth request */
userauth_none(&authctxt);
- /* dispatch_init(&input_userauth_error); */
- for (i = 50; i <= 254; i++) {
- dispatch_set(i, &input_userauth_error);
- }
+ dispatch_init(&input_userauth_error);
dispatch_set(SSH2_MSG_USERAUTH_SUCCESS, &input_userauth_success);
dispatch_set(SSH2_MSG_USERAUTH_FAILURE, &input_userauth_failure);
dispatch_set(SSH2_MSG_USERAUTH_BANNER, &input_userauth_banner);
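Review bot: Replacing the 50–254 loop with `dispatch_init(&input_userauth_error)` at L174 presumably resets the whole table, including the 20–49 kex range, so a KEXINIT arriving during userauth now lands in input_userauth_error rather than kex_input_kexinit, which the clientloop.c hunk re-registers only in client_init_dispatch_20. The previous code had dispatch_init commented out and touched only 50–254, which suggests the narrower reset was once deliberate; if rejecting rekeying during userauth is intended now, a comment such as `/* resets the kex range too: rekeying is not accepted during userauth */` would make that explicit, and if not, the KEXINIT handler needs re-adding after L174. The enclosing function starts before L162 and ends after L177.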
*/
#include "includes.h"
-RCSID("$OpenBSD: sshd.c,v 1.188 2001/04/04 09:48:35 markus Exp $");
+RCSID("$OpenBSD: sshd.c,v 1.189 2001/04/04 14:34:58 markus Exp $");
#include <openssl/dh.h>
#include <openssl/bn.h>
char *client_version_string = NULL;
char *server_version_string = NULL;
+/* for rekeying XXX fixme */
+Kex *xxx_kex;
+
/*
* Any really sensitive data in the application is contained in this
* structure. The idea is that this structure could be locked into memory so
}
myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = list_hostkey_types();
+ /* start key exchange */
kex = kex_setup(myproposal);
kex->server = 1;
kex->client_version_string=client_version_string;
kex->server_version_string=server_version_string;
kex->load_host_key=&get_hostkey_by_type;
- /* start key exchange */
+ xxx_kex = kex;
+
dispatch_run(DISPATCH_BLOCK, &kex->newkeys, kex);
session_id2 = kex->session_id;