- markus@cvs.openbsd.org 2001/04/04 14:34:58
[clientloop.c kex.c kex.h serverloop.c sshconnect2.c sshd.c] enable server side rekeying + some rekey related clientup. todo: we should not send any non-KEX messages after we send KEXINIT
parent
238abf6a14
commit
8ac9106c3d
@ -5,6 +5,10 @@
|
||||
don't sent multiple kexinit-requests.
|
||||
send newkeys, block while waiting for newkeys.
|
||||
fix comments.
|
||||
- markus@cvs.openbsd.org 2001/04/04 14:34:58
|
||||
[clientloop.c kex.c kex.h serverloop.c sshconnect2.c sshd.c]
|
||||
enable server side rekeying + some rekey related clientup.
|
||||
todo: we should not send any non-KEX messages after we send KEXINIT
|
||||
|
||||
20010404
|
||||
- OpenBSD CVS Sync
|
||||
@ -4844,4 +4848,4 @@
|
||||
- Wrote replacements for strlcpy and mkdtemp
|
||||
- Released 1.0pre1
|
||||
|
||||
$Id: ChangeLog,v 1.1055 2001/04/04 17:52:53 mouring Exp $
|
||||
$Id: ChangeLog,v 1.1056 2001/04/04 17:57:54 mouring Exp $
|
||||
|
10
clientloop.c
10
clientloop.c
@ -59,7 +59,7 @@
|
||||
*/
|
||||
|
||||
#include "includes.h"
|
||||
RCSID("$OpenBSD: clientloop.c,v 1.54 2001/04/04 00:06:53 markus Exp $");
|
||||
RCSID("$OpenBSD: clientloop.c,v 1.55 2001/04/04 14:34:58 markus Exp $");
|
||||
|
||||
#include "ssh.h"
|
||||
#include "ssh1.h"
|
||||
@ -1205,10 +1205,7 @@ client_input_channel_req(int type, int plen, void *ctxt)
|
||||
void
|
||||
client_init_dispatch_20(void)
|
||||
{
|
||||
int i;
|
||||
/* dispatch_init(&dispatch_protocol_error); */
|
||||
for (i = 50; i <= 254; i++)
|
||||
dispatch_set(i, &dispatch_protocol_error);
|
||||
dispatch_init(&dispatch_protocol_error);
|
||||
dispatch_set(SSH2_MSG_CHANNEL_CLOSE, &channel_input_oclose);
|
||||
dispatch_set(SSH2_MSG_CHANNEL_DATA, &channel_input_data);
|
||||
dispatch_set(SSH2_MSG_CHANNEL_EOF, &channel_input_ieof);
|
||||
@ -1218,6 +1215,9 @@ client_init_dispatch_20(void)
|
||||
dispatch_set(SSH2_MSG_CHANNEL_OPEN_FAILURE, &channel_input_open_failure);
|
||||
dispatch_set(SSH2_MSG_CHANNEL_REQUEST, &client_input_channel_req);
|
||||
dispatch_set(SSH2_MSG_CHANNEL_WINDOW_ADJUST, &channel_input_window_adjust);
|
||||
|
||||
/* rekeying */
|
||||
dispatch_set(SSH2_MSG_KEXINIT, &kex_input_kexinit);
|
||||
}
|
||||
void
|
||||
client_init_dispatch_13(void)
|
||||
|
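Review bot: The new `dispatch_set(SSH2_MSG_KEXINIT, &kex_input_kexinit);` in client_init_dispatch_20 installs a handler that, per the kex.c hunk on this page, calls fatal() when its ctxt argument is NULL, yet the client's dispatch_run() call that feeds this table is not part of this hunk, so it should be confirmed that it passes the Kex object (the server side does so with `compat20 ? xxx_kex : NULL`). If the client loop still passes NULL as ctxt, any KEXINIT sent by the peer terminates the session instead of starting a rekey. A one-line comment on the new entry would make that dependency visible to the next maintainer: `/* rekeying: handler requires the current Kex as the dispatch ctxt */`. The switch from the 50..254 loop to `dispatch_init(&dispatch_protocol_error)` also resets types 0..49, so any handler for that range must be installed after it, as the KEXINIT line already is.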
31
kex.c
31
kex.c
@ -23,7 +23,7 @@
|
||||
*/
|
||||
|
||||
#include "includes.h"
|
||||
RCSID("$OpenBSD: kex.c,v 1.28 2001/04/04 09:48:34 markus Exp $");
|
||||
RCSID("$OpenBSD: kex.c,v 1.29 2001/04/04 14:34:58 markus Exp $");
|
||||
|
||||
#include <openssl/crypto.h>
|
||||
|
||||
@ -111,10 +111,22 @@ kex_protocol_error(int type, int plen, void *ctxt)
|
||||
error("Hm, kex protocol error: type %d plen %d", type, plen);
|
||||
}
|
||||
|
||||
void
|
||||
kex_clear_dispatch(void)
|
||||
{
|
||||
int i;
|
||||
|
||||
/* Numbers 30-49 are used for kex packets */
|
||||
for (i = 30; i <= 49; i++)
|
||||
dispatch_set(i, &kex_protocol_error);
|
||||
}
|
||||
|
||||
void
|
||||
kex_finish(Kex *kex)
|
||||
{
|
||||
int i, plen;
|
||||
int plen;
|
||||
|
||||
kex_clear_dispatch();
|
||||
|
||||
packet_start(SSH2_MSG_NEWKEYS);
|
||||
packet_send();
|
||||
@ -125,8 +137,6 @@ kex_finish(Kex *kex)
|
||||
packet_read_expect(&plen, SSH2_MSG_NEWKEYS);
|
||||
debug("SSH2_MSG_NEWKEYS received");
|
||||
kex->newkeys = 1;
|
||||
for (i = 30; i <= 49; i++)
|
||||
dispatch_set(i, &kex_protocol_error);
|
||||
buffer_clear(&kex->peer);
|
||||
/* buffer_clear(&kex->my); */
|
||||
kex->flags &= ~KEX_INIT_SENT;
|
||||
@ -135,6 +145,10 @@ kex_finish(Kex *kex)
|
||||
void
|
||||
kex_send_kexinit(Kex *kex)
|
||||
{
|
||||
if (kex == NULL) {
|
||||
error("kex_send_kexinit: no kex, cannot rekey");
|
||||
return;
|
||||
}
|
||||
if (kex->flags & KEX_INIT_SENT) {
|
||||
debug("KEX_INIT_SENT");
|
||||
return;
|
||||
@ -154,6 +168,8 @@ kex_input_kexinit(int type, int plen, void *ctxt)
|
||||
Kex *kex = (Kex *)ctxt;
|
||||
|
||||
debug("SSH2_MSG_KEXINIT received");
|
||||
if (kex == NULL)
|
||||
fatal("kex_input_kexinit: no kex, cannot rekey");
|
||||
|
||||
ptr = packet_get_raw(&dlen);
|
||||
buffer_append(&kex->peer, ptr, dlen);
|
||||
@ -165,7 +181,6 @@ Kex *
|
||||
kex_setup(char *proposal[PROPOSAL_MAX])
|
||||
{
|
||||
Kex *kex;
|
||||
int i;
|
||||
|
||||
kex = xmalloc(sizeof(*kex));
|
||||
memset(kex, 0, sizeof(*kex));
|
||||
@ -175,11 +190,9 @@ kex_setup(char *proposal[PROPOSAL_MAX])
|
||||
kex->newkeys = 0;
|
||||
|
||||
kex_send_kexinit(kex); /* we start */
|
||||
/* Numbers 30-49 are used for kex packets */
|
||||
for (i = 30; i <= 49; i++)
|
||||
dispatch_set(i, kex_protocol_error);
|
||||
|
||||
kex_clear_dispatch();
|
||||
dispatch_set(SSH2_MSG_KEXINIT, &kex_input_kexinit);
|
||||
|
||||
return kex;
|
||||
}
|
||||
|
||||
|
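Review bot: kex_clear_dispatch is a new file-level function with external linkage, but no prototype for it appears in the kex.h hunk on this page; if it is only called from kex_finish and kex_setup it should be `static void kex_clear_dispatch(void)` so it stays out of the global namespace. Its comment should also say what the caller may rely on, e.g. `/* Reset the kex-method message range (30-49) to the error handler; the SSH2_MSG_KEXINIT handler is outside that range and remains installed, so a later rekey request is still accepted. */`. Separately, the NULL-kex path added to kex_send_kexinit only logs via error() and returns, so a caller asking for a rekey gets no indication the request was dropped; a return value would let callers react, and `debug("KEX_INIT_SENT")` would be clearer as `debug("kex_send_kexinit: KEXINIT already sent, not resending")`. kex_send_kexinit's body continues outside the hunk.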
4
kex.h
4
kex.h
@ -1,4 +1,4 @@
|
||||
/* $OpenBSD: kex.h,v 1.20 2001/04/04 09:48:34 markus Exp $ */
|
||||
/* $OpenBSD: kex.h,v 1.21 2001/04/04 14:34:58 markus Exp $ */
|
||||
|
||||
/*
|
||||
* Copyright (c) 2000 Markus Friedl. All rights reserved.
|
||||
@ -115,7 +115,7 @@ Kex *kex_setup(char *proposal[PROPOSAL_MAX]);
|
||||
void kex_finish(Kex *kex);
|
||||
|
||||
void kex_send_kexinit(Kex *kex);
|
||||
void kex_protocol_error(int type, int plen, void *ctxt);
|
||||
void kex_input_kexinit(int type, int plen, void *ctxt);
|
||||
void kex_derive_keys(Kex *k, u_char *hash, BIGNUM *shared_secret);
|
||||
|
||||
void kexdh(Kex *);
|
||||
|
11
serverloop.c
11
serverloop.c
@ -35,7 +35,7 @@
|
||||
*/
|
||||
|
||||
#include "includes.h"
|
||||
RCSID("$OpenBSD: serverloop.c,v 1.55 2001/03/16 19:06:29 markus Exp $");
|
||||
RCSID("$OpenBSD: serverloop.c,v 1.56 2001/04/04 14:34:58 markus Exp $");
|
||||
|
||||
#include "xmalloc.h"
|
||||
#include "packet.h"
|
||||
@ -53,9 +53,13 @@ RCSID("$OpenBSD: serverloop.c,v 1.55 2001/03/16 19:06:29 markus Exp $");
|
||||
#include "auth-options.h"
|
||||
#include "serverloop.h"
|
||||
#include "misc.h"
|
||||
#include "kex.h"
|
||||
|
||||
extern ServerOptions options;
|
||||
|
||||
/* XXX */
|
||||
extern Kex *xxx_kex;
|
||||
|
||||
static Buffer stdin_buffer; /* Buffer for stdin data. */
|
||||
static Buffer stdout_buffer; /* Buffer for stdout data. */
|
||||
static Buffer stderr_buffer; /* Buffer for stderr data. */
|
||||
@ -391,7 +395,7 @@ drain_output(void)
|
||||
void
|
||||
process_buffered_input_packets(void)
|
||||
{
|
||||
dispatch_run(DISPATCH_NONBLOCK, NULL, NULL);
|
||||
dispatch_run(DISPATCH_NONBLOCK, NULL, compat20 ? xxx_kex : NULL);
|
||||
}
|
||||
|
||||
/*
|
||||
@ -905,6 +909,9 @@ server_init_dispatch_20(void)
|
||||
dispatch_set(SSH2_MSG_CHANNEL_REQUEST, &channel_input_channel_request);
|
||||
dispatch_set(SSH2_MSG_CHANNEL_WINDOW_ADJUST, &channel_input_window_adjust);
|
||||
dispatch_set(SSH2_MSG_GLOBAL_REQUEST, &server_input_global_request);
|
||||
|
||||
/* rekeying */
|
||||
dispatch_set(SSH2_MSG_KEXINIT, &kex_input_kexinit);
|
||||
}
|
||||
void
|
||||
server_init_dispatch_13(void)
|
||||
|
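Review bot: `extern Kex *xxx_kex;` is introduced under a bare `/* XXX */` and is then handed to every protocol-2 dispatch handler as ctxt in process_buffered_input_packets, so the comment should state the contract rather than just mark it: `/* Kex state of this connection, defined in sshd.c and assigned in do_ssh2_kex() before the first dispatch_run(); passed as ctxt so kex_input_kexinit can service a client-initiated rekey. */`. The same applies to the definition in the sshd.c section, whose `/* for rekeying XXX fixme */` gives the reader no lifetime or ownership information. Because kex_input_kexinit fatal()s on a NULL ctxt (kex.c hunk), the `compat20 ? xxx_kex : NULL` guard is only safe while xxx_kex is always assigned before the server loop runs for protocol 2; the sshd.c hunk does assign it in do_ssh2_kex, so this holds as long as nothing else resets the global.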
@ -23,7 +23,7 @@
|
||||
*/
|
||||
|
||||
#include "includes.h"
|
||||
RCSID("$OpenBSD: sshconnect2.c,v 1.64 2001/04/04 09:48:35 markus Exp $");
|
||||
RCSID("$OpenBSD: sshconnect2.c,v 1.65 2001/04/04 14:34:58 markus Exp $");
|
||||
|
||||
#include <openssl/bn.h>
|
||||
#include <openssl/md5.h>
|
||||
@ -111,6 +111,7 @@ ssh_kex2(char *host, struct sockaddr *hostaddr)
|
||||
myproposal[PROPOSAL_MAC_ALGS_STOC] = options.macs;
|
||||
}
|
||||
|
||||
/* start key exchange */
|
||||
kex = kex_setup(myproposal);
|
||||
kex->client_version_string=client_version_string;
|
||||
kex->server_version_string=server_version_string;
|
||||
@ -118,7 +119,6 @@ ssh_kex2(char *host, struct sockaddr *hostaddr)
|
||||
|
||||
xxx_kex = kex;
|
||||
|
||||
/* start key exchange */
|
||||
dispatch_run(DISPATCH_BLOCK, &kex->newkeys, kex);
|
||||
|
||||
session_id2 = kex->session_id;
|
||||
@ -213,7 +213,6 @@ ssh_userauth2(const char *server_user, char *host)
|
||||
Authctxt authctxt;
|
||||
int type;
|
||||
int plen;
|
||||
int i;
|
||||
|
||||
if (options.challenge_reponse_authentication)
|
||||
options.kbd_interactive_authentication = 1;
|
||||
@ -254,10 +253,7 @@ ssh_userauth2(const char *server_user, char *host)
|
||||
/* initial userauth request */
|
||||
userauth_none(&authctxt);
|
||||
|
||||
/* dispatch_init(&input_userauth_error); */
|
||||
for (i = 50; i <= 254; i++) {
|
||||
dispatch_set(i, &input_userauth_error);
|
||||
}
|
||||
dispatch_init(&input_userauth_error);
|
||||
dispatch_set(SSH2_MSG_USERAUTH_SUCCESS, &input_userauth_success);
|
||||
dispatch_set(SSH2_MSG_USERAUTH_FAILURE, &input_userauth_failure);
|
||||
dispatch_set(SSH2_MSG_USERAUTH_BANNER, &input_userauth_banner);
|
||||
|
9
sshd.c
9
sshd.c
@ -40,7 +40,7 @@
|
||||
*/
|
||||
|
||||
#include "includes.h"
|
||||
RCSID("$OpenBSD: sshd.c,v 1.188 2001/04/04 09:48:35 markus Exp $");
|
||||
RCSID("$OpenBSD: sshd.c,v 1.189 2001/04/04 14:34:58 markus Exp $");
|
||||
|
||||
#include <openssl/dh.h>
|
||||
#include <openssl/bn.h>
|
||||
@ -141,6 +141,9 @@ int num_listen_socks = 0;
|
||||
char *client_version_string = NULL;
|
||||
char *server_version_string = NULL;
|
||||
|
||||
/* for rekeying XXX fixme */
|
||||
Kex *xxx_kex;
|
||||
|
||||
/*
|
||||
* Any really sensitive data in the application is contained in this
|
||||
* structure. The idea is that this structure could be locked into memory so
|
||||
@ -1425,13 +1428,15 @@ do_ssh2_kex(void)
|
||||
}
|
||||
myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = list_hostkey_types();
|
||||
|
||||
/* start key exchange */
|
||||
kex = kex_setup(myproposal);
|
||||
kex->server = 1;
|
||||
kex->client_version_string=client_version_string;
|
||||
kex->server_version_string=server_version_string;
|
||||
kex->load_host_key=&get_hostkey_by_type;
|
||||
|
||||
/* start key exchange */
|
||||
xxx_kex = kex;
|
||||
|
||||
dispatch_run(DISPATCH_BLOCK, &kex->newkeys, kex);
|
||||
|
||||
session_id2 = kex->session_id;
|
||||
|
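Review bot: In do_ssh2_kex, `kex->server = 1;` is set only after `kex = kex_setup(myproposal);` returns, and the kex.c hunk shows kex_setup already sends the first KEXINIT (`kex_send_kexinit(kex); /* we start */`) before it returns; if anything on the proposal or send path consults kex->server, it observes 0 during the initial exchange. That may be harmless today, but it is fragile for the rekey path this commit enables, so either confirm nothing reads the flag before this point or have kex_setup take the role as an argument. A short comment on the assignment, `/* role flag; set after kex_setup(), which has already sent our KEXINIT */`, would at least record the ordering. The rest of do_ssh2_kex continues outside the hunk.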