diff --git a/ChangeLog b/ChangeLog
index 4ca9cf0b0..0cc84157d 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -5,6 +5,10 @@
 don't sent multiple kexinit-requests.
 send newkeys, block while waiting for newkeys.
 fix comments.
+ - markus@cvs.openbsd.org 2001/04/04 14:34:58
+ [clientloop.c kex.c kex.h serverloop.c sshconnect2.c sshd.c]
+ enable server side rekeying + some rekey related clientup.
+ todo: we should not send any non-KEX messages after we send KEXINIT
 20010404
 - OpenBSD CVS Sync
@@ -4844,4 +4848,4 @@
 - Wrote replacements for strlcpy and mkdtemp
 - Released 1.0pre1
-$Id: ChangeLog,v 1.1055 2001/04/04 17:52:53 mouring Exp $
+$Id: ChangeLog,v 1.1056 2001/04/04 17:57:54 mouring Exp $
diff --git a/clientloop.c b/clientloop.c
index 1ed245e22..1d09a8dd9 100644
--- a/clientloop.c
+++ b/clientloop.c
@@ -59,7 +59,7 @@
 */
 #include "includes.h"
-RCSID("$OpenBSD: clientloop.c,v 1.54 2001/04/04 00:06:53 markus Exp $");
+RCSID("$OpenBSD: clientloop.c,v 1.55 2001/04/04 14:34:58 markus Exp $");
 #include "ssh.h"
 #include "ssh1.h"
@@ -1205,10 +1205,7 @@ client_input_channel_req(int type, int plen, void *ctxt)
 void
 client_init_dispatch_20(void)
 {
- int i;
- /* dispatch_init(&dispatch_protocol_error); */
- for (i = 50; i <= 254; i++)
- dispatch_set(i, &dispatch_protocol_error);
+ dispatch_init(&dispatch_protocol_error);
 dispatch_set(SSH2_MSG_CHANNEL_CLOSE, &channel_input_oclose);
 dispatch_set(SSH2_MSG_CHANNEL_DATA, &channel_input_data);
 dispatch_set(SSH2_MSG_CHANNEL_EOF, &channel_input_ieof);
@@ -1218,6 +1215,9 @@ client_init_dispatch_20(void)
 dispatch_set(SSH2_MSG_CHANNEL_OPEN_FAILURE, &channel_input_open_failure);
 dispatch_set(SSH2_MSG_CHANNEL_REQUEST, &client_input_channel_req);
 dispatch_set(SSH2_MSG_CHANNEL_WINDOW_ADJUST, &channel_input_window_adjust);
+
+ /* rekeying */
+ dispatch_set(SSH2_MSG_KEXINIT, &kex_input_kexinit);
 }
 void client_init_dispatch_13(void)
diff --git a/kex.c b/kex.c
index 1314270d4..ee1e17e02 100644
--- a/kex.c
+++ b/kex.c
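Review bot: The new `dispatch_set(SSH2_MSG_KEXINIT, &kex_input_kexinit)` in client_init_dispatch_20 only works if the client loop's dispatch_run passes the Kex as ctxt, because kex_input_kexinit (kex.c hunk @@ -154 of this commit) calls fatal() on a NULL context; that call site is not in this diff, so please confirm it passes `xxx_kex` under compat20 the way serverloop.c now does. The `/* rekeying */` comment should also explain why the entry has to be installed here at all: the preceding hunk replaces a loop that deliberately stopped at type 50 with `dispatch_init(&dispatch_protocol_error)`, which presumably resets the whole table and so drops the KEXINIT entry kex_setup installed. Suggested wording: `/* rekeying: re-install the KEXINIT handler that dispatch_init() above reset; the peer may start a rekey at any time */`.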
@@ -23,7 +23,7 @@
 */
 #include "includes.h"
-RCSID("$OpenBSD: kex.c,v 1.28 2001/04/04 09:48:34 markus Exp $");
+RCSID("$OpenBSD: kex.c,v 1.29 2001/04/04 14:34:58 markus Exp $");
 #include
@@ -111,10 +111,22 @@ kex_protocol_error(int type, int plen, void *ctxt)
 error("Hm, kex protocol error: type %d plen %d", type, plen);
 }
+void
+kex_clear_dispatch(void)
+{
+ int i;
+
+ /* Numbers 30-49 are used for kex packets */
+ for (i = 30; i <= 49; i++)
+ dispatch_set(i, &kex_protocol_error);
+}
+
 void
 kex_finish(Kex *kex)
 {
- int i, plen;
+ int plen;
+
+ kex_clear_dispatch();
 packet_start(SSH2_MSG_NEWKEYS);
 packet_send();
@@ -125,8 +137,6 @@ kex_finish(Kex *kex)
 packet_read_expect(&plen, SSH2_MSG_NEWKEYS);
 debug("SSH2_MSG_NEWKEYS received");
 kex->newkeys = 1;
- for (i = 30; i <= 49; i++)
- dispatch_set(i, &kex_protocol_error);
 buffer_clear(&kex->peer);
 /* buffer_clear(&kex->my); */
 kex->flags &= ~KEX_INIT_SENT;
@@ -135,6 +145,10 @@ kex_finish(Kex *kex)
 void
 kex_send_kexinit(Kex *kex)
 {
+ if (kex == NULL) {
+ error("kex_send_kexinit: no kex, cannot rekey");
+ return;
+ }
 if (kex->flags & KEX_INIT_SENT) {
 debug("KEX_INIT_SENT");
 return;
@@ -154,6 +168,8 @@ kex_input_kexinit(int type, int plen, void *ctxt)
 Kex *kex = (Kex *)ctxt;
 debug("SSH2_MSG_KEXINIT received");
+ if (kex == NULL)
+ fatal("kex_input_kexinit: no kex, cannot rekey");
 ptr = packet_get_raw(&dlen);
 buffer_append(&kex->peer, ptr, dlen);
@@ -165,7 +181,6 @@ Kex *
 kex_setup(char *proposal[PROPOSAL_MAX])
 {
 Kex *kex;
- int i;
 kex = xmalloc(sizeof(*kex));
 memset(kex, 0, sizeof(*kex));
@@ -175,11 +190,9 @@ kex_setup(char *proposal[PROPOSAL_MAX])
 kex->newkeys = 0;
 kex_send_kexinit(kex); /* we start */
- /* Numbers 30-49 are used for kex packets */
- for (i = 30; i <= 49; i++)
- dispatch_set(i, kex_protocol_error);
-
+ kex_clear_dispatch();
 dispatch_set(SSH2_MSG_KEXINIT, &kex_input_kexinit);
+
 return kex;
 }
diff --git a/kex.h b/kex.h
index c37d3aa5f..54134221f 100644
--- a/kex.h
+++ b/kex.h
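Review bot: kex_clear_dispatch() resets only types 30-49, so the SSH2_MSG_KEXINIT entry set by kex_setup and by the *_init_dispatch_20 tables survives kex_finish(), and that is exactly what lets a later KEXINIT from the peer reach kex_input_kexinit; this deserves a sentence in the comment, e.g. `/* Numbers 30-49 are used for kex packets; KEXINIT itself stays dispatched so the peer can start a rekey */`. Calling it at the top of kex_finish() (rather than after NEWKEYS, as the loop removed in the @@ -125 hunk did) means any kex-method packet that arrives while waiting for NEWKEYS is now a protocol error; that is stricter and looks intended, but say so next to the call. The bounds 30 and 49 also appeared in the loops removed from kex_finish and kex_setup; now that they live in one place, naming them would keep the next change from drifting.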
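Review bot: The NULL guard added to kex_send_kexinit() logs with error() and returns, whereas the guard added to kex_input_kexinit() in the next hunk calls fatal(); a caller that requests a rekey without a Kex therefore carries on silently under the old keys and gets no indication the request was dropped. If a soft failure is intentional (a user-triggered rekey before the Kex exists), state that in a comment and let the caller see a status; otherwise `fatal("kex_send_kexinit: no kex, cannot rekey");` keeps the two guards consistent. The remainder of kex_send_kexinit is outside the hunk.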
@@ -1,4 +1,4 @@
-/* $OpenBSD: kex.h,v 1.20 2001/04/04 09:48:34 markus Exp $ */
+/* $OpenBSD: kex.h,v 1.21 2001/04/04 14:34:58 markus Exp $ */
 /*
 * Copyright (c) 2000 Markus Friedl. All rights reserved.
@@ -115,7 +115,7 @@ Kex *kex_setup(char *proposal[PROPOSAL_MAX]);
 void kex_finish(Kex *kex);
 void kex_send_kexinit(Kex *kex);
-void kex_protocol_error(int type, int plen, void *ctxt);
+void kex_input_kexinit(int type, int plen, void *ctxt);
 void kex_derive_keys(Kex *k, u_char *hash, BIGNUM *shared_secret);
 void kexdh(Kex *);
diff --git a/serverloop.c b/serverloop.c
index d1290ff22..4ae02fd10 100644
--- a/serverloop.c
+++ b/serverloop.c
@@ -35,7 +35,7 @@
 */
 #include "includes.h"
-RCSID("$OpenBSD: serverloop.c,v 1.55 2001/03/16 19:06:29 markus Exp $");
+RCSID("$OpenBSD: serverloop.c,v 1.56 2001/04/04 14:34:58 markus Exp $");
 #include "xmalloc.h"
 #include "packet.h"
@@ -53,9 +53,13 @@ RCSID("$OpenBSD: serverloop.c,v 1.55 2001/03/16 19:06:29 markus Exp $");
 #include "auth-options.h"
 #include "serverloop.h"
 #include "misc.h"
+#include "kex.h"
 extern ServerOptions options;
+/* XXX */
+extern Kex *xxx_kex;
+
 static Buffer stdin_buffer; /* Buffer for stdin data. */
 static Buffer stdout_buffer; /* Buffer for stdout data. */
 static Buffer stderr_buffer; /* Buffer for stderr data. */
@@ -391,7 +395,7 @@ drain_output(void)
 void
 process_buffered_input_packets(void)
 {
- dispatch_run(DISPATCH_NONBLOCK, NULL, NULL);
+ dispatch_run(DISPATCH_NONBLOCK, NULL, compat20 ? xxx_kex : NULL);
 }
 /*
@@ -905,6 +909,9 @@ server_init_dispatch_20(void)
 dispatch_set(SSH2_MSG_CHANNEL_REQUEST, &channel_input_channel_request);
 dispatch_set(SSH2_MSG_CHANNEL_WINDOW_ADJUST, &channel_input_window_adjust);
 dispatch_set(SSH2_MSG_GLOBAL_REQUEST, &server_input_global_request);
+
+ /* rekeying */
+ dispatch_set(SSH2_MSG_KEXINIT, &kex_input_kexinit);
 }
 void server_init_dispatch_13(void)
diff --git a/sshconnect2.c b/sshconnect2.c
index 895156704..2f26aa569 100644
--- a/sshconnect2.c
+++ b/sshconnect2.c
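Review bot: Removing the kex_protocol_error prototype from kex.h takes it out of the public interface, but its definition in kex.c (visible only as the heading of the @@ -111 hunk) is not made `static` in this commit; unless another file still references it, change it to `static void kex_protocol_error(int type, int plen, void *ctxt)` so the linker enforces the new boundary. The new kex_input_kexinit prototype is a dispatch callback whose ctxt must be the Kex (kex.c fatals otherwise), and serverloop.c now relies on that; a one-line comment on the prototype, `/* dispatch handler for SSH2_MSG_KEXINIT; ctxt must be the Kex */`, would record the contract where callers look for it.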
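Review bot: In process_buffered_input_packets, `dispatch_run(DISPATCH_NONBLOCK, NULL, compat20 ? xxx_kex : NULL)` now hands the Kex to every handler in the table and depends on sshd.c assigning xxx_kex before the first call; the `/* XXX */ extern Kex *xxx_kex;` in the @@ -53 hunk is a file-local extern, so nothing checks the type against the definition in sshd.c. Declaring it once in a shared header and saying who owns it, e.g. `extern Kex *xxx_kex; /* set in do_ssh2_kex(); read by process_buffered_input_packets() for rekeying */`, would make the coupling visible. The `/* rekeying */` entry in the @@ -905 hunk should also carry the caveat the commit's own ChangeLog records: the server keeps sending non-KEX packets after KEXINIT, and nothing in this loop bounds how often the peer can start a rekey once the handler is live, e.g. `/* rekeying: peer-initiated; TODO stop sending non-KEX packets after KEXINIT (see ChangeLog) */`.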
@@ -23,7 +23,7 @@
 */
 #include "includes.h"
-RCSID("$OpenBSD: sshconnect2.c,v 1.64 2001/04/04 09:48:35 markus Exp $");
+RCSID("$OpenBSD: sshconnect2.c,v 1.65 2001/04/04 14:34:58 markus Exp $");
 #include
 #include
@@ -111,6 +111,7 @@ ssh_kex2(char *host, struct sockaddr *hostaddr)
 myproposal[PROPOSAL_MAC_ALGS_STOC] = options.macs;
 }
+ /* start key exchange */
 kex = kex_setup(myproposal);
 kex->client_version_string=client_version_string;
 kex->server_version_string=server_version_string;
@@ -118,7 +119,6 @@ ssh_kex2(char *host, struct sockaddr *hostaddr)
 xxx_kex = kex;
- /* start key exchange */
 dispatch_run(DISPATCH_BLOCK, &kex->newkeys, kex);
 session_id2 = kex->session_id;
@@ -213,7 +213,6 @@ ssh_userauth2(const char *server_user, char *host)
 Authctxt authctxt;
 int type;
 int plen;
- int i;
 if (options.challenge_reponse_authentication)
 options.kbd_interactive_authentication = 1;
@@ -254,10 +253,7 @@ ssh_userauth2(const char *server_user, char *host)
 /* initial userauth request */
 userauth_none(&authctxt);
- /* dispatch_init(&input_userauth_error); */
- for (i = 50; i <= 254; i++) {
- dispatch_set(i, &input_userauth_error);
- }
+ dispatch_init(&input_userauth_error);
 dispatch_set(SSH2_MSG_USERAUTH_SUCCESS, &input_userauth_success);
 dispatch_set(SSH2_MSG_USERAUTH_FAILURE, &input_userauth_failure);
 dispatch_set(SSH2_MSG_USERAUTH_BANNER, &input_userauth_banner);
diff --git a/sshd.c b/sshd.c
index 0bb4269d5..ea29e75ac 100644
--- a/sshd.c
+++ b/sshd.c
@@ -40,7 +40,7 @@
 */
 #include "includes.h"
-RCSID("$OpenBSD: sshd.c,v 1.188 2001/04/04 09:48:35 markus Exp $");
+RCSID("$OpenBSD: sshd.c,v 1.189 2001/04/04 14:34:58 markus Exp $");
 #include
 #include
@@ -141,6 +141,9 @@ int num_listen_socks = 0;
 char *client_version_string = NULL;
 char *server_version_string = NULL;
+/* for rekeying XXX fixme */
+Kex *xxx_kex;
+
 /*
 * Any really sensitive data in the application is contained in this
 * structure. The idea is that this structure could be locked into memory so
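Review bot: In ssh_userauth2, `dispatch_init(&input_userauth_error)` replaces a loop that deliberately stopped at type 50 (the commented-out dispatch_init next to the old loop suggests that was the reason); if dispatch_init resets the whole table, it also overwrites the SSH2_MSG_KEXINIT entry kex_setup installed, so a server that starts a rekey during user authentication now lands in input_userauth_error instead of kex_input_kexinit, and clientloop.c only re-installs the handler after authentication. Simply re-adding `dispatch_set(SSH2_MSG_KEXINIT, &kex_input_kexinit);` here is not enough on its own, because kex_input_kexinit expects the Kex as ctxt and the userauth dispatch_run (outside the hunk) presumably passes the authentication context instead. Either route the Kex through that loop, or document the gap: `/* dispatch_init resets the KEXINIT entry too: a rekey during userauth is treated as a protocol error until client_init_dispatch_20() */`.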
@@ -1425,13 +1428,15 @@ do_ssh2_kex(void)
 }
 myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = list_hostkey_types();
+ /* start key exchange */
 kex = kex_setup(myproposal);
 kex->server = 1;
 kex->client_version_string=client_version_string;
 kex->server_version_string=server_version_string;
 kex->load_host_key=&get_hostkey_by_type;
- /* start key exchange */
+ xxx_kex = kex;
+
 dispatch_run(DISPATCH_BLOCK, &kex->newkeys, kex);
 session_id2 = kex->session_id;
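Review bot: `xxx_kex = kex;` is the only link between this initial exchange and the rekey handler serverloop.c now runs, but neither end says so; a comment here, `xxx_kex = kex; /* serverloop.c dispatches peer-initiated rekeys through this */`, and on the definition in the @@ -141 hunk (currently `/* for rekeying XXX fixme */`) would give the next reader the ownership: allocated by kex_setup, kept for the life of the connection, and this diff shows no free. Moving `/* start key exchange */` above kex_setup is right, since kex_setup sends the first KEXINIT itself. do_ssh2_kex continues outside the hunk.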