author | Ben Lindstrom <mouring@eviladmin.org> | 2001-04-04 17:57:54 +0000 |
---|---|---|
committer | Ben Lindstrom <mouring@eviladmin.org> | 2001-04-04 17:57:54 +0000 |
commit | 8ac9106c3dfbc1f02ddf237067cccd54ffac4e8d (patch) | |
tree | f7ec941db419252643adbf7a1b13895c92bca0d9 | |
parent | 238abf6a14d6ed038918fa35f618089230e68fd6 (diff) |
- markus@cvs.openbsd.org 2001/04/04 14:34:58
[clientloop.c kex.c kex.h serverloop.c sshconnect2.c sshd.c]
enable server side rekeying + some rekey related cleanup.
todo: we should not send any non-KEX messages after we send KEXINIT
-rw-r--r-- | ChangeLog | 6 | ||||
-rw-r--r-- | clientloop.c | 10 | ||||
-rw-r--r-- | kex.c | 31 | ||||
-rw-r--r-- | kex.h | 4 | ||||
-rw-r--r-- | serverloop.c | 11 | ||||
-rw-r--r-- | sshconnect2.c | 10 | ||||
-rw-r--r-- | sshd.c | 9 |
7 files changed, 53 insertions, 28 deletions
@@ -5,6 +5,10 @@ | |||
5 | don't sent multiple kexinit-requests. | 5 | don't sent multiple kexinit-requests. |
6 | send newkeys, block while waiting for newkeys. | 6 | send newkeys, block while waiting for newkeys. |
7 | fix comments. | 7 | fix comments. |
8 | - markus@cvs.openbsd.org 2001/04/04 14:34:58 | ||
9 | [clientloop.c kex.c kex.h serverloop.c sshconnect2.c sshd.c] | ||
10 | enable server side rekeying + some rekey related clientup. | ||
11 | todo: we should not send any non-KEX messages after we send KEXINIT | ||
8 | 12 | ||
9 | 20010404 | 13 | 20010404 |
10 | - OpenBSD CVS Sync | 14 | - OpenBSD CVS Sync |
@@ -4844,4 +4848,4 @@ | |||
4844 | - Wrote replacements for strlcpy and mkdtemp | 4848 | - Wrote replacements for strlcpy and mkdtemp |
4845 | - Released 1.0pre1 | 4849 | - Released 1.0pre1 |
4846 | 4850 | ||
4847 | $Id: ChangeLog,v 1.1055 2001/04/04 17:52:53 mouring Exp $ | 4851 | $Id: ChangeLog,v 1.1056 2001/04/04 17:57:54 mouring Exp $ |
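--- a/clientloop.c
+++ b/clientloop.c
@@ -59,7 +59,7 @@
 */
 
 #include "includes.h"
-RCSID("$OpenBSD: clientloop.c,v 1.54 2001/04/04 00:06:53 markus Exp $");
+RCSID("$OpenBSD: clientloop.c,v 1.55 2001/04/04 14:34:58 markus Exp $");
 
 #include "ssh.h"
 #include "ssh1.h"
@@ -1205,10 +1205,7 @@ client_input_channel_req(int type, int plen, void *ctxt)
 void
 client_init_dispatch_20(void)
 {
-int i;
-/* dispatch_init(&dispatch_protocol_error); */
-for (i = 50; i <= 254; i++)
-dispatch_set(i, &dispatch_protocol_error);
+dispatch_init(&dispatch_protocol_error);
 dispatch_set(SSH2_MSG_CHANNEL_CLOSE, &channel_input_oclose);
 dispatch_set(SSH2_MSG_CHANNEL_DATA, &channel_input_data);
 dispatch_set(SSH2_MSG_CHANNEL_EOF, &channel_input_ieof);
@@ -1218,6 +1215,9 @@ client_init_dispatch_20(void)
 dispatch_set(SSH2_MSG_CHANNEL_OPEN_FAILURE, &channel_input_open_failure);
 dispatch_set(SSH2_MSG_CHANNEL_REQUEST, &client_input_channel_req);
 dispatch_set(SSH2_MSG_CHANNEL_WINDOW_ADJUST, &channel_input_window_adjust);
+
+/* rekeying */
+dispatch_set(SSH2_MSG_KEXINIT, &kex_input_kexinit);
 }
 void
 client_init_dispatch_13(void)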
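Review bot: The new `dispatch_set(SSH2_MSG_KEXINIT, &kex_input_kexinit)` in client_init_dispatch_20 only helps if the client's dispatch_run() call passes the Kex as ctxt; kex_input_kexinit in this commit's kex.c hunk calls fatal() when ctxt is NULL, so a server-initiated KEXINIT would abort the session instead of rekeying. That call site is not in this diff, so I cannot confirm it here — serverloop.c in the same commit switches its dispatch_run to `compat20 ? xxx_kex : NULL`, and the client loop needs the equivalent if it does not already have it. The `dispatch_init(&dispatch_protocol_error)` line also deserves a comment, since it appears to reset the whole table rather than only types 50–254 as the old loop did (dispatch_init's body is not shown): `/* every type not registered below, including the KEX range, is a protocol error */`.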
@@ -23,7 +23,7 @@ | |||
23 | */ | 23 | */ |
24 | 24 | ||
25 | #include "includes.h" | 25 | #include "includes.h" |
26 | RCSID("$OpenBSD: kex.c,v 1.28 2001/04/04 09:48:34 markus Exp $"); | 26 | RCSID("$OpenBSD: kex.c,v 1.29 2001/04/04 14:34:58 markus Exp $"); |
27 | 27 | ||
28 | #include <openssl/crypto.h> | 28 | #include <openssl/crypto.h> |
29 | 29 | ||
@@ -112,9 +112,21 @@ kex_protocol_error(int type, int plen, void *ctxt) | |||
112 | } | 112 | } |
113 | 113 | ||
114 | void | 114 | void |
115 | kex_clear_dispatch(void) | ||
116 | { | ||
117 | int i; | ||
118 | |||
119 | /* Numbers 30-49 are used for kex packets */ | ||
120 | for (i = 30; i <= 49; i++) | ||
121 | dispatch_set(i, &kex_protocol_error); | ||
122 | } | ||
123 | |||
124 | void | ||
115 | kex_finish(Kex *kex) | 125 | kex_finish(Kex *kex) |
116 | { | 126 | { |
117 | int i, plen; | 127 | int plen; |
128 | |||
129 | kex_clear_dispatch(); | ||
118 | 130 | ||
119 | packet_start(SSH2_MSG_NEWKEYS); | 131 | packet_start(SSH2_MSG_NEWKEYS); |
120 | packet_send(); | 132 | packet_send(); |
@@ -125,8 +137,6 @@ kex_finish(Kex *kex) | |||
125 | packet_read_expect(&plen, SSH2_MSG_NEWKEYS); | 137 | packet_read_expect(&plen, SSH2_MSG_NEWKEYS); |
126 | debug("SSH2_MSG_NEWKEYS received"); | 138 | debug("SSH2_MSG_NEWKEYS received"); |
127 | kex->newkeys = 1; | 139 | kex->newkeys = 1; |
128 | for (i = 30; i <= 49; i++) | ||
129 | dispatch_set(i, &kex_protocol_error); | ||
130 | buffer_clear(&kex->peer); | 140 | buffer_clear(&kex->peer); |
131 | /* buffer_clear(&kex->my); */ | 141 | /* buffer_clear(&kex->my); */ |
132 | kex->flags &= ~KEX_INIT_SENT; | 142 | kex->flags &= ~KEX_INIT_SENT; |
@@ -135,6 +145,10 @@ kex_finish(Kex *kex) | |||
135 | void | 145 | void |
136 | kex_send_kexinit(Kex *kex) | 146 | kex_send_kexinit(Kex *kex) |
137 | { | 147 | { |
148 | if (kex == NULL) { | ||
149 | error("kex_send_kexinit: no kex, cannot rekey"); | ||
150 | return; | ||
151 | } | ||
138 | if (kex->flags & KEX_INIT_SENT) { | 152 | if (kex->flags & KEX_INIT_SENT) { |
139 | debug("KEX_INIT_SENT"); | 153 | debug("KEX_INIT_SENT"); |
140 | return; | 154 | return; |
@@ -154,6 +168,8 @@ kex_input_kexinit(int type, int plen, void *ctxt) | |||
154 | Kex *kex = (Kex *)ctxt; | 168 | Kex *kex = (Kex *)ctxt; |
155 | 169 | ||
156 | debug("SSH2_MSG_KEXINIT received"); | 170 | debug("SSH2_MSG_KEXINIT received"); |
171 | if (kex == NULL) | ||
172 | fatal("kex_input_kexinit: no kex, cannot rekey"); | ||
157 | 173 | ||
158 | ptr = packet_get_raw(&dlen); | 174 | ptr = packet_get_raw(&dlen); |
159 | buffer_append(&kex->peer, ptr, dlen); | 175 | buffer_append(&kex->peer, ptr, dlen); |
@@ -165,7 +181,6 @@ Kex * | |||
165 | kex_setup(char *proposal[PROPOSAL_MAX]) | 181 | kex_setup(char *proposal[PROPOSAL_MAX]) |
166 | { | 182 | { |
167 | Kex *kex; | 183 | Kex *kex; |
168 | int i; | ||
169 | 184 | ||
170 | kex = xmalloc(sizeof(*kex)); | 185 | kex = xmalloc(sizeof(*kex)); |
171 | memset(kex, 0, sizeof(*kex)); | 186 | memset(kex, 0, sizeof(*kex)); |
@@ -175,11 +190,9 @@ kex_setup(char *proposal[PROPOSAL_MAX]) | |||
175 | kex->newkeys = 0; | 190 | kex->newkeys = 0; |
176 | 191 | ||
177 | kex_send_kexinit(kex); /* we start */ | 192 | kex_send_kexinit(kex); /* we start */ |
178 | /* Numbers 30-49 are used for kex packets */ | 193 | kex_clear_dispatch(); |
179 | for (i = 30; i <= 49; i++) | ||
180 | dispatch_set(i, kex_protocol_error); | ||
181 | |||
182 | dispatch_set(SSH2_MSG_KEXINIT, &kex_input_kexinit); | 194 | dispatch_set(SSH2_MSG_KEXINIT, &kex_input_kexinit); |
195 | |||
183 | return kex; | 196 | return kex; |
184 | } | 197 | } |
185 | 198 | ||
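Review bot: kex_clear_dispatch is defined with external linkage, but as far as this diff shows it is only called from kex_finish and kex_setup in the same file and gets no prototype in the kex.h hunk; it should be `static void kex_clear_dispatch(void)` so it stays out of the global namespace and keeps -Wmissing-prototypes quiet. The two new NULL guards differ in severity: kex_send_kexinit logs with error() and returns, so a caller asking for a rekey without a Kex silently continues on the old keys, while kex_input_kexinit treats the same condition as fatal(); if the soft path is deliberate, a comment saying so would help, otherwise both should fail the same way. The `kex_clear_dispatch();` call at the top of kex_finish also replaces the old loop that ran after NEWKEYS was received, so a one-line why-comment would help: `/* reset the KEX slots now: no further KEX packets are expected for this exchange */`.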
@@ -1,4 +1,4 @@ | |||
1 | /* $OpenBSD: kex.h,v 1.20 2001/04/04 09:48:34 markus Exp $ */ | 1 | /* $OpenBSD: kex.h,v 1.21 2001/04/04 14:34:58 markus Exp $ */ |
2 | 2 | ||
3 | /* | 3 | /* |
4 | * Copyright (c) 2000 Markus Friedl. All rights reserved. | 4 | * Copyright (c) 2000 Markus Friedl. All rights reserved. |
@@ -115,7 +115,7 @@ Kex *kex_setup(char *proposal[PROPOSAL_MAX]); | |||
115 | void kex_finish(Kex *kex); | 115 | void kex_finish(Kex *kex); |
116 | 116 | ||
117 | void kex_send_kexinit(Kex *kex); | 117 | void kex_send_kexinit(Kex *kex); |
118 | void kex_protocol_error(int type, int plen, void *ctxt); | 118 | void kex_input_kexinit(int type, int plen, void *ctxt); |
119 | void kex_derive_keys(Kex *k, u_char *hash, BIGNUM *shared_secret); | 119 | void kex_derive_keys(Kex *k, u_char *hash, BIGNUM *shared_secret); |
120 | 120 | ||
121 | void kexdh(Kex *); | 121 | void kexdh(Kex *); |
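--- a/serverloop.c
+++ b/serverloop.c
@@ -35,7 +35,7 @@
 */
 
 #include "includes.h"
-RCSID("$OpenBSD: serverloop.c,v 1.55 2001/03/16 19:06:29 markus Exp $");
+RCSID("$OpenBSD: serverloop.c,v 1.56 2001/04/04 14:34:58 markus Exp $");
 
 #include "xmalloc.h"
 #include "packet.h"
@@ -53,9 +53,13 @@ RCSID("$OpenBSD: serverloop.c,v 1.55 2001/03/16 19:06:29 markus Exp $");
 #include "auth-options.h"
 #include "serverloop.h"
 #include "misc.h"
+#include "kex.h"
 
 extern ServerOptions options;
 
+/* XXX */
+extern Kex *xxx_kex;
+
 static Buffer stdin_buffer; /* Buffer for stdin data. */
 static Buffer stdout_buffer; /* Buffer for stdout data. */
 static Buffer stderr_buffer; /* Buffer for stderr data. */
@@ -391,7 +395,7 @@ drain_output(void)
 void
 process_buffered_input_packets(void)
 {
-dispatch_run(DISPATCH_NONBLOCK, NULL, NULL);
+dispatch_run(DISPATCH_NONBLOCK, NULL, compat20 ? xxx_kex : NULL);
 }
 
 /*
@@ -905,6 +909,9 @@ server_init_dispatch_20(void)
 dispatch_set(SSH2_MSG_CHANNEL_REQUEST, &channel_input_channel_request);
 dispatch_set(SSH2_MSG_CHANNEL_WINDOW_ADJUST, &channel_input_window_adjust);
 dispatch_set(SSH2_MSG_GLOBAL_REQUEST, &server_input_global_request);
+
+/* rekeying */
+dispatch_set(SSH2_MSG_KEXINIT, &kex_input_kexinit);
 }
 void
 server_init_dispatch_13(void)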
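Review bot: `extern Kex *xxx_kex;` carries only `/* XXX */`; it should state what the global is and when it is valid, e.g. `/* XXX: Kex of the current connection, set by do_ssh2_kex() in sshd.c; handed to dispatch_run() so a client-initiated KEXINIT has a context. NULL before the first key exchange. */`. process_buffered_input_packets now passes xxx_kex as ctxt to every protocol-2 handler, not only kex_input_kexinit; if any channel or global-request handler interprets ctxt (not visible here), it now receives a Kex where it used to get NULL, which is worth confirming. The `compat20 ? xxx_kex : NULL` guard is sound only if xxx_kex is always assigned before the server loop runs in protocol 2 — that ordering lives in sshd.c's do_ssh2_kex, not in this file.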
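--- a/sshconnect2.c
+++ b/sshconnect2.c
@@ -23,7 +23,7 @@
 */
 
 #include "includes.h"
-RCSID("$OpenBSD: sshconnect2.c,v 1.64 2001/04/04 09:48:35 markus Exp $");
+RCSID("$OpenBSD: sshconnect2.c,v 1.65 2001/04/04 14:34:58 markus Exp $");
 
 #include <openssl/bn.h>
 #include <openssl/md5.h>
@@ -111,6 +111,7 @@ ssh_kex2(char *host, struct sockaddr *hostaddr)
 myproposal[PROPOSAL_MAC_ALGS_STOC] = options.macs;
 }
 
+/* start key exchange */
 kex = kex_setup(myproposal);
 kex->client_version_string=client_version_string;
 kex->server_version_string=server_version_string;
@@ -118,7 +119,6 @@ ssh_kex2(char *host, struct sockaddr *hostaddr)
 
 xxx_kex = kex;
 
-/* start key exchange */
 dispatch_run(DISPATCH_BLOCK, &kex->newkeys, kex);
 
 session_id2 = kex->session_id;
@@ -213,7 +213,6 @@ ssh_userauth2(const char *server_user, char *host)
 Authctxt authctxt;
 int type;
 int plen;
-int i;
 
 if (options.challenge_reponse_authentication)
 options.kbd_interactive_authentication = 1;
@@ -254,10 +253,7 @@ ssh_userauth2(const char *server_user, char *host)
 /* initial userauth request */
 userauth_none(&authctxt);
 
-/* dispatch_init(&input_userauth_error); */
-for (i = 50; i <= 254; i++) {
-dispatch_set(i, &input_userauth_error);
-}
+dispatch_init(&input_userauth_error);
 dispatch_set(SSH2_MSG_USERAUTH_SUCCESS, &input_userauth_success);
 dispatch_set(SSH2_MSG_USERAUTH_FAILURE, &input_userauth_failure);
 dispatch_set(SSH2_MSG_USERAUTH_BANNER, &input_userauth_banner);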
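Review bot: Replacing the 50–254 loop with `dispatch_init(&input_userauth_error)` in ssh_userauth2 widens what gets overwritten: if dispatch_init resets every message type (its body is not in this diff), the SSH2_MSG_KEXINIT → kex_input_kexinit binding installed by kex_setup() in ssh_kex2 is replaced by input_userauth_error for the whole userauth phase, and the KEX range 30–49 loses kex_protocol_error as well. A server that starts a rekey during authentication would then presumably be reported as a userauth protocol error rather than handled, until client_init_dispatch_20 re-registers the handler. If that is acceptable, say so next to the call, `/* rekeying is not handled during userauth; the KEXINIT handler is re-installed in client_init_dispatch_20 */`; otherwise add `dispatch_set(SSH2_MSG_KEXINIT, &kex_input_kexinit);` right after the dispatch_init line. ssh_userauth2 continues past the end of the hunk.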
@@ -40,7 +40,7 @@ | |||
40 | */ | 40 | */ |
41 | 41 | ||
42 | #include "includes.h" | 42 | #include "includes.h" |
43 | RCSID("$OpenBSD: sshd.c,v 1.188 2001/04/04 09:48:35 markus Exp $"); | 43 | RCSID("$OpenBSD: sshd.c,v 1.189 2001/04/04 14:34:58 markus Exp $"); |
44 | 44 | ||
45 | #include <openssl/dh.h> | 45 | #include <openssl/dh.h> |
46 | #include <openssl/bn.h> | 46 | #include <openssl/bn.h> |
@@ -141,6 +141,9 @@ int num_listen_socks = 0; | |||
141 | char *client_version_string = NULL; | 141 | char *client_version_string = NULL; |
142 | char *server_version_string = NULL; | 142 | char *server_version_string = NULL; |
143 | 143 | ||
144 | /* for rekeying XXX fixme */ | ||
145 | Kex *xxx_kex; | ||
146 | |||
144 | /* | 147 | /* |
145 | * Any really sensitive data in the application is contained in this | 148 | * Any really sensitive data in the application is contained in this |
146 | * structure. The idea is that this structure could be locked into memory so | 149 | * structure. The idea is that this structure could be locked into memory so |
@@ -1425,13 +1428,15 @@ do_ssh2_kex(void) | |||
1425 | } | 1428 | } |
1426 | myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = list_hostkey_types(); | 1429 | myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = list_hostkey_types(); |
1427 | 1430 | ||
1431 | /* start key exchange */ | ||
1428 | kex = kex_setup(myproposal); | 1432 | kex = kex_setup(myproposal); |
1429 | kex->server = 1; | 1433 | kex->server = 1; |
1430 | kex->client_version_string=client_version_string; | 1434 | kex->client_version_string=client_version_string; |
1431 | kex->server_version_string=server_version_string; | 1435 | kex->server_version_string=server_version_string; |
1432 | kex->load_host_key=&get_hostkey_by_type; | 1436 | kex->load_host_key=&get_hostkey_by_type; |
1433 | 1437 | ||
1434 | /* start key exchange */ | 1438 | xxx_kex = kex; |
1439 | |||
1435 | dispatch_run(DISPATCH_BLOCK, &kex->newkeys, kex); | 1440 | dispatch_run(DISPATCH_BLOCK, &kex->newkeys, kex); |
1436 | 1441 | ||
1437 | session_id2 = kex->session_id; | 1442 | session_id2 = kex->session_id; |
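Review bot: The new global `Kex *xxx_kex` is documented only as `/* for rekeying XXX fixme */`, yet serverloop.c in this commit passes it to every protocol-2 dispatch handler whenever compat20 is set, so the comment should state the contract that relies on: `/* Kex of the current connection; set in do_ssh2_kex() before the server loop starts and read by serverloop.c's process_buffered_input_packets(). NULL until the first key exchange. */`. The assignment `xxx_kex = kex;` happens after kex_setup() has already sent KEXINIT and registered kex_input_kexinit; that appears safe only because the initial exchange runs through `dispatch_run(DISPATCH_BLOCK, &kex->newkeys, kex)` with the Kex passed explicitly, which deserves a one-line comment so the ordering is not "fixed" later. do_ssh2_kex continues past the end of the hunk.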