7 files changed, 53 insertions, 28 deletions

diff --git a/ChangeLog b/ChangeLog
index 4ca9cf0b0..0cc84157d 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -5,6 +5,10 @@
      don't sent multiple kexinit-requests.                       
      send newkeys, block while waiting for newkeys.              
      fix comments.                                               
+   - markus@cvs.openbsd.org 2001/04/04 14:34:58                         
+     [clientloop.c kex.c kex.h serverloop.c sshconnect2.c sshd.c]       
+     enable server side rekeying + some rekey related clientup.         
+     todo: we should not send any non-KEX messages after we send KEXINIT
 
 20010404
  - OpenBSD CVS Sync
@@ -4844,4 +4848,4 @@
  - Wrote replacements for strlcpy and mkdtemp
  - Released 1.0pre1
 
-$Id: ChangeLog,v 1.1055 2001/04/04 17:52:53 mouring Exp $
+$Id: ChangeLog,v 1.1056 2001/04/04 17:57:54 mouring Exp $
diff --git a/clientloop.c b/clientloop.c
index 1ed245e22..1d09a8dd9 100644
--- a/clientloop.c
+++ b/clientloop.c
@@ -59,7 +59,7 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: clientloop.c,v 1.54 2001/04/04 00:06:53 markus Exp $");
+RCSID("$OpenBSD: clientloop.c,v 1.55 2001/04/04 14:34:58 markus Exp $");
 
 #include "ssh.h"
 #include "ssh1.h"
@@ -1205,10 +1205,7 @@ client_input_channel_req(int type, int plen, void *ctxt)
 void
 client_init_dispatch_20(void)
 {
-        int i;
-        /* dispatch_init(&dispatch_protocol_error); */
-        for (i = 50; i <= 254; i++)
-                dispatch_set(i, &dispatch_protocol_error);
+        dispatch_init(&dispatch_protocol_error);
         dispatch_set(SSH2_MSG_CHANNEL_CLOSE, &channel_input_oclose);
         dispatch_set(SSH2_MSG_CHANNEL_DATA, &channel_input_data);
         dispatch_set(SSH2_MSG_CHANNEL_EOF, &channel_input_ieof);
@@ -1218,6 +1215,9 @@ client_init_dispatch_20(void)
         dispatch_set(SSH2_MSG_CHANNEL_OPEN_FAILURE, &channel_input_open_failure);
         dispatch_set(SSH2_MSG_CHANNEL_REQUEST, &client_input_channel_req);
         dispatch_set(SSH2_MSG_CHANNEL_WINDOW_ADJUST, &channel_input_window_adjust);
+
+        /* rekeying */
+        dispatch_set(SSH2_MSG_KEXINIT, &kex_input_kexinit);
 }
 void
 client_init_dispatch_13(void)
diff --git a/kex.c b/kex.c
index 1314270d4..ee1e17e02 100644
--- a/kex.c
+++ b/kex.c
@@ -23,7 +23,7 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: kex.c,v 1.28 2001/04/04 09:48:34 markus Exp $");
+RCSID("$OpenBSD: kex.c,v 1.29 2001/04/04 14:34:58 markus Exp $");
 
 #include <openssl/crypto.h>
 
@@ -112,9 +112,21 @@ kex_protocol_error(int type, int plen, void *ctxt)
 }
 
 void
+kex_clear_dispatch(void)
+{
+        int i;
+
+        /* Numbers 30-49 are used for kex packets */
+        for (i = 30; i <= 49; i++)
+                dispatch_set(i, &kex_protocol_error);
+}
+
+void
 kex_finish(Kex *kex)
 {
-        int i, plen;
+        int plen;
+
+        kex_clear_dispatch();
 
         packet_start(SSH2_MSG_NEWKEYS);
         packet_send();
@@ -125,8 +137,6 @@ kex_finish(Kex *kex)
         packet_read_expect(&plen, SSH2_MSG_NEWKEYS);
         debug("SSH2_MSG_NEWKEYS received");
         kex->newkeys = 1;
-        for (i = 30; i <= 49; i++)
-                dispatch_set(i, &kex_protocol_error);
         buffer_clear(&kex->peer);
         /* buffer_clear(&kex->my); */
         kex->flags &= ~KEX_INIT_SENT;
@@ -135,6 +145,10 @@ kex_finish(Kex *kex)
 void
 kex_send_kexinit(Kex *kex)
 {
+        if (kex == NULL) {
+                error("kex_send_kexinit: no kex, cannot rekey");
+                return;
+        }
         if (kex->flags & KEX_INIT_SENT) {
                 debug("KEX_INIT_SENT");
                 return;
@@ -154,6 +168,8 @@ kex_input_kexinit(int type, int plen, void *ctxt)
         Kex *kex = (Kex *)ctxt;
 
         debug("SSH2_MSG_KEXINIT received");
+        if (kex == NULL)
+                fatal("kex_input_kexinit: no kex, cannot rekey");
 
         ptr = packet_get_raw(&dlen);
         buffer_append(&kex->peer, ptr, dlen);
@@ -165,7 +181,6 @@ Kex *
 kex_setup(char *proposal[PROPOSAL_MAX])
 {
         Kex *kex;
-        int i;
 
         kex = xmalloc(sizeof(*kex));
         memset(kex, 0, sizeof(*kex));
@@ -175,11 +190,9 @@ kex_setup(char *proposal[PROPOSAL_MAX])
         kex->newkeys = 0;
 
         kex_send_kexinit(kex);                                  /* we start */
-        /* Numbers 30-49 are used for kex packets */
-        for (i = 30; i <= 49; i++)
-                dispatch_set(i, kex_protocol_error);
-
+        kex_clear_dispatch();
         dispatch_set(SSH2_MSG_KEXINIT, &kex_input_kexinit);
+
         return kex;
 }
 
diff --git a/kex.h b/kex.h
index c37d3aa5f..54134221f 100644
--- a/kex.h
+++ b/kex.h
@@ -1,4 +1,4 @@
-/*      $OpenBSD: kex.h,v 1.20 2001/04/04 09:48:34 markus Exp $ */
+/*      $OpenBSD: kex.h,v 1.21 2001/04/04 14:34:58 markus Exp $ */
 
 /*
  * Copyright (c) 2000 Markus Friedl.  All rights reserved.
@@ -115,7 +115,7 @@ Kex	*kex_setup(char *proposal[PROPOSAL_MAX]);
 void    kex_finish(Kex *kex);
 
 void    kex_send_kexinit(Kex *kex);
-void    kex_protocol_error(int type, int plen, void *ctxt);
+void    kex_input_kexinit(int type, int plen, void *ctxt);
 void    kex_derive_keys(Kex *k, u_char *hash, BIGNUM *shared_secret);
 
 void    kexdh(Kex *);
diff --git a/serverloop.c b/serverloop.c
index d1290ff22..4ae02fd10 100644
--- a/serverloop.c
+++ b/serverloop.c
@@ -35,7 +35,7 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: serverloop.c,v 1.55 2001/03/16 19:06:29 markus Exp $");
+RCSID("$OpenBSD: serverloop.c,v 1.56 2001/04/04 14:34:58 markus Exp $");
 
 #include "xmalloc.h"
 #include "packet.h"
@@ -53,9 +53,13 @@ RCSID("$OpenBSD: serverloop.c,v 1.55 2001/03/16 19:06:29 markus Exp $");
 #include "auth-options.h"
 #include "serverloop.h"
 #include "misc.h"
+#include "kex.h"
 
 extern ServerOptions options;
 
+/* XXX */
+extern Kex *xxx_kex;
+
 static Buffer stdin_buffer;     /* Buffer for stdin data. */
 static Buffer stdout_buffer;    /* Buffer for stdout data. */
 static Buffer stderr_buffer;    /* Buffer for stderr data. */
@@ -391,7 +395,7 @@ drain_output(void)
 void
 process_buffered_input_packets(void)
 {
-        dispatch_run(DISPATCH_NONBLOCK, NULL, NULL);
+        dispatch_run(DISPATCH_NONBLOCK, NULL, compat20 ? xxx_kex : NULL);
 }
 
 /*
@@ -905,6 +909,9 @@ server_init_dispatch_20(void)
         dispatch_set(SSH2_MSG_CHANNEL_REQUEST, &channel_input_channel_request);
         dispatch_set(SSH2_MSG_CHANNEL_WINDOW_ADJUST, &channel_input_window_adjust);
         dispatch_set(SSH2_MSG_GLOBAL_REQUEST, &server_input_global_request);
+
+        /* rekeying */
+        dispatch_set(SSH2_MSG_KEXINIT, &kex_input_kexinit);
 }
 void
 server_init_dispatch_13(void)
diff --git a/sshconnect2.c b/sshconnect2.c
index 895156704..2f26aa569 100644
--- a/sshconnect2.c
+++ b/sshconnect2.c
@@ -23,7 +23,7 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: sshconnect2.c,v 1.64 2001/04/04 09:48:35 markus Exp $");
+RCSID("$OpenBSD: sshconnect2.c,v 1.65 2001/04/04 14:34:58 markus Exp $");
 
 #include <openssl/bn.h>
 #include <openssl/md5.h>
@@ -111,6 +111,7 @@ ssh_kex2(char *host, struct sockaddr *hostaddr)
                 myproposal[PROPOSAL_MAC_ALGS_STOC] = options.macs;
         }
 
+        /* start key exchange */
         kex = kex_setup(myproposal);
         kex->client_version_string=client_version_string;
         kex->server_version_string=server_version_string;
@@ -118,7 +119,6 @@ ssh_kex2(char *host, struct sockaddr *hostaddr)
 
         xxx_kex = kex;
 
-        /* start key exchange */
         dispatch_run(DISPATCH_BLOCK, &kex->newkeys, kex);
 
         session_id2 = kex->session_id;
@@ -213,7 +213,6 @@ ssh_userauth2(const char *server_user, char *host)
         Authctxt authctxt;
         int type;
         int plen;
-        int i;
 
         if (options.challenge_reponse_authentication)
                 options.kbd_interactive_authentication = 1;
@@ -254,10 +253,7 @@ ssh_userauth2(const char *server_user, char *host)
         /* initial userauth request */
         userauth_none(&authctxt);
 
-        /* dispatch_init(&input_userauth_error); */
-        for (i = 50; i <= 254; i++) {
-                dispatch_set(i, &input_userauth_error);
-        }
+        dispatch_init(&input_userauth_error);
         dispatch_set(SSH2_MSG_USERAUTH_SUCCESS, &input_userauth_success);
         dispatch_set(SSH2_MSG_USERAUTH_FAILURE, &input_userauth_failure);
         dispatch_set(SSH2_MSG_USERAUTH_BANNER, &input_userauth_banner);
diff --git a/sshd.c b/sshd.c
index 0bb4269d5..ea29e75ac 100644
--- a/sshd.c
+++ b/sshd.c
@@ -40,7 +40,7 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: sshd.c,v 1.188 2001/04/04 09:48:35 markus Exp $");
+RCSID("$OpenBSD: sshd.c,v 1.189 2001/04/04 14:34:58 markus Exp $");
 
 #include <openssl/dh.h>
 #include <openssl/bn.h>
@@ -141,6 +141,9 @@ int num_listen_socks = 0;
 char *client_version_string = NULL;
 char *server_version_string = NULL;
 
+/* for rekeying XXX fixme */
+Kex *xxx_kex;
+
 /*
  * Any really sensitive data in the application is contained in this
  * structure. The idea is that this structure could be locked into memory so
@@ -1425,13 +1428,15 @@ do_ssh2_kex(void)
         }
         myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = list_hostkey_types();
 
+        /* start key exchange */
         kex = kex_setup(myproposal);
         kex->server = 1;
         kex->client_version_string=client_version_string;
         kex->server_version_string=server_version_string;
         kex->load_host_key=&get_hostkey_by_type;
 
-        /* start key exchange */
+        xxx_kex = kex;
+
         dispatch_run(DISPATCH_BLOCK, &kex->newkeys, kex);
 
         session_id2 = kex->session_id;