From 9fced11d5fcbd1680f8326a93d5c6f460bbd1464 Mon Sep 17 00:00:00 2001 From: Markus Friedl Date: Wed, 4 Apr 2001 14:34:59 +0000 Subject: enable server side rekeying + some rekey related clientup. todo: we should not send any non-KEX messages after we send KEXINIT --- usr.bin/ssh/clientloop.c | 10 +++++----- usr.bin/ssh/kex.c | 31 ++++++++++++++++++++++--------- usr.bin/ssh/kex.h | 4 ++-- usr.bin/ssh/serverloop.c | 11 +++++++++-- usr.bin/ssh/sshconnect2.c | 10 +++------- usr.bin/ssh/sshd.c | 9 +++++++-- 6 files changed, 48 insertions(+), 27 deletions(-) (limited to 'usr.bin') diff --git a/usr.bin/ssh/clientloop.c b/usr.bin/ssh/clientloop.c index 1ed245e22ff..1d09a8dd9fe 100644 --- a/usr.bin/ssh/clientloop.c +++ b/usr.bin/ssh/clientloop.c @@ -59,7 +59,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: clientloop.c,v 1.54 2001/04/04 00:06:53 markus Exp $"); +RCSID("$OpenBSD: clientloop.c,v 1.55 2001/04/04 14:34:58 markus Exp $"); #include "ssh.h" #include "ssh1.h" @@ -1205,10 +1205,7 @@ client_input_channel_req(int type, int plen, void *ctxt) void client_init_dispatch_20(void) { - int i; - /* dispatch_init(&dispatch_protocol_error); */ - for (i = 50; i <= 254; i++) - dispatch_set(i, &dispatch_protocol_error); + dispatch_init(&dispatch_protocol_error); dispatch_set(SSH2_MSG_CHANNEL_CLOSE, &channel_input_oclose); dispatch_set(SSH2_MSG_CHANNEL_DATA, &channel_input_data); dispatch_set(SSH2_MSG_CHANNEL_EOF, &channel_input_ieof); @@ -1218,6 +1215,9 @@ client_init_dispatch_20(void) dispatch_set(SSH2_MSG_CHANNEL_OPEN_FAILURE, &channel_input_open_failure); dispatch_set(SSH2_MSG_CHANNEL_REQUEST, &client_input_channel_req); dispatch_set(SSH2_MSG_CHANNEL_WINDOW_ADJUST, &channel_input_window_adjust); + + /* rekeying */ + dispatch_set(SSH2_MSG_KEXINIT, &kex_input_kexinit); } void client_init_dispatch_13(void) diff --git a/usr.bin/ssh/kex.c b/usr.bin/ssh/kex.c index 1314270d496..ee1e17e02a6 100644 --- a/usr.bin/ssh/kex.c +++ b/usr.bin/ssh/kex.c 
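Review bot: The new `dispatch_set(SSH2_MSG_KEXINIT, &kex_input_kexinit)` in client_init_dispatch_20 makes a server-initiated KEXINIT reach a handler that, per the kex.c hunk in this commit, calls fatal() when its ctxt is NULL, yet this hunk does not show what the client's session-loop dispatch_run passes as ctxt. If the client still passes NULL there (serverloop.c in this same commit was changed to pass `compat20 ? xxx_kex : NULL`), a server rekey request terminates the client instead of rekeying. Please confirm the client loop hands the session's Kex to dispatch_run and record the dependency next to the new line: `/* rekeying: requires dispatch_run() to pass the session Kex as ctxt */`. The surrounding table setup is fully visible, but the dispatch_run call that consumes it is outside this hunk.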
@@ -23,7 +23,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: kex.c,v 1.28 2001/04/04 09:48:34 markus Exp $"); +RCSID("$OpenBSD: kex.c,v 1.29 2001/04/04 14:34:58 markus Exp $"); #include @@ -111,10 +111,22 @@ kex_protocol_error(int type, int plen, void *ctxt) error("Hm, kex protocol error: type %d plen %d", type, plen); } +void +kex_clear_dispatch(void) +{ + int i; + + /* Numbers 30-49 are used for kex packets */ + for (i = 30; i <= 49; i++) + dispatch_set(i, &kex_protocol_error); +} + void kex_finish(Kex *kex) { - int i, plen; + int plen; + + kex_clear_dispatch(); packet_start(SSH2_MSG_NEWKEYS); packet_send(); @@ -125,8 +137,6 @@ kex_finish(Kex *kex) packet_read_expect(&plen, SSH2_MSG_NEWKEYS); debug("SSH2_MSG_NEWKEYS received"); kex->newkeys = 1; - for (i = 30; i <= 49; i++) - dispatch_set(i, &kex_protocol_error); buffer_clear(&kex->peer); /* buffer_clear(&kex->my); */ kex->flags &= ~KEX_INIT_SENT; @@ -135,6 +145,10 @@ kex_finish(Kex *kex) void kex_send_kexinit(Kex *kex) { + if (kex == NULL) { + error("kex_send_kexinit: no kex, cannot rekey"); + return; + } if (kex->flags & KEX_INIT_SENT) { debug("KEX_INIT_SENT"); return; @@ -154,6 +168,8 @@ kex_input_kexinit(int type, int plen, void *ctxt) Kex *kex = (Kex *)ctxt; debug("SSH2_MSG_KEXINIT received"); + if (kex == NULL) + fatal("kex_input_kexinit: no kex, cannot rekey"); ptr = packet_get_raw(&dlen); buffer_append(&kex->peer, ptr, dlen); @@ -165,7 +181,6 @@ Kex * kex_setup(char *proposal[PROPOSAL_MAX]) { Kex *kex; - int i; kex = xmalloc(sizeof(*kex)); memset(kex, 0, sizeof(*kex)); @@ -175,11 +190,9 @@ kex_setup(char *proposal[PROPOSAL_MAX]) kex->newkeys = 0; kex_send_kexinit(kex); /* we start */ - /* Numbers 30-49 are used for kex packets */ - for (i = 30; i <= 49; i++) - dispatch_set(i, kex_protocol_error); - + kex_clear_dispatch(); dispatch_set(SSH2_MSG_KEXINIT, &kex_input_kexinit); + return kex; } diff --git a/usr.bin/ssh/kex.h b/usr.bin/ssh/kex.h index c37d3aa5fdb..54134221ff0 100644 --- a/usr.bin/ssh/kex.h 
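Review bot: The two new NULL guards disagree: kex_send_kexinit logs `error("kex_send_kexinit: no kex, cannot rekey")` and returns normally, while kex_input_kexinit treats the same condition as fatal(), so a caller that tries to start a rekey without a Kex continues as if the exchange were in progress and the peer never sees a KEXINIT. Either make the sender fatal() too, or give callers a way to notice (a return value), and say which it is in a comment on the guard. kex_clear_dispatch also deserves a one-line header, e.g. `/* Route the kex-only message range (30-49) to kex_protocol_error so stray kex packets outside an exchange are rejected. */`, since it is now called from both kex_setup and kex_finish. kex_send_kexinit's body and kex_setup's body both continue outside the hunks shown.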
+++ b/usr.bin/ssh/kex.h @@ -1,4 +1,4 @@ -/* $OpenBSD: kex.h,v 1.20 2001/04/04 09:48:34 markus Exp $ */ +/* $OpenBSD: kex.h,v 1.21 2001/04/04 14:34:58 markus Exp $ */ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. @@ -115,7 +115,7 @@ Kex *kex_setup(char *proposal[PROPOSAL_MAX]); void kex_finish(Kex *kex); void kex_send_kexinit(Kex *kex); -void kex_protocol_error(int type, int plen, void *ctxt); +void kex_input_kexinit(int type, int plen, void *ctxt); void kex_derive_keys(Kex *k, u_char *hash, BIGNUM *shared_secret); void kexdh(Kex *); diff --git a/usr.bin/ssh/serverloop.c b/usr.bin/ssh/serverloop.c index f20c9ed11b1..b1948611299 100644 --- a/usr.bin/ssh/serverloop.c +++ b/usr.bin/ssh/serverloop.c @@ -35,7 +35,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: serverloop.c,v 1.55 2001/03/16 19:06:29 markus Exp $"); +RCSID("$OpenBSD: serverloop.c,v 1.56 2001/04/04 14:34:58 markus Exp $"); #include "xmalloc.h" #include "packet.h" @@ -53,9 +53,13 @@ RCSID("$OpenBSD: serverloop.c,v 1.55 2001/03/16 19:06:29 markus Exp $"); #include "auth-options.h" #include "serverloop.h" #include "misc.h" +#include "kex.h" extern ServerOptions options; +/* XXX */ +extern Kex *xxx_kex; + static Buffer stdin_buffer; /* Buffer for stdin data. */ static Buffer stdout_buffer; /* Buffer for stdout data. */ static Buffer stderr_buffer; /* Buffer for stderr data. */ @@ -391,7 +395,7 @@ drain_output(void) void process_buffered_input_packets(void) { - dispatch_run(DISPATCH_NONBLOCK, NULL, NULL); + dispatch_run(DISPATCH_NONBLOCK, NULL, compat20 ? xxx_kex : NULL); } /* @@ -905,6 +909,9 @@ server_init_dispatch_20(void) dispatch_set(SSH2_MSG_CHANNEL_REQUEST, &channel_input_channel_request); dispatch_set(SSH2_MSG_CHANNEL_WINDOW_ADJUST, &channel_input_window_adjust); dispatch_set(SSH2_MSG_GLOBAL_REQUEST, &server_input_global_request); + + /* rekeying */ + dispatch_set(SSH2_MSG_KEXINIT, &kex_input_kexinit); } void server_init_dispatch_13(void) 
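Review bot: Installing `dispatch_set(SSH2_MSG_KEXINIT, &kex_input_kexinit)` in server_init_dispatch_20 lets an authenticated client start a full key exchange at any moment, and nothing in this hunk bounds how often it may do so; if kex_input_kexinit proceeds straight into the exchange (its tail is outside the kex.c hunk), each request costs the server a Diffie-Hellman computation. A comment noting that the frequency is currently unlimited, or a minimum interval between client-initiated exchanges, would be worth adding here. Separately, the hand-written `extern Kex *xxx_kex;` under `/* XXX */` duplicates a definition in sshd.c with no shared declaration; a single `extern Kex *xxx_kex;` in kex.h would let the compiler catch a type mismatch. The enclosing dispatch-table function is fully visible; process_buffered_input_packets is a one-liner and also fully visible.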
diff --git a/usr.bin/ssh/sshconnect2.c b/usr.bin/ssh/sshconnect2.c index 895156704a7..2f26aa56997 100644 --- a/usr.bin/ssh/sshconnect2.c +++ b/usr.bin/ssh/sshconnect2.c @@ -23,7 +23,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: sshconnect2.c,v 1.64 2001/04/04 09:48:35 markus Exp $"); +RCSID("$OpenBSD: sshconnect2.c,v 1.65 2001/04/04 14:34:58 markus Exp $"); #include #include @@ -111,6 +111,7 @@ ssh_kex2(char *host, struct sockaddr *hostaddr) myproposal[PROPOSAL_MAC_ALGS_STOC] = options.macs; } + /* start key exchange */ kex = kex_setup(myproposal); kex->client_version_string=client_version_string; kex->server_version_string=server_version_string; @@ -118,7 +119,6 @@ ssh_kex2(char *host, struct sockaddr *hostaddr) xxx_kex = kex; - /* start key exchange */ dispatch_run(DISPATCH_BLOCK, &kex->newkeys, kex); session_id2 = kex->session_id; @@ -213,7 +213,6 @@ ssh_userauth2(const char *server_user, char *host) Authctxt authctxt; int type; int plen; - int i; if (options.challenge_reponse_authentication) options.kbd_interactive_authentication = 1; @@ -254,10 +253,7 @@ ssh_userauth2(const char *server_user, char *host) /* initial userauth request */ userauth_none(&authctxt); - /* dispatch_init(&input_userauth_error); */ - for (i = 50; i <= 254; i++) { - dispatch_set(i, &input_userauth_error); - } + dispatch_init(&input_userauth_error); dispatch_set(SSH2_MSG_USERAUTH_SUCCESS, &input_userauth_success); dispatch_set(SSH2_MSG_USERAUTH_FAILURE, &input_userauth_failure); dispatch_set(SSH2_MSG_USERAUTH_BANNER, &input_userauth_banner); diff --git a/usr.bin/ssh/sshd.c b/usr.bin/ssh/sshd.c index ed3b92ed85d..af7f9bbe78d 100644 --- a/usr.bin/ssh/sshd.c +++ b/usr.bin/ssh/sshd.c @@ -40,7 +40,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: sshd.c,v 1.188 2001/04/04 09:48:35 markus Exp $"); +RCSID("$OpenBSD: sshd.c,v 1.189 2001/04/04 14:34:58 markus Exp $"); #include #include 
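Review bot: Replacing the 50..254 loop with `dispatch_init(&input_userauth_error)` in ssh_userauth2 resets every table entry, including the SSH2_MSG_KEXINIT handler that kex_setup installs (kex.c hunk in this commit), which the old loop left untouched. A server that initiates a rekey while user authentication is in progress is therefore routed to input_userauth_error rather than kex_input_kexinit; whether that is a hard failure depends on input_userauth_error, which is not shown. If rekeying during userauth should keep working, add `dispatch_set(SSH2_MSG_KEXINIT, &kex_input_kexinit);` after the dispatch_init call, mirroring client_init_dispatch_20 in this commit; otherwise a comment stating that a KEXINIT during userauth is deliberately treated as an error would avoid the surprise. ssh_userauth2's body continues past the end of this hunk.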
@@ -132,6 +132,9 @@ int num_listen_socks = 0; char *client_version_string = NULL; char *server_version_string = NULL; +/* for rekeying XXX fixme */ +Kex *xxx_kex; + /* * Any really sensitive data in the application is contained in this * structure. The idea is that this structure could be locked into memory so @@ -1399,13 +1402,15 @@ do_ssh2_kex(void) } myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = list_hostkey_types(); + /* start key exchange */ kex = kex_setup(myproposal); kex->server = 1; kex->client_version_string=client_version_string; kex->server_version_string=server_version_string; kex->load_host_key=&get_hostkey_by_type; - /* start key exchange */ + xxx_kex = kex; + dispatch_run(DISPATCH_BLOCK, &kex->newkeys, kex); session_id2 = kex->session_id; -- cgit v1.2.3
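Review bot: `Kex *xxx_kex;` is introduced as an unexplained global with only `/* for rekeying XXX fixme */` above it, and is then re-declared by hand in serverloop.c in this same commit; the fixme tells a reader nothing about what the pointer is for or who may use it. Suggest replacing the comment with `/* Kex state of this connection, kept alive after the initial exchange so serverloop can hand a client-initiated SSH2_MSG_KEXINIT to it. */` and putting the single `extern` in kex.h. The assignment `xxx_kex = kex;` in do_ssh2_kex happens before dispatch_run, so the global is live for the rest of the connection; do_ssh2_kex itself continues beyond the end of this hunk.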