diff options
-rw-r--r-- | ChangeLog | 5 | ||||
-rw-r--r-- | packet.c | 124 | ||||
-rw-r--r-- | packet.h | 12 |
3 files changed, 124 insertions, 17 deletions
@@ -47,6 +47,9 @@ - markus@cvs.openbsd.org 2002/03/18 17:13:15 [cipher.c cipher.h] export/import cipher states; needed by ssh-privsep + - markus@cvs.openbsd.org 2002/03/18 17:16:38 + [packet.c packet.h] + export/import cipher state, iv and ssh2 seqnr; needed by ssh-privsep 20020317 - (tim) [configure.ac] Assume path given with --with-pid-dir=PATH is wanted, @@ -7893,4 +7896,4 @@ - Wrote replacements for strlcpy and mkdtemp - Released 1.0pre1 -$Id: ChangeLog,v 1.1938 2002/03/22 01:39:44 mouring Exp $ +$Id: ChangeLog,v 1.1939 2002/03/22 01:42:04 mouring Exp $ @@ -37,7 +37,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: packet.c,v 1.90 2002/02/27 21:23:13 stevesk Exp $"); +RCSID("$OpenBSD: packet.c,v 1.91 2002/03/18 17:16:38 markus Exp $"); #include "xmalloc.h" #include "buffer.h" @@ -86,10 +86,10 @@ static CipherContext receive_context; static CipherContext send_context; /* Buffer for raw input data from the socket. */ -static Buffer input; +Buffer input; /* Buffer for raw output data going to the socket. */ -static Buffer output; +Buffer output; /* Buffer for the partial outgoing packet being constructed. */ static Buffer outgoing_packet; @@ -115,6 +115,8 @@ static int interactive_mode = 0; /* Session key information for Encryption and MAC */ Newkeys *newkeys[MODE_MAX]; +static u_int32_t read_seqnr = 0; +static u_int32_t send_seqnr = 0; /* roundup current message to extra_pad bytes */ static u_char extra_pad = 0; @@ -171,6 +173,99 @@ packet_connection_is_on_socket(void) return 1; } +/* + * Exports an IV from the CipherContext required to export the key + * state back from the unprivileged child to the privileged parent + * process. + */ + +void +packet_get_keyiv(int mode, u_char *iv, u_int len) +{ + CipherContext *cc; + + if (mode == MODE_OUT) + cc = &send_context; + else + cc = &receive_context; + + cipher_get_keyiv(cc, iv, len); +} + +int +packet_get_keycontext(int mode, u_char *dat) +{ + CipherContext *cc; + + if (mode == MODE_OUT) + cc = &send_context; + else + cc = &receive_context; + + return (cipher_get_keycontext(cc, dat)); +} + +void +packet_set_keycontext(int mode, u_char *dat) +{ + CipherContext *cc; + + if (mode == MODE_OUT) + cc = &send_context; + else + cc = &receive_context; + + cipher_set_keycontext(cc, dat); +} + +int +packet_get_keyiv_len(int mode) +{ + CipherContext *cc; + + if (mode == MODE_OUT) + cc = &send_context; + else + cc = &receive_context; + + return (cipher_get_keyiv_len(cc)); +} +void +packet_set_iv(int mode, u_char *dat) +{ + CipherContext *cc; + + if (mode == MODE_OUT) + cc = &send_context; + else + cc = &receive_context; + + cipher_set_keyiv(cc, dat); +} +int +packet_get_ssh1_cipher() +{ + return (cipher_get_number(receive_context.cipher)); +} + + +u_int32_t +packet_get_seqnr(int mode) +{ + return (mode == MODE_IN ? read_seqnr : send_seqnr); +} + +void +packet_set_seqnr(int mode, u_int32_t seqnr) +{ + if (mode == MODE_IN) + read_seqnr = seqnr; + else if (mode == MODE_OUT) + send_seqnr = seqnr; + else + fatal("%s: bad mode %d", __FUNCTION__, mode); +} + /* returns 1 if connection is via ipv4 */ int @@ -433,7 +528,7 @@ packet_send1(void) */ } -static void +void set_newkeys(int mode) { Enc *enc; @@ -477,8 +572,9 @@ set_newkeys(int mode) DBG(debug("cipher_init_context: %d", mode)); cipher_init(cc, enc->cipher, enc->key, enc->key_len, enc->iv, enc->block_size, encrypt); - memset(enc->iv, 0, enc->block_size); - memset(enc->key, 0, enc->key_len); + /* Deleting the keys does not gain extra security */ + /* memset(enc->iv, 0, enc->block_size); + memset(enc->key, 0, enc->key_len); */ if (comp->type != 0 && comp->enabled == 0) { packet_init_compression(); if (mode == MODE_OUT) @@ -495,7 +591,6 @@ set_newkeys(int mode) static void packet_send2(void) { - static u_int32_t seqnr = 0; u_char type, *cp, *macbuf = NULL; u_char padlen, pad; u_int packet_length = 0; @@ -576,10 +671,10 @@ packet_send2(void) /* compute MAC over seqnr and packet(length fields, payload, padding) */ if (mac && mac->enabled) { - macbuf = mac_compute(mac, seqnr, + macbuf = mac_compute(mac, send_seqnr, buffer_ptr(&outgoing_packet), buffer_len(&outgoing_packet)); - DBG(debug("done calc MAC out #%d", seqnr)); + DBG(debug("done calc MAC out #%d", send_seqnr)); } /* encrypt packet and append to output buffer. */ cp = buffer_append_space(&output, buffer_len(&outgoing_packet)); @@ -593,7 +688,7 @@ packet_send2(void) buffer_dump(&output); #endif /* increment sequence number for outgoing packets */ - if (++seqnr == 0) + if (++send_seqnr == 0) log("outgoing seqnr wraps around"); buffer_clear(&outgoing_packet); @@ -783,7 +878,6 @@ packet_read_poll1(void) static int packet_read_poll2(u_int32_t *seqnr_p) { - static u_int32_t seqnr = 0; static u_int packet_length = 0; u_int padlen, need; u_char *macbuf, *cp, type; @@ -845,17 +939,17 @@ packet_read_poll2(u_int32_t *seqnr_p) * increment sequence number for incoming packet */ if (mac && mac->enabled) { - macbuf = mac_compute(mac, seqnr, + macbuf = mac_compute(mac, read_seqnr, buffer_ptr(&incoming_packet), buffer_len(&incoming_packet)); if (memcmp(macbuf, buffer_ptr(&input), mac->mac_len) != 0) packet_disconnect("Corrupted MAC on input."); - DBG(debug("MAC #%d ok", seqnr)); + DBG(debug("MAC #%d ok", read_seqnr)); buffer_consume(&input, mac->mac_len); } if (seqnr_p != NULL) - *seqnr_p = seqnr; - if (++seqnr == 0) + *seqnr_p = read_seqnr; + if (++read_seqnr == 0) log("incoming seqnr wraps around"); /* get padlen */ @@ -1,4 +1,4 @@ -/* $OpenBSD: packet.h,v 1.33 2002/03/04 17:27:39 stevesk Exp $ */ +/* $OpenBSD: packet.h,v 1.34 2002/03/18 17:16:38 markus Exp $ */ /* * Author: Tatu Ylonen <ylo@cs.hut.fi> @@ -56,6 +56,16 @@ void *packet_get_string(u_int *length_ptr); void packet_disconnect(const char *fmt,...) __attribute__((format(printf, 1, 2))); void packet_send_debug(const char *fmt,...) __attribute__((format(printf, 1, 2))); +void set_newkeys(int mode); +int packet_get_keyiv_len(int); +void packet_get_keyiv(int, u_char *, u_int); +int packet_get_keycontext(int, u_char *); +void packet_set_keycontext(int, u_char *); +u_int32_t packet_get_seqnr(int); +void packet_set_seqnr(int, u_int32_t); +int packet_get_ssh1_cipher(void); +void packet_set_iv(int, u_char *); + void packet_write_poll(void); void packet_write_wait(void); int packet_have_data_to_write(void); |