Uppity: get cipher directions the right way round!

The very first thing I tried to test with the new KEXINIT override was
to select a non-default cipher in only one of the two connection
directions. It failed because both client and server tried to send AES
and receive ChaCha20, which doesn't work very well!

The server-readiness tweaks in ssh2transport.c included a switching
system so that when we scan both KEXINITs to determine the chosen
cipher, we can change which one we think is client and which is
server. But I'd forgotten to put in a similar switch for the
structures into which we put the selected algorithms for
client->server and server->client directions. Ahem.
This commit is contained in:
Simon Tatham 2019-03-31 08:45:30 +01:00
Родитель b494ecfcfc
Коммит b5ccdebfb3
2 изменённых файлов: 7 добавлений и 3 удалений

Просмотреть файл

@ -156,10 +156,14 @@ PacketProtocolLayer *ssh2_transport_new(
s->ssc = ssc; s->ssc = ssc;
s->client_kexinit = s->incoming_kexinit; s->client_kexinit = s->incoming_kexinit;
s->server_kexinit = s->outgoing_kexinit; s->server_kexinit = s->outgoing_kexinit;
s->cstrans = &s->in;
s->sctrans = &s->out;
s->out.mkkey_adjust = 1; s->out.mkkey_adjust = 1;
} else { } else {
s->client_kexinit = s->outgoing_kexinit; s->client_kexinit = s->outgoing_kexinit;
s->server_kexinit = s->incoming_kexinit; s->server_kexinit = s->incoming_kexinit;
s->cstrans = &s->out;
s->sctrans = &s->in;
s->in.mkkey_adjust = 1; s->in.mkkey_adjust = 1;
} }
@ -1129,8 +1133,8 @@ static void ssh2_transport_process_queue(PacketProtocolLayer *ppl)
if (!ssh2_scan_kexinits( if (!ssh2_scan_kexinits(
ptrlen_from_strbuf(s->client_kexinit), ptrlen_from_strbuf(s->client_kexinit),
ptrlen_from_strbuf(s->server_kexinit), ptrlen_from_strbuf(s->server_kexinit),
s->kexlists, &s->kex_alg, &s->hostkey_alg, &s->out, &s->in, s->kexlists, &s->kex_alg, &s->hostkey_alg, s->cstrans,
&s->warn_kex, &s->warn_hk, &s->warn_cscipher, s->sctrans, &s->warn_kex, &s->warn_hk, &s->warn_cscipher,
&s->warn_sccipher, s->ppl.ssh, NULL, &s->ignorepkt, &nhk, hks)) &s->warn_sccipher, s->ppl.ssh, NULL, &s->ignorepkt, &nhk, hks))
return; /* false means a fatal error function was called */ return; /* false means a fatal error function was called */

Просмотреть файл

@ -167,7 +167,7 @@ struct ssh2_transport_state {
strbuf *outgoing_kexinit, *incoming_kexinit; strbuf *outgoing_kexinit, *incoming_kexinit;
strbuf *client_kexinit, *server_kexinit; /* aliases to the above */ strbuf *client_kexinit, *server_kexinit; /* aliases to the above */
int kex_init_value, kex_reply_value; int kex_init_value, kex_reply_value;
transport_direction in, out; transport_direction in, out, *cstrans, *sctrans;
ptrlen hostkeydata, sigdata; ptrlen hostkeydata, sigdata;
strbuf *hostkeyblob; strbuf *hostkeyblob;
char *keystr, *fingerprint; char *keystr, *fingerprint;