changeset 775:2f1c199b6e4b

requirenext fixup for firstkexfollows
author Matt Johnston <matt@ucc.asn.au>
date Sun, 14 Apr 2013 23:16:16 +0800
parents e8b2ca448928
children f7c8b786e595
files CHANGES cli-kex.c common-kex.c common-session.c debug.h process-packet.c session.h svr-kex.c
diffstat 8 files changed, 53 insertions(+), 13 deletions(-) [+]
line wrap: on
line diff
--- a/CHANGES	Sun Apr 14 23:08:57 2013 +0800
+++ b/CHANGES	Sun Apr 14 23:16:16 2013 +0800
@@ -1,3 +1,39 @@
+2013.57 - 
+
+- Improved initial connection time particularly with high latency connections.
+  The number of round trips has been reduced for both client and server. 
+  CPU time hasn't been changed.
+
+- Client will attempt to send an initial key exchange packet to save a round
+  trip. Dropbear implements an extension [email protected] to allow
+  the first packet guess to succeed in wider circumstances than the standard
+  behaviour. When communicating with other implementations the standard
+  behaviour is used.
+
+- Client side: when public key or password authentication with
+  $DROPBEAR_PASSWORD is used, an initial authentication request will
+  be sent immediately rather than querying the list of available methods.
+  This behaviour is enabled by CLI_IMMEDIATE_AUTH option (on by default),
+  please let the Dropbear author know if it causes any interoperability
+  problems.
+
+- Implement client escape characters ~. (terminate session) and 
+  ~^Z (background session)
+
+- Server will more reliably clean up utmp when connection is closed
+
+- Don't crash if /dev/urandom isn't writable (RHEL5), thanks to Scott Case
+
+- Add "-y -y" client option to skip host key checking, thanks to Hans Harder
+
+- scp didn't work properly on systems using vfork(), thanks to Frank Van Uffelen
+
+- Added IUTF8 terminal mode support. Not yet standardised though seems that it
+  will soon be
+
+- Some verbose DROPBEAR_TRACE output is now hidden unless $DROPBEAR_TRACE2
+  enviroment variable is set 
+
 2013.56 - Thursday 21 March 2013
 
 - Allow specifying cipher (-c) and MAC (-m) lists for dbclient
--- a/cli-kex.c	Sun Apr 14 23:08:57 2013 +0800
+++ b/cli-kex.c	Sun Apr 14 23:16:16 2013 +0800
@@ -61,8 +61,8 @@
 	buf_putbyte(ses.writepayload, SSH_MSG_KEXDH_INIT);
 	buf_putmpint(ses.writepayload, cli_ses.dh_e);
 	encrypt_packet();
-	// XXX fixme
-	//ses.requirenext = SSH_MSG_KEXDH_REPLY;
+	ses.requirenext[0] = SSH_MSG_KEXDH_REPLY;
+	ses.requirenext[1] = SSH_MSG_KEXINIT;
 }
 
 /* Handle a diffie-hellman key exchange reply. */
@@ -118,7 +118,8 @@
 	hostkey = NULL;
 
 	send_msg_newkeys();
-	ses.requirenext = SSH_MSG_NEWKEYS;
+	ses.requirenext[0] = SSH_MSG_NEWKEYS;
+	ses.requirenext[1] = 0;
 	TRACE(("leave recv_msg_kexdh_init"))
 }
 
--- a/common-kex.c	Sun Apr 14 23:08:57 2013 +0800
+++ b/common-kex.c	Sun Apr 14 23:16:16 2013 +0800
@@ -542,7 +542,7 @@
 	    buf_putstring(ses.kexhashbuf,
 			ses.transkexinit->data, ses.transkexinit->len);
 
-		ses.requirenext = SSH_MSG_KEXDH_INIT;
+		ses.requirenext[0] = SSH_MSG_KEXDH_INIT;
 	}
 
 	buf_free(ses.transkexinit);
--- a/common-session.c	Sun Apr 14 23:08:57 2013 +0800
+++ b/common-session.c	Sun Apr 14 23:16:16 2013 +0800
@@ -82,7 +82,7 @@
 
 	initqueue(&ses.writequeue);
 
-	ses.requirenext = SSH_MSG_KEXINIT;
+	ses.requirenext[0] = SSH_MSG_KEXINIT;
 	ses.dataallowed = 1; /* we can send data until we actually 
 							send the SSH_MSG_KEXINIT */
 	ses.ignorenext = 0;
--- a/debug.h	Sun Apr 14 23:08:57 2013 +0800
+++ b/debug.h	Sun Apr 14 23:16:16 2013 +0800
@@ -39,7 +39,7 @@
  * Caution: Don't use this in an unfriendly environment (ie unfirewalled),
  * since the printing may not sanitise strings etc. This will add a reasonable
  * amount to your executable size. */
-#define DEBUG_TRACE
+/* #define DEBUG_TRACE */
 
 /* All functions writing to the cleartext payload buffer call
  * CHECKCLEARTOWRITE() before writing. This is only really useful if you're
--- a/process-packet.c	Sun Apr 14 23:08:57 2013 +0800
+++ b/process-packet.c	Sun Apr 14 23:16:16 2013 +0800
@@ -74,14 +74,15 @@
 
 	/* This applies for KEX, where the spec says the next packet MUST be
 	 * NEWKEYS */
-	if (ses.requirenext != 0) {
-		if (ses.requirenext != type) {
-			/* TODO send disconnect? */
+	if (ses.requirenext[0] != 0) {
+		if (ses.requirenext[0] != type
+				&& (ses.requirenext[1] == 0 || ses.requirenext[1] != type)) {
 			dropbear_exit("Unexpected packet type %d, expected %d", type,
 					ses.requirenext);
 		} else {
 			/* Got what we expected */
-			ses.requirenext = 0;
+			ses.requirenext[0] = 0;
+			ses.requirenext[1] = 0;
 		}
 	}
 
--- a/session.h	Sun Apr 14 23:08:57 2013 +0800
+++ b/session.h	Sun Apr 14 23:16:16 2013 +0800
@@ -135,8 +135,9 @@
 	unsigned dataallowed : 1; /* whether we can send data packets or we are in
 								 the middle of a KEX or something */
 
-	unsigned char requirenext; /* byte indicating what packet we require next, 
-								or 0x00 for any */
+	unsigned char requirenext[2]; /* bytes indicating what packets we require next, 
+									 or 0x00 for any. Second option can only be
+									 used if the first byte is also set */
 
 	unsigned char ignorenext; /* whether to ignore the next packet,
 								 used for kex_follows stuff */
--- a/svr-kex.c	Sun Apr 14 23:08:57 2013 +0800
+++ b/svr-kex.c	Sun Apr 14 23:16:16 2013 +0800
@@ -61,7 +61,8 @@
 	mp_clear(&dh_e);
 
 	send_msg_newkeys();
-	ses.requirenext = SSH_MSG_NEWKEYS;
+	ses.requirenext[0] = SSH_MSG_NEWKEYS;
+	ses.requirenext[1] = 0;
 	TRACE(("leave recv_msg_kexdh_init"))
 }