From e6e8335847d4870c99c07f511b4a24ae9e053326 Mon Sep 17 00:00:00 2001
From: Jakub Jelen <jjelen@redhat.com>
Date: Thu, 15 Nov 2018 11:03:56 +0100
Subject: [PATCH] packet: Adjust the packet filter to allow client-initialized
rekey
If the rekey is initialized by client, it sends the first KEXINIT
message, changes to the INIT_SENT state and waits for the KEXINIT
message from the server. This was not covered in the current filter.
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Daiki Ueno <dueno@redhat.com>
---
src/packet.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/src/packet.c b/src/packet.c
index 9b7b9b8f..86314961 100644
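--- a/src/packet.c
+++ b/src/packet.c
@@ -292,6 +292,7 @@ static enum ssh_packet_filter_result_e ssh_packet_incoming_filter(ssh_session se
 * - session_state == SSH_SESSION_STATE_AUTHENTICATED
 * or session_state == SSH_SESSION_STATE_INITIAL_KEX
 * - dh_handshake_state == DH_STATE_INIT
+ * or dh_handshake_state == DH_STATE_INIT_SENT (re-exchange)
 * or dh_handshake_state == DH_STATE_FINISHED (re-exchange)
 *
 * Transitions:
@@ -310,6 +311,7 @@ static enum ssh_packet_filter_result_e ssh_packet_incoming_filter(ssh_session se
 }
 
 if ((session->dh_handshake_state != DH_STATE_INIT) &&
+ (session->dh_handshake_state != DH_STATE_INIT_SENT) &&
 (session->dh_handshake_state != DH_STATE_FINISHED))
 {
 rc = SSH_PACKET_DENIED;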
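Review bot: The new `DH_STATE_INIT_SENT` exemption in the KEXINIT check tests `dh_handshake_state` alone, so it is not limited to the re-exchange case that the updated comment describes. The session-state test sits outside this hunk, but per the comment it accepts both `SSH_SESSION_STATE_AUTHENTICATED` and `SSH_SESSION_STATE_INITIAL_KEX`; if `DH_STATE_INIT_SENT` is also reachable during the initial key exchange, a repeated KEXINIT in the middle of that handshake would no longer be denied by this filter. Consider binding the exemption to the authenticated state, e.g. `!(session->dh_handshake_state == DH_STATE_INIT_SENT && session->session_state == SSH_SESSION_STATE_AUTHENTICATED) &&`, and adding a test that a second KEXINIT before authentication is still rejected. The body of ssh_packet_incoming_filter starts and ends outside the hunk, so the rest of this case could not be checked.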
--
2.19.1