- provos@cvs.openbsd.org 2002/03/18 17:50:31

     [auth-bsdauth.c auth-options.c auth-rh-rsa.c auth-rsa.c auth-skey.c auth.h
      auth1.c auth2-chall.c auth2.c kex.c kex.h kexdh.c kexgex.c servconf.c
      session.h servconf.h serverloop.c session.c sshd.c]
     integrate privilege separated openssh; its turned off by default for now.
     work done by me and markus@

applied, but outside of ensure that smaller code bits migrated with
their owners.. no work was tried to 'fix' it to work. =)  Later project!

1 files changed, 6 insertions, 3 deletions

diff --git a/kexgex.c b/kexgex.c
index 61896e6ed..7379e8d10 100644
--- a/kexgex.c
+++ b/kexgex.c
@@ -24,7 +24,7 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: kexgex.c,v 1.20 2002/02/28 15:46:33 markus Exp $");
+RCSID("$OpenBSD: kexgex.c,v 1.21 2002/03/18 17:50:31 provos Exp $");
 
 #include <openssl/bn.h>
 
@@ -38,6 +38,7 @@ RCSID("$OpenBSD: kexgex.c,v 1.20 2002/02/28 15:46:33 markus Exp $");
 #include "dh.h"
 #include "ssh2.h"
 #include "compat.h"
+#include "monitor_wrap.h"
 
 static u_char *
 kexgex_hash(
@@ -296,7 +297,8 @@ kexgex_server(Kex *kex)
                 fatal("DH_GEX_REQUEST, bad parameters: %d !< %d !< %d",
                     min, nbits, max);
 
-        dh = choose_dh(min, nbits, max);
+        /* Contact privileged parent */
+        dh = PRIVSEP(choose_dh(min, nbits, max));
         if (dh == NULL)
                 packet_disconnect("Protocol error: no matching DH grp found");
 
@@ -379,7 +381,7 @@ kexgex_server(Kex *kex)
 
         /* sign H */
         /* XXX hashlen depends on KEX */
-        key_sign(server_host_key, &signature, &slen, hash, 20);
+        PRIVSEP(key_sign(server_host_key, &signature, &slen, hash, 20));
 
         /* destroy_sensitive_data(); */
 
@@ -390,6 +392,7 @@ kexgex_server(Kex *kex)
         packet_put_bignum2(dh->pub_key);        /* f */
         packet_put_string(signature, slen);
         packet_send();
+
         xfree(signature);
         xfree(server_host_key_blob);
         /* have keys, free DH */