upstream: sshd: switch monitor to sshbuf API; lots of help & ok

djm@ OpenBSD-Commit-ID: d89bd02d33974fd35ca0b8940d88572227b34a48
author: markus@openbsd.org <markus@openbsd.org> 2018-07-09 21:53:45 +0000
committer: Damien Miller <djm@mindrot.org> 2018-07-10 16:40:18 +1000
commit: 235c7c4e3bf046982c2d8242f30aacffa01073d1 (patch)
tree: fd07c3d2ef2b932e23f26bbfdb4336e1fcfef3a9 /monitor.c
parent: b8d9214d969775e409e1408ecdf0d58fad99b344 (diff)
1 files changed, 278 insertions, 216 deletions
diff --git a/monitor.c b/monitor.c
index 11f96b72d..bf83f3b56 100644
--- a/monitor.c
+++ b/monitor.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: monitor.c,v 1.182 2018/07/09 21:35:50 markus Exp $ */
+/* $OpenBSD: monitor.c,v 1.183 2018/07/09 21:53:45 markus Exp $ */
 /*
 * Copyright 2002 Niels Provos <provos@citi.umich.edu>
 * Copyright 2002 Markus Friedl <markus@openbsd.org>
@@ -69,7 +69,7 @@
 #include "xmalloc.h"
 #include "ssh.h"
 #include "key.h"
-#include "buffer.h"
+#include "sshbuf.h"
 #include "hostfile.h"
 #include "auth.h"
 #include "cipher.h"
@@ -121,46 +121,46 @@ static struct sshbuf *child_state;
 /* Functions on the monitor that answer unprivileged requests */
-int mm_answer_moduli(int, Buffer *);
+int mm_answer_moduli(int, struct sshbuf *);
-int mm_answer_sign(int, Buffer *);
+int mm_answer_sign(int, struct sshbuf *);
-int mm_answer_pwnamallow(int, Buffer *);
+int mm_answer_pwnamallow(int, struct sshbuf *);
-int mm_answer_auth2_read_banner(int, Buffer *);
+int mm_answer_auth2_read_banner(int, struct sshbuf *);
-int mm_answer_authserv(int, Buffer *);
+int mm_answer_authserv(int, struct sshbuf *);
-int mm_answer_authpassword(int, Buffer *);
+int mm_answer_authpassword(int, struct sshbuf *);
-int mm_answer_bsdauthquery(int, Buffer *);
+int mm_answer_bsdauthquery(int, struct sshbuf *);
-int mm_answer_bsdauthrespond(int, Buffer *);
+int mm_answer_bsdauthrespond(int, struct sshbuf *);
-int mm_answer_skeyquery(int, Buffer *);
+int mm_answer_skeyquery(int, struct sshbuf *);
-int mm_answer_skeyrespond(int, Buffer *);
+int mm_answer_skeyrespond(int, struct sshbuf *);
-int mm_answer_keyallowed(int, Buffer *);
+int mm_answer_keyallowed(int, struct sshbuf *);
-int mm_answer_keyverify(int, Buffer *);
+int mm_answer_keyverify(int, struct sshbuf *);
-int mm_answer_pty(int, Buffer *);
+int mm_answer_pty(int, struct sshbuf *);
-int mm_answer_pty_cleanup(int, Buffer *);
+int mm_answer_pty_cleanup(int, struct sshbuf *);
-int mm_answer_term(int, Buffer *);
+int mm_answer_term(int, struct sshbuf *);
-int mm_answer_rsa_keyallowed(int, Buffer *);
+int mm_answer_rsa_keyallowed(int, struct sshbuf *);
-int mm_answer_rsa_challenge(int, Buffer *);
+int mm_answer_rsa_challenge(int, struct sshbuf *);
-int mm_answer_rsa_response(int, Buffer *);
+int mm_answer_rsa_response(int, struct sshbuf *);
-int mm_answer_sesskey(int, Buffer *);
+int mm_answer_sesskey(int, struct sshbuf *);
-int mm_answer_sessid(int, Buffer *);
+int mm_answer_sessid(int, struct sshbuf *);
 #ifdef USE_PAM
-int mm_answer_pam_start(int, Buffer *);
+int mm_answer_pam_start(int, struct sshbuf *);
-int mm_answer_pam_account(int, Buffer *);
+int mm_answer_pam_account(int, struct sshbuf *);
-int mm_answer_pam_init_ctx(int, Buffer *);
+int mm_answer_pam_init_ctx(int, struct sshbuf *);
-int mm_answer_pam_query(int, Buffer *);
+int mm_answer_pam_query(int, struct sshbuf *);
-int mm_answer_pam_respond(int, Buffer *);
+int mm_answer_pam_respond(int, struct sshbuf *);
-int mm_answer_pam_free_ctx(int, Buffer *);
+int mm_answer_pam_free_ctx(int, struct sshbuf *);
 #endif
 #ifdef GSSAPI
-int mm_answer_gss_setup_ctx(int, Buffer *);
+int mm_answer_gss_setup_ctx(int, struct sshbuf *);
-int mm_answer_gss_accept_ctx(int, Buffer *);
+int mm_answer_gss_accept_ctx(int, struct sshbuf *);
-int mm_answer_gss_userok(int, Buffer *);
+int mm_answer_gss_userok(int, struct sshbuf *);
-int mm_answer_gss_checkmic(int, Buffer *);
+int mm_answer_gss_checkmic(int, struct sshbuf *);
 #endif
 #ifdef SSH_AUDIT_EVENTS
-int mm_answer_audit_event(int, Buffer *);
+int mm_answer_audit_event(int, struct sshbuf *);
-int mm_answer_audit_command(int, Buffer *);
+int mm_answer_audit_command(int, struct sshbuf *);
 #endif
 static int monitor_read_log(struct monitor *);
@@ -169,7 +169,7 @@ static Authctxt *authctxt;
 /* local state for key verify */
 static u_char *key_blob = NULL;
-static u_int key_bloblen = 0;
+static size_t key_bloblen = 0;
 static int key_blobtype = MM_NOKEY;
 static struct sshauthopt *key_opts = NULL;
 static char *hostbased_cuser = NULL;
@@ -183,7 +183,7 @@ static pid_t monitor_child_pid;
 struct mon_table {
        enum monitor_reqtype type;
        int flags;
-        int (*f)(int, Buffer *);
+        int (*f)(int, struct sshbuf *);
 };
 #define MON_ISAUTH      0x0004  /* Required for Authentication */
@@ -426,18 +426,21 @@ monitor_child_postauth(struct monitor *pmonitor)
 static int
 monitor_read_log(struct monitor *pmonitor)
 {
-        Buffer logmsg;
+        struct sshbuf *logmsg;
        u_int len, level;
        char *msg;
+        u_char *p;
+        int r;
-        buffer_init(&logmsg);
+        if ((logmsg = sshbuf_new()) == NULL)
+                fatal("%s: sshbuf_new", __func__);
        /* Read length */
-        buffer_append_space(&logmsg, 4);
+        if ((r = sshbuf_reserve(logmsg, 4, &p)) != 0)
-        if (atomicio(read, pmonitor->m_log_recvfd,
+                fatal("%s: reserve: %s", __func__, ssh_err(r));
-            buffer_ptr(&logmsg), buffer_len(&logmsg)) != buffer_len(&logmsg)) {
+        if (atomicio(read, pmonitor->m_log_recvfd, p, 4) != 4) {
                if (errno == EPIPE) {
-                        buffer_free(&logmsg);
+                        sshbuf_free(logmsg);
                        debug("%s: child log fd closed", __func__);
                        close(pmonitor->m_log_recvfd);
                        pmonitor->m_log_recvfd = -1;
@@ -445,26 +448,28 @@ monitor_read_log(struct monitor *pmonitor)
                }
                fatal("%s: log fd read: %s", __func__, strerror(errno));
        }
-        len = buffer_get_int(&logmsg);
+        if ((r = sshbuf_get_u32(logmsg, &len)) != 0)
+                fatal("%s: get len: %s", __func__, ssh_err(r));
        if (len <= 4 || len > 8192)
                fatal("%s: invalid log message length %u", __func__, len);
        /* Read severity, message */
-        buffer_clear(&logmsg);
+        sshbuf_reset(logmsg);
-        buffer_append_space(&logmsg, len);
+        if ((r = sshbuf_reserve(logmsg, len, &p)) != 0)
-        if (atomicio(read, pmonitor->m_log_recvfd,
+                fatal("%s: reserve: %s", __func__, ssh_err(r));
-            buffer_ptr(&logmsg), buffer_len(&logmsg)) != buffer_len(&logmsg))
+        if (atomicio(read, pmonitor->m_log_recvfd, p, len) != len)
                fatal("%s: log fd read: %s", __func__, strerror(errno));
+        if ((r = sshbuf_get_u32(logmsg, &level)) != 0 ||
+            (r = sshbuf_get_cstring(logmsg, &msg, NULL)) != 0)
+                fatal("%s: decode: %s", __func__, ssh_err(r));
        /* Log it */
-        level = buffer_get_int(&logmsg);
-        msg = buffer_get_string(&logmsg, NULL);
        if (log_level_name(level) == NULL)
                fatal("%s: invalid log level %u (corrupted message?)",
                    __func__, level);
        do_log2(level, "%s [preauth]", msg);
-        buffer_free(&logmsg);
+        sshbuf_free(logmsg);
        free(msg);
        return 0;
@@ -474,8 +479,8 @@ int
 monitor_read(struct monitor *pmonitor, struct mon_table *ent,
    struct mon_table **pent)
 {
-        Buffer m;
+        struct sshbuf *m;
-        int ret;
+        int r, ret;
        u_char type;
        struct pollfd pfd[2];
@@ -502,10 +507,12 @@ monitor_read(struct monitor *pmonitor, struct mon_table *ent,
                        break;  /* Continues below */
        }
-        buffer_init(&m);
+        if ((m = sshbuf_new()) == NULL)
+                fatal("%s: sshbuf_new", __func__);
-        mm_request_receive(pmonitor->m_sendfd, &m);
+        mm_request_receive(pmonitor->m_sendfd, m);
-        type = buffer_get_char(&m);
+        if ((r = sshbuf_get_u8(m, &type)) != 0)
+                fatal("%s: decode: %s", __func__, ssh_err(r));
        debug3("%s: checking request %d", __func__, type);
@@ -519,8 +526,8 @@ monitor_read(struct monitor *pmonitor, struct mon_table *ent,
                if (!(ent->flags & MON_PERMIT))
                        fatal("%s: unpermitted request %d", __func__,
                            type);
-                ret = (*ent->f)(pmonitor->m_sendfd, &m);
+                ret = (*ent->f)(pmonitor->m_sendfd, m);
-                buffer_free(&m);
+                sshbuf_free(m);
                /* The child may use this request only once, disable it */
                if (ent->flags & MON_ONCE) {
@@ -570,14 +577,16 @@ monitor_reset_key_state(void)
 #ifdef WITH_OPENSSL
 int
-mm_answer_moduli(int sock, Buffer *m)
+mm_answer_moduli(int sock, struct sshbuf *m)
 {
        DH *dh;
-        int min, want, max;
+        int r;
+        u_int min, want, max;
-        min = buffer_get_int(m);
+        if ((r = sshbuf_get_u32(m, &min)) != 0 ||
-        want = buffer_get_int(m);
+            (r = sshbuf_get_u32(m, &want)) != 0 ||
-        max = buffer_get_int(m);
+            (r = sshbuf_get_u32(m, &max)) != 0)
+                fatal("%s: buffer error: %s", __func__, ssh_err(r));
        debug3("%s: got parameters: %d %d %d",
            __func__, min, want, max);
@@ -586,17 +595,19 @@ mm_answer_moduli(int sock, Buffer *m)
                fatal("%s: bad parameters: %d %d %d",
                    __func__, min, want, max);
-        buffer_clear(m);
+        sshbuf_reset(m);
        dh = choose_dh(min, want, max);
        if (dh == NULL) {
-                buffer_put_char(m, 0);
+                if ((r = sshbuf_put_u8(m, 0)) != 0)
+                        fatal("%s: buffer error: %s", __func__, ssh_err(r));
                return (0);
        } else {
                /* Send first bignum */
-                buffer_put_char(m, 1);
+                if ((r = sshbuf_put_u8(m, 1)) != 0 ||
-                buffer_put_bignum2(m, dh->p);
+                    (r = sshbuf_put_bignum2(m, dh->p)) != 0 ||
-                buffer_put_bignum2(m, dh->g);
+                    (r = sshbuf_put_bignum2(m, dh->g)) != 0)
+                        fatal("%s: buffer error: %s", __func__, ssh_err(r));
                DH_free(dh);
        }
@@ -606,7 +617,7 @@ mm_answer_moduli(int sock, Buffer *m)
 #endif
 int
-mm_answer_sign(int sock, Buffer *m)
+mm_answer_sign(int sock, struct sshbuf *m)
 {
        struct ssh *ssh = active_state;         /* XXX */
        extern int auth_sock;                   /* XXX move to state struct? */
@@ -708,12 +719,12 @@ mm_answer_sign(int sock, Buffer *m)
 /* Retrieves the password entry and also checks if the user is permitted */
 int
-mm_answer_pwnamallow(int sock, Buffer *m)
+mm_answer_pwnamallow(int sock, struct sshbuf *m)
 {
        struct ssh *ssh = active_state; /* XXX */
        char *username;
        struct passwd *pwent;
-        int allowed = 0;
+        int r, allowed = 0;
        u_int i;
        debug3("%s", __func__);
@@ -721,7 +732,8 @@ mm_answer_pwnamallow(int sock, Buffer *m)
        if (authctxt->attempt++ != 0)
                fatal("%s: multiple attempts for getpwnam", __func__);
-        username = buffer_get_string(m, NULL);
+        if ((r = sshbuf_get_cstring(m, &username, NULL)) != 0)
+                fatal("%s: buffer error: %s", __func__, ssh_err(r));
        pwent = getpwnamallow(username);
@@ -729,10 +741,11 @@ mm_answer_pwnamallow(int sock, Buffer *m)
        setproctitle("%s [priv]", pwent ? username : "unknown");
        free(username);
-        buffer_clear(m);
+        sshbuf_reset(m);
        if (pwent == NULL) {
-                buffer_put_char(m, 0);
+                if ((r = sshbuf_put_u8(m, 0)) != 0)
+                        fatal("%s: buffer error: %s", __func__, ssh_err(r));
                authctxt->pw = fakepw();
                goto out;
        }
@@ -741,31 +754,40 @@ mm_answer_pwnamallow(int sock, Buffer *m)
        authctxt->pw = pwent;
        authctxt->valid = 1;
-        buffer_put_char(m, 1);
+        /* XXX don't sent pwent to unpriv; send fake class/dir/shell too */
-        buffer_put_string(m, pwent, sizeof(struct passwd));
+        if ((r = sshbuf_put_u8(m, 1)) != 0 ||
-        buffer_put_cstring(m, pwent->pw_name);
+            (r = sshbuf_put_string(m, pwent, sizeof(*pwent))) != 0 ||
-        buffer_put_cstring(m, "*");
+            (r = sshbuf_put_cstring(m, pwent->pw_name)) != 0 ||
+            (r = sshbuf_put_cstring(m, "*")) != 0 ||
 #ifdef HAVE_STRUCT_PASSWD_PW_GECOS
-        buffer_put_cstring(m, pwent->pw_gecos);
+            (r = sshbuf_put_cstring(m, pwent->pw_gecos)) != 0 ||
 #endif
 #ifdef HAVE_STRUCT_PASSWD_PW_CLASS
-        buffer_put_cstring(m, pwent->pw_class);
+            (r = sshbuf_put_cstring(m, pwent->pw_class)) != 0 ||
 #endif
-        buffer_put_cstring(m, pwent->pw_dir);
+            (r = sshbuf_put_cstring(m, pwent->pw_dir)) != 0 ||
-        buffer_put_cstring(m, pwent->pw_shell);
+            (r = sshbuf_put_cstring(m, pwent->pw_shell)) != 0)
+                fatal("%s: buffer error: %s", __func__, ssh_err(r));
 out:
        ssh_packet_set_log_preamble(ssh, "%suser %s",
            authctxt->valid ? "authenticating" : "invalid ", authctxt->user);
-        buffer_put_string(m, &options, sizeof(options));
+        if ((r = sshbuf_put_string(m, &options, sizeof(options))) != 0)
+                fatal("%s: buffer error: %s", __func__, ssh_err(r));
 #define M_CP_STROPT(x) do { \
-                if (options.x != NULL) \
+                if (options.x != NULL) { \
-                        buffer_put_cstring(m, options.x); \
+                        if ((r = sshbuf_put_cstring(m, options.x)) != 0) \
+                                fatal("%s: buffer error: %s", \
+                                    __func__, ssh_err(r)); \
+                } \
        } while (0)
 #define M_CP_STRARRAYOPT(x, nx) do { \
-                for (i = 0; i < options.nx; i++) \
+                for (i = 0; i < options.nx; i++) { \
-                        buffer_put_cstring(m, options.x[i]); \
+                        if ((r = sshbuf_put_cstring(m, options.x[i])) != 0) \
+                                fatal("%s: buffer error: %s", \
+                                    __func__, ssh_err(r)); \
+                } \
        } while (0)
        /* See comment in servconf.h */
        COPY_MATCH_STRING_OPTS();
@@ -797,13 +819,15 @@ mm_answer_pwnamallow(int sock, Buffer *m)
        return (0);
 }
-int mm_answer_auth2_read_banner(int sock, Buffer *m)
+int mm_answer_auth2_read_banner(int sock, struct sshbuf *m)
 {
        char *banner;
+        int r;
-        buffer_clear(m);
+        sshbuf_reset(m);
        banner = auth2_read_banner();
-        buffer_put_cstring(m, banner != NULL ? banner : "");
+        if ((r = sshbuf_put_cstring(m, banner != NULL ? banner : "")) != 0)
+                fatal("%s: buffer error: %s", __func__, ssh_err(r));
        mm_request_send(sock, MONITOR_ANS_AUTH2_READ_BANNER, m);
        free(banner);
@@ -811,12 +835,15 @@ int mm_answer_auth2_read_banner(int sock, Buffer *m)
 }
 int
-mm_answer_authserv(int sock, Buffer *m)
+mm_answer_authserv(int sock, struct sshbuf *m)
 {
+        int r;
        monitor_permit_authentications(1);
-        authctxt->service = buffer_get_string(m, NULL);
+        if ((r = sshbuf_get_cstring(m, &authctxt->service, NULL)) != 0 ||
-        authctxt->style = buffer_get_string(m, NULL);
+            (r = sshbuf_get_cstring(m, &authctxt->style, NULL)) != 0)
+                fatal("%s: buffer error: %s", __func__, ssh_err(r));
        debug3("%s: service=%s, style=%s",
            __func__, authctxt->service, authctxt->style);
@@ -829,27 +856,30 @@ mm_answer_authserv(int sock, Buffer *m)
 }
 int
-mm_answer_authpassword(int sock, Buffer *m)
+mm_answer_authpassword(int sock, struct sshbuf *m)
 {
        struct ssh *ssh = active_state; /* XXX */
        static int call_count;
        char *passwd;
-        int authenticated;
+        int r, authenticated;
-        u_int plen;
+        size_t plen;
        if (!options.password_authentication)
                fatal("%s: password authentication not enabled", __func__);
-        passwd = buffer_get_string(m, &plen);
+        if ((r = sshbuf_get_cstring(m, &passwd, &plen)) != 0)
+                fatal("%s: buffer error: %s", __func__, ssh_err(r));
        /* Only authenticate if the context is valid */
        authenticated = options.password_authentication &&
            auth_password(ssh, passwd);
-        explicit_bzero(passwd, strlen(passwd));
+        explicit_bzero(passwd, plen);
        free(passwd);
-        buffer_clear(m);
+        sshbuf_reset(m);
-        buffer_put_int(m, authenticated);
+        if ((r = sshbuf_put_u32(m, authenticated)) != 0)
+                fatal("%s: buffer error: %s", __func__, ssh_err(r));
 #ifdef USE_PAM
-        buffer_put_int(m, sshpam_get_maxtries_reached());
+        if ((r = sshbuf_put_u32(m, sshpam_get_maxtries_reached())) != 0)
+                fatal("%s: buffer error: %s", __func__, ssh_err(r));
 #endif
        debug3("%s: sending result %d", __func__, authenticated);
@@ -867,23 +897,25 @@ mm_answer_authpassword(int sock, Buffer *m)
 #ifdef BSD_AUTH
 int
-mm_answer_bsdauthquery(int sock, Buffer *m)
+mm_answer_bsdauthquery(int sock, struct sshbuf *m)
 {
        char *name, *infotxt;
-        u_int numprompts;
+        u_int numprompts, *echo_on, success;
-        u_int *echo_on;
        char **prompts;
-        u_int success;
+        int r;
        if (!options.kbd_interactive_authentication)
                fatal("%s: kbd-int authentication not enabled", __func__);
        success = bsdauth_query(authctxt, &name, &infotxt, &numprompts,
            &prompts, &echo_on) < 0 ? 0 : 1;
-        buffer_clear(m);
+        sshbuf_reset(m);
-        buffer_put_int(m, success);
+        if ((r = sshbuf_put_u32(m, success)) != 0)
-        if (success)
+                fatal("%s: buffer error: %s", __func__, ssh_err(r));
-                buffer_put_cstring(m, prompts[0]);
+        if (success) {
+                if ((r = sshbuf_put_cstring(m, prompts[0])) != 0)
+                        fatal("%s: buffer error: %s", __func__, ssh_err(r));
+        }
        debug3("%s: sending challenge success: %u", __func__, success);
        mm_request_send(sock, MONITOR_ANS_BSDAUTHQUERY, m);
@@ -899,25 +931,27 @@ mm_answer_bsdauthquery(int sock, Buffer *m)
 }
 int
-mm_answer_bsdauthrespond(int sock, Buffer *m)
+mm_answer_bsdauthrespond(int sock, struct sshbuf *m)
 {
        char *response;
-        int authok;
+        int r, authok;
        if (!options.kbd_interactive_authentication)
                fatal("%s: kbd-int authentication not enabled", __func__);
        if (authctxt->as == NULL)
                fatal("%s: no bsd auth session", __func__);
-        response = buffer_get_string(m, NULL);
+        if ((r = sshbuf_get_cstring(m, &response, NULL)) != 0)
+                fatal("%s: buffer error: %s", __func__, ssh_err(r));
        authok = options.challenge_response_authentication &&
            auth_userresponse(authctxt->as, response, 0);
        authctxt->as = NULL;
        debug3("%s: <%s> = <%d>", __func__, response, authok);
        free(response);
-        buffer_clear(m);
+        sshbuf_reset(m);
-        buffer_put_int(m, authok);
+        if ((r = sshbuf_put_u32(m, authok)) != 0)
+                fatal("%s: buffer error: %s", __func__, ssh_err(r));
        debug3("%s: sending authenticated: %d", __func__, authok);
        mm_request_send(sock, MONITOR_ANS_BSDAUTHRESPOND, m);
@@ -1131,25 +1165,23 @@ mm_answer_pam_free_ctx(int sock, Buffer *m)
 #endif
 int
-mm_answer_keyallowed(int sock, Buffer *m)
+mm_answer_keyallowed(int sock, struct sshbuf *m)
 {
        struct ssh *ssh = active_state; /* XXX */
-        struct sshkey *key;
+        struct sshkey *key = NULL;
        char *cuser, *chost;
-        u_char *blob;
+        u_int pubkey_auth_attempt;
-        u_int bloblen, pubkey_auth_attempt;
        enum mm_keytype type = 0;
        int r, allowed = 0;
        struct sshauthopt *opts = NULL;
        debug3("%s entering", __func__);
-        type = buffer_get_int(m);
+        if ((r = sshbuf_get_u32(m, &type)) != 0 ||
-        cuser = buffer_get_string(m, NULL);
+            (r = sshbuf_get_cstring(m, &cuser, NULL)) != 0 ||
-        chost = buffer_get_string(m, NULL);
+            (r = sshbuf_get_cstring(m, &chost, NULL)) != 0 ||
-        blob = buffer_get_string(m, &bloblen);
+            (r = sshkey_froms(m, &key)) != 0 ||
-        pubkey_auth_attempt = buffer_get_int(m);
+            (r = sshbuf_get_u32(m, &pubkey_auth_attempt)) != 0)
+                fatal("%s: buffer error: %s", __func__, ssh_err(r));
-        key = key_from_blob(blob, bloblen);
        debug3("%s: key_from_blob: %p", __func__, key);
@@ -1199,15 +1231,14 @@ mm_answer_keyallowed(int sock, Buffer *m)
            allowed ? "allowed" : "not allowed");
        auth2_record_key(authctxt, 0, key);
-        sshkey_free(key);
        /* clear temporarily storage (used by verify) */
        monitor_reset_key_state();
        if (allowed) {
                /* Save temporarily for comparison in verify */
-                key_blob = blob;
+                if ((r = sshkey_to_blob(key, &key_blob, &key_bloblen)) != 0)
-                key_bloblen = bloblen;
+                        fatal("%s: buffer error: %s", __func__, ssh_err(r));
                key_blobtype = type;
                key_opts = opts;
                hostbased_cuser = cuser;
@@ -1215,13 +1246,14 @@ mm_answer_keyallowed(int sock, Buffer *m)
        } else {
                /* Log failed attempt */
                auth_log(authctxt, 0, 0, auth_method, NULL);
-                free(blob);
                free(cuser);
                free(chost);
        }
+        sshkey_free(key);
-        buffer_clear(m);
+        sshbuf_reset(m);
-        buffer_put_int(m, allowed);
+        if ((r = sshbuf_put_u32(m, allowed)) != 0)
+                fatal("%s: buffer error: %s", __func__, ssh_err(r));
        if (opts != NULL && (r = sshauthopt_serialise(opts, m, 1)) != 0)
                fatal("%s: sshauthopt_serialise: %s", __func__, ssh_err(r));
        mm_request_send(sock, MONITOR_ANS_KEYALLOWED, m);
@@ -1235,34 +1267,41 @@ mm_answer_keyallowed(int sock, Buffer *m)
 static int
 monitor_valid_userblob(u_char *data, u_int datalen)
 {
-        Buffer b;
+        struct sshbuf *b;
-        u_char *p;
+        const u_char *p;
        char *userstyle, *cp;
-        u_int len;
+        size_t len;
-        int fail = 0;
+        u_char type;
+        int r, fail = 0;
-        buffer_init(&b);
+        if ((b = sshbuf_new()) == NULL)
-        buffer_append(&b, data, datalen);
+                fatal("%s: sshbuf_new", __func__);
+        if ((r = sshbuf_put(b, data, datalen)) != 0)
+                fatal("%s: buffer error: %s", __func__, ssh_err(r));
        if (datafellows & SSH_OLD_SESSIONID) {
-                p = buffer_ptr(&b);
+                p = sshbuf_ptr(b);
-                len = buffer_len(&b);
+                len = sshbuf_len(b);
                if ((session_id2 == NULL) ||
                    (len < session_id2_len) ||
                    (timingsafe_bcmp(p, session_id2, session_id2_len) != 0))
                        fail++;
-                buffer_consume(&b, session_id2_len);
+                if ((r = sshbuf_consume(b, session_id2_len)) != 0)
+                        fatal("%s: buffer error: %s", __func__, ssh_err(r));
        } else {
-                p = buffer_get_string(&b, &len);
+                if ((r = sshbuf_get_string_direct(b, &p, &len)) != 0)
+                        fatal("%s: buffer error: %s", __func__, ssh_err(r));
                if ((session_id2 == NULL) ||
                    (len != session_id2_len) ||
                    (timingsafe_bcmp(p, session_id2, session_id2_len) != 0))
                        fail++;
-                free(p);
        }
-        if (buffer_get_char(&b) != SSH2_MSG_USERAUTH_REQUEST)
+        if ((r = sshbuf_get_u8(b, &type)) != 0)
+                fatal("%s: buffer error: %s", __func__, ssh_err(r));
+        if (type != SSH2_MSG_USERAUTH_REQUEST)
                fail++;
-        cp = buffer_get_cstring(&b, NULL);
+        if ((r = sshbuf_get_cstring(b, &cp, NULL)) != 0)
+                fatal("%s: buffer error: %s", __func__, ssh_err(r));
        xasprintf(&userstyle, "%s%s%s", authctxt->user,
            authctxt->style ? ":" : "",
            authctxt->style ? authctxt->style : "");
@@ -1273,18 +1312,22 @@ monitor_valid_userblob(u_char *data, u_int datalen)
        }
        free(userstyle);
        free(cp);
-        buffer_skip_string(&b);
+        if ((r = sshbuf_skip_string(b)) != 0 || /* service */
-        cp = buffer_get_cstring(&b, NULL);
+            (r = sshbuf_get_cstring(b, &cp, NULL)) != 0)
+                fatal("%s: buffer error: %s", __func__, ssh_err(r));
        if (strcmp("publickey", cp) != 0)
                fail++;
        free(cp);
-        if (!buffer_get_char(&b))
+        if ((r = sshbuf_get_u8(b, &type)) != 0)
+                fatal("%s: buffer error: %s", __func__, ssh_err(r));
+        if (type == 0)
                fail++;
-        buffer_skip_string(&b);
+        if ((r = sshbuf_skip_string(b)) != 0 || /* pkalg */
-        buffer_skip_string(&b);
+            (r = sshbuf_skip_string(b)) != 0)   /* pkblob */
-        if (buffer_len(&b) != 0)
+                fatal("%s: buffer error: %s", __func__, ssh_err(r));
+        if (sshbuf_len(b) != 0)
                fail++;
-        buffer_free(&b);
+        sshbuf_free(b);
        return (fail == 0);
 }
@@ -1292,59 +1335,69 @@ static int
 monitor_valid_hostbasedblob(u_char *data, u_int datalen, char *cuser,
    char *chost)
 {
-        Buffer b;
+        struct sshbuf *b;
-        char *p, *userstyle;
+        const u_char *p;
-        u_int len;
+        char *cp, *userstyle;
-        int fail = 0;
+        size_t len;
+        int r, fail = 0;
+        u_char type;
-        buffer_init(&b);
+        if ((b = sshbuf_new()) == NULL)
-        buffer_append(&b, data, datalen);
+                fatal("%s: sshbuf_new", __func__);
+        if ((r = sshbuf_put(b, data, datalen)) != 0 ||
+            (r = sshbuf_get_string_direct(b, &p, &len)) != 0)
+                fatal("%s: buffer error: %s", __func__, ssh_err(r));
-        p = buffer_get_string(&b, &len);
        if ((session_id2 == NULL) ||
            (len != session_id2_len) ||
            (timingsafe_bcmp(p, session_id2, session_id2_len) != 0))
                fail++;
-        free(p);
-        if (buffer_get_char(&b) != SSH2_MSG_USERAUTH_REQUEST)
+        if ((r = sshbuf_get_u8(b, &type)) != 0)
+                fatal("%s: buffer error: %s", __func__, ssh_err(r));
+        if (type != SSH2_MSG_USERAUTH_REQUEST)
                fail++;
-        p = buffer_get_cstring(&b, NULL);
+        if ((r = sshbuf_get_cstring(b, &cp, NULL)) != 0)
+                fatal("%s: buffer error: %s", __func__, ssh_err(r));
        xasprintf(&userstyle, "%s%s%s", authctxt->user,
            authctxt->style ? ":" : "",
            authctxt->style ? authctxt->style : "");
-        if (strcmp(userstyle, p) != 0) {
+        if (strcmp(userstyle, cp) != 0) {
-                logit("wrong user name passed to monitor: expected %s != %.100s",
+                logit("wrong user name passed to monitor: "
-                    userstyle, p);
+                    "expected %s != %.100s", userstyle, cp);
                fail++;
        }
        free(userstyle);
-        free(p);
+        free(cp);
-        buffer_skip_string(&b); /* service */
+        if ((r = sshbuf_skip_string(b)) != 0 || /* service */
-        p = buffer_get_cstring(&b, NULL);
+            (r = sshbuf_get_cstring(b, &cp, NULL)) != 0)
-        if (strcmp(p, "hostbased") != 0)
+                fatal("%s: buffer error: %s", __func__, ssh_err(r));
+        if (strcmp(cp, "hostbased") != 0)
                fail++;
-        free(p);
+        free(cp);
-        buffer_skip_string(&b); /* pkalg */
+        if ((r = sshbuf_skip_string(b)) != 0 || /* pkalg */
-        buffer_skip_string(&b); /* pkblob */
+            (r = sshbuf_skip_string(b)) != 0)   /* pkblob */
+                fatal("%s: buffer error: %s", __func__, ssh_err(r));
        /* verify client host, strip trailing dot if necessary */
-        p = buffer_get_string(&b, NULL);
+        if ((r = sshbuf_get_cstring(b, &cp, NULL)) != 0)
-        if (((len = strlen(p)) > 0) && p[len - 1] == '.')
+                fatal("%s: buffer error: %s", __func__, ssh_err(r));
-                p[len - 1] = '\0';
+        if (((len = strlen(cp)) > 0) && cp[len - 1] == '.')
-        if (strcmp(p, chost) != 0)
+                cp[len - 1] = '\0';
+        if (strcmp(cp, chost) != 0)
                fail++;
-        free(p);
+        free(cp);
        /* verify client user */
-        p = buffer_get_string(&b, NULL);
+        if ((r = sshbuf_get_cstring(b, &cp, NULL)) != 0)
-        if (strcmp(p, cuser) != 0)
+                fatal("%s: buffer error: %s", __func__, ssh_err(r));
+        if (strcmp(cp, cuser) != 0)
                fail++;
-        free(p);
+        free(cp);
-        if (buffer_len(&b) != 0)
+        if (sshbuf_len(b) != 0)
                fail++;
-        buffer_free(&b);
+        sshbuf_free(b);
        return (fail == 0);
 }
@@ -1460,15 +1513,15 @@ mm_session_close(Session *s)
 }
 int
-mm_answer_pty(int sock, Buffer *m)
+mm_answer_pty(int sock, struct sshbuf *m)
 {
        extern struct monitor *pmonitor;
        Session *s;
-        int res, fd0;
+        int r, res, fd0;
        debug3("%s entering", __func__);
-        buffer_clear(m);
+        sshbuf_reset(m);
        s = session_new();
        if (s == NULL)
                goto error;
@@ -1480,8 +1533,9 @@ mm_answer_pty(int sock, Buffer *m)
                goto error;
        pty_setowner(authctxt->pw, s->tty);
-        buffer_put_int(m, 1);
+        if ((r = sshbuf_put_u32(m, 1)) != 0 ||
-        buffer_put_cstring(m, s->tty);
+            (r = sshbuf_put_cstring(m, s->tty)) != 0)
+                fatal("%s: buffer error: %s", __func__, ssh_err(r));
        /* We need to trick ttyslot */
        if (dup2(s->ttyfd, 0) == -1)
@@ -1493,8 +1547,9 @@ mm_answer_pty(int sock, Buffer *m)
        close(0);
        /* send messages generated by record_login */
-        buffer_put_string(m, buffer_ptr(loginmsg), buffer_len(loginmsg));
+        if ((r = sshbuf_put_stringb(m, loginmsg)) != 0)
-        buffer_clear(loginmsg);
+                fatal("%s: put login message: %s", __func__, ssh_err(r));
+        sshbuf_reset(loginmsg);
        mm_request_send(sock, MONITOR_ANS_PTY, m);
@@ -1521,29 +1576,32 @@ mm_answer_pty(int sock, Buffer *m)
 error:
        if (s != NULL)
                mm_session_close(s);
-        buffer_put_int(m, 0);
+        if ((r = sshbuf_put_u32(m, 0)) != 0)
+                fatal("%s: buffer error: %s", __func__, ssh_err(r));
        mm_request_send(sock, MONITOR_ANS_PTY, m);
        return (0);
 }
 int
-mm_answer_pty_cleanup(int sock, Buffer *m)
+mm_answer_pty_cleanup(int sock, struct sshbuf *m)
 {
        Session *s;
        char *tty;
+        int r;
        debug3("%s entering", __func__);
-        tty = buffer_get_string(m, NULL);
+        if ((r = sshbuf_get_cstring(m, &tty, NULL)) != 0)
+                fatal("%s: buffer error: %s", __func__, ssh_err(r));
        if ((s = session_by_tty(tty)) != NULL)
                mm_session_close(s);
-        buffer_clear(m);
+        sshbuf_reset(m);
        free(tty);
        return (0);
 }
 int
-mm_answer_term(int sock, Buffer *req)
+mm_answer_term(int sock, struct sshbuf *req)
 {
        struct ssh *ssh = active_state; /* XXX */
        extern struct monitor *pmonitor;
@@ -1732,24 +1790,27 @@ monitor_reinit(struct monitor *mon)
 #ifdef GSSAPI
 int
-mm_answer_gss_setup_ctx(int sock, Buffer *m)
+mm_answer_gss_setup_ctx(int sock, struct sshbuf *m)
 {
        gss_OID_desc goid;
        OM_uint32 major;
-        u_int len;
+        size_t len;
+        int r;
        if (!options.gss_authentication)
                fatal("%s: GSSAPI authentication not enabled", __func__);
-        goid.elements = buffer_get_string(m, &len);
+        if ((r = sshbuf_get_string(m, &goid.elements, &len)) != 0)
+                fatal("%s: buffer error: %s", __func__, ssh_err(r));
        goid.length = len;
        major = ssh_gssapi_server_ctx(&gsscontext, &goid);
        free(goid.elements);
-        buffer_clear(m);
+        sshbuf_reset(m);
-        buffer_put_int(m, major);
+        if ((r = sshbuf_put_u32(m, major)) != 0)
+                fatal("%s: buffer error: %s", __func__, ssh_err(r));
        mm_request_send(sock, MONITOR_ANS_GSSSETUP, m);
@@ -1760,26 +1821,27 @@ mm_answer_gss_setup_ctx(int sock, Buffer *m)
 }
 int
-mm_answer_gss_accept_ctx(int sock, Buffer *m)
+mm_answer_gss_accept_ctx(int sock, struct sshbuf *m)
 {
        gss_buffer_desc in;
        gss_buffer_desc out = GSS_C_EMPTY_BUFFER;
        OM_uint32 major, minor;
        OM_uint32 flags = 0; /* GSI needs this */
-        u_int len;
+        int r;
        if (!options.gss_authentication)
                fatal("%s: GSSAPI authentication not enabled", __func__);
-        in.value = buffer_get_string(m, &len);
+        if ((r = sshbuf_get_string(m, &in.value, &in.length)) != 0)
-        in.length = len;
+                fatal("%s: buffer error: %s", __func__, ssh_err(r));
        major = ssh_gssapi_accept_ctx(gsscontext, &in, &out, &flags);
        free(in.value);
-        buffer_clear(m);
+        sshbuf_reset(m);
-        buffer_put_int(m, major);
+        if ((r = sshbuf_put_u32(m, major)) != 0 ||
-        buffer_put_string(m, out.value, out.length);
+            (r = sshbuf_put_string(m, out.value, out.length)) != 0 ||
-        buffer_put_int(m, flags);
+            (r = sshbuf_put_u32(m, flags)) != 0)
+                fatal("%s: buffer error: %s", __func__, ssh_err(r));
        mm_request_send(sock, MONITOR_ANS_GSSSTEP, m);
        gss_release_buffer(&minor, &out);
@@ -1793,27 +1855,26 @@ mm_answer_gss_accept_ctx(int sock, Buffer *m)
 }
 int
-mm_answer_gss_checkmic(int sock, Buffer *m)
+mm_answer_gss_checkmic(int sock, struct sshbuf *m)
 {
        gss_buffer_desc gssbuf, mic;
        OM_uint32 ret;
-        u_int len;
        if (!options.gss_authentication)
                fatal("%s: GSSAPI authentication not enabled", __func__);
-        gssbuf.value = buffer_get_string(m, &len);
+        if ((r = sshbuf_get_string(m, &gssbuf.value, &gssbuf.length)) != 0 ||
-        gssbuf.length = len;
+            (r = sshbuf_get_string(m, &mic.value, &mic.length)) != 0)
-        mic.value = buffer_get_string(m, &len);
+                fatal("%s: buffer error: %s", __func__, ssh_err(r));
-        mic.length = len;
        ret = ssh_gssapi_checkmic(gsscontext, &gssbuf, &mic);
        free(gssbuf.value);
        free(mic.value);
-        buffer_clear(m);
+        sshbuf_reset(m);
-        buffer_put_int(m, ret);
+        if ((r = sshbuf_put_u32(m, ret)) != 0)
+                fatal("%s: buffer error: %s", __func__, ssh_err(r));
        mm_request_send(sock, MONITOR_ANS_GSSCHECKMIC, m);
@@ -1824,7 +1885,7 @@ mm_answer_gss_checkmic(int sock, Buffer *m)
 }
 int
-mm_answer_gss_userok(int sock, Buffer *m)
+mm_answer_gss_userok(int sock, struct sshbuf *m)
 {
        int authenticated;
        const char *displayname;
@@ -1834,8 +1895,9 @@ mm_answer_gss_userok(int sock, Buffer *m)
        authenticated = authctxt->valid && ssh_gssapi_userok(authctxt->user);
-        buffer_clear(m);
+        sshbuf_reset(m);
-        buffer_put_int(m, authenticated);
+        if ((r = sshbuf_put_u32(m, authenticated)) != 0)
+                fatal("%s: buffer error: %s", __func__, ssh_err(r));
        debug3("%s: sending result %d", __func__, authenticated);
        mm_request_send(sock, MONITOR_ANS_GSSUSEROK, m);
author	markus@openbsd.org <markus@openbsd.org>	2018-07-09 21:53:45 +0000
committer	Damien Miller <djm@mindrot.org>	2018-07-10 16:40:18 +1000
commit	235c7c4e3bf046982c2d8242f30aacffa01073d1 (patch)
tree	fd07c3d2ef2b932e23f26bbfdb4336e1fcfef3a9 /monitor.c
parent	b8d9214d969775e409e1408ecdf0d58fad99b344 (diff)