author | Colin Watson <cjwatson@debian.org> | 2019-06-05 06:41:44 +0100 |
---|---|---|
committer | Colin Watson <cjwatson@debian.org> | 2019-06-05 06:41:44 +0100 |
commit | 102062f825fb26a74295a1c089c00c4c4c76b68a (patch) | |
tree | 3db66bc8c8483cce66516dff36f6ef56065143d9 /monitor.c | |
parent | 3d246f10429fc9a37b98eabef94fe8dc7c61002b (diff) | |
parent | fd0fa130ecf06d7d092932adcd5d77f1549bfc8d (diff) |
Import openssh_8.0p1.orig.tar.gz
Diffstat (limited to 'monitor.c')
-rw-r--r-- | monitor.c | 234 |
1 files changed, 129 insertions, 105 deletions
@@ -1,4 +1,4 @@ | |||
1 | /* $OpenBSD: monitor.c,v 1.186 2018/07/20 03:46:34 djm Exp $ */ | 1 | /* $OpenBSD: monitor.c,v 1.197 2019/01/21 10:38:54 djm Exp $ */ |
2 | /* | 2 | /* |
3 | * Copyright 2002 Niels Provos <provos@citi.umich.edu> | 3 | * Copyright 2002 Niels Provos <provos@citi.umich.edu> |
4 | * Copyright 2002 Markus Friedl <markus@openbsd.org> | 4 | * Copyright 2002 Markus Friedl <markus@openbsd.org> |
@@ -112,48 +112,48 @@ static struct sshbuf *child_state; | |||
112 | 112 | ||
113 | /* Functions on the monitor that answer unprivileged requests */ | 113 | /* Functions on the monitor that answer unprivileged requests */ |
114 | 114 | ||
115 | int mm_answer_moduli(int, struct sshbuf *); | 115 | int mm_answer_moduli(struct ssh *, int, struct sshbuf *); |
116 | int mm_answer_sign(int, struct sshbuf *); | 116 | int mm_answer_sign(struct ssh *, int, struct sshbuf *); |
117 | int mm_answer_pwnamallow(int, struct sshbuf *); | 117 | int mm_answer_pwnamallow(struct ssh *, int, struct sshbuf *); |
118 | int mm_answer_auth2_read_banner(int, struct sshbuf *); | 118 | int mm_answer_auth2_read_banner(struct ssh *, int, struct sshbuf *); |
119 | int mm_answer_authserv(int, struct sshbuf *); | 119 | int mm_answer_authserv(struct ssh *, int, struct sshbuf *); |
120 | int mm_answer_authpassword(int, struct sshbuf *); | 120 | int mm_answer_authpassword(struct ssh *, int, struct sshbuf *); |
121 | int mm_answer_bsdauthquery(int, struct sshbuf *); | 121 | int mm_answer_bsdauthquery(struct ssh *, int, struct sshbuf *); |
122 | int mm_answer_bsdauthrespond(int, struct sshbuf *); | 122 | int mm_answer_bsdauthrespond(struct ssh *, int, struct sshbuf *); |
123 | int mm_answer_keyallowed(int, struct sshbuf *); | 123 | int mm_answer_skeyquery(struct ssh *, int, struct sshbuf *); |
124 | int mm_answer_keyverify(int, struct sshbuf *); | 124 | int mm_answer_skeyrespond(struct ssh *, int, struct sshbuf *); |
125 | int mm_answer_pty(int, struct sshbuf *); | 125 | int mm_answer_keyallowed(struct ssh *, int, struct sshbuf *); |
126 | int mm_answer_pty_cleanup(int, struct sshbuf *); | 126 | int mm_answer_keyverify(struct ssh *, int, struct sshbuf *); |
127 | int mm_answer_term(int, struct sshbuf *); | 127 | int mm_answer_pty(struct ssh *, int, struct sshbuf *); |
128 | int mm_answer_rsa_keyallowed(int, struct sshbuf *); | 128 | int mm_answer_pty_cleanup(struct ssh *, int, struct sshbuf *); |
129 | int mm_answer_rsa_challenge(int, struct sshbuf *); | 129 | int mm_answer_term(struct ssh *, int, struct sshbuf *); |
130 | int mm_answer_rsa_response(int, struct sshbuf *); | 130 | int mm_answer_rsa_keyallowed(struct ssh *, int, struct sshbuf *); |
131 | int mm_answer_sesskey(int, struct sshbuf *); | 131 | int mm_answer_rsa_challenge(struct ssh *, int, struct sshbuf *); |
132 | int mm_answer_sessid(int, struct sshbuf *); | 132 | int mm_answer_rsa_response(struct ssh *, int, struct sshbuf *); |
133 | int mm_answer_sesskey(struct ssh *, int, struct sshbuf *); | ||
134 | int mm_answer_sessid(struct ssh *, int, struct sshbuf *); | ||
133 | 135 | ||
134 | #ifdef USE_PAM | 136 | #ifdef USE_PAM |
135 | int mm_answer_pam_start(int, struct sshbuf *); | 137 | int mm_answer_pam_start(struct ssh *, int, struct sshbuf *); |
136 | int mm_answer_pam_account(int, struct sshbuf *); | 138 | int mm_answer_pam_account(struct ssh *, int, struct sshbuf *); |
137 | int mm_answer_pam_init_ctx(int, struct sshbuf *); | 139 | int mm_answer_pam_init_ctx(struct ssh *, int, struct sshbuf *); |
138 | int mm_answer_pam_query(int, struct sshbuf *); | 140 | int mm_answer_pam_query(struct ssh *, int, struct sshbuf *); |
139 | int mm_answer_pam_respond(int, struct sshbuf *); | 141 | int mm_answer_pam_respond(struct ssh *, int, struct sshbuf *); |
140 | int mm_answer_pam_free_ctx(int, struct sshbuf *); | 142 | int mm_answer_pam_free_ctx(struct ssh *, int, struct sshbuf *); |
141 | #endif | 143 | #endif |
142 | 144 | ||
143 | #ifdef GSSAPI | 145 | #ifdef GSSAPI |
144 | int mm_answer_gss_setup_ctx(int, struct sshbuf *); | 146 | int mm_answer_gss_setup_ctx(struct ssh *, int, struct sshbuf *); |
145 | int mm_answer_gss_accept_ctx(int, struct sshbuf *); | 147 | int mm_answer_gss_accept_ctx(struct ssh *, int, struct sshbuf *); |
146 | int mm_answer_gss_userok(int, struct sshbuf *); | 148 | int mm_answer_gss_userok(struct ssh *, int, struct sshbuf *); |
147 | int mm_answer_gss_checkmic(int, struct sshbuf *); | 149 | int mm_answer_gss_checkmic(struct ssh *, int, struct sshbuf *); |
148 | #endif | 150 | #endif |
149 | 151 | ||
150 | #ifdef SSH_AUDIT_EVENTS | 152 | #ifdef SSH_AUDIT_EVENTS |
151 | int mm_answer_audit_event(int, struct sshbuf *); | 153 | int mm_answer_audit_event(struct ssh *, int, struct sshbuf *); |
152 | int mm_answer_audit_command(int, struct sshbuf *); | 154 | int mm_answer_audit_command(struct ssh *, int, struct sshbuf *); |
153 | #endif | 155 | #endif |
154 | 156 | ||
155 | static int monitor_read_log(struct monitor *); | ||
156 | |||
157 | static Authctxt *authctxt; | 157 | static Authctxt *authctxt; |
158 | 158 | ||
159 | /* local state for key verify */ | 159 | /* local state for key verify */ |
@@ -172,7 +172,7 @@ static pid_t monitor_child_pid; | |||
172 | struct mon_table { | 172 | struct mon_table { |
173 | enum monitor_reqtype type; | 173 | enum monitor_reqtype type; |
174 | int flags; | 174 | int flags; |
175 | int (*f)(int, struct sshbuf *); | 175 | int (*f)(struct ssh *, int, struct sshbuf *); |
176 | }; | 176 | }; |
177 | 177 | ||
178 | #define MON_ISAUTH 0x0004 /* Required for Authentication */ | 178 | #define MON_ISAUTH 0x0004 /* Required for Authentication */ |
@@ -184,6 +184,10 @@ struct mon_table { | |||
184 | 184 | ||
185 | #define MON_PERMIT 0x1000 /* Request is permitted */ | 185 | #define MON_PERMIT 0x1000 /* Request is permitted */ |
186 | 186 | ||
187 | static int monitor_read(struct ssh *, struct monitor *, struct mon_table *, | ||
188 | struct mon_table **); | ||
189 | static int monitor_read_log(struct monitor *); | ||
190 | |||
187 | struct mon_table mon_dispatch_proto20[] = { | 191 | struct mon_table mon_dispatch_proto20[] = { |
188 | #ifdef WITH_OPENSSL | 192 | #ifdef WITH_OPENSSL |
189 | {MONITOR_REQ_MODULI, MON_ONCE, mm_answer_moduli}, | 193 | {MONITOR_REQ_MODULI, MON_ONCE, mm_answer_moduli}, |
@@ -265,9 +269,8 @@ monitor_permit_authentications(int permit) | |||
265 | } | 269 | } |
266 | 270 | ||
267 | void | 271 | void |
268 | monitor_child_preauth(Authctxt *_authctxt, struct monitor *pmonitor) | 272 | monitor_child_preauth(struct ssh *ssh, struct monitor *pmonitor) |
269 | { | 273 | { |
270 | struct ssh *ssh = active_state; /* XXX */ | ||
271 | struct mon_table *ent; | 274 | struct mon_table *ent; |
272 | int authenticated = 0, partial = 0; | 275 | int authenticated = 0, partial = 0; |
273 | 276 | ||
@@ -279,7 +282,7 @@ monitor_child_preauth(Authctxt *_authctxt, struct monitor *pmonitor) | |||
279 | close(pmonitor->m_log_sendfd); | 282 | close(pmonitor->m_log_sendfd); |
280 | pmonitor->m_log_sendfd = pmonitor->m_recvfd = -1; | 283 | pmonitor->m_log_sendfd = pmonitor->m_recvfd = -1; |
281 | 284 | ||
282 | authctxt = _authctxt; | 285 | authctxt = (Authctxt *)ssh->authctxt; |
283 | memset(authctxt, 0, sizeof(*authctxt)); | 286 | memset(authctxt, 0, sizeof(*authctxt)); |
284 | ssh->authctxt = authctxt; | 287 | ssh->authctxt = authctxt; |
285 | 288 | ||
@@ -297,7 +300,8 @@ monitor_child_preauth(Authctxt *_authctxt, struct monitor *pmonitor) | |||
297 | auth_submethod = NULL; | 300 | auth_submethod = NULL; |
298 | auth2_authctxt_reset_info(authctxt); | 301 | auth2_authctxt_reset_info(authctxt); |
299 | 302 | ||
300 | authenticated = (monitor_read(pmonitor, mon_dispatch, &ent) == 1); | 303 | authenticated = (monitor_read(ssh, pmonitor, |
304 | mon_dispatch, &ent) == 1); | ||
301 | 305 | ||
302 | /* Special handling for multiple required authentications */ | 306 | /* Special handling for multiple required authentications */ |
303 | if (options.num_auth_methods != 0) { | 307 | if (options.num_auth_methods != 0) { |
@@ -329,13 +333,13 @@ monitor_child_preauth(Authctxt *_authctxt, struct monitor *pmonitor) | |||
329 | mm_request_receive_expect(pmonitor->m_sendfd, | 333 | mm_request_receive_expect(pmonitor->m_sendfd, |
330 | MONITOR_REQ_PAM_ACCOUNT, m); | 334 | MONITOR_REQ_PAM_ACCOUNT, m); |
331 | authenticated = mm_answer_pam_account( | 335 | authenticated = mm_answer_pam_account( |
332 | pmonitor->m_sendfd, m); | 336 | ssh, pmonitor->m_sendfd, m); |
333 | sshbuf_free(m); | 337 | sshbuf_free(m); |
334 | } | 338 | } |
335 | #endif | 339 | #endif |
336 | } | 340 | } |
337 | if (ent->flags & (MON_AUTHDECIDE|MON_ALOG)) { | 341 | if (ent->flags & (MON_AUTHDECIDE|MON_ALOG)) { |
338 | auth_log(authctxt, authenticated, partial, | 342 | auth_log(ssh, authenticated, partial, |
339 | auth_method, auth_submethod); | 343 | auth_method, auth_submethod); |
340 | if (!partial && !authenticated) | 344 | if (!partial && !authenticated) |
341 | authctxt->failures++; | 345 | authctxt->failures++; |
@@ -356,7 +360,7 @@ monitor_child_preauth(Authctxt *_authctxt, struct monitor *pmonitor) | |||
356 | ssh->authctxt = NULL; | 360 | ssh->authctxt = NULL; |
357 | ssh_packet_set_log_preamble(ssh, "user %s", authctxt->user); | 361 | ssh_packet_set_log_preamble(ssh, "user %s", authctxt->user); |
358 | 362 | ||
359 | mm_get_keystate(pmonitor); | 363 | mm_get_keystate(ssh, pmonitor); |
360 | 364 | ||
361 | /* Drain any buffered messages from the child */ | 365 | /* Drain any buffered messages from the child */ |
362 | while (pmonitor->m_log_recvfd != -1 && monitor_read_log(pmonitor) == 0) | 366 | while (pmonitor->m_log_recvfd != -1 && monitor_read_log(pmonitor) == 0) |
@@ -382,7 +386,7 @@ monitor_child_handler(int sig) | |||
382 | } | 386 | } |
383 | 387 | ||
384 | void | 388 | void |
385 | monitor_child_postauth(struct monitor *pmonitor) | 389 | monitor_child_postauth(struct ssh *ssh, struct monitor *pmonitor) |
386 | { | 390 | { |
387 | close(pmonitor->m_recvfd); | 391 | close(pmonitor->m_recvfd); |
388 | pmonitor->m_recvfd = -1; | 392 | pmonitor->m_recvfd = -1; |
@@ -408,7 +412,7 @@ monitor_child_postauth(struct monitor *pmonitor) | |||
408 | } | 412 | } |
409 | 413 | ||
410 | for (;;) | 414 | for (;;) |
411 | monitor_read(pmonitor, mon_dispatch, NULL); | 415 | monitor_read(ssh, pmonitor, mon_dispatch, NULL); |
412 | } | 416 | } |
413 | 417 | ||
414 | static int | 418 | static int |
@@ -463,8 +467,8 @@ monitor_read_log(struct monitor *pmonitor) | |||
463 | return 0; | 467 | return 0; |
464 | } | 468 | } |
465 | 469 | ||
466 | int | 470 | static int |
467 | monitor_read(struct monitor *pmonitor, struct mon_table *ent, | 471 | monitor_read(struct ssh *ssh, struct monitor *pmonitor, struct mon_table *ent, |
468 | struct mon_table **pent) | 472 | struct mon_table **pent) |
469 | { | 473 | { |
470 | struct sshbuf *m; | 474 | struct sshbuf *m; |
@@ -514,7 +518,7 @@ monitor_read(struct monitor *pmonitor, struct mon_table *ent, | |||
514 | if (!(ent->flags & MON_PERMIT)) | 518 | if (!(ent->flags & MON_PERMIT)) |
515 | fatal("%s: unpermitted request %d", __func__, | 519 | fatal("%s: unpermitted request %d", __func__, |
516 | type); | 520 | type); |
517 | ret = (*ent->f)(pmonitor->m_sendfd, m); | 521 | ret = (*ent->f)(ssh, pmonitor->m_sendfd, m); |
518 | sshbuf_free(m); | 522 | sshbuf_free(m); |
519 | 523 | ||
520 | /* The child may use this request only once, disable it */ | 524 | /* The child may use this request only once, disable it */ |
@@ -565,7 +569,7 @@ monitor_reset_key_state(void) | |||
565 | 569 | ||
566 | #ifdef WITH_OPENSSL | 570 | #ifdef WITH_OPENSSL |
567 | int | 571 | int |
568 | mm_answer_moduli(int sock, struct sshbuf *m) | 572 | mm_answer_moduli(struct ssh *ssh, int sock, struct sshbuf *m) |
569 | { | 573 | { |
570 | DH *dh; | 574 | DH *dh; |
571 | const BIGNUM *dh_p, *dh_g; | 575 | const BIGNUM *dh_p, *dh_g; |
@@ -607,9 +611,8 @@ mm_answer_moduli(int sock, struct sshbuf *m) | |||
607 | #endif | 611 | #endif |
608 | 612 | ||
609 | int | 613 | int |
610 | mm_answer_sign(int sock, struct sshbuf *m) | 614 | mm_answer_sign(struct ssh *ssh, int sock, struct sshbuf *m) |
611 | { | 615 | { |
612 | struct ssh *ssh = active_state; /* XXX */ | ||
613 | extern int auth_sock; /* XXX move to state struct? */ | 616 | extern int auth_sock; /* XXX move to state struct? */ |
614 | struct sshkey *key; | 617 | struct sshkey *key; |
615 | struct sshbuf *sigbuf = NULL; | 618 | struct sshbuf *sigbuf = NULL; |
@@ -710,9 +713,8 @@ mm_answer_sign(int sock, struct sshbuf *m) | |||
710 | /* Retrieves the password entry and also checks if the user is permitted */ | 713 | /* Retrieves the password entry and also checks if the user is permitted */ |
711 | 714 | ||
712 | int | 715 | int |
713 | mm_answer_pwnamallow(int sock, struct sshbuf *m) | 716 | mm_answer_pwnamallow(struct ssh *ssh, int sock, struct sshbuf *m) |
714 | { | 717 | { |
715 | struct ssh *ssh = active_state; /* XXX */ | ||
716 | char *username; | 718 | char *username; |
717 | struct passwd *pwent; | 719 | struct passwd *pwent; |
718 | int r, allowed = 0; | 720 | int r, allowed = 0; |
@@ -726,7 +728,7 @@ mm_answer_pwnamallow(int sock, struct sshbuf *m) | |||
726 | if ((r = sshbuf_get_cstring(m, &username, NULL)) != 0) | 728 | if ((r = sshbuf_get_cstring(m, &username, NULL)) != 0) |
727 | fatal("%s: buffer error: %s", __func__, ssh_err(r)); | 729 | fatal("%s: buffer error: %s", __func__, ssh_err(r)); |
728 | 730 | ||
729 | pwent = getpwnamallow(username); | 731 | pwent = getpwnamallow(ssh, username); |
730 | 732 | ||
731 | authctxt->user = xstrdup(username); | 733 | authctxt->user = xstrdup(username); |
732 | setproctitle("%s [priv]", pwent ? username : "unknown"); | 734 | setproctitle("%s [priv]", pwent ? username : "unknown"); |
@@ -810,7 +812,7 @@ mm_answer_pwnamallow(int sock, struct sshbuf *m) | |||
810 | return (0); | 812 | return (0); |
811 | } | 813 | } |
812 | 814 | ||
813 | int mm_answer_auth2_read_banner(int sock, struct sshbuf *m) | 815 | int mm_answer_auth2_read_banner(struct ssh *ssh, int sock, struct sshbuf *m) |
814 | { | 816 | { |
815 | char *banner; | 817 | char *banner; |
816 | int r; | 818 | int r; |
@@ -826,7 +828,7 @@ int mm_answer_auth2_read_banner(int sock, struct sshbuf *m) | |||
826 | } | 828 | } |
827 | 829 | ||
828 | int | 830 | int |
829 | mm_answer_authserv(int sock, struct sshbuf *m) | 831 | mm_answer_authserv(struct ssh *ssh, int sock, struct sshbuf *m) |
830 | { | 832 | { |
831 | int r; | 833 | int r; |
832 | 834 | ||
@@ -846,10 +848,38 @@ mm_answer_authserv(int sock, struct sshbuf *m) | |||
846 | return (0); | 848 | return (0); |
847 | } | 849 | } |
848 | 850 | ||
851 | /* | ||
852 | * Check that the key type appears in the supplied pattern list, ignoring | ||
853 | * mismatches in the signature algorithm. (Signature algorithm checks are | ||
854 | * performed in the unprivileged authentication code). | ||
855 | * Returns 1 on success, 0 otherwise. | ||
856 | */ | ||
857 | static int | ||
858 | key_base_type_match(const char *method, const struct sshkey *key, | ||
859 | const char *list) | ||
860 | { | ||
861 | char *s, *l, *ol = xstrdup(list); | ||
862 | int found = 0; | ||
863 | |||
864 | l = ol; | ||
865 | for ((s = strsep(&l, ",")); s && *s != '\0'; (s = strsep(&l, ","))) { | ||
866 | if (sshkey_type_from_name(s) == key->type) { | ||
867 | found = 1; | ||
868 | break; | ||
869 | } | ||
870 | } | ||
871 | if (!found) { | ||
872 | error("%s key type %s is not in permitted list %s", method, | ||
873 | sshkey_ssh_name(key), list); | ||
874 | } | ||
875 | |||
876 | free(ol); | ||
877 | return found; | ||
878 | } | ||
879 | |||
849 | int | 880 | int |
850 | mm_answer_authpassword(int sock, struct sshbuf *m) | 881 | mm_answer_authpassword(struct ssh *ssh, int sock, struct sshbuf *m) |
851 | { | 882 | { |
852 | struct ssh *ssh = active_state; /* XXX */ | ||
853 | static int call_count; | 883 | static int call_count; |
854 | char *passwd; | 884 | char *passwd; |
855 | int r, authenticated; | 885 | int r, authenticated; |
@@ -888,7 +918,7 @@ mm_answer_authpassword(int sock, struct sshbuf *m) | |||
888 | 918 | ||
889 | #ifdef BSD_AUTH | 919 | #ifdef BSD_AUTH |
890 | int | 920 | int |
891 | mm_answer_bsdauthquery(int sock, struct sshbuf *m) | 921 | mm_answer_bsdauthquery(struct ssh *ssh, int sock, struct sshbuf *m) |
892 | { | 922 | { |
893 | char *name, *infotxt; | 923 | char *name, *infotxt; |
894 | u_int numprompts, *echo_on, success; | 924 | u_int numprompts, *echo_on, success; |
@@ -922,7 +952,7 @@ mm_answer_bsdauthquery(int sock, struct sshbuf *m) | |||
922 | } | 952 | } |
923 | 953 | ||
924 | int | 954 | int |
925 | mm_answer_bsdauthrespond(int sock, struct sshbuf *m) | 955 | mm_answer_bsdauthrespond(struct ssh *ssh, int sock, struct sshbuf *m) |
926 | { | 956 | { |
927 | char *response; | 957 | char *response; |
928 | int r, authok; | 958 | int r, authok; |
@@ -956,12 +986,12 @@ mm_answer_bsdauthrespond(int sock, struct sshbuf *m) | |||
956 | 986 | ||
957 | #ifdef USE_PAM | 987 | #ifdef USE_PAM |
958 | int | 988 | int |
959 | mm_answer_pam_start(int sock, struct sshbuf *m) | 989 | mm_answer_pam_start(struct ssh *ssh, int sock, struct sshbuf *m) |
960 | { | 990 | { |
961 | if (!options.use_pam) | 991 | if (!options.use_pam) |
962 | fatal("UsePAM not set, but ended up in %s anyway", __func__); | 992 | fatal("UsePAM not set, but ended up in %s anyway", __func__); |
963 | 993 | ||
964 | start_pam(authctxt); | 994 | start_pam(ssh); |
965 | 995 | ||
966 | monitor_permit(mon_dispatch, MONITOR_REQ_PAM_ACCOUNT, 1); | 996 | monitor_permit(mon_dispatch, MONITOR_REQ_PAM_ACCOUNT, 1); |
967 | if (options.kbd_interactive_authentication) | 997 | if (options.kbd_interactive_authentication) |
@@ -971,7 +1001,7 @@ mm_answer_pam_start(int sock, struct sshbuf *m) | |||
971 | } | 1001 | } |
972 | 1002 | ||
973 | int | 1003 | int |
974 | mm_answer_pam_account(int sock, struct sshbuf *m) | 1004 | mm_answer_pam_account(struct ssh *ssh, int sock, struct sshbuf *m) |
975 | { | 1005 | { |
976 | u_int ret; | 1006 | u_int ret; |
977 | int r; | 1007 | int r; |
@@ -994,7 +1024,7 @@ static void *sshpam_ctxt, *sshpam_authok; | |||
994 | extern KbdintDevice sshpam_device; | 1024 | extern KbdintDevice sshpam_device; |
995 | 1025 | ||
996 | int | 1026 | int |
997 | mm_answer_pam_init_ctx(int sock, struct sshbuf *m) | 1027 | mm_answer_pam_init_ctx(struct ssh *ssh, int sock, struct sshbuf *m) |
998 | { | 1028 | { |
999 | u_int ok = 0; | 1029 | u_int ok = 0; |
1000 | int r; | 1030 | int r; |
@@ -1019,7 +1049,7 @@ mm_answer_pam_init_ctx(int sock, struct sshbuf *m) | |||
1019 | } | 1049 | } |
1020 | 1050 | ||
1021 | int | 1051 | int |
1022 | mm_answer_pam_query(int sock, struct sshbuf *m) | 1052 | mm_answer_pam_query(struct ssh *ssh, int sock, struct sshbuf *m) |
1023 | { | 1053 | { |
1024 | char *name = NULL, *info = NULL, **prompts = NULL; | 1054 | char *name = NULL, *info = NULL, **prompts = NULL; |
1025 | u_int i, num = 0, *echo_on = 0; | 1055 | u_int i, num = 0, *echo_on = 0; |
@@ -1060,7 +1090,7 @@ mm_answer_pam_query(int sock, struct sshbuf *m) | |||
1060 | } | 1090 | } |
1061 | 1091 | ||
1062 | int | 1092 | int |
1063 | mm_answer_pam_respond(int sock, struct sshbuf *m) | 1093 | mm_answer_pam_respond(struct ssh *ssh, int sock, struct sshbuf *m) |
1064 | { | 1094 | { |
1065 | char **resp; | 1095 | char **resp; |
1066 | u_int i, num; | 1096 | u_int i, num; |
@@ -1098,7 +1128,7 @@ mm_answer_pam_respond(int sock, struct sshbuf *m) | |||
1098 | } | 1128 | } |
1099 | 1129 | ||
1100 | int | 1130 | int |
1101 | mm_answer_pam_free_ctx(int sock, struct sshbuf *m) | 1131 | mm_answer_pam_free_ctx(struct ssh *ssh, int sock, struct sshbuf *m) |
1102 | { | 1132 | { |
1103 | int r = sshpam_authok != NULL && sshpam_authok == sshpam_ctxt; | 1133 | int r = sshpam_authok != NULL && sshpam_authok == sshpam_ctxt; |
1104 | 1134 | ||
@@ -1118,9 +1148,8 @@ mm_answer_pam_free_ctx(int sock, struct sshbuf *m) | |||
1118 | #endif | 1148 | #endif |
1119 | 1149 | ||
1120 | int | 1150 | int |
1121 | mm_answer_keyallowed(int sock, struct sshbuf *m) | 1151 | mm_answer_keyallowed(struct ssh *ssh, int sock, struct sshbuf *m) |
1122 | { | 1152 | { |
1123 | struct ssh *ssh = active_state; /* XXX */ | ||
1124 | struct sshkey *key = NULL; | 1153 | struct sshkey *key = NULL; |
1125 | char *cuser, *chost; | 1154 | char *cuser, *chost; |
1126 | u_int pubkey_auth_attempt; | 1155 | u_int pubkey_auth_attempt; |
@@ -1151,8 +1180,8 @@ mm_answer_keyallowed(int sock, struct sshbuf *m) | |||
1151 | break; | 1180 | break; |
1152 | if (auth2_key_already_used(authctxt, key)) | 1181 | if (auth2_key_already_used(authctxt, key)) |
1153 | break; | 1182 | break; |
1154 | if (match_pattern_list(sshkey_ssh_name(key), | 1183 | if (!key_base_type_match(auth_method, key, |
1155 | options.pubkey_key_types, 0) != 1) | 1184 | options.pubkey_key_types)) |
1156 | break; | 1185 | break; |
1157 | allowed = user_key_allowed(ssh, authctxt->pw, key, | 1186 | allowed = user_key_allowed(ssh, authctxt->pw, key, |
1158 | pubkey_auth_attempt, &opts); | 1187 | pubkey_auth_attempt, &opts); |
@@ -1163,10 +1192,10 @@ mm_answer_keyallowed(int sock, struct sshbuf *m) | |||
1163 | break; | 1192 | break; |
1164 | if (auth2_key_already_used(authctxt, key)) | 1193 | if (auth2_key_already_used(authctxt, key)) |
1165 | break; | 1194 | break; |
1166 | if (match_pattern_list(sshkey_ssh_name(key), | 1195 | if (!key_base_type_match(auth_method, key, |
1167 | options.hostbased_key_types, 0) != 1) | 1196 | options.hostbased_key_types)) |
1168 | break; | 1197 | break; |
1169 | allowed = hostbased_key_allowed(authctxt->pw, | 1198 | allowed = hostbased_key_allowed(ssh, authctxt->pw, |
1170 | cuser, chost, key); | 1199 | cuser, chost, key); |
1171 | auth2_record_info(authctxt, | 1200 | auth2_record_info(authctxt, |
1172 | "client user \"%.100s\", client host \"%.100s\"", | 1201 | "client user \"%.100s\", client host \"%.100s\"", |
@@ -1198,7 +1227,7 @@ mm_answer_keyallowed(int sock, struct sshbuf *m) | |||
1198 | hostbased_chost = chost; | 1227 | hostbased_chost = chost; |
1199 | } else { | 1228 | } else { |
1200 | /* Log failed attempt */ | 1229 | /* Log failed attempt */ |
1201 | auth_log(authctxt, 0, 0, auth_method, NULL); | 1230 | auth_log(ssh, 0, 0, auth_method, NULL); |
1202 | free(cuser); | 1231 | free(cuser); |
1203 | free(chost); | 1232 | free(chost); |
1204 | } | 1233 | } |
@@ -1355,9 +1384,8 @@ monitor_valid_hostbasedblob(u_char *data, u_int datalen, char *cuser, | |||
1355 | } | 1384 | } |
1356 | 1385 | ||
1357 | int | 1386 | int |
1358 | mm_answer_keyverify(int sock, struct sshbuf *m) | 1387 | mm_answer_keyverify(struct ssh *ssh, int sock, struct sshbuf *m) |
1359 | { | 1388 | { |
1360 | struct ssh *ssh = active_state; /* XXX */ | ||
1361 | struct sshkey *key; | 1389 | struct sshkey *key; |
1362 | u_char *signature, *data, *blob; | 1390 | u_char *signature, *data, *blob; |
1363 | char *sigalg; | 1391 | char *sigalg; |
@@ -1402,7 +1430,7 @@ mm_answer_keyverify(int sock, struct sshbuf *m) | |||
1402 | fatal("%s: bad signature data blob", __func__); | 1430 | fatal("%s: bad signature data blob", __func__); |
1403 | 1431 | ||
1404 | ret = sshkey_verify(key, signature, signaturelen, data, datalen, | 1432 | ret = sshkey_verify(key, signature, signaturelen, data, datalen, |
1405 | sigalg, active_state->compat); | 1433 | sigalg, ssh->compat); |
1406 | debug3("%s: %s %p signature %s", __func__, auth_method, key, | 1434 | debug3("%s: %s %p signature %s", __func__, auth_method, key, |
1407 | (ret == 0) ? "verified" : "unverified"); | 1435 | (ret == 0) ? "verified" : "unverified"); |
1408 | auth2_record_key(authctxt, ret == 0, key); | 1436 | auth2_record_key(authctxt, ret == 0, key); |
@@ -1429,9 +1457,8 @@ mm_answer_keyverify(int sock, struct sshbuf *m) | |||
1429 | } | 1457 | } |
1430 | 1458 | ||
1431 | static void | 1459 | static void |
1432 | mm_record_login(Session *s, struct passwd *pw) | 1460 | mm_record_login(struct ssh *ssh, Session *s, struct passwd *pw) |
1433 | { | 1461 | { |
1434 | struct ssh *ssh = active_state; /* XXX */ | ||
1435 | socklen_t fromlen; | 1462 | socklen_t fromlen; |
1436 | struct sockaddr_storage from; | 1463 | struct sockaddr_storage from; |
1437 | 1464 | ||
@@ -1441,8 +1468,8 @@ mm_record_login(Session *s, struct passwd *pw) | |||
1441 | */ | 1468 | */ |
1442 | memset(&from, 0, sizeof(from)); | 1469 | memset(&from, 0, sizeof(from)); |
1443 | fromlen = sizeof(from); | 1470 | fromlen = sizeof(from); |
1444 | if (packet_connection_is_on_socket()) { | 1471 | if (ssh_packet_connection_is_on_socket(ssh)) { |
1445 | if (getpeername(packet_get_connection_in(), | 1472 | if (getpeername(ssh_packet_get_connection_in(ssh), |
1446 | (struct sockaddr *)&from, &fromlen) < 0) { | 1473 | (struct sockaddr *)&from, &fromlen) < 0) { |
1447 | debug("getpeername: %.100s", strerror(errno)); | 1474 | debug("getpeername: %.100s", strerror(errno)); |
1448 | cleanup_exit(255); | 1475 | cleanup_exit(255); |
@@ -1466,7 +1493,7 @@ mm_session_close(Session *s) | |||
1466 | } | 1493 | } |
1467 | 1494 | ||
1468 | int | 1495 | int |
1469 | mm_answer_pty(int sock, struct sshbuf *m) | 1496 | mm_answer_pty(struct ssh *ssh, int sock, struct sshbuf *m) |
1470 | { | 1497 | { |
1471 | extern struct monitor *pmonitor; | 1498 | extern struct monitor *pmonitor; |
1472 | Session *s; | 1499 | Session *s; |
@@ -1494,7 +1521,7 @@ mm_answer_pty(int sock, struct sshbuf *m) | |||
1494 | if (dup2(s->ttyfd, 0) == -1) | 1521 | if (dup2(s->ttyfd, 0) == -1) |
1495 | fatal("%s: dup2", __func__); | 1522 | fatal("%s: dup2", __func__); |
1496 | 1523 | ||
1497 | mm_record_login(s, authctxt->pw); | 1524 | mm_record_login(ssh, s, authctxt->pw); |
1498 | 1525 | ||
1499 | /* Now we can close the file descriptor again */ | 1526 | /* Now we can close the file descriptor again */ |
1500 | close(0); | 1527 | close(0); |
@@ -1536,7 +1563,7 @@ mm_answer_pty(int sock, struct sshbuf *m) | |||
1536 | } | 1563 | } |
1537 | 1564 | ||
1538 | int | 1565 | int |
1539 | mm_answer_pty_cleanup(int sock, struct sshbuf *m) | 1566 | mm_answer_pty_cleanup(struct ssh *ssh, int sock, struct sshbuf *m) |
1540 | { | 1567 | { |
1541 | Session *s; | 1568 | Session *s; |
1542 | char *tty; | 1569 | char *tty; |
@@ -1554,9 +1581,8 @@ mm_answer_pty_cleanup(int sock, struct sshbuf *m) | |||
1554 | } | 1581 | } |
1555 | 1582 | ||
1556 | int | 1583 | int |
1557 | mm_answer_term(int sock, struct sshbuf *req) | 1584 | mm_answer_term(struct ssh *ssh, int sock, struct sshbuf *req) |
1558 | { | 1585 | { |
1559 | struct ssh *ssh = active_state; /* XXX */ | ||
1560 | extern struct monitor *pmonitor; | 1586 | extern struct monitor *pmonitor; |
1561 | int res, status; | 1587 | int res, status; |
1562 | 1588 | ||
@@ -1583,7 +1609,7 @@ mm_answer_term(int sock, struct sshbuf *req) | |||
1583 | #ifdef SSH_AUDIT_EVENTS | 1609 | #ifdef SSH_AUDIT_EVENTS |
1584 | /* Report that an audit event occurred */ | 1610 | /* Report that an audit event occurred */ |
1585 | int | 1611 | int |
1586 | mm_answer_audit_event(int socket, struct sshbuf *m) | 1612 | mm_answer_audit_event(struct ssh *ssh, int socket, struct sshbuf *m) |
1587 | { | 1613 | { |
1588 | u_int n; | 1614 | u_int n; |
1589 | ssh_audit_event_t event; | 1615 | ssh_audit_event_t event; |
@@ -1602,7 +1628,7 @@ mm_answer_audit_event(int socket, struct sshbuf *m) | |||
1602 | case SSH_LOGIN_ROOT_DENIED: | 1628 | case SSH_LOGIN_ROOT_DENIED: |
1603 | case SSH_CONNECTION_CLOSE: | 1629 | case SSH_CONNECTION_CLOSE: |
1604 | case SSH_INVALID_USER: | 1630 | case SSH_INVALID_USER: |
1605 | audit_event(event); | 1631 | audit_event(ssh, event); |
1606 | break; | 1632 | break; |
1607 | default: | 1633 | default: |
1608 | fatal("Audit event type %d not permitted", event); | 1634 | fatal("Audit event type %d not permitted", event); |
@@ -1612,7 +1638,7 @@ mm_answer_audit_event(int socket, struct sshbuf *m) | |||
1612 | } | 1638 | } |
1613 | 1639 | ||
1614 | int | 1640 | int |
1615 | mm_answer_audit_command(int socket, struct sshbuf *m) | 1641 | mm_answer_audit_command(struct ssh *ssh, int socket, struct sshbuf *m) |
1616 | { | 1642 | { |
1617 | char *cmd; | 1643 | char *cmd; |
1618 | int r; | 1644 | int r; |
@@ -1628,10 +1654,8 @@ mm_answer_audit_command(int socket, struct sshbuf *m) | |||
1628 | #endif /* SSH_AUDIT_EVENTS */ | 1654 | #endif /* SSH_AUDIT_EVENTS */ |
1629 | 1655 | ||
1630 | void | 1656 | void |
1631 | monitor_clear_keystate(struct monitor *pmonitor) | 1657 | monitor_clear_keystate(struct ssh *ssh, struct monitor *pmonitor) |
1632 | { | 1658 | { |
1633 | struct ssh *ssh = active_state; /* XXX */ | ||
1634 | |||
1635 | ssh_clear_newkeys(ssh, MODE_IN); | 1659 | ssh_clear_newkeys(ssh, MODE_IN); |
1636 | ssh_clear_newkeys(ssh, MODE_OUT); | 1660 | ssh_clear_newkeys(ssh, MODE_OUT); |
1637 | sshbuf_free(child_state); | 1661 | sshbuf_free(child_state); |
@@ -1639,9 +1663,8 @@ monitor_clear_keystate(struct monitor *pmonitor) | |||
1639 | } | 1663 | } |
1640 | 1664 | ||
1641 | void | 1665 | void |
1642 | monitor_apply_keystate(struct monitor *pmonitor) | 1666 | monitor_apply_keystate(struct ssh *ssh, struct monitor *pmonitor) |
1643 | { | 1667 | { |
1644 | struct ssh *ssh = active_state; /* XXX */ | ||
1645 | struct kex *kex; | 1668 | struct kex *kex; |
1646 | int r; | 1669 | int r; |
1647 | 1670 | ||
@@ -1654,18 +1677,19 @@ monitor_apply_keystate(struct monitor *pmonitor) | |||
1654 | if ((kex = ssh->kex) != NULL) { | 1677 | if ((kex = ssh->kex) != NULL) { |
1655 | /* XXX set callbacks */ | 1678 | /* XXX set callbacks */ |
1656 | #ifdef WITH_OPENSSL | 1679 | #ifdef WITH_OPENSSL |
1657 | kex->kex[KEX_DH_GRP1_SHA1] = kexdh_server; | 1680 | kex->kex[KEX_DH_GRP1_SHA1] = kex_gen_server; |
1658 | kex->kex[KEX_DH_GRP14_SHA1] = kexdh_server; | 1681 | kex->kex[KEX_DH_GRP14_SHA1] = kex_gen_server; |
1659 | kex->kex[KEX_DH_GRP14_SHA256] = kexdh_server; | 1682 | kex->kex[KEX_DH_GRP14_SHA256] = kex_gen_server; |
1660 | kex->kex[KEX_DH_GRP16_SHA512] = kexdh_server; | 1683 | kex->kex[KEX_DH_GRP16_SHA512] = kex_gen_server; |
1661 | kex->kex[KEX_DH_GRP18_SHA512] = kexdh_server; | 1684 | kex->kex[KEX_DH_GRP18_SHA512] = kex_gen_server; |
1662 | kex->kex[KEX_DH_GEX_SHA1] = kexgex_server; | 1685 | kex->kex[KEX_DH_GEX_SHA1] = kexgex_server; |
1663 | kex->kex[KEX_DH_GEX_SHA256] = kexgex_server; | 1686 | kex->kex[KEX_DH_GEX_SHA256] = kexgex_server; |
1664 | # ifdef OPENSSL_HAS_ECC | 1687 | # ifdef OPENSSL_HAS_ECC |
1665 | kex->kex[KEX_ECDH_SHA2] = kexecdh_server; | 1688 | kex->kex[KEX_ECDH_SHA2] = kex_gen_server; |
1666 | # endif | 1689 | # endif |
1667 | #endif /* WITH_OPENSSL */ | 1690 | #endif /* WITH_OPENSSL */ |
1668 | kex->kex[KEX_C25519_SHA256] = kexc25519_server; | 1691 | kex->kex[KEX_C25519_SHA256] = kex_gen_server; |
1692 | kex->kex[KEX_KEM_SNTRUP4591761X25519_SHA512] = kex_gen_server; | ||
1669 | kex->load_host_public_key=&get_hostkey_public_by_type; | 1693 | kex->load_host_public_key=&get_hostkey_public_by_type; |
1670 | kex->load_host_private_key=&get_hostkey_private_by_type; | 1694 | kex->load_host_private_key=&get_hostkey_private_by_type; |
1671 | kex->host_key_index=&get_hostkey_index; | 1695 | kex->host_key_index=&get_hostkey_index; |
@@ -1676,7 +1700,7 @@ monitor_apply_keystate(struct monitor *pmonitor) | |||
1676 | /* This function requries careful sanity checking */ | 1700 | /* This function requries careful sanity checking */ |
1677 | 1701 | ||
1678 | void | 1702 | void |
1679 | mm_get_keystate(struct monitor *pmonitor) | 1703 | mm_get_keystate(struct ssh *ssh, struct monitor *pmonitor) |
1680 | { | 1704 | { |
1681 | debug3("%s: Waiting for new keys", __func__); | 1705 | debug3("%s: Waiting for new keys", __func__); |
1682 | 1706 | ||
@@ -1748,7 +1772,7 @@ monitor_reinit(struct monitor *mon) | |||
1748 | 1772 | ||
1749 | #ifdef GSSAPI | 1773 | #ifdef GSSAPI |
1750 | int | 1774 | int |
1751 | mm_answer_gss_setup_ctx(int sock, struct sshbuf *m) | 1775 | mm_answer_gss_setup_ctx(struct ssh *ssh, int sock, struct sshbuf *m) |
1752 | { | 1776 | { |
1753 | gss_OID_desc goid; | 1777 | gss_OID_desc goid; |
1754 | OM_uint32 major; | 1778 | OM_uint32 major; |
@@ -1781,7 +1805,7 @@ mm_answer_gss_setup_ctx(int sock, struct sshbuf *m) | |||
1781 | } | 1805 | } |
1782 | 1806 | ||
1783 | int | 1807 | int |
1784 | mm_answer_gss_accept_ctx(int sock, struct sshbuf *m) | 1808 | mm_answer_gss_accept_ctx(struct ssh *ssh, int sock, struct sshbuf *m) |
1785 | { | 1809 | { |
1786 | gss_buffer_desc in; | 1810 | gss_buffer_desc in; |
1787 | gss_buffer_desc out = GSS_C_EMPTY_BUFFER; | 1811 | gss_buffer_desc out = GSS_C_EMPTY_BUFFER; |
@@ -1815,7 +1839,7 @@ mm_answer_gss_accept_ctx(int sock, struct sshbuf *m) | |||
1815 | } | 1839 | } |
1816 | 1840 | ||
1817 | int | 1841 | int |
1818 | mm_answer_gss_checkmic(int sock, struct sshbuf *m) | 1842 | mm_answer_gss_checkmic(struct ssh *ssh, int sock, struct sshbuf *m) |
1819 | { | 1843 | { |
1820 | gss_buffer_desc gssbuf, mic; | 1844 | gss_buffer_desc gssbuf, mic; |
1821 | OM_uint32 ret; | 1845 | OM_uint32 ret; |
@@ -1846,7 +1870,7 @@ mm_answer_gss_checkmic(int sock, struct sshbuf *m) | |||
1846 | } | 1870 | } |
1847 | 1871 | ||
1848 | int | 1872 | int |
1849 | mm_answer_gss_userok(int sock, struct sshbuf *m) | 1873 | mm_answer_gss_userok(struct ssh *ssh, int sock, struct sshbuf *m) |
1850 | { | 1874 | { |
1851 | int r, authenticated; | 1875 | int r, authenticated; |
1852 | const char *displayname; | 1876 | const char *displayname; |
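Review bot: key_base_type_match (new lines 857-878, and the function is entirely inside this hunk) replaces the removed match_pattern_list() check with an exact lookup, `sshkey_type_from_name(s) == key->type`, so a list element that carries a `*`/`?` wildcard or a `!` negation resolves to KEY_UNSPEC and can never match. If the option parser for PubkeyAcceptedKeyTypes / HostbasedKeyTypes still accepts such patterns (not visible in this hunk), a setting like `ssh-ed25519*` would now pass the unprivileged child's pattern match but be refused by the monitor with the new "key type ... is not in permitted list" error, failing authentication rather than narrowing it. The loop condition `s && *s != '\0'` also stops at the first empty element, so a list `a,,b` never examines `b`; harmless only if the parser already rejects empty elements. A cheap mitigation that keeps the signature-algorithm-agnostic intent is to fall back to a pattern match on the base key name using match_pattern() from match.h, which the removed code already depended on, `if (sshkey_type_from_name(s) == key->type || match_pattern(sshkey_ssh_name(key), s))`, and in any case the header comment should state the contract: `/* Elements are compared as literal key type names; wildcard and negation patterns are not expanded here. */`.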