diff options
| author | Damien Miller <djm@mindrot.org> | 2014-05-15 14:24:09 +1000 |
|---|---|---|
| committer | Damien Miller <djm@mindrot.org> | 2014-05-15 14:24:09 +1000 |
| commit | 1f0311c7c7d10c94ff7f823de9c5b2ed79368b14 (patch) | |
| tree | ae708c2a25f84a04bcb04f2dbf3e8039e0f692bc /monitor.c | |
| parent | c5893785564498cea73cb60d2cf199490483e080 (diff) | |
- markus@cvs.openbsd.org 2014/04/29 18:01:49
[auth.c authfd.c authfile.c bufaux.c cipher.c cipher.h hostfile.c]
[kex.c key.c mac.c monitor.c monitor_wrap.c myproposal.h packet.c]
[roaming_client.c ssh-agent.c ssh-keygen.c ssh-keyscan.c ssh-keysign.c]
[ssh-pkcs11.h ssh.c sshconnect.c sshconnect2.c sshd.c]
make compiling against OpenSSL optional (make OPENSSL=no);
reduces algorithms to curve25519, aes-ctr, chacha, ed25519;
allows us to explore further options; with and ok djm
Diffstat (limited to 'monitor.c')
| -rw-r--r-- | monitor.c | 23 |
1 files changed, 22 insertions, 1 deletions
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: monitor.c,v 1.131 2014/02/02 03:44:31 djm Exp $ */ | 1 | /* $OpenBSD: monitor.c,v 1.132 2014/04/29 18:01:49 markus Exp $ */ |
| 2 | /* | 2 | /* |
| 3 | * Copyright 2002 Niels Provos <provos@citi.umich.edu> | 3 | * Copyright 2002 Niels Provos <provos@citi.umich.edu> |
| 4 | * Copyright 2002 Markus Friedl <markus@openbsd.org> | 4 | * Copyright 2002 Markus Friedl <markus@openbsd.org> |
| @@ -56,7 +56,9 @@ | |||
| 56 | #include <skey.h> | 56 | #include <skey.h> |
| 57 | #endif | 57 | #endif |
| 58 | 58 | ||
| 59 | #ifdef WITH_OPENSSL | ||
| 59 | #include <openssl/dh.h> | 60 | #include <openssl/dh.h> |
| 61 | #endif | ||
| 60 | 62 | ||
| 61 | #include "openbsd-compat/sys-queue.h" | 63 | #include "openbsd-compat/sys-queue.h" |
| 62 | #include "atomicio.h" | 64 | #include "atomicio.h" |
| @@ -185,7 +187,10 @@ int mm_answer_audit_command(int, Buffer *); | |||
| 185 | static int monitor_read_log(struct monitor *); | 187 | static int monitor_read_log(struct monitor *); |
| 186 | 188 | ||
| 187 | static Authctxt *authctxt; | 189 | static Authctxt *authctxt; |
| 190 | |||
| 191 | #ifdef WITH_SSH1 | ||
| 188 | static BIGNUM *ssh1_challenge = NULL; /* used for ssh1 rsa auth */ | 192 | static BIGNUM *ssh1_challenge = NULL; /* used for ssh1 rsa auth */ |
| 193 | #endif | ||
| 189 | 194 | ||
| 190 | /* local state for key verify */ | 195 | /* local state for key verify */ |
| 191 | static u_char *key_blob = NULL; | 196 | static u_char *key_blob = NULL; |
| @@ -215,7 +220,9 @@ struct mon_table { | |||
| 215 | #define MON_PERMIT 0x1000 /* Request is permitted */ | 220 | #define MON_PERMIT 0x1000 /* Request is permitted */ |
| 216 | 221 | ||
| 217 | struct mon_table mon_dispatch_proto20[] = { | 222 | struct mon_table mon_dispatch_proto20[] = { |
| 223 | #ifdef WITH_OPENSSL | ||
| 218 | {MONITOR_REQ_MODULI, MON_ONCE, mm_answer_moduli}, | 224 | {MONITOR_REQ_MODULI, MON_ONCE, mm_answer_moduli}, |
| 225 | #endif | ||
| 219 | {MONITOR_REQ_SIGN, MON_ONCE, mm_answer_sign}, | 226 | {MONITOR_REQ_SIGN, MON_ONCE, mm_answer_sign}, |
| 220 | {MONITOR_REQ_PWNAM, MON_ONCE, mm_answer_pwnamallow}, | 227 | {MONITOR_REQ_PWNAM, MON_ONCE, mm_answer_pwnamallow}, |
| 221 | {MONITOR_REQ_AUTHSERV, MON_ONCE, mm_answer_authserv}, | 228 | {MONITOR_REQ_AUTHSERV, MON_ONCE, mm_answer_authserv}, |
| @@ -252,7 +259,9 @@ struct mon_table mon_dispatch_proto20[] = { | |||
| 252 | }; | 259 | }; |
| 253 | 260 | ||
| 254 | struct mon_table mon_dispatch_postauth20[] = { | 261 | struct mon_table mon_dispatch_postauth20[] = { |
| 262 | #ifdef WITH_OPENSSL | ||
| 255 | {MONITOR_REQ_MODULI, 0, mm_answer_moduli}, | 263 | {MONITOR_REQ_MODULI, 0, mm_answer_moduli}, |
| 264 | #endif | ||
| 256 | {MONITOR_REQ_SIGN, 0, mm_answer_sign}, | 265 | {MONITOR_REQ_SIGN, 0, mm_answer_sign}, |
| 257 | {MONITOR_REQ_PTY, 0, mm_answer_pty}, | 266 | {MONITOR_REQ_PTY, 0, mm_answer_pty}, |
| 258 | {MONITOR_REQ_PTYCLEANUP, 0, mm_answer_pty_cleanup}, | 267 | {MONITOR_REQ_PTYCLEANUP, 0, mm_answer_pty_cleanup}, |
| @@ -265,6 +274,7 @@ struct mon_table mon_dispatch_postauth20[] = { | |||
| 265 | }; | 274 | }; |
| 266 | 275 | ||
| 267 | struct mon_table mon_dispatch_proto15[] = { | 276 | struct mon_table mon_dispatch_proto15[] = { |
| 277 | #ifdef WITH_SSH1 | ||
| 268 | {MONITOR_REQ_PWNAM, MON_ONCE, mm_answer_pwnamallow}, | 278 | {MONITOR_REQ_PWNAM, MON_ONCE, mm_answer_pwnamallow}, |
| 269 | {MONITOR_REQ_SESSKEY, MON_ONCE, mm_answer_sesskey}, | 279 | {MONITOR_REQ_SESSKEY, MON_ONCE, mm_answer_sesskey}, |
| 270 | {MONITOR_REQ_SESSID, MON_ONCE, mm_answer_sessid}, | 280 | {MONITOR_REQ_SESSID, MON_ONCE, mm_answer_sessid}, |
| @@ -292,10 +302,12 @@ struct mon_table mon_dispatch_proto15[] = { | |||
| 292 | #ifdef SSH_AUDIT_EVENTS | 302 | #ifdef SSH_AUDIT_EVENTS |
| 293 | {MONITOR_REQ_AUDIT_EVENT, MON_PERMIT, mm_answer_audit_event}, | 303 | {MONITOR_REQ_AUDIT_EVENT, MON_PERMIT, mm_answer_audit_event}, |
| 294 | #endif | 304 | #endif |
| 305 | #endif /* WITH_SSH1 */ | ||
| 295 | {0, 0, NULL} | 306 | {0, 0, NULL} |
| 296 | }; | 307 | }; |
| 297 | 308 | ||
| 298 | struct mon_table mon_dispatch_postauth15[] = { | 309 | struct mon_table mon_dispatch_postauth15[] = { |
| 310 | #ifdef WITH_SSH1 | ||
| 299 | {MONITOR_REQ_PTY, MON_ONCE, mm_answer_pty}, | 311 | {MONITOR_REQ_PTY, MON_ONCE, mm_answer_pty}, |
| 300 | {MONITOR_REQ_PTYCLEANUP, MON_ONCE, mm_answer_pty_cleanup}, | 312 | {MONITOR_REQ_PTYCLEANUP, MON_ONCE, mm_answer_pty_cleanup}, |
| 301 | {MONITOR_REQ_TERM, 0, mm_answer_term}, | 313 | {MONITOR_REQ_TERM, 0, mm_answer_term}, |
| @@ -303,6 +315,7 @@ struct mon_table mon_dispatch_postauth15[] = { | |||
| 303 | {MONITOR_REQ_AUDIT_EVENT, MON_PERMIT, mm_answer_audit_event}, | 315 | {MONITOR_REQ_AUDIT_EVENT, MON_PERMIT, mm_answer_audit_event}, |
| 304 | {MONITOR_REQ_AUDIT_COMMAND, MON_PERMIT|MON_ONCE, mm_answer_audit_command}, | 316 | {MONITOR_REQ_AUDIT_COMMAND, MON_PERMIT|MON_ONCE, mm_answer_audit_command}, |
| 305 | #endif | 317 | #endif |
| 318 | #endif /* WITH_SSH1 */ | ||
| 306 | {0, 0, NULL} | 319 | {0, 0, NULL} |
| 307 | }; | 320 | }; |
| 308 | 321 | ||
| @@ -630,6 +643,7 @@ monitor_reset_key_state(void) | |||
| 630 | hostbased_chost = NULL; | 643 | hostbased_chost = NULL; |
| 631 | } | 644 | } |
| 632 | 645 | ||
| 646 | #ifdef WITH_OPENSSL | ||
| 633 | int | 647 | int |
| 634 | mm_answer_moduli(int sock, Buffer *m) | 648 | mm_answer_moduli(int sock, Buffer *m) |
| 635 | { | 649 | { |
| @@ -664,6 +678,7 @@ mm_answer_moduli(int sock, Buffer *m) | |||
| 664 | mm_request_send(sock, MONITOR_ANS_MODULI, m); | 678 | mm_request_send(sock, MONITOR_ANS_MODULI, m); |
| 665 | return (0); | 679 | return (0); |
| 666 | } | 680 | } |
| 681 | #endif | ||
| 667 | 682 | ||
| 668 | extern AuthenticationConnection *auth_conn; | 683 | extern AuthenticationConnection *auth_conn; |
| 669 | 684 | ||
| @@ -1166,6 +1181,7 @@ mm_answer_keyallowed(int sock, Buffer *m) | |||
| 1166 | cuser, chost); | 1181 | cuser, chost); |
| 1167 | auth_method = "hostbased"; | 1182 | auth_method = "hostbased"; |
| 1168 | break; | 1183 | break; |
| 1184 | #ifdef WITH_SSH1 | ||
| 1169 | case MM_RSAHOSTKEY: | 1185 | case MM_RSAHOSTKEY: |
| 1170 | key->type = KEY_RSA1; /* XXX */ | 1186 | key->type = KEY_RSA1; /* XXX */ |
| 1171 | allowed = options.rhosts_rsa_authentication && | 1187 | allowed = options.rhosts_rsa_authentication && |
| @@ -1175,6 +1191,7 @@ mm_answer_keyallowed(int sock, Buffer *m) | |||
| 1175 | auth_clear_options(); | 1191 | auth_clear_options(); |
| 1176 | auth_method = "rsa"; | 1192 | auth_method = "rsa"; |
| 1177 | break; | 1193 | break; |
| 1194 | #endif | ||
| 1178 | default: | 1195 | default: |
| 1179 | fatal("%s: unknown key type %d", __func__, type); | 1196 | fatal("%s: unknown key type %d", __func__, type); |
| 1180 | break; | 1197 | break; |
| @@ -1511,6 +1528,7 @@ mm_answer_pty_cleanup(int sock, Buffer *m) | |||
| 1511 | return (0); | 1528 | return (0); |
| 1512 | } | 1529 | } |
| 1513 | 1530 | ||
| 1531 | #ifdef WITH_SSH1 | ||
| 1514 | int | 1532 | int |
| 1515 | mm_answer_sesskey(int sock, Buffer *m) | 1533 | mm_answer_sesskey(int sock, Buffer *m) |
| 1516 | { | 1534 | { |
| @@ -1688,6 +1706,7 @@ mm_answer_rsa_response(int sock, Buffer *m) | |||
| 1688 | 1706 | ||
| 1689 | return (success); | 1707 | return (success); |
| 1690 | } | 1708 | } |
| 1709 | #endif | ||
| 1691 | 1710 | ||
| 1692 | int | 1711 | int |
| 1693 | mm_answer_term(int sock, Buffer *req) | 1712 | mm_answer_term(int sock, Buffer *req) |
| @@ -1828,11 +1847,13 @@ mm_get_kex(Buffer *m) | |||
| 1828 | timingsafe_bcmp(kex->session_id, session_id2, session_id2_len) != 0) | 1847 | timingsafe_bcmp(kex->session_id, session_id2, session_id2_len) != 0) |
| 1829 | fatal("mm_get_get: internal error: bad session id"); | 1848 | fatal("mm_get_get: internal error: bad session id"); |
| 1830 | kex->we_need = buffer_get_int(m); | 1849 | kex->we_need = buffer_get_int(m); |
| 1850 | #ifdef WITH_OPENSSL | ||
| 1831 | kex->kex[KEX_DH_GRP1_SHA1] = kexdh_server; | 1851 | kex->kex[KEX_DH_GRP1_SHA1] = kexdh_server; |
| 1832 | kex->kex[KEX_DH_GRP14_SHA1] = kexdh_server; | 1852 | kex->kex[KEX_DH_GRP14_SHA1] = kexdh_server; |
| 1833 | kex->kex[KEX_DH_GEX_SHA1] = kexgex_server; | 1853 | kex->kex[KEX_DH_GEX_SHA1] = kexgex_server; |
| 1834 | kex->kex[KEX_DH_GEX_SHA256] = kexgex_server; | 1854 | kex->kex[KEX_DH_GEX_SHA256] = kexgex_server; |
| 1835 | kex->kex[KEX_ECDH_SHA2] = kexecdh_server; | 1855 | kex->kex[KEX_ECDH_SHA2] = kexecdh_server; |
| 1856 | #endif | ||
| 1836 | kex->kex[KEX_C25519_SHA256] = kexc25519_server; | 1857 | kex->kex[KEX_C25519_SHA256] = kexc25519_server; |
| 1837 | kex->server = 1; | 1858 | kex->server = 1; |
| 1838 | kex->hostkey_type = buffer_get_int(m); | 1859 | kex->hostkey_type = buffer_get_int(m); |