author | Damien Miller <djm@mindrot.org> | 2014-05-15 14:24:09 +1000 |
---|---|---|
committer | Damien Miller <djm@mindrot.org> | 2014-05-15 14:24:09 +1000 |
commit | 1f0311c7c7d10c94ff7f823de9c5b2ed79368b14 (patch) | |
tree | ae708c2a25f84a04bcb04f2dbf3e8039e0f692bc /monitor.c | |
parent | c5893785564498cea73cb60d2cf199490483e080 (diff) |
- markus@cvs.openbsd.org 2014/04/29 18:01:49
[auth.c authfd.c authfile.c bufaux.c cipher.c cipher.h hostfile.c]
[kex.c key.c mac.c monitor.c monitor_wrap.c myproposal.h packet.c]
[roaming_client.c ssh-agent.c ssh-keygen.c ssh-keyscan.c ssh-keysign.c]
[ssh-pkcs11.h ssh.c sshconnect.c sshconnect2.c sshd.c]
make compiling against OpenSSL optional (make OPENSSL=no);
reduces algorithms to curve25519, aes-ctr, chacha, ed25519;
allows us to explore further options; with and ok djm
Diffstat (limited to 'monitor.c')
-rw-r--r-- | monitor.c | 23 |
1 files changed, 22 insertions, 1 deletions
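--- a/monitor.c
+++ b/monitor.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: monitor.c,v 1.131 2014/02/02 03:44:31 djm Exp $ */
+/* $OpenBSD: monitor.c,v 1.132 2014/04/29 18:01:49 markus Exp $ */
 /*
 * Copyright 2002 Niels Provos <provos@citi.umich.edu>
 * Copyright 2002 Markus Friedl <markus@openbsd.org>
@@ -56,7 +56,9 @@
 #include <skey.h>
 #endif
 
+#ifdef WITH_OPENSSL
 #include <openssl/dh.h>
+#endif
 
 #include "openbsd-compat/sys-queue.h"
 #include "atomicio.h"
@@ -185,7 +187,10 @@ int mm_answer_audit_command(int, Buffer *);
 static int monitor_read_log(struct monitor *);
 
 static Authctxt *authctxt;
+
+#ifdef WITH_SSH1
 static BIGNUM *ssh1_challenge = NULL; /* used for ssh1 rsa auth */
+#endif
 
 /* local state for key verify */
 static u_char *key_blob = NULL;
@@ -215,7 +220,9 @@ struct mon_table {
 #define MON_PERMIT 0x1000 /* Request is permitted */
 
 struct mon_table mon_dispatch_proto20[] = {
+#ifdef WITH_OPENSSL
 {MONITOR_REQ_MODULI, MON_ONCE, mm_answer_moduli},
+#endif
 {MONITOR_REQ_SIGN, MON_ONCE, mm_answer_sign},
 {MONITOR_REQ_PWNAM, MON_ONCE, mm_answer_pwnamallow},
 {MONITOR_REQ_AUTHSERV, MON_ONCE, mm_answer_authserv},
@@ -252,7 +259,9 @@ struct mon_table mon_dispatch_proto20[] = {
 };
 
 struct mon_table mon_dispatch_postauth20[] = {
+#ifdef WITH_OPENSSL
 {MONITOR_REQ_MODULI, 0, mm_answer_moduli},
+#endif
 {MONITOR_REQ_SIGN, 0, mm_answer_sign},
 {MONITOR_REQ_PTY, 0, mm_answer_pty},
 {MONITOR_REQ_PTYCLEANUP, 0, mm_answer_pty_cleanup},
@@ -265,6 +274,7 @@ struct mon_table mon_dispatch_postauth20[] = {
 };
 
 struct mon_table mon_dispatch_proto15[] = {
+#ifdef WITH_SSH1
 {MONITOR_REQ_PWNAM, MON_ONCE, mm_answer_pwnamallow},
 {MONITOR_REQ_SESSKEY, MON_ONCE, mm_answer_sesskey},
 {MONITOR_REQ_SESSID, MON_ONCE, mm_answer_sessid},
@@ -292,10 +302,12 @@ struct mon_table mon_dispatch_proto15[] = {
 #ifdef SSH_AUDIT_EVENTS
 {MONITOR_REQ_AUDIT_EVENT, MON_PERMIT, mm_answer_audit_event},
 #endif
+#endif /* WITH_SSH1 */
 {0, 0, NULL}
 };
 
 struct mon_table mon_dispatch_postauth15[] = {
+#ifdef WITH_SSH1
 {MONITOR_REQ_PTY, MON_ONCE, mm_answer_pty},
 {MONITOR_REQ_PTYCLEANUP, MON_ONCE, mm_answer_pty_cleanup},
 {MONITOR_REQ_TERM, 0, mm_answer_term},
@@ -303,6 +315,7 @@ struct mon_table mon_dispatch_postauth15[] = {
 {MONITOR_REQ_AUDIT_EVENT, MON_PERMIT, mm_answer_audit_event},
 {MONITOR_REQ_AUDIT_COMMAND, MON_PERMIT|MON_ONCE, mm_answer_audit_command},
 #endif
+#endif /* WITH_SSH1 */
 {0, 0, NULL}
 };
 
@@ -630,6 +643,7 @@ monitor_reset_key_state(void)
 hostbased_chost = NULL;
 }
 
+#ifdef WITH_OPENSSL
 int
 mm_answer_moduli(int sock, Buffer *m)
 {
@@ -664,6 +678,7 @@ mm_answer_moduli(int sock, Buffer *m)
 mm_request_send(sock, MONITOR_ANS_MODULI, m);
 return (0);
 }
+#endif
 
 extern AuthenticationConnection *auth_conn;
 
@@ -1166,6 +1181,7 @@ mm_answer_keyallowed(int sock, Buffer *m)
 cuser, chost);
 auth_method = "hostbased";
 break;
+#ifdef WITH_SSH1
 case MM_RSAHOSTKEY:
 key->type = KEY_RSA1; /* XXX */
 allowed = options.rhosts_rsa_authentication &&
@@ -1175,6 +1191,7 @@ mm_answer_keyallowed(int sock, Buffer *m)
 auth_clear_options();
 auth_method = "rsa";
 break;
+#endif
 default:
 fatal("%s: unknown key type %d", __func__, type);
 break;
@@ -1511,6 +1528,7 @@ mm_answer_pty_cleanup(int sock, Buffer *m)
 return (0);
 }
 
+#ifdef WITH_SSH1
 int
 mm_answer_sesskey(int sock, Buffer *m)
 {
@@ -1688,6 +1706,7 @@ mm_answer_rsa_response(int sock, Buffer *m)
 
 return (success);
 }
+#endif
 
 int
 mm_answer_term(int sock, Buffer *req)
@@ -1828,11 +1847,13 @@ mm_get_kex(Buffer *m)
 timingsafe_bcmp(kex->session_id, session_id2, session_id2_len) != 0)
 fatal("mm_get_get: internal error: bad session id");
 kex->we_need = buffer_get_int(m);
+#ifdef WITH_OPENSSL
 kex->kex[KEX_DH_GRP1_SHA1] = kexdh_server;
 kex->kex[KEX_DH_GRP14_SHA1] = kexdh_server;
 kex->kex[KEX_DH_GEX_SHA1] = kexgex_server;
 kex->kex[KEX_DH_GEX_SHA256] = kexgex_server;
 kex->kex[KEX_ECDH_SHA2] = kexecdh_server;
+#endif
 kex->kex[KEX_C25519_SHA256] = kexc25519_server;
 kex->server = 1;
 kex->hostkey_type = buffer_get_int(m);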
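Review bot: The `#endif` that closes the `#ifdef WITH_SSH1` opened before `mm_answer_sesskey` (hunk at old line 1511) sits about 175 lines later after `mm_answer_rsa_response` with no trailing comment, while the table guards in the proto15 hunks already use `#endif /* WITH_SSH1 */`; the bare `#endif` lines closing the `WITH_OPENSSL` guards around `mm_answer_moduli` and inside `mm_get_kex`, and the `WITH_SSH1` guards around `ssh1_challenge` and the `MM_RSAHOSTKEY` case in `mm_answer_keyallowed`, have the same gap. Long conditional regions in a privilege-separation dispatcher are exactly where a misplaced `#endif` silently changes which handlers get compiled in, so each should name what it closes, e.g. `#endif /* WITH_SSH1 */` after `mm_answer_rsa_response` and `#endif /* WITH_OPENSSL */` after `mm_answer_moduli` and inside `mm_get_kex`. The dispatch-table and `switch` changes fail closed as far as these hunks show: with `WITH_SSH1` undefined the proto15 tables hold only the `{0, 0, NULL}` terminator and an `MM_RSAHOSTKEY` request reaches `fatal()` via `default`. In `mm_get_kex` the `KEX_DH_*`/`KEX_ECDH_SHA2` slots are simply left unassigned when `WITH_OPENSSL` is off; that presumably relies on `kex` being zero-allocated and on the caller rejecting a NULL handler, which is outside these hunks and worth confirming. The bodies of `mm_answer_keyallowed` and `mm_get_kex` begin and end outside the hunks shown.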