summaryrefslogtreecommitdiff
path: root/monitor.c
diff options
context:
space:
mode:
authorColin Watson <cjwatson@debian.org>2016-08-06 10:49:58 +0100
committerColin Watson <cjwatson@debian.org>2016-08-06 10:49:58 +0100
commita8ed8d256b2e2c05b0c15565a7938028c5192277 (patch)
tree87abbdc914a38b43e4e5bb9581ad1f46eabbf88e /monitor.c
parentf0329aac23c61e1a5197d6d57349a63f459bccb0 (diff)
parent99522ba7ec6963a05c04a156bf20e3ba3605987c (diff)
Import openssh_7.3p1.orig.tar.gz
Diffstat (limited to 'monitor.c')
-rw-r--r--monitor.c45
1 files changed, 30 insertions, 15 deletions
diff --git a/monitor.c b/monitor.c
index ac7dd3099..cb57bd066 100644
--- a/monitor.c
+++ b/monitor.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: monitor.c,v 1.157 2016/02/15 23:32:37 djm Exp $ */ 1/* $OpenBSD: monitor.c,v 1.161 2016/07/22 03:39:13 djm Exp $ */
2/* 2/*
3 * Copyright 2002 Niels Provos <provos@citi.umich.edu> 3 * Copyright 2002 Niels Provos <provos@citi.umich.edu>
4 * Copyright 2002 Markus Friedl <markus@openbsd.org> 4 * Copyright 2002 Markus Friedl <markus@openbsd.org>
@@ -34,6 +34,7 @@
34 34
35#include <errno.h> 35#include <errno.h>
36#include <fcntl.h> 36#include <fcntl.h>
37#include <limits.h>
37#ifdef HAVE_PATHS_H 38#ifdef HAVE_PATHS_H
38#include <paths.h> 39#include <paths.h>
39#endif 40#endif
@@ -74,6 +75,7 @@
74#include "cipher.h" 75#include "cipher.h"
75#include "kex.h" 76#include "kex.h"
76#include "dh.h" 77#include "dh.h"
78#include "auth-pam.h"
77#ifdef TARGET_OS_MAC /* XXX Broken krb5 headers on Mac */ 79#ifdef TARGET_OS_MAC /* XXX Broken krb5 headers on Mac */
78#undef TARGET_OS_MAC 80#undef TARGET_OS_MAC
79#include "zlib.h" 81#include "zlib.h"
@@ -688,7 +690,8 @@ mm_answer_sign(int sock, Buffer *m)
688 u_char *p = NULL, *signature = NULL; 690 u_char *p = NULL, *signature = NULL;
689 char *alg = NULL; 691 char *alg = NULL;
690 size_t datlen, siglen, alglen; 692 size_t datlen, siglen, alglen;
691 int r, keyid, is_proof = 0; 693 int r, is_proof = 0;
694 u_int keyid;
692 const char proof_req[] = "hostkeys-prove-00@openssh.com"; 695 const char proof_req[] = "hostkeys-prove-00@openssh.com";
693 696
694 debug3("%s", __func__); 697 debug3("%s", __func__);
@@ -697,6 +700,8 @@ mm_answer_sign(int sock, Buffer *m)
697 (r = sshbuf_get_string(m, &p, &datlen)) != 0 || 700 (r = sshbuf_get_string(m, &p, &datlen)) != 0 ||
698 (r = sshbuf_get_cstring(m, &alg, &alglen)) != 0) 701 (r = sshbuf_get_cstring(m, &alg, &alglen)) != 0)
699 fatal("%s: buffer error: %s", __func__, ssh_err(r)); 702 fatal("%s: buffer error: %s", __func__, ssh_err(r));
703 if (keyid > INT_MAX)
704 fatal("%s: invalid key ID", __func__);
700 705
701 /* 706 /*
702 * Supported KEX types use SHA1 (20 bytes), SHA256 (32 bytes), 707 * Supported KEX types use SHA1 (20 bytes), SHA256 (32 bytes),
@@ -916,6 +921,9 @@ mm_answer_authpassword(int sock, Buffer *m)
916 921
917 buffer_clear(m); 922 buffer_clear(m);
918 buffer_put_int(m, authenticated); 923 buffer_put_int(m, authenticated);
924#ifdef USE_PAM
925 buffer_put_int(m, sshpam_get_maxtries_reached());
926#endif
919 927
920 debug3("%s: sending result %d", __func__, authenticated); 928 debug3("%s: sending result %d", __func__, authenticated);
921 mm_request_send(sock, MONITOR_ANS_AUTHPASSWORD, m); 929 mm_request_send(sock, MONITOR_ANS_AUTHPASSWORD, m);
@@ -1115,6 +1123,7 @@ mm_answer_pam_query(int sock, Buffer *m)
1115 free(name); 1123 free(name);
1116 buffer_put_cstring(m, info); 1124 buffer_put_cstring(m, info);
1117 free(info); 1125 free(info);
1126 buffer_put_int(m, sshpam_get_maxtries_reached());
1118 buffer_put_int(m, num); 1127 buffer_put_int(m, num);
1119 for (i = 0; i < num; ++i) { 1128 for (i = 0; i < num; ++i) {
1120 buffer_put_cstring(m, prompts[i]); 1129 buffer_put_cstring(m, prompts[i]);
@@ -1249,6 +1258,10 @@ mm_answer_keyallowed(int sock, Buffer *m)
1249 break; 1258 break;
1250 } 1259 }
1251 } 1260 }
1261
1262 debug3("%s: key %p is %s",
1263 __func__, key, allowed ? "allowed" : "not allowed");
1264
1252 if (key != NULL) 1265 if (key != NULL)
1253 key_free(key); 1266 key_free(key);
1254 1267
@@ -1270,9 +1283,6 @@ mm_answer_keyallowed(int sock, Buffer *m)
1270 free(chost); 1283 free(chost);
1271 } 1284 }
1272 1285
1273 debug3("%s: key %p is %s",
1274 __func__, key, allowed ? "allowed" : "not allowed");
1275
1276 buffer_clear(m); 1286 buffer_clear(m);
1277 buffer_put_int(m, allowed); 1287 buffer_put_int(m, allowed);
1278 buffer_put_int(m, forced_command != NULL); 1288 buffer_put_int(m, forced_command != NULL);
@@ -1289,7 +1299,8 @@ static int
1289monitor_valid_userblob(u_char *data, u_int datalen) 1299monitor_valid_userblob(u_char *data, u_int datalen)
1290{ 1300{
1291 Buffer b; 1301 Buffer b;
1292 char *p, *userstyle; 1302 u_char *p;
1303 char *userstyle, *cp;
1293 u_int len; 1304 u_int len;
1294 int fail = 0; 1305 int fail = 0;
1295 1306
@@ -1314,26 +1325,26 @@ monitor_valid_userblob(u_char *data, u_int datalen)
1314 } 1325 }
1315 if (buffer_get_char(&b) != SSH2_MSG_USERAUTH_REQUEST) 1326 if (buffer_get_char(&b) != SSH2_MSG_USERAUTH_REQUEST)
1316 fail++; 1327 fail++;
1317 p = buffer_get_cstring(&b, NULL); 1328 cp = buffer_get_cstring(&b, NULL);
1318 xasprintf(&userstyle, "%s%s%s", authctxt->user, 1329 xasprintf(&userstyle, "%s%s%s", authctxt->user,
1319 authctxt->style ? ":" : "", 1330 authctxt->style ? ":" : "",
1320 authctxt->style ? authctxt->style : ""); 1331 authctxt->style ? authctxt->style : "");
1321 if (strcmp(userstyle, p) != 0) { 1332 if (strcmp(userstyle, cp) != 0) {
1322 logit("wrong user name passed to monitor: expected %s != %.100s", 1333 logit("wrong user name passed to monitor: "
1323 userstyle, p); 1334 "expected %s != %.100s", userstyle, cp);
1324 fail++; 1335 fail++;
1325 } 1336 }
1326 free(userstyle); 1337 free(userstyle);
1327 free(p); 1338 free(cp);
1328 buffer_skip_string(&b); 1339 buffer_skip_string(&b);
1329 if (datafellows & SSH_BUG_PKAUTH) { 1340 if (datafellows & SSH_BUG_PKAUTH) {
1330 if (!buffer_get_char(&b)) 1341 if (!buffer_get_char(&b))
1331 fail++; 1342 fail++;
1332 } else { 1343 } else {
1333 p = buffer_get_cstring(&b, NULL); 1344 cp = buffer_get_cstring(&b, NULL);
1334 if (strcmp("publickey", p) != 0) 1345 if (strcmp("publickey", cp) != 0)
1335 fail++; 1346 fail++;
1336 free(p); 1347 free(cp);
1337 if (!buffer_get_char(&b)) 1348 if (!buffer_get_char(&b))
1338 fail++; 1349 fail++;
1339 buffer_skip_string(&b); 1350 buffer_skip_string(&b);
@@ -1469,6 +1480,7 @@ mm_answer_keyverify(int sock, Buffer *m)
1469static void 1480static void
1470mm_record_login(Session *s, struct passwd *pw) 1481mm_record_login(Session *s, struct passwd *pw)
1471{ 1482{
1483 struct ssh *ssh = active_state; /* XXX */
1472 socklen_t fromlen; 1484 socklen_t fromlen;
1473 struct sockaddr_storage from; 1485 struct sockaddr_storage from;
1474 1486
@@ -1490,7 +1502,7 @@ mm_record_login(Session *s, struct passwd *pw)
1490 } 1502 }
1491 /* Record that there was a login on that tty from the remote host. */ 1503 /* Record that there was a login on that tty from the remote host. */
1492 record_login(s->pid, s->tty, pw->pw_name, pw->pw_uid, 1504 record_login(s->pid, s->tty, pw->pw_name, pw->pw_uid,
1493 get_remote_name_or_ip(utmp_len, options.use_dns), 1505 session_get_remote_name_or_ip(ssh, utmp_len, options.use_dns),
1494 (struct sockaddr *)&from, fromlen); 1506 (struct sockaddr *)&from, fromlen);
1495} 1507}
1496 1508
@@ -1854,6 +1866,9 @@ monitor_apply_keystate(struct monitor *pmonitor)
1854#ifdef WITH_OPENSSL 1866#ifdef WITH_OPENSSL
1855 kex->kex[KEX_DH_GRP1_SHA1] = kexdh_server; 1867 kex->kex[KEX_DH_GRP1_SHA1] = kexdh_server;
1856 kex->kex[KEX_DH_GRP14_SHA1] = kexdh_server; 1868 kex->kex[KEX_DH_GRP14_SHA1] = kexdh_server;
1869 kex->kex[KEX_DH_GRP14_SHA256] = kexdh_server;
1870 kex->kex[KEX_DH_GRP16_SHA512] = kexdh_server;
1871 kex->kex[KEX_DH_GRP18_SHA512] = kexdh_server;
1857 kex->kex[KEX_DH_GEX_SHA1] = kexgex_server; 1872 kex->kex[KEX_DH_GEX_SHA1] = kexgex_server;
1858 kex->kex[KEX_DH_GEX_SHA256] = kexgex_server; 1873 kex->kex[KEX_DH_GEX_SHA256] = kexgex_server;
1859# ifdef OPENSSL_HAS_ECC 1874# ifdef OPENSSL_HAS_ECC
generated by cgit v1.2.3 (git 2.39.1) at 2024-11-05 19:03:27 +0000