-rw-r--r-- | monitor.c | 169 | ||||
-rw-r--r-- | monitor.h | 12 | ||||
-rw-r--r-- | monitor_wrap.c | 3 | ||||
-rw-r--r-- | monitor_wrap.h | 4 | ||||
-rw-r--r-- | sshd.c | 11 |
5 files changed, 94 insertions, 105 deletions
@@ -1,4 +1,4 @@ | |||
1 | /* $OpenBSD: monitor.c,v 1.190 2019/01/19 21:41:18 djm Exp $ */ | 1 | /* $OpenBSD: monitor.c,v 1.191 2019/01/19 21:43:07 djm Exp $ */ |
2 | /* | 2 | /* |
3 | * Copyright 2002 Niels Provos <provos@citi.umich.edu> | 3 | * Copyright 2002 Niels Provos <provos@citi.umich.edu> |
4 | * Copyright 2002 Markus Friedl <markus@openbsd.org> | 4 | * Copyright 2002 Markus Friedl <markus@openbsd.org> |
@@ -96,9 +96,6 @@ | |||
96 | #include "match.h" | 96 | #include "match.h" |
97 | #include "ssherr.h" | 97 | #include "ssherr.h" |
98 | 98 | ||
99 | #include "opacket.h" /* XXX */ | ||
100 | extern struct ssh *active_state; /* XXX */ | ||
101 | |||
102 | #ifdef GSSAPI | 99 | #ifdef GSSAPI |
103 | static Gssctxt *gsscontext = NULL; | 100 | static Gssctxt *gsscontext = NULL; |
104 | #endif | 101 | #endif |
@@ -115,48 +112,48 @@ static struct sshbuf *child_state; | |||
115 | 112 | ||
116 | /* Functions on the monitor that answer unprivileged requests */ | 113 | /* Functions on the monitor that answer unprivileged requests */ |
117 | 114 | ||
118 | int mm_answer_moduli(int, struct sshbuf *); | 115 | int mm_answer_moduli(struct ssh *, int, struct sshbuf *); |
119 | int mm_answer_sign(int, struct sshbuf *); | 116 | int mm_answer_sign(struct ssh *, int, struct sshbuf *); |
120 | int mm_answer_pwnamallow(int, struct sshbuf *); | 117 | int mm_answer_pwnamallow(struct ssh *, int, struct sshbuf *); |
121 | int mm_answer_auth2_read_banner(int, struct sshbuf *); | 118 | int mm_answer_auth2_read_banner(struct ssh *, int, struct sshbuf *); |
122 | int mm_answer_authserv(int, struct sshbuf *); | 119 | int mm_answer_authserv(struct ssh *, int, struct sshbuf *); |
123 | int mm_answer_authpassword(int, struct sshbuf *); | 120 | int mm_answer_authpassword(struct ssh *, int, struct sshbuf *); |
124 | int mm_answer_bsdauthquery(int, struct sshbuf *); | 121 | int mm_answer_bsdauthquery(struct ssh *, int, struct sshbuf *); |
125 | int mm_answer_bsdauthrespond(int, struct sshbuf *); | 122 | int mm_answer_bsdauthrespond(struct ssh *, int, struct sshbuf *); |
126 | int mm_answer_keyallowed(int, struct sshbuf *); | 123 | int mm_answer_skeyquery(struct ssh *, int, struct sshbuf *); |
127 | int mm_answer_keyverify(int, struct sshbuf *); | 124 | int mm_answer_skeyrespond(struct ssh *, int, struct sshbuf *); |
128 | int mm_answer_pty(int, struct sshbuf *); | 125 | int mm_answer_keyallowed(struct ssh *, int, struct sshbuf *); |
129 | int mm_answer_pty_cleanup(int, struct sshbuf *); | 126 | int mm_answer_keyverify(struct ssh *, int, struct sshbuf *); |
130 | int mm_answer_term(int, struct sshbuf *); | 127 | int mm_answer_pty(struct ssh *, int, struct sshbuf *); |
131 | int mm_answer_rsa_keyallowed(int, struct sshbuf *); | 128 | int mm_answer_pty_cleanup(struct ssh *, int, struct sshbuf *); |
132 | int mm_answer_rsa_challenge(int, struct sshbuf *); | 129 | int mm_answer_term(struct ssh *, int, struct sshbuf *); |
133 | int mm_answer_rsa_response(int, struct sshbuf *); | 130 | int mm_answer_rsa_keyallowed(struct ssh *, int, struct sshbuf *); |
134 | int mm_answer_sesskey(int, struct sshbuf *); | 131 | int mm_answer_rsa_challenge(struct ssh *, int, struct sshbuf *); |
135 | int mm_answer_sessid(int, struct sshbuf *); | 132 | int mm_answer_rsa_response(struct ssh *, int, struct sshbuf *); |
133 | int mm_answer_sesskey(struct ssh *, int, struct sshbuf *); | ||
134 | int mm_answer_sessid(struct ssh *, int, struct sshbuf *); | ||
136 | 135 | ||
137 | #ifdef USE_PAM | 136 | #ifdef USE_PAM |
138 | int mm_answer_pam_start(int, struct sshbuf *); | 137 | int mm_answer_pam_start(struct ssh *, int, struct sshbuf *); |
139 | int mm_answer_pam_account(int, struct sshbuf *); | 138 | int mm_answer_pam_account(struct ssh *, int, struct sshbuf *); |
140 | int mm_answer_pam_init_ctx(int, struct sshbuf *); | 139 | int mm_answer_pam_init_ctx(struct ssh *, int, struct sshbuf *); |
141 | int mm_answer_pam_query(int, struct sshbuf *); | 140 | int mm_answer_pam_query(struct ssh *, int, struct sshbuf *); |
142 | int mm_answer_pam_respond(int, struct sshbuf *); | 141 | int mm_answer_pam_respond(struct ssh *, int, struct sshbuf *); |
143 | int mm_answer_pam_free_ctx(int, struct sshbuf *); | 142 | int mm_answer_pam_free_ctx(struct ssh *, int, struct sshbuf *); |
144 | #endif | 143 | #endif |
145 | 144 | ||
146 | #ifdef GSSAPI | 145 | #ifdef GSSAPI |
147 | int mm_answer_gss_setup_ctx(int, struct sshbuf *); | 146 | int mm_answer_gss_setup_ctx(struct ssh *, int, struct sshbuf *); |
148 | int mm_answer_gss_accept_ctx(int, struct sshbuf *); | 147 | int mm_answer_gss_accept_ctx(struct ssh *, int, struct sshbuf *); |
149 | int mm_answer_gss_userok(int, struct sshbuf *); | 148 | int mm_answer_gss_userok(struct ssh *, int, struct sshbuf *); |
150 | int mm_answer_gss_checkmic(int, struct sshbuf *); | 149 | int mm_answer_gss_checkmic(struct ssh *, int, struct sshbuf *); |
151 | #endif | 150 | #endif |
152 | 151 | ||
153 | #ifdef SSH_AUDIT_EVENTS | 152 | #ifdef SSH_AUDIT_EVENTS |
154 | int mm_answer_audit_event(int, struct sshbuf *); | 153 | int mm_answer_audit_event(struct ssh *, int, struct sshbuf *); |
155 | int mm_answer_audit_command(int, struct sshbuf *); | 154 | int mm_answer_audit_command(struct ssh *, int, struct sshbuf *); |
156 | #endif | 155 | #endif |
157 | 156 | ||
158 | static int monitor_read_log(struct monitor *); | ||
159 | |||
160 | static Authctxt *authctxt; | 157 | static Authctxt *authctxt; |
161 | 158 | ||
162 | /* local state for key verify */ | 159 | /* local state for key verify */ |
@@ -175,7 +172,7 @@ static pid_t monitor_child_pid; | |||
175 | struct mon_table { | 172 | struct mon_table { |
176 | enum monitor_reqtype type; | 173 | enum monitor_reqtype type; |
177 | int flags; | 174 | int flags; |
178 | int (*f)(int, struct sshbuf *); | 175 | int (*f)(struct ssh *, int, struct sshbuf *); |
179 | }; | 176 | }; |
180 | 177 | ||
181 | #define MON_ISAUTH 0x0004 /* Required for Authentication */ | 178 | #define MON_ISAUTH 0x0004 /* Required for Authentication */ |
@@ -187,6 +184,10 @@ struct mon_table { | |||
187 | 184 | ||
188 | #define MON_PERMIT 0x1000 /* Request is permitted */ | 185 | #define MON_PERMIT 0x1000 /* Request is permitted */ |
189 | 186 | ||
187 | static int monitor_read(struct ssh *, struct monitor *, struct mon_table *, | ||
188 | struct mon_table **); | ||
189 | static int monitor_read_log(struct monitor *); | ||
190 | |||
190 | struct mon_table mon_dispatch_proto20[] = { | 191 | struct mon_table mon_dispatch_proto20[] = { |
191 | #ifdef WITH_OPENSSL | 192 | #ifdef WITH_OPENSSL |
192 | {MONITOR_REQ_MODULI, MON_ONCE, mm_answer_moduli}, | 193 | {MONITOR_REQ_MODULI, MON_ONCE, mm_answer_moduli}, |
@@ -268,9 +269,8 @@ monitor_permit_authentications(int permit) | |||
268 | } | 269 | } |
269 | 270 | ||
270 | void | 271 | void |
271 | monitor_child_preauth(Authctxt *_authctxt, struct monitor *pmonitor) | 272 | monitor_child_preauth(struct ssh *ssh, struct monitor *pmonitor) |
272 | { | 273 | { |
273 | struct ssh *ssh = active_state; /* XXX */ | ||
274 | struct mon_table *ent; | 274 | struct mon_table *ent; |
275 | int authenticated = 0, partial = 0; | 275 | int authenticated = 0, partial = 0; |
276 | 276 | ||
@@ -282,7 +282,7 @@ monitor_child_preauth(Authctxt *_authctxt, struct monitor *pmonitor) | |||
282 | close(pmonitor->m_log_sendfd); | 282 | close(pmonitor->m_log_sendfd); |
283 | pmonitor->m_log_sendfd = pmonitor->m_recvfd = -1; | 283 | pmonitor->m_log_sendfd = pmonitor->m_recvfd = -1; |
284 | 284 | ||
285 | authctxt = _authctxt; | 285 | authctxt = (Authctxt *)ssh->authctxt; |
286 | memset(authctxt, 0, sizeof(*authctxt)); | 286 | memset(authctxt, 0, sizeof(*authctxt)); |
287 | ssh->authctxt = authctxt; | 287 | ssh->authctxt = authctxt; |
288 | 288 | ||
@@ -300,7 +300,8 @@ monitor_child_preauth(Authctxt *_authctxt, struct monitor *pmonitor) | |||
300 | auth_submethod = NULL; | 300 | auth_submethod = NULL; |
301 | auth2_authctxt_reset_info(authctxt); | 301 | auth2_authctxt_reset_info(authctxt); |
302 | 302 | ||
303 | authenticated = (monitor_read(pmonitor, mon_dispatch, &ent) == 1); | 303 | authenticated = (monitor_read(ssh, pmonitor, |
304 | mon_dispatch, &ent) == 1); | ||
304 | 305 | ||
305 | /* Special handling for multiple required authentications */ | 306 | /* Special handling for multiple required authentications */ |
306 | if (options.num_auth_methods != 0) { | 307 | if (options.num_auth_methods != 0) { |
@@ -332,7 +333,7 @@ monitor_child_preauth(Authctxt *_authctxt, struct monitor *pmonitor) | |||
332 | mm_request_receive_expect(pmonitor->m_sendfd, | 333 | mm_request_receive_expect(pmonitor->m_sendfd, |
333 | MONITOR_REQ_PAM_ACCOUNT, m); | 334 | MONITOR_REQ_PAM_ACCOUNT, m); |
334 | authenticated = mm_answer_pam_account( | 335 | authenticated = mm_answer_pam_account( |
335 | pmonitor->m_sendfd, m); | 336 | ssh, pmonitor->m_sendfd, m); |
336 | sshbuf_free(m); | 337 | sshbuf_free(m); |
337 | } | 338 | } |
338 | #endif | 339 | #endif |
@@ -385,7 +386,7 @@ monitor_child_handler(int sig) | |||
385 | } | 386 | } |
386 | 387 | ||
387 | void | 388 | void |
388 | monitor_child_postauth(struct monitor *pmonitor) | 389 | monitor_child_postauth(struct ssh *ssh, struct monitor *pmonitor) |
389 | { | 390 | { |
390 | close(pmonitor->m_recvfd); | 391 | close(pmonitor->m_recvfd); |
391 | pmonitor->m_recvfd = -1; | 392 | pmonitor->m_recvfd = -1; |
@@ -411,7 +412,7 @@ monitor_child_postauth(struct monitor *pmonitor) | |||
411 | } | 412 | } |
412 | 413 | ||
413 | for (;;) | 414 | for (;;) |
414 | monitor_read(pmonitor, mon_dispatch, NULL); | 415 | monitor_read(ssh, pmonitor, mon_dispatch, NULL); |
415 | } | 416 | } |
416 | 417 | ||
417 | static int | 418 | static int |
@@ -466,8 +467,8 @@ monitor_read_log(struct monitor *pmonitor) | |||
466 | return 0; | 467 | return 0; |
467 | } | 468 | } |
468 | 469 | ||
469 | int | 470 | static int |
470 | monitor_read(struct monitor *pmonitor, struct mon_table *ent, | 471 | monitor_read(struct ssh *ssh, struct monitor *pmonitor, struct mon_table *ent, |
471 | struct mon_table **pent) | 472 | struct mon_table **pent) |
472 | { | 473 | { |
473 | struct sshbuf *m; | 474 | struct sshbuf *m; |
@@ -517,7 +518,7 @@ monitor_read(struct monitor *pmonitor, struct mon_table *ent, | |||
517 | if (!(ent->flags & MON_PERMIT)) | 518 | if (!(ent->flags & MON_PERMIT)) |
518 | fatal("%s: unpermitted request %d", __func__, | 519 | fatal("%s: unpermitted request %d", __func__, |
519 | type); | 520 | type); |
520 | ret = (*ent->f)(pmonitor->m_sendfd, m); | 521 | ret = (*ent->f)(ssh, pmonitor->m_sendfd, m); |
521 | sshbuf_free(m); | 522 | sshbuf_free(m); |
522 | 523 | ||
523 | /* The child may use this request only once, disable it */ | 524 | /* The child may use this request only once, disable it */ |
@@ -568,7 +569,7 @@ monitor_reset_key_state(void) | |||
568 | 569 | ||
569 | #ifdef WITH_OPENSSL | 570 | #ifdef WITH_OPENSSL |
570 | int | 571 | int |
571 | mm_answer_moduli(int sock, struct sshbuf *m) | 572 | mm_answer_moduli(struct ssh *ssh, int sock, struct sshbuf *m) |
572 | { | 573 | { |
573 | DH *dh; | 574 | DH *dh; |
574 | const BIGNUM *dh_p, *dh_g; | 575 | const BIGNUM *dh_p, *dh_g; |
@@ -610,9 +611,8 @@ mm_answer_moduli(int sock, struct sshbuf *m) | |||
610 | #endif | 611 | #endif |
611 | 612 | ||
612 | int | 613 | int |
613 | mm_answer_sign(int sock, struct sshbuf *m) | 614 | mm_answer_sign(struct ssh *ssh, int sock, struct sshbuf *m) |
614 | { | 615 | { |
615 | struct ssh *ssh = active_state; /* XXX */ | ||
616 | extern int auth_sock; /* XXX move to state struct? */ | 616 | extern int auth_sock; /* XXX move to state struct? */ |
617 | struct sshkey *key; | 617 | struct sshkey *key; |
618 | struct sshbuf *sigbuf = NULL; | 618 | struct sshbuf *sigbuf = NULL; |
@@ -713,9 +713,8 @@ mm_answer_sign(int sock, struct sshbuf *m) | |||
713 | /* Retrieves the password entry and also checks if the user is permitted */ | 713 | /* Retrieves the password entry and also checks if the user is permitted */ |
714 | 714 | ||
715 | int | 715 | int |
716 | mm_answer_pwnamallow(int sock, struct sshbuf *m) | 716 | mm_answer_pwnamallow(struct ssh *ssh, int sock, struct sshbuf *m) |
717 | { | 717 | { |
718 | struct ssh *ssh = active_state; /* XXX */ | ||
719 | char *username; | 718 | char *username; |
720 | struct passwd *pwent; | 719 | struct passwd *pwent; |
721 | int r, allowed = 0; | 720 | int r, allowed = 0; |
@@ -813,7 +812,7 @@ mm_answer_pwnamallow(int sock, struct sshbuf *m) | |||
813 | return (0); | 812 | return (0); |
814 | } | 813 | } |
815 | 814 | ||
816 | int mm_answer_auth2_read_banner(int sock, struct sshbuf *m) | 815 | int mm_answer_auth2_read_banner(struct ssh *ssh, int sock, struct sshbuf *m) |
817 | { | 816 | { |
818 | char *banner; | 817 | char *banner; |
819 | int r; | 818 | int r; |
@@ -829,7 +828,7 @@ int mm_answer_auth2_read_banner(int sock, struct sshbuf *m) | |||
829 | } | 828 | } |
830 | 829 | ||
831 | int | 830 | int |
832 | mm_answer_authserv(int sock, struct sshbuf *m) | 831 | mm_answer_authserv(struct ssh *ssh, int sock, struct sshbuf *m) |
833 | { | 832 | { |
834 | int r; | 833 | int r; |
835 | 834 | ||
@@ -879,9 +878,8 @@ key_base_type_match(const char *method, const struct sshkey *key, | |||
879 | } | 878 | } |
880 | 879 | ||
881 | int | 880 | int |
882 | mm_answer_authpassword(int sock, struct sshbuf *m) | 881 | mm_answer_authpassword(struct ssh *ssh, int sock, struct sshbuf *m) |
883 | { | 882 | { |
884 | struct ssh *ssh = active_state; /* XXX */ | ||
885 | static int call_count; | 883 | static int call_count; |
886 | char *passwd; | 884 | char *passwd; |
887 | int r, authenticated; | 885 | int r, authenticated; |
@@ -920,7 +918,7 @@ mm_answer_authpassword(int sock, struct sshbuf *m) | |||
920 | 918 | ||
921 | #ifdef BSD_AUTH | 919 | #ifdef BSD_AUTH |
922 | int | 920 | int |
923 | mm_answer_bsdauthquery(int sock, struct sshbuf *m) | 921 | mm_answer_bsdauthquery(struct ssh *ssh, int sock, struct sshbuf *m) |
924 | { | 922 | { |
925 | char *name, *infotxt; | 923 | char *name, *infotxt; |
926 | u_int numprompts, *echo_on, success; | 924 | u_int numprompts, *echo_on, success; |
@@ -954,7 +952,7 @@ mm_answer_bsdauthquery(int sock, struct sshbuf *m) | |||
954 | } | 952 | } |
955 | 953 | ||
956 | int | 954 | int |
957 | mm_answer_bsdauthrespond(int sock, struct sshbuf *m) | 955 | mm_answer_bsdauthrespond(struct ssh *ssh, int sock, struct sshbuf *m) |
958 | { | 956 | { |
959 | char *response; | 957 | char *response; |
960 | int r, authok; | 958 | int r, authok; |
@@ -988,7 +986,7 @@ mm_answer_bsdauthrespond(int sock, struct sshbuf *m) | |||
988 | 986 | ||
989 | #ifdef USE_PAM | 987 | #ifdef USE_PAM |
990 | int | 988 | int |
991 | mm_answer_pam_start(int sock, struct sshbuf *m) | 989 | mm_answer_pam_start(struct ssh *ssh, int sock, struct sshbuf *m) |
992 | { | 990 | { |
993 | if (!options.use_pam) | 991 | if (!options.use_pam) |
994 | fatal("UsePAM not set, but ended up in %s anyway", __func__); | 992 | fatal("UsePAM not set, but ended up in %s anyway", __func__); |
@@ -1003,7 +1001,7 @@ mm_answer_pam_start(int sock, struct sshbuf *m) | |||
1003 | } | 1001 | } |
1004 | 1002 | ||
1005 | int | 1003 | int |
1006 | mm_answer_pam_account(int sock, struct sshbuf *m) | 1004 | mm_answer_pam_account(struct ssh *ssh, int sock, struct sshbuf *m) |
1007 | { | 1005 | { |
1008 | u_int ret; | 1006 | u_int ret; |
1009 | int r; | 1007 | int r; |
@@ -1026,7 +1024,7 @@ static void *sshpam_ctxt, *sshpam_authok; | |||
1026 | extern KbdintDevice sshpam_device; | 1024 | extern KbdintDevice sshpam_device; |
1027 | 1025 | ||
1028 | int | 1026 | int |
1029 | mm_answer_pam_init_ctx(int sock, struct sshbuf *m) | 1027 | mm_answer_pam_init_ctx(struct ssh *ssh, int sock, struct sshbuf *m) |
1030 | { | 1028 | { |
1031 | u_int ok = 0; | 1029 | u_int ok = 0; |
1032 | int r; | 1030 | int r; |
@@ -1051,7 +1049,7 @@ mm_answer_pam_init_ctx(int sock, struct sshbuf *m) | |||
1051 | } | 1049 | } |
1052 | 1050 | ||
1053 | int | 1051 | int |
1054 | mm_answer_pam_query(int sock, struct sshbuf *m) | 1052 | mm_answer_pam_query(struct ssh *ssh, int sock, struct sshbuf *m) |
1055 | { | 1053 | { |
1056 | char *name = NULL, *info = NULL, **prompts = NULL; | 1054 | char *name = NULL, *info = NULL, **prompts = NULL; |
1057 | u_int i, num = 0, *echo_on = 0; | 1055 | u_int i, num = 0, *echo_on = 0; |
@@ -1092,7 +1090,7 @@ mm_answer_pam_query(int sock, struct sshbuf *m) | |||
1092 | } | 1090 | } |
1093 | 1091 | ||
1094 | int | 1092 | int |
1095 | mm_answer_pam_respond(int sock, struct sshbuf *m) | 1093 | mm_answer_pam_respond(struct ssh *ssh, int sock, struct sshbuf *m) |
1096 | { | 1094 | { |
1097 | char **resp; | 1095 | char **resp; |
1098 | u_int i, num; | 1096 | u_int i, num; |
@@ -1130,7 +1128,7 @@ mm_answer_pam_respond(int sock, struct sshbuf *m) | |||
1130 | } | 1128 | } |
1131 | 1129 | ||
1132 | int | 1130 | int |
1133 | mm_answer_pam_free_ctx(int sock, struct sshbuf *m) | 1131 | mm_answer_pam_free_ctx(struct ssh *ssh, int sock, struct sshbuf *m) |
1134 | { | 1132 | { |
1135 | int r = sshpam_authok != NULL && sshpam_authok == sshpam_ctxt; | 1133 | int r = sshpam_authok != NULL && sshpam_authok == sshpam_ctxt; |
1136 | 1134 | ||
@@ -1150,9 +1148,8 @@ mm_answer_pam_free_ctx(int sock, struct sshbuf *m) | |||
1150 | #endif | 1148 | #endif |
1151 | 1149 | ||
1152 | int | 1150 | int |
1153 | mm_answer_keyallowed(int sock, struct sshbuf *m) | 1151 | mm_answer_keyallowed(struct ssh *ssh, int sock, struct sshbuf *m) |
1154 | { | 1152 | { |
1155 | struct ssh *ssh = active_state; /* XXX */ | ||
1156 | struct sshkey *key = NULL; | 1153 | struct sshkey *key = NULL; |
1157 | char *cuser, *chost; | 1154 | char *cuser, *chost; |
1158 | u_int pubkey_auth_attempt; | 1155 | u_int pubkey_auth_attempt; |
@@ -1387,9 +1384,8 @@ monitor_valid_hostbasedblob(u_char *data, u_int datalen, char *cuser, | |||
1387 | } | 1384 | } |
1388 | 1385 | ||
1389 | int | 1386 | int |
1390 | mm_answer_keyverify(int sock, struct sshbuf *m) | 1387 | mm_answer_keyverify(struct ssh *ssh, int sock, struct sshbuf *m) |
1391 | { | 1388 | { |
1392 | struct ssh *ssh = active_state; /* XXX */ | ||
1393 | struct sshkey *key; | 1389 | struct sshkey *key; |
1394 | u_char *signature, *data, *blob; | 1390 | u_char *signature, *data, *blob; |
1395 | char *sigalg; | 1391 | char *sigalg; |
@@ -1434,7 +1430,7 @@ mm_answer_keyverify(int sock, struct sshbuf *m) | |||
1434 | fatal("%s: bad signature data blob", __func__); | 1430 | fatal("%s: bad signature data blob", __func__); |
1435 | 1431 | ||
1436 | ret = sshkey_verify(key, signature, signaturelen, data, datalen, | 1432 | ret = sshkey_verify(key, signature, signaturelen, data, datalen, |
1437 | sigalg, active_state->compat); | 1433 | sigalg, ssh->compat); |
1438 | debug3("%s: %s %p signature %s", __func__, auth_method, key, | 1434 | debug3("%s: %s %p signature %s", __func__, auth_method, key, |
1439 | (ret == 0) ? "verified" : "unverified"); | 1435 | (ret == 0) ? "verified" : "unverified"); |
1440 | auth2_record_key(authctxt, ret == 0, key); | 1436 | auth2_record_key(authctxt, ret == 0, key); |
@@ -1461,9 +1457,8 @@ mm_answer_keyverify(int sock, struct sshbuf *m) | |||
1461 | } | 1457 | } |
1462 | 1458 | ||
1463 | static void | 1459 | static void |
1464 | mm_record_login(Session *s, struct passwd *pw) | 1460 | mm_record_login(struct ssh *ssh, Session *s, struct passwd *pw) |
1465 | { | 1461 | { |
1466 | struct ssh *ssh = active_state; /* XXX */ | ||
1467 | socklen_t fromlen; | 1462 | socklen_t fromlen; |
1468 | struct sockaddr_storage from; | 1463 | struct sockaddr_storage from; |
1469 | 1464 | ||
@@ -1473,8 +1468,8 @@ mm_record_login(Session *s, struct passwd *pw) | |||
1473 | */ | 1468 | */ |
1474 | memset(&from, 0, sizeof(from)); | 1469 | memset(&from, 0, sizeof(from)); |
1475 | fromlen = sizeof(from); | 1470 | fromlen = sizeof(from); |
1476 | if (packet_connection_is_on_socket()) { | 1471 | if (ssh_packet_connection_is_on_socket(ssh)) { |
1477 | if (getpeername(packet_get_connection_in(), | 1472 | if (getpeername(ssh_packet_get_connection_in(ssh), |
1478 | (struct sockaddr *)&from, &fromlen) < 0) { | 1473 | (struct sockaddr *)&from, &fromlen) < 0) { |
1479 | debug("getpeername: %.100s", strerror(errno)); | 1474 | debug("getpeername: %.100s", strerror(errno)); |
1480 | cleanup_exit(255); | 1475 | cleanup_exit(255); |
@@ -1498,7 +1493,7 @@ mm_session_close(Session *s) | |||
1498 | } | 1493 | } |
1499 | 1494 | ||
1500 | int | 1495 | int |
1501 | mm_answer_pty(int sock, struct sshbuf *m) | 1496 | mm_answer_pty(struct ssh *ssh, int sock, struct sshbuf *m) |
1502 | { | 1497 | { |
1503 | extern struct monitor *pmonitor; | 1498 | extern struct monitor *pmonitor; |
1504 | Session *s; | 1499 | Session *s; |
@@ -1526,7 +1521,7 @@ mm_answer_pty(int sock, struct sshbuf *m) | |||
1526 | if (dup2(s->ttyfd, 0) == -1) | 1521 | if (dup2(s->ttyfd, 0) == -1) |
1527 | fatal("%s: dup2", __func__); | 1522 | fatal("%s: dup2", __func__); |
1528 | 1523 | ||
1529 | mm_record_login(s, authctxt->pw); | 1524 | mm_record_login(ssh, s, authctxt->pw); |
1530 | 1525 | ||
1531 | /* Now we can close the file descriptor again */ | 1526 | /* Now we can close the file descriptor again */ |
1532 | close(0); | 1527 | close(0); |
@@ -1568,7 +1563,7 @@ mm_answer_pty(int sock, struct sshbuf *m) | |||
1568 | } | 1563 | } |
1569 | 1564 | ||
1570 | int | 1565 | int |
1571 | mm_answer_pty_cleanup(int sock, struct sshbuf *m) | 1566 | mm_answer_pty_cleanup(struct ssh *ssh, int sock, struct sshbuf *m) |
1572 | { | 1567 | { |
1573 | Session *s; | 1568 | Session *s; |
1574 | char *tty; | 1569 | char *tty; |
@@ -1586,9 +1581,8 @@ mm_answer_pty_cleanup(int sock, struct sshbuf *m) | |||
1586 | } | 1581 | } |
1587 | 1582 | ||
1588 | int | 1583 | int |
1589 | mm_answer_term(int sock, struct sshbuf *req) | 1584 | mm_answer_term(struct ssh *ssh, int sock, struct sshbuf *req) |
1590 | { | 1585 | { |
1591 | struct ssh *ssh = active_state; /* XXX */ | ||
1592 | extern struct monitor *pmonitor; | 1586 | extern struct monitor *pmonitor; |
1593 | int res, status; | 1587 | int res, status; |
1594 | 1588 | ||
@@ -1615,7 +1609,7 @@ mm_answer_term(int sock, struct sshbuf *req) | |||
1615 | #ifdef SSH_AUDIT_EVENTS | 1609 | #ifdef SSH_AUDIT_EVENTS |
1616 | /* Report that an audit event occurred */ | 1610 | /* Report that an audit event occurred */ |
1617 | int | 1611 | int |
1618 | mm_answer_audit_event(int socket, struct sshbuf *m) | 1612 | mm_answer_audit_event(struct ssh *ssh, int socket, struct sshbuf *m) |
1619 | { | 1613 | { |
1620 | u_int n; | 1614 | u_int n; |
1621 | ssh_audit_event_t event; | 1615 | ssh_audit_event_t event; |
@@ -1644,7 +1638,7 @@ mm_answer_audit_event(int socket, struct sshbuf *m) | |||
1644 | } | 1638 | } |
1645 | 1639 | ||
1646 | int | 1640 | int |
1647 | mm_answer_audit_command(int socket, struct sshbuf *m) | 1641 | mm_answer_audit_command(struct ssh *ssh, int socket, struct sshbuf *m) |
1648 | { | 1642 | { |
1649 | char *cmd; | 1643 | char *cmd; |
1650 | int r; | 1644 | int r; |
@@ -1660,10 +1654,8 @@ mm_answer_audit_command(int socket, struct sshbuf *m) | |||
1660 | #endif /* SSH_AUDIT_EVENTS */ | 1654 | #endif /* SSH_AUDIT_EVENTS */ |
1661 | 1655 | ||
1662 | void | 1656 | void |
1663 | monitor_clear_keystate(struct monitor *pmonitor) | 1657 | monitor_clear_keystate(struct ssh *ssh, struct monitor *pmonitor) |
1664 | { | 1658 | { |
1665 | struct ssh *ssh = active_state; /* XXX */ | ||
1666 | |||
1667 | ssh_clear_newkeys(ssh, MODE_IN); | 1659 | ssh_clear_newkeys(ssh, MODE_IN); |
1668 | ssh_clear_newkeys(ssh, MODE_OUT); | 1660 | ssh_clear_newkeys(ssh, MODE_OUT); |
1669 | sshbuf_free(child_state); | 1661 | sshbuf_free(child_state); |
@@ -1671,9 +1663,8 @@ monitor_clear_keystate(struct monitor *pmonitor) | |||
1671 | } | 1663 | } |
1672 | 1664 | ||
1673 | void | 1665 | void |
1674 | monitor_apply_keystate(struct monitor *pmonitor) | 1666 | monitor_apply_keystate(struct ssh *ssh, struct monitor *pmonitor) |
1675 | { | 1667 | { |
1676 | struct ssh *ssh = active_state; /* XXX */ | ||
1677 | struct kex *kex; | 1668 | struct kex *kex; |
1678 | int r; | 1669 | int r; |
1679 | 1670 | ||
@@ -1780,7 +1771,7 @@ monitor_reinit(struct monitor *mon) | |||
1780 | 1771 | ||
1781 | #ifdef GSSAPI | 1772 | #ifdef GSSAPI |
1782 | int | 1773 | int |
1783 | mm_answer_gss_setup_ctx(int sock, struct sshbuf *m) | 1774 | mm_answer_gss_setup_ctx(struct ssh *ssh, int sock, struct sshbuf *m) |
1784 | { | 1775 | { |
1785 | gss_OID_desc goid; | 1776 | gss_OID_desc goid; |
1786 | OM_uint32 major; | 1777 | OM_uint32 major; |
@@ -1813,7 +1804,7 @@ mm_answer_gss_setup_ctx(int sock, struct sshbuf *m) | |||
1813 | } | 1804 | } |
1814 | 1805 | ||
1815 | int | 1806 | int |
1816 | mm_answer_gss_accept_ctx(int sock, struct sshbuf *m) | 1807 | mm_answer_gss_accept_ctx(struct ssh *ssh, int sock, struct sshbuf *m) |
1817 | { | 1808 | { |
1818 | gss_buffer_desc in; | 1809 | gss_buffer_desc in; |
1819 | gss_buffer_desc out = GSS_C_EMPTY_BUFFER; | 1810 | gss_buffer_desc out = GSS_C_EMPTY_BUFFER; |
@@ -1847,7 +1838,7 @@ mm_answer_gss_accept_ctx(int sock, struct sshbuf *m) | |||
1847 | } | 1838 | } |
1848 | 1839 | ||
1849 | int | 1840 | int |
1850 | mm_answer_gss_checkmic(int sock, struct sshbuf *m) | 1841 | mm_answer_gss_checkmic(struct ssh *ssh, int sock, struct sshbuf *m) |
1851 | { | 1842 | { |
1852 | gss_buffer_desc gssbuf, mic; | 1843 | gss_buffer_desc gssbuf, mic; |
1853 | OM_uint32 ret; | 1844 | OM_uint32 ret; |
@@ -1878,7 +1869,7 @@ mm_answer_gss_checkmic(int sock, struct sshbuf *m) | |||
1878 | } | 1869 | } |
1879 | 1870 | ||
1880 | int | 1871 | int |
1881 | mm_answer_gss_userok(int sock, struct sshbuf *m) | 1872 | mm_answer_gss_userok(struct ssh *ssh, int sock, struct sshbuf *m) |
1882 | { | 1873 | { |
1883 | int r, authenticated; | 1874 | int r, authenticated; |
1884 | const char *displayname; | 1875 | const char *displayname; |
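Review bot: In monitor_child_preauth (new lines 285-287) the store `ssh->authctxt = authctxt;` is now a no-op, because `authctxt` was read from `ssh->authctxt` two lines earlier, and the memset() between them dereferences that pointer without checking it. The old signature made the caller responsible for handing over a valid Authctxt; after this change the privileged monitor silently assumes `ssh->authctxt` was already allocated, and a missing allocation becomes a NULL write rather than a clear failure. I would drop the redundant store and make the assumption explicit: `if ((authctxt = ssh->authctxt) == NULL) fatal("%s: ssh->authctxt is NULL", __func__);` followed by the existing `memset(authctxt, 0, sizeof(*authctxt));`. The function body continues beyond this hunk, so I cannot see whether anything later re-derives authctxt from ssh.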
@@ -1,4 +1,4 @@ | |||
1 | /* $OpenBSD: monitor.h,v 1.21 2018/07/09 21:53:45 markus Exp $ */ | 1 | /* $OpenBSD: monitor.h,v 1.22 2019/01/19 21:43:07 djm Exp $ */ |
2 | 2 | ||
3 | /* | 3 | /* |
4 | * Copyright 2002 Niels Provos <provos@citi.umich.edu> | 4 | * Copyright 2002 Niels Provos <provos@citi.umich.edu> |
@@ -65,6 +65,8 @@ enum monitor_reqtype { | |||
65 | 65 | ||
66 | }; | 66 | }; |
67 | 67 | ||
68 | struct ssh; | ||
69 | |||
68 | struct monitor { | 70 | struct monitor { |
69 | int m_recvfd; | 71 | int m_recvfd; |
70 | int m_sendfd; | 72 | int m_sendfd; |
@@ -78,11 +80,11 @@ struct monitor *monitor_init(void); | |||
78 | void monitor_reinit(struct monitor *); | 80 | void monitor_reinit(struct monitor *); |
79 | 81 | ||
80 | struct Authctxt; | 82 | struct Authctxt; |
81 | void monitor_child_preauth(struct Authctxt *, struct monitor *); | 83 | void monitor_child_preauth(struct ssh *, struct monitor *); |
82 | void monitor_child_postauth(struct monitor *); | 84 | void monitor_child_postauth(struct ssh *, struct monitor *); |
83 | 85 | ||
84 | struct mon_table; | 86 | void monitor_clear_keystate(struct ssh *, struct monitor *); |
85 | int monitor_read(struct monitor*, struct mon_table *, struct mon_table **); | 87 | void monitor_apply_keystate(struct ssh *, struct monitor *); |
86 | 88 | ||
87 | /* Prototypes for request sending and receiving */ | 89 | /* Prototypes for request sending and receiving */ |
88 | void mm_request_send(int, enum monitor_reqtype, struct sshbuf *); | 90 | void mm_request_send(int, enum monitor_reqtype, struct sshbuf *); |
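Review bot: The forward declaration `struct Authctxt;` on new line 82 looks left over: the only prototype in this hunk that used it, monitor_child_preauth, now takes `struct ssh *` instead. Unless a declaration outside the hunk still names the type, I would remove that line so the header's forward declarations match its prototypes, leaving only the newly added `struct ssh;`. The rest of the header is outside this hunk, so this is a suggestion to verify rather than a certainty.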
diff --git a/monitor_wrap.c b/monitor_wrap.c index 5db8a0a9c..4bdfd518e 100644 --- a/monitor_wrap.c +++ b/monitor_wrap.c | |||
@@ -1,4 +1,4 @@ | |||
1 | /* $OpenBSD: monitor_wrap.c,v 1.109 2019/01/19 21:41:18 djm Exp $ */ | 1 | /* $OpenBSD: monitor_wrap.c,v 1.110 2019/01/19 21:43:07 djm Exp $ */ |
2 | /* | 2 | /* |
3 | * Copyright 2002 Niels Provos <provos@citi.umich.edu> | 3 | * Copyright 2002 Niels Provos <provos@citi.umich.edu> |
4 | * Copyright 2002 Markus Friedl <markus@openbsd.org> | 4 | * Copyright 2002 Markus Friedl <markus@openbsd.org> |
@@ -76,7 +76,6 @@ | |||
76 | 76 | ||
77 | #include "ssherr.h" | 77 | #include "ssherr.h" |
78 | 78 | ||
79 | #include "opacket.h" /* XXX */ | ||
80 | extern struct ssh *active_state; /* XXX */ | 79 | extern struct ssh *active_state; /* XXX */ |
81 | 80 | ||
82 | /* Imports */ | 81 | /* Imports */ |
diff --git a/monitor_wrap.h b/monitor_wrap.h index 19c58e486..8277cbf45 100644 --- a/monitor_wrap.h +++ b/monitor_wrap.h | |||
@@ -1,4 +1,4 @@ | |||
1 | /* $OpenBSD: monitor_wrap.h,v 1.39 2019/01/19 21:41:18 djm Exp $ */ | 1 | /* $OpenBSD: monitor_wrap.h,v 1.40 2019/01/19 21:43:07 djm Exp $ */ |
2 | 2 | ||
3 | /* | 3 | /* |
4 | * Copyright 2002 Niels Provos <provos@citi.umich.edu> | 4 | * Copyright 2002 Niels Provos <provos@citi.umich.edu> |
@@ -89,8 +89,6 @@ void mm_session_pty_cleanup2(struct Session *); | |||
89 | struct newkeys *mm_newkeys_from_blob(u_char *, int); | 89 | struct newkeys *mm_newkeys_from_blob(u_char *, int); |
90 | int mm_newkeys_to_blob(int, u_char **, u_int *); | 90 | int mm_newkeys_to_blob(int, u_char **, u_int *); |
91 | 91 | ||
92 | void monitor_clear_keystate(struct monitor *); | ||
93 | void monitor_apply_keystate(struct monitor *); | ||
94 | void mm_get_keystate(struct monitor *); | 92 | void mm_get_keystate(struct monitor *); |
95 | void mm_send_keystate(struct monitor*); | 93 | void mm_send_keystate(struct monitor*); |
96 | 94 | ||
@@ -1,4 +1,4 @@ | |||
1 | /* $OpenBSD: sshd.c,v 1.525 2019/01/19 21:42:30 djm Exp $ */ | 1 | /* $OpenBSD: sshd.c,v 1.526 2019/01/19 21:43:07 djm Exp $ */ |
2 | /* | 2 | /* |
3 | * Author: Tatu Ylonen <ylo@cs.hut.fi> | 3 | * Author: Tatu Ylonen <ylo@cs.hut.fi> |
4 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland | 4 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland |
@@ -459,7 +459,6 @@ privsep_preauth_child(void) | |||
459 | static int | 459 | static int |
460 | privsep_preauth(struct ssh *ssh) | 460 | privsep_preauth(struct ssh *ssh) |
461 | { | 461 | { |
462 | Authctxt *authctxt = (Authctxt *)ssh->authctxt; | ||
463 | int status, r; | 462 | int status, r; |
464 | pid_t pid; | 463 | pid_t pid; |
465 | struct ssh_sandbox *box = NULL; | 464 | struct ssh_sandbox *box = NULL; |
@@ -488,7 +487,7 @@ privsep_preauth(struct ssh *ssh) | |||
488 | } | 487 | } |
489 | if (box != NULL) | 488 | if (box != NULL) |
490 | ssh_sandbox_parent_preauth(box, pid); | 489 | ssh_sandbox_parent_preauth(box, pid); |
491 | monitor_child_preauth(authctxt, pmonitor); | 490 | monitor_child_preauth(ssh, pmonitor); |
492 | 491 | ||
493 | /* Wait for the child's exit status */ | 492 | /* Wait for the child's exit status */ |
494 | while (waitpid(pid, &status, 0) < 0) { | 493 | while (waitpid(pid, &status, 0) < 0) { |
@@ -548,8 +547,8 @@ privsep_postauth(struct ssh *ssh, Authctxt *authctxt) | |||
548 | else if (pmonitor->m_pid != 0) { | 547 | else if (pmonitor->m_pid != 0) { |
549 | verbose("User child is on pid %ld", (long)pmonitor->m_pid); | 548 | verbose("User child is on pid %ld", (long)pmonitor->m_pid); |
550 | sshbuf_reset(loginmsg); | 549 | sshbuf_reset(loginmsg); |
551 | monitor_clear_keystate(pmonitor); | 550 | monitor_clear_keystate(ssh, pmonitor); |
552 | monitor_child_postauth(pmonitor); | 551 | monitor_child_postauth(ssh, pmonitor); |
553 | 552 | ||
554 | /* NEVERREACHED */ | 553 | /* NEVERREACHED */ |
555 | exit(0); | 554 | exit(0); |
@@ -570,7 +569,7 @@ privsep_postauth(struct ssh *ssh, Authctxt *authctxt) | |||
570 | 569 | ||
571 | skip: | 570 | skip: |
572 | /* It is safe now to apply the key state */ | 571 | /* It is safe now to apply the key state */ |
573 | monitor_apply_keystate(pmonitor); | 572 | monitor_apply_keystate(ssh, pmonitor); |
574 | 573 | ||
575 | /* | 574 | /* |
576 | * Tell the packet layer that authentication was successful, since | 575 | * Tell the packet layer that authentication was successful, since |