1 files changed, 48 insertions, 33 deletions
diff --git a/auth.h b/auth.h
index 8c658d16e..27a1a88ec 100644
--- a/auth.h
+++ b/auth.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: auth.h,v 1.89 2016/08/13 17:47:41 markus Exp $ */
+/* $OpenBSD: auth.h,v 1.93 2017/08/18 05:36:45 djm Exp $ */
 /*
 * Copyright (c) 2000 Markus Friedl.  All rights reserved.
@@ -44,6 +44,7 @@
 struct ssh;
 struct sshkey;
+struct sshbuf;
 typedef struct Authctxt Authctxt;
 typedef struct Authmethod Authmethod;
@@ -63,13 +64,17 @@ struct Authctxt {
        struct passwd   *pw;            /* set if 'valid' */
        char            *style;
        char            *role;
+        /* Method lists for multiple authentication */
+        char            **auth_methods; /* modified from server config */
+        u_int            num_auth_methods;
+        /* Authentication method-specific data */
+        void            *methoddata;
        void            *kbdintctxt;
-        char            *info;          /* Extra info for next auth_log */
 #ifdef BSD_AUTH
        auth_session_t  *as;
 #endif
-        char            **auth_methods; /* modified from server config */
-        u_int            num_auth_methods;
 #ifdef KRB5
        krb5_context     krb5_ctx;
        krb5_ccache      krb5_fwd_ccache;
@@ -77,12 +82,20 @@ struct Authctxt {
        char            *krb5_ticket_file;
        char            *krb5_ccname;
 #endif
-        Buffer          *loginmsg;
+        struct sshbuf   *loginmsg;
-        void            *methoddata;
+        /* Authentication keys already used; these will be refused henceforth */
+        struct sshkey   **prev_keys;
+        u_int            nprev_keys;
-        struct sshkey   **prev_userkeys;
+        /* Last used key and ancilliary information from active auth method */
-        u_int            nprev_userkeys;
+        struct sshkey   *auth_method_key;
+        char            *auth_method_info;
+        /* Information exposed to session */
+        struct sshbuf   *session_info;  /* Auth info for environment */
 };
 /*
 * Every authentication method has to handle authentication requests for
 * non-existing users, or for users that are not allowed to login. In this
@@ -92,7 +105,7 @@ struct Authctxt {
 struct Authmethod {
        char    *name;
-        int     (*userauth)(Authctxt *authctxt);
+        int     (*userauth)(struct ssh *);
        int     *enabled;
 };
@@ -118,16 +131,21 @@ auth_rhosts2(struct passwd *, const char *, const char *, const char *);
 int      auth_password(Authctxt *, const char *);
-int      hostbased_key_allowed(struct passwd *, const char *, char *, Key *);
+int      hostbased_key_allowed(struct passwd *, const char *, char *,
-int      user_key_allowed(struct passwd *, Key *, int);
+            struct sshkey *);
-void     pubkey_auth_info(Authctxt *, const Key *, const char *, ...)
+int      user_key_allowed(struct passwd *, struct sshkey *, int);
-            __attribute__((__format__ (printf, 3, 4)));
+int      auth2_key_already_used(Authctxt *, const struct sshkey *);
-void     auth2_record_userkey(Authctxt *, struct sshkey *);
-int      auth2_userkey_already_used(Authctxt *, struct sshkey *);
-struct stat;
+/*
-int      auth_secure_path(const char *, struct stat *, const char *, uid_t,
+ * Handling auth method-specific information for logging and prevention
-    char *, size_t);
+ * of key reuse during multiple authentication.
+ */
+void     auth2_authctxt_reset_info(Authctxt *);
+void     auth2_record_key(Authctxt *, int, const struct sshkey *);
+void     auth2_record_info(Authctxt *authctxt, const char *, ...)
+            __attribute__((__format__ (printf, 2, 3)))
+            __attribute__((__nonnull__ (2)));
+void     auth2_update_session_info(Authctxt *, const char *, const char *);
 #ifdef KRB5
 int     auth_krb5(Authctxt *authctxt, krb5_data *auth, char **client, krb5_data *);
@@ -150,12 +168,9 @@ void disable_forwarding(void);
 void    do_authentication2(Authctxt *);
-void    auth_info(Authctxt *authctxt, const char *, ...)
-            __attribute__((__format__ (printf, 2, 3)))
-            __attribute__((__nonnull__ (2)));
 void    auth_log(Authctxt *, int, int, const char *, const char *);
 void    auth_maxtries_exceeded(Authctxt *) __attribute__((noreturn));
-void    userauth_finish(Authctxt *, int, const char *, const char *);
+void    userauth_finish(struct ssh *, int, const char *, const char *);
 int     auth_root_allowed(const char *);
 void    userauth_send_banner(const char *);
@@ -168,8 +183,8 @@ int	 auth2_method_allowed(Authctxt *, const char *, const char *);
 void    privsep_challenge_enable(void);
-int     auth2_challenge(Authctxt *, char *);
+int     auth2_challenge(struct ssh *, char *);
-void    auth2_challenge_stop(Authctxt *);
+void    auth2_challenge_stop(struct ssh *);
 int     bsdauth_query(void *, char **, char **, u_int *, char ***, u_int **);
 int     bsdauth_respond(void *, u_int, char **);
 int     skey_query(void *, char **, char **, u_int *, char ***, u_int **);
@@ -183,22 +198,22 @@ char	*authorized_principals_file(struct passwd *);
 FILE    *auth_openkeyfile(const char *, struct passwd *, int);
 FILE    *auth_openprincipals(const char *, struct passwd *, int);
-int      auth_key_is_revoked(Key *);
+int      auth_key_is_revoked(struct sshkey *);
 const char      *auth_get_canonical_hostname(struct ssh *, int);
 HostStatus
-check_key_in_hostfiles(struct passwd *, Key *, const char *,
+check_key_in_hostfiles(struct passwd *, struct sshkey *, const char *,
    const char *, const char *);
 /* hostkey handling */
-Key     *get_hostkey_by_index(int);
+struct sshkey   *get_hostkey_by_index(int);
-Key     *get_hostkey_public_by_index(int, struct ssh *);
+struct sshkey   *get_hostkey_public_by_index(int, struct ssh *);
-Key     *get_hostkey_public_by_type(int, int, struct ssh *);
+struct sshkey   *get_hostkey_public_by_type(int, int, struct ssh *);
-Key     *get_hostkey_private_by_type(int, int, struct ssh *);
+struct sshkey   *get_hostkey_private_by_type(int, int, struct ssh *);
-int      get_hostkey_index(Key *, int, struct ssh *);
+int      get_hostkey_index(struct sshkey *, int, struct ssh *);
-int      sshd_hostkey_sign(Key *, Key *, u_char **, size_t *,
+int      sshd_hostkey_sign(struct sshkey *, struct sshkey *, u_char **,
-             const u_char *, size_t, const char *, u_int);
+             size_t *, const u_char *, size_t, const char *, u_int);
 /* debug messages during authentication */
 void     auth_debug_add(const char *fmt,...) __attribute__((format(printf, 1, 2)));

diff --git a/auth.h b/auth.h index 8c658d16e..27a1a88ec 100644 --- a/auth.h +++ b/auth.h
@@ -1,4 +1,4 @@
1	/* $OpenBSD: auth.h,v 1.89 2016/08/13 17:47:41 markus Exp $ */	1	/* $OpenBSD: auth.h,v 1.93 2017/08/18 05:36:45 djm Exp $ */
2		2
3	/*	3	/*
4	* Copyright (c) 2000 Markus Friedl. All rights reserved.	4	* Copyright (c) 2000 Markus Friedl. All rights reserved.
@@ -44,6 +44,7 @@
44		44
45	struct ssh;	45	struct ssh;
46	struct sshkey;	46	struct sshkey;
		47	struct sshbuf;
47		48
48	typedef struct Authctxt Authctxt;	49	typedef struct Authctxt Authctxt;
49	typedef struct Authmethod Authmethod;	50	typedef struct Authmethod Authmethod;
@@ -63,13 +64,17 @@ struct Authctxt {
63	struct passwd pw; / set if 'valid' */	64	struct passwd pw; / set if 'valid' */
64	char *style;	65	char *style;
65	char *role;	66	char *role;
		67
		68	/* Method lists for multiple authentication */
		69	char *auth_methods; / modified from server config */
		70	u_int num_auth_methods;
		71
		72	/* Authentication method-specific data */
		73	void *methoddata;
66	void *kbdintctxt;	74	void *kbdintctxt;
67	char info; / Extra info for next auth_log */
68	#ifdef BSD_AUTH	75	#ifdef BSD_AUTH
69	auth_session_t *as;	76	auth_session_t *as;
70	#endif	77	#endif
71	char *auth_methods; / modified from server config */
72	u_int num_auth_methods;
73	#ifdef KRB5	78	#ifdef KRB5
74	krb5_context krb5_ctx;	79	krb5_context krb5_ctx;
75	krb5_ccache krb5_fwd_ccache;	80	krb5_ccache krb5_fwd_ccache;
@@ -77,12 +82,20 @@ struct Authctxt {
77	char *krb5_ticket_file;	82	char *krb5_ticket_file;
78	char *krb5_ccname;	83	char *krb5_ccname;
79	#endif	84	#endif
80	Buffer *loginmsg;	85	struct sshbuf *loginmsg;
81	void *methoddata;	86
		87	/* Authentication keys already used; these will be refused henceforth */
		88	struct sshkey **prev_keys;
		89	u_int nprev_keys;
82		90
83	struct sshkey **prev_userkeys;	91	/* Last used key and ancilliary information from active auth method */
84	u_int nprev_userkeys;	92	struct sshkey *auth_method_key;
		93	char *auth_method_info;
		94
		95	/* Information exposed to session */
		96	struct sshbuf session_info; / Auth info for environment */
85	};	97	};
		98
86	/*	99	/*
87	* Every authentication method has to handle authentication requests for	100	* Every authentication method has to handle authentication requests for
88	* non-existing users, or for users that are not allowed to login. In this	101	* non-existing users, or for users that are not allowed to login. In this
@@ -92,7 +105,7 @@ struct Authctxt {
92		105
93	struct Authmethod {	106	struct Authmethod {
94	char *name;	107	char *name;
95	int (userauth)(Authctxt authctxt);	108	int (userauth)(struct ssh );
96	int *enabled;	109	int *enabled;
97	};	110	};
98		111
@@ -118,16 +131,21 @@ auth_rhosts2(struct passwd , const char , const char , const char );
118		131
119	int auth_password(Authctxt , const char );	132	int auth_password(Authctxt , const char );
120		133
121	int hostbased_key_allowed(struct passwd , const char , char , Key );	134	int hostbased_key_allowed(struct passwd , const char , char *,
122	int user_key_allowed(struct passwd , Key , int);	135	struct sshkey *);
123	void pubkey_auth_info(Authctxt , const Key , const char *, ...)	136	int user_key_allowed(struct passwd , struct sshkey , int);
124	__attribute__((__format__ (printf, 3, 4)));	137	int auth2_key_already_used(Authctxt , const struct sshkey );
125	void auth2_record_userkey(Authctxt , struct sshkey );
126	int auth2_userkey_already_used(Authctxt , struct sshkey );
127		138
128	struct stat;	139	/*
129	int auth_secure_path(const char , struct stat , const char *, uid_t,	140	* Handling auth method-specific information for logging and prevention
130	char *, size_t);	141	* of key reuse during multiple authentication.
		142	*/
		143	void auth2_authctxt_reset_info(Authctxt *);
		144	void auth2_record_key(Authctxt , int, const struct sshkey );
		145	void auth2_record_info(Authctxt authctxt, const char , ...)
		146	__attribute__((__format__ (printf, 2, 3)))
		147	__attribute__((__nonnull__ (2)));
		148	void auth2_update_session_info(Authctxt , const char , const char *);
131		149
132	#ifdef KRB5	150	#ifdef KRB5
133	int auth_krb5(Authctxt authctxt, krb5_data auth, char *client, krb5_data );	151	int auth_krb5(Authctxt authctxt, krb5_data auth, char *client, krb5_data );
@@ -150,12 +168,9 @@ void disable_forwarding(void);
150		168
151	void do_authentication2(Authctxt *);	169	void do_authentication2(Authctxt *);
152		170
153	void auth_info(Authctxt authctxt, const char , ...)
154	__attribute__((__format__ (printf, 2, 3)))
155	__attribute__((__nonnull__ (2)));
156	void auth_log(Authctxt , int, int, const char , const char *);	171	void auth_log(Authctxt , int, int, const char , const char *);
157	void auth_maxtries_exceeded(Authctxt *) __attribute__((noreturn));	172	void auth_maxtries_exceeded(Authctxt *) __attribute__((noreturn));
158	void userauth_finish(Authctxt , int, const char , const char *);	173	void userauth_finish(struct ssh , int, const char , const char *);
159	int auth_root_allowed(const char *);	174	int auth_root_allowed(const char *);
160		175
161	void userauth_send_banner(const char *);	176	void userauth_send_banner(const char *);
@@ -168,8 +183,8 @@ int auth2_method_allowed(Authctxt , const char , const char *);
168		183
169	void privsep_challenge_enable(void);	184	void privsep_challenge_enable(void);
170		185
171	int auth2_challenge(Authctxt , char );	186	int auth2_challenge(struct ssh , char );
172	void auth2_challenge_stop(Authctxt *);	187	void auth2_challenge_stop(struct ssh *);
173	int bsdauth_query(void , char , char , u_int , char *, u_int );	188	int bsdauth_query(void , char , char , u_int , char *, u_int );
174	int bsdauth_respond(void , u_int, char *);	189	int bsdauth_respond(void , u_int, char *);
175	int skey_query(void , char , char , u_int , char *, u_int );	190	int skey_query(void , char , char , u_int , char *, u_int );
@@ -183,22 +198,22 @@ char authorized_principals_file(struct passwd );
183		198
184	FILE auth_openkeyfile(const char , struct passwd *, int);	199	FILE auth_openkeyfile(const char , struct passwd *, int);
185	FILE auth_openprincipals(const char , struct passwd *, int);	200	FILE auth_openprincipals(const char , struct passwd *, int);
186	int auth_key_is_revoked(Key *);	201	int auth_key_is_revoked(struct sshkey *);
187		202
188	const char auth_get_canonical_hostname(struct ssh , int);	203	const char auth_get_canonical_hostname(struct ssh , int);
189		204
190	HostStatus	205	HostStatus
191	check_key_in_hostfiles(struct passwd , Key , const char *,	206	check_key_in_hostfiles(struct passwd , struct sshkey , const char *,
192	const char , const char );	207	const char , const char );
193		208
194	/* hostkey handling */	209	/* hostkey handling */
195	Key *get_hostkey_by_index(int);	210	struct sshkey *get_hostkey_by_index(int);
196	Key get_hostkey_public_by_index(int, struct ssh );	211	struct sshkey get_hostkey_public_by_index(int, struct ssh );
197	Key get_hostkey_public_by_type(int, int, struct ssh );	212	struct sshkey get_hostkey_public_by_type(int, int, struct ssh );
198	Key get_hostkey_private_by_type(int, int, struct ssh );	213	struct sshkey get_hostkey_private_by_type(int, int, struct ssh );
199	int get_hostkey_index(Key , int, struct ssh );	214	int get_hostkey_index(struct sshkey , int, struct ssh );
200	int sshd_hostkey_sign(Key , Key , u_char *, size_t ,	215	int sshd_hostkey_sign(struct sshkey , struct sshkey , u_char **,
201	const u_char , size_t, const char , u_int);	216	size_t , const u_char , size_t, const char *, u_int);
202		217
203	/* debug messages during authentication */	218	/* debug messages during authentication */
204	void auth_debug_add(const char *fmt,...) __attribute__((format(printf, 1, 2)));	219	void auth_debug_add(const char *fmt,...) __attribute__((format(printf, 1, 2)));