diff options
Diffstat (limited to 'monitor.c')
| -rw-r--r-- | monitor.c | 39 |
1 files changed, 18 insertions, 21 deletions
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: monitor.c,v 1.150 2015/06/22 23:42:16 djm Exp $ */ | 1 | /* $OpenBSD: monitor.c,v 1.157 2016/02/15 23:32:37 djm Exp $ */ |
| 2 | /* | 2 | /* |
| 3 | * Copyright 2002 Niels Provos <provos@citi.umich.edu> | 3 | * Copyright 2002 Niels Provos <provos@citi.umich.edu> |
| 4 | * Copyright 2002 Markus Friedl <markus@openbsd.org> | 4 | * Copyright 2002 Markus Friedl <markus@openbsd.org> |
| @@ -100,7 +100,6 @@ | |||
| 100 | #include "monitor_fdpass.h" | 100 | #include "monitor_fdpass.h" |
| 101 | #include "compat.h" | 101 | #include "compat.h" |
| 102 | #include "ssh2.h" | 102 | #include "ssh2.h" |
| 103 | #include "roaming.h" | ||
| 104 | #include "authfd.h" | 103 | #include "authfd.h" |
| 105 | #include "match.h" | 104 | #include "match.h" |
| 106 | #include "ssherr.h" | 105 | #include "ssherr.h" |
| @@ -506,15 +505,10 @@ monitor_sync(struct monitor *pmonitor) | |||
| 506 | static void * | 505 | static void * |
| 507 | mm_zalloc(struct mm_master *mm, u_int ncount, u_int size) | 506 | mm_zalloc(struct mm_master *mm, u_int ncount, u_int size) |
| 508 | { | 507 | { |
| 509 | size_t len = (size_t) size * ncount; | 508 | if (size == 0 || ncount == 0 || ncount > SIZE_MAX / size) |
| 510 | void *address; | ||
| 511 | |||
| 512 | if (len == 0 || ncount > SIZE_MAX / size) | ||
| 513 | fatal("%s: mm_zalloc(%u, %u)", __func__, ncount, size); | 509 | fatal("%s: mm_zalloc(%u, %u)", __func__, ncount, size); |
| 514 | 510 | ||
| 515 | address = mm_malloc(mm, len); | 511 | return mm_malloc(mm, size * ncount); |
| 516 | |||
| 517 | return (address); | ||
| 518 | } | 512 | } |
| 519 | 513 | ||
| 520 | static void | 514 | static void |
| @@ -709,17 +703,18 @@ mm_answer_sign(int sock, Buffer *m) | |||
| 709 | struct ssh *ssh = active_state; /* XXX */ | 703 | struct ssh *ssh = active_state; /* XXX */ |
| 710 | extern int auth_sock; /* XXX move to state struct? */ | 704 | extern int auth_sock; /* XXX move to state struct? */ |
| 711 | struct sshkey *key; | 705 | struct sshkey *key; |
| 712 | struct sshbuf *sigbuf; | 706 | struct sshbuf *sigbuf = NULL; |
| 713 | u_char *p; | 707 | u_char *p = NULL, *signature = NULL; |
| 714 | u_char *signature; | 708 | char *alg = NULL; |
| 715 | size_t datlen, siglen; | 709 | size_t datlen, siglen, alglen; |
| 716 | int r, keyid, is_proof = 0; | 710 | int r, keyid, is_proof = 0; |
| 717 | const char proof_req[] = "hostkeys-prove-00@openssh.com"; | 711 | const char proof_req[] = "hostkeys-prove-00@openssh.com"; |
| 718 | 712 | ||
| 719 | debug3("%s", __func__); | 713 | debug3("%s", __func__); |
| 720 | 714 | ||
| 721 | if ((r = sshbuf_get_u32(m, &keyid)) != 0 || | 715 | if ((r = sshbuf_get_u32(m, &keyid)) != 0 || |
| 722 | (r = sshbuf_get_string(m, &p, &datlen)) != 0) | 716 | (r = sshbuf_get_string(m, &p, &datlen)) != 0 || |
| 717 | (r = sshbuf_get_cstring(m, &alg, &alglen)) != 0) | ||
| 723 | fatal("%s: buffer error: %s", __func__, ssh_err(r)); | 718 | fatal("%s: buffer error: %s", __func__, ssh_err(r)); |
| 724 | 719 | ||
| 725 | /* | 720 | /* |
| @@ -746,7 +741,7 @@ mm_answer_sign(int sock, Buffer *m) | |||
| 746 | fatal("%s: sshbuf_new", __func__); | 741 | fatal("%s: sshbuf_new", __func__); |
| 747 | if ((r = sshbuf_put_cstring(sigbuf, proof_req)) != 0 || | 742 | if ((r = sshbuf_put_cstring(sigbuf, proof_req)) != 0 || |
| 748 | (r = sshbuf_put_string(sigbuf, session_id2, | 743 | (r = sshbuf_put_string(sigbuf, session_id2, |
| 749 | session_id2_len) != 0) || | 744 | session_id2_len)) != 0 || |
| 750 | (r = sshkey_puts(key, sigbuf)) != 0) | 745 | (r = sshkey_puts(key, sigbuf)) != 0) |
| 751 | fatal("%s: couldn't prepare private key " | 746 | fatal("%s: couldn't prepare private key " |
| 752 | "proof buffer: %s", __func__, ssh_err(r)); | 747 | "proof buffer: %s", __func__, ssh_err(r)); |
| @@ -766,14 +761,14 @@ mm_answer_sign(int sock, Buffer *m) | |||
| 766 | } | 761 | } |
| 767 | 762 | ||
| 768 | if ((key = get_hostkey_by_index(keyid)) != NULL) { | 763 | if ((key = get_hostkey_by_index(keyid)) != NULL) { |
| 769 | if ((r = sshkey_sign(key, &signature, &siglen, p, datlen, | 764 | if ((r = sshkey_sign(key, &signature, &siglen, p, datlen, alg, |
| 770 | datafellows)) != 0) | 765 | datafellows)) != 0) |
| 771 | fatal("%s: sshkey_sign failed: %s", | 766 | fatal("%s: sshkey_sign failed: %s", |
| 772 | __func__, ssh_err(r)); | 767 | __func__, ssh_err(r)); |
| 773 | } else if ((key = get_hostkey_public_by_index(keyid, ssh)) != NULL && | 768 | } else if ((key = get_hostkey_public_by_index(keyid, ssh)) != NULL && |
| 774 | auth_sock > 0) { | 769 | auth_sock > 0) { |
| 775 | if ((r = ssh_agent_sign(auth_sock, key, &signature, &siglen, | 770 | if ((r = ssh_agent_sign(auth_sock, key, &signature, &siglen, |
| 776 | p, datlen, datafellows)) != 0) { | 771 | p, datlen, alg, datafellows)) != 0) { |
| 777 | fatal("%s: ssh_agent_sign failed: %s", | 772 | fatal("%s: ssh_agent_sign failed: %s", |
| 778 | __func__, ssh_err(r)); | 773 | __func__, ssh_err(r)); |
| 779 | } | 774 | } |
| @@ -787,6 +782,7 @@ mm_answer_sign(int sock, Buffer *m) | |||
| 787 | if ((r = sshbuf_put_string(m, signature, siglen)) != 0) | 782 | if ((r = sshbuf_put_string(m, signature, siglen)) != 0) |
| 788 | fatal("%s: buffer error: %s", __func__, ssh_err(r)); | 783 | fatal("%s: buffer error: %s", __func__, ssh_err(r)); |
| 789 | 784 | ||
| 785 | free(alg); | ||
| 790 | free(p); | 786 | free(p); |
| 791 | free(signature); | 787 | free(signature); |
| 792 | 788 | ||
| @@ -1014,7 +1010,7 @@ mm_answer_bsdauthrespond(int sock, Buffer *m) | |||
| 1014 | char *response; | 1010 | char *response; |
| 1015 | int authok; | 1011 | int authok; |
| 1016 | 1012 | ||
| 1017 | if (authctxt->as == 0) | 1013 | if (authctxt->as == NULL) |
| 1018 | fatal("%s: no bsd auth session", __func__); | 1014 | fatal("%s: no bsd auth session", __func__); |
| 1019 | 1015 | ||
| 1020 | response = buffer_get_string(m, NULL); | 1016 | response = buffer_get_string(m, NULL); |
| @@ -1083,7 +1079,8 @@ mm_answer_skeyrespond(int sock, Buffer *m) | |||
| 1083 | debug3("%s: sending authenticated: %d", __func__, authok); | 1079 | debug3("%s: sending authenticated: %d", __func__, authok); |
| 1084 | mm_request_send(sock, MONITOR_ANS_SKEYRESPOND, m); | 1080 | mm_request_send(sock, MONITOR_ANS_SKEYRESPOND, m); |
| 1085 | 1081 | ||
| 1086 | auth_method = "skey"; | 1082 | auth_method = "keyboard-interactive"; |
| 1083 | auth_submethod = "skey"; | ||
| 1087 | 1084 | ||
| 1088 | return (authok != 0); | 1085 | return (authok != 0); |
| 1089 | } | 1086 | } |
| @@ -1492,7 +1489,7 @@ mm_answer_keyverify(int sock, Buffer *m) | |||
| 1492 | __func__, key, (verified == 1) ? "verified" : "unverified"); | 1489 | __func__, key, (verified == 1) ? "verified" : "unverified"); |
| 1493 | 1490 | ||
| 1494 | /* If auth was successful then record key to ensure it isn't reused */ | 1491 | /* If auth was successful then record key to ensure it isn't reused */ |
| 1495 | if (verified == 1) | 1492 | if (verified == 1 && key_blobtype == MM_USERKEY) |
| 1496 | auth2_record_userkey(authctxt, key); | 1493 | auth2_record_userkey(authctxt, key); |
| 1497 | else | 1494 | else |
| 1498 | key_free(key); | 1495 | key_free(key); |
| @@ -1895,7 +1892,7 @@ monitor_apply_keystate(struct monitor *pmonitor) | |||
| 1895 | sshbuf_free(child_state); | 1892 | sshbuf_free(child_state); |
| 1896 | child_state = NULL; | 1893 | child_state = NULL; |
| 1897 | 1894 | ||
| 1898 | if ((kex = ssh->kex) != 0) { | 1895 | if ((kex = ssh->kex) != NULL) { |
| 1899 | /* XXX set callbacks */ | 1896 | /* XXX set callbacks */ |
| 1900 | #ifdef WITH_OPENSSL | 1897 | #ifdef WITH_OPENSSL |
| 1901 | kex->kex[KEX_DH_GRP1_SHA1] = kexdh_server; | 1898 | kex->kex[KEX_DH_GRP1_SHA1] = kexdh_server; |