Diffstat (limited to 'monitor.c')
-rw-r--r--monitor.c45
1 files changed, 30 insertions, 15 deletions
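diff --git a/monitor.c b/monitor.c
index 5be3fbfdb..e91054e5f 100644
--- a/monitor.c
+++ b/monitor.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: monitor.c,v 1.157 2016/02/15 23:32:37 djm Exp $ */
+/* $OpenBSD: monitor.c,v 1.161 2016/07/22 03:39:13 djm Exp $ */
 /*
   * Copyright 2002 Niels Provos <provos@citi.umich.edu>
   * Copyright 2002 Markus Friedl <markus@openbsd.org>
@@ -34,6 +34,7 @@
 
 #include <errno.h>
 #include <fcntl.h>
+#include <limits.h>
 #ifdef HAVE_PATHS_H
 #include <paths.h>
 #endif
@@ -74,6 +75,7 @@
 #include "cipher.h"
 #include "kex.h"
 #include "dh.h"
+#include "auth-pam.h"
 #ifdef TARGET_OS_MAC /* XXX Broken krb5 headers on Mac */
 #undef TARGET_OS_MAC
 #include "zlib.h"
@@ -707,7 +709,8 @@ mm_answer_sign(int sock, Buffer *m)
  u_char *p = NULL, *signature = NULL;
  char *alg = NULL;
  size_t datlen, siglen, alglen;
- int r, keyid, is_proof = 0;
+ int r, is_proof = 0;
+ u_int keyid;
  const char proof_req[] = "hostkeys-prove-00@openssh.com";
 
  debug3("%s", __func__);
@@ -716,6 +719,8 @@ mm_answer_sign(int sock, Buffer *m)
  (r = sshbuf_get_string(m, &p, &datlen)) != 0 ||
  (r = sshbuf_get_cstring(m, &alg, &alglen)) != 0)
  fatal("%s: buffer error: %s", __func__, ssh_err(r));
+ if (keyid > INT_MAX)
+ fatal("%s: invalid key ID", __func__);
 
  /*
  * Supported KEX types use SHA1 (20 bytes), SHA256 (32 bytes),
@@ -959,6 +964,9 @@ mm_answer_authpassword(int sock, Buffer *m)
 
  buffer_clear(m);
  buffer_put_int(m, authenticated);
+#ifdef USE_PAM
+ buffer_put_int(m, sshpam_get_maxtries_reached());
+#endif
 
  debug3("%s: sending result %d", __func__, authenticated);
  mm_request_send(sock, MONITOR_ANS_AUTHPASSWORD, m);
@@ -1158,6 +1166,7 @@ mm_answer_pam_query(int sock, Buffer *m)
  free(name);
  buffer_put_cstring(m, info);
  free(info);
+ buffer_put_int(m, sshpam_get_maxtries_reached());
  buffer_put_int(m, num);
  for (i = 0; i < num; ++i) {
  buffer_put_cstring(m, prompts[i]);
@@ -1292,6 +1301,10 @@ mm_answer_keyallowed(int sock, Buffer *m)
  break;
  }
  }
+
+ debug3("%s: key %p is %s",
+ __func__, key, allowed ? "allowed" : "not allowed");
+
  if (key != NULL)
  key_free(key);
 
@@ -1313,9 +1326,6 @@ mm_answer_keyallowed(int sock, Buffer *m)
  free(chost);
  }
 
- debug3("%s: key %p is %s",
- __func__, key, allowed ? "allowed" : "not allowed");
-
  buffer_clear(m);
  buffer_put_int(m, allowed);
  buffer_put_int(m, forced_command != NULL);
@@ -1332,7 +1342,8 @@ static int
 monitor_valid_userblob(u_char *data, u_int datalen)
 {
  Buffer b;
- char *p, *userstyle;
+ u_char *p;
+ char *userstyle, *cp;
  u_int len;
  int fail = 0;
 
@@ -1357,26 +1368,26 @@ monitor_valid_userblob(u_char *data, u_int datalen)
  }
  if (buffer_get_char(&b) != SSH2_MSG_USERAUTH_REQUEST)
  fail++;
- p = buffer_get_cstring(&b, NULL);
+ cp = buffer_get_cstring(&b, NULL);
  xasprintf(&userstyle, "%s%s%s", authctxt->user,
  authctxt->style ? ":" : "",
  authctxt->style ? authctxt->style : "");
- if (strcmp(userstyle, p) != 0) {
- logit("wrong user name passed to monitor: expected %s != %.100s",
- userstyle, p);
+ if (strcmp(userstyle, cp) != 0) {
+ logit("wrong user name passed to monitor: "
+ "expected %s != %.100s", userstyle, cp);
  fail++;
  }
  free(userstyle);
- free(p);
+ free(cp);
  buffer_skip_string(&b);
  if (datafellows & SSH_BUG_PKAUTH) {
  if (!buffer_get_char(&b))
  fail++;
  } else {
- p = buffer_get_cstring(&b, NULL);
- if (strcmp("publickey", p) != 0)
+ cp = buffer_get_cstring(&b, NULL);
+ if (strcmp("publickey", cp) != 0)
  fail++;
- free(p);
+ free(cp);
  if (!buffer_get_char(&b))
  fail++;
  buffer_skip_string(&b);
@@ -1512,6 +1523,7 @@ mm_answer_keyverify(int sock, Buffer *m)
 static void
 mm_record_login(Session *s, struct passwd *pw)
 {
+ struct ssh *ssh = active_state; /* XXX */
  socklen_t fromlen;
  struct sockaddr_storage from;
 
@@ -1533,7 +1545,7 @@ mm_record_login(Session *s, struct passwd *pw)
  }
  /* Record that there was a login on that tty from the remote host. */
  record_login(s->pid, s->tty, pw->pw_name, pw->pw_uid,
- get_remote_name_or_ip(utmp_len, options.use_dns),
+ session_get_remote_name_or_ip(ssh, utmp_len, options.use_dns),
  (struct sockaddr *)&from, fromlen);
 }
 
@@ -1897,6 +1909,9 @@ monitor_apply_keystate(struct monitor *pmonitor)
 #ifdef WITH_OPENSSL
  kex->kex[KEX_DH_GRP1_SHA1] = kexdh_server;
  kex->kex[KEX_DH_GRP14_SHA1] = kexdh_server;
+ kex->kex[KEX_DH_GRP14_SHA256] = kexdh_server;
+ kex->kex[KEX_DH_GRP16_SHA512] = kexdh_server;
+ kex->kex[KEX_DH_GRP18_SHA512] = kexdh_server;
  kex->kex[KEX_DH_GEX_SHA1] = kexgex_server;
  kex->kex[KEX_DH_GEX_SHA256] = kexgex_server;
 # ifdef OPENSSL_HAS_ECC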
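Review bot: In mm_answer_authpassword the reply now carries `sshpam_get_maxtries_reached()` only under `#ifdef USE_PAM`, so the layout of the MONITOR_ANS_AUTHPASSWORD message depends on a build flag and nothing at the put site records that. The code that parses this reply is not part of this monitor.c-only view; if it does not read the extra int under the same condition, the two sides of the privilege boundary will disagree about the message format. mm_answer_pam_query has the same coupling, because the new int is inserted before `num`, and a reader that was not updated would presumably take it as the prompt count. I would add a comment at both sites, for example `/* wire format: maxtries flag follows here; the reader must consume it under the same #ifdef */`. Both function bodies extend beyond the hunks shown.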