Diffstat (limited to 'monitor.c')
-rw-r--r-- | monitor.c | 256 |
1 files changed, 132 insertions, 124 deletions
@@ -1,4 +1,4 @@ | |||
1 | /* $OpenBSD: monitor.c,v 1.188 2018/11/16 02:43:56 djm Exp $ */ | 1 | /* $OpenBSD: monitor.c,v 1.197 2019/01/21 10:38:54 djm Exp $ */ |
2 | /* | 2 | /* |
3 | * Copyright 2002 Niels Provos <provos@citi.umich.edu> | 3 | * Copyright 2002 Niels Provos <provos@citi.umich.edu> |
4 | * Copyright 2002 Markus Friedl <markus@openbsd.org> | 4 | * Copyright 2002 Markus Friedl <markus@openbsd.org> |
@@ -112,51 +112,51 @@ static struct sshbuf *child_state; | |||
112 | 112 | ||
113 | /* Functions on the monitor that answer unprivileged requests */ | 113 | /* Functions on the monitor that answer unprivileged requests */ |
114 | 114 | ||
115 | int mm_answer_moduli(int, struct sshbuf *); | 115 | int mm_answer_moduli(struct ssh *, int, struct sshbuf *); |
116 | int mm_answer_sign(int, struct sshbuf *); | 116 | int mm_answer_sign(struct ssh *, int, struct sshbuf *); |
117 | int mm_answer_pwnamallow(int, struct sshbuf *); | 117 | int mm_answer_pwnamallow(struct ssh *, int, struct sshbuf *); |
118 | int mm_answer_auth2_read_banner(int, struct sshbuf *); | 118 | int mm_answer_auth2_read_banner(struct ssh *, int, struct sshbuf *); |
119 | int mm_answer_authserv(int, struct sshbuf *); | 119 | int mm_answer_authserv(struct ssh *, int, struct sshbuf *); |
120 | int mm_answer_authrole(int, struct sshbuf *); | 120 | int mm_answer_authrole(struct ssh *, int, struct sshbuf *); |
121 | int mm_answer_authpassword(int, struct sshbuf *); | 121 | int mm_answer_authpassword(struct ssh *, int, struct sshbuf *); |
122 | int mm_answer_bsdauthquery(int, struct sshbuf *); | 122 | int mm_answer_bsdauthquery(struct ssh *, int, struct sshbuf *); |
123 | int mm_answer_bsdauthrespond(int, struct sshbuf *); | 123 | int mm_answer_bsdauthrespond(struct ssh *, int, struct sshbuf *); |
124 | int mm_answer_keyallowed(int, struct sshbuf *); | 124 | int mm_answer_skeyquery(struct ssh *, int, struct sshbuf *); |
125 | int mm_answer_keyverify(int, struct sshbuf *); | 125 | int mm_answer_skeyrespond(struct ssh *, int, struct sshbuf *); |
126 | int mm_answer_pty(int, struct sshbuf *); | 126 | int mm_answer_keyallowed(struct ssh *, int, struct sshbuf *); |
127 | int mm_answer_pty_cleanup(int, struct sshbuf *); | 127 | int mm_answer_keyverify(struct ssh *, int, struct sshbuf *); |
128 | int mm_answer_term(int, struct sshbuf *); | 128 | int mm_answer_pty(struct ssh *, int, struct sshbuf *); |
129 | int mm_answer_rsa_keyallowed(int, struct sshbuf *); | 129 | int mm_answer_pty_cleanup(struct ssh *, int, struct sshbuf *); |
130 | int mm_answer_rsa_challenge(int, struct sshbuf *); | 130 | int mm_answer_term(struct ssh *, int, struct sshbuf *); |
131 | int mm_answer_rsa_response(int, struct sshbuf *); | 131 | int mm_answer_rsa_keyallowed(struct ssh *, int, struct sshbuf *); |
132 | int mm_answer_sesskey(int, struct sshbuf *); | 132 | int mm_answer_rsa_challenge(struct ssh *, int, struct sshbuf *); |
133 | int mm_answer_sessid(int, struct sshbuf *); | 133 | int mm_answer_rsa_response(struct ssh *, int, struct sshbuf *); |
134 | int mm_answer_sesskey(struct ssh *, int, struct sshbuf *); | ||
135 | int mm_answer_sessid(struct ssh *, int, struct sshbuf *); | ||
134 | 136 | ||
135 | #ifdef USE_PAM | 137 | #ifdef USE_PAM |
136 | int mm_answer_pam_start(int, struct sshbuf *); | 138 | int mm_answer_pam_start(struct ssh *, int, struct sshbuf *); |
137 | int mm_answer_pam_account(int, struct sshbuf *); | 139 | int mm_answer_pam_account(struct ssh *, int, struct sshbuf *); |
138 | int mm_answer_pam_init_ctx(int, struct sshbuf *); | 140 | int mm_answer_pam_init_ctx(struct ssh *, int, struct sshbuf *); |
139 | int mm_answer_pam_query(int, struct sshbuf *); | 141 | int mm_answer_pam_query(struct ssh *, int, struct sshbuf *); |
140 | int mm_answer_pam_respond(int, struct sshbuf *); | 142 | int mm_answer_pam_respond(struct ssh *, int, struct sshbuf *); |
141 | int mm_answer_pam_free_ctx(int, struct sshbuf *); | 143 | int mm_answer_pam_free_ctx(struct ssh *, int, struct sshbuf *); |
142 | #endif | 144 | #endif |
143 | 145 | ||
144 | #ifdef GSSAPI | 146 | #ifdef GSSAPI |
145 | int mm_answer_gss_setup_ctx(int, struct sshbuf *); | 147 | int mm_answer_gss_setup_ctx(struct ssh *, int, struct sshbuf *); |
146 | int mm_answer_gss_accept_ctx(int, struct sshbuf *); | 148 | int mm_answer_gss_accept_ctx(struct ssh *, int, struct sshbuf *); |
147 | int mm_answer_gss_userok(int, struct sshbuf *); | 149 | int mm_answer_gss_userok(struct ssh *, int, struct sshbuf *); |
148 | int mm_answer_gss_checkmic(int, struct sshbuf *); | 150 | int mm_answer_gss_checkmic(struct ssh *, int, struct sshbuf *); |
149 | int mm_answer_gss_sign(int, struct sshbuf *); | 151 | int mm_answer_gss_sign(struct ssh *, int, struct sshbuf *); |
150 | int mm_answer_gss_updatecreds(int, struct sshbuf *); | 152 | int mm_answer_gss_updatecreds(struct ssh *, int, struct sshbuf *); |
151 | #endif | 153 | #endif |
152 | 154 | ||
153 | #ifdef SSH_AUDIT_EVENTS | 155 | #ifdef SSH_AUDIT_EVENTS |
154 | int mm_answer_audit_event(int, struct sshbuf *); | 156 | int mm_answer_audit_event(struct ssh *, int, struct sshbuf *); |
155 | int mm_answer_audit_command(int, struct sshbuf *); | 157 | int mm_answer_audit_command(struct ssh *, int, struct sshbuf *); |
156 | #endif | 158 | #endif |
157 | 159 | ||
158 | static int monitor_read_log(struct monitor *); | ||
159 | |||
160 | static Authctxt *authctxt; | 160 | static Authctxt *authctxt; |
161 | 161 | ||
162 | /* local state for key verify */ | 162 | /* local state for key verify */ |
@@ -175,7 +175,7 @@ static pid_t monitor_child_pid; | |||
175 | struct mon_table { | 175 | struct mon_table { |
176 | enum monitor_reqtype type; | 176 | enum monitor_reqtype type; |
177 | int flags; | 177 | int flags; |
178 | int (*f)(int, struct sshbuf *); | 178 | int (*f)(struct ssh *, int, struct sshbuf *); |
179 | }; | 179 | }; |
180 | 180 | ||
181 | #define MON_ISAUTH 0x0004 /* Required for Authentication */ | 181 | #define MON_ISAUTH 0x0004 /* Required for Authentication */ |
@@ -187,6 +187,10 @@ struct mon_table { | |||
187 | 187 | ||
188 | #define MON_PERMIT 0x1000 /* Request is permitted */ | 188 | #define MON_PERMIT 0x1000 /* Request is permitted */ |
189 | 189 | ||
190 | static int monitor_read(struct ssh *, struct monitor *, struct mon_table *, | ||
191 | struct mon_table **); | ||
192 | static int monitor_read_log(struct monitor *); | ||
193 | |||
190 | struct mon_table mon_dispatch_proto20[] = { | 194 | struct mon_table mon_dispatch_proto20[] = { |
191 | #ifdef WITH_OPENSSL | 195 | #ifdef WITH_OPENSSL |
192 | {MONITOR_REQ_MODULI, MON_ONCE, mm_answer_moduli}, | 196 | {MONITOR_REQ_MODULI, MON_ONCE, mm_answer_moduli}, |
@@ -276,9 +280,8 @@ monitor_permit_authentications(int permit) | |||
276 | } | 280 | } |
277 | 281 | ||
278 | void | 282 | void |
279 | monitor_child_preauth(Authctxt *_authctxt, struct monitor *pmonitor) | 283 | monitor_child_preauth(struct ssh *ssh, struct monitor *pmonitor) |
280 | { | 284 | { |
281 | struct ssh *ssh = active_state; /* XXX */ | ||
282 | struct mon_table *ent; | 285 | struct mon_table *ent; |
283 | int authenticated = 0, partial = 0; | 286 | int authenticated = 0, partial = 0; |
284 | 287 | ||
@@ -290,7 +293,7 @@ monitor_child_preauth(Authctxt *_authctxt, struct monitor *pmonitor) | |||
290 | close(pmonitor->m_log_sendfd); | 293 | close(pmonitor->m_log_sendfd); |
291 | pmonitor->m_log_sendfd = pmonitor->m_recvfd = -1; | 294 | pmonitor->m_log_sendfd = pmonitor->m_recvfd = -1; |
292 | 295 | ||
293 | authctxt = _authctxt; | 296 | authctxt = (Authctxt *)ssh->authctxt; |
294 | memset(authctxt, 0, sizeof(*authctxt)); | 297 | memset(authctxt, 0, sizeof(*authctxt)); |
295 | ssh->authctxt = authctxt; | 298 | ssh->authctxt = authctxt; |
296 | 299 | ||
@@ -312,7 +315,8 @@ monitor_child_preauth(Authctxt *_authctxt, struct monitor *pmonitor) | |||
312 | auth_submethod = NULL; | 315 | auth_submethod = NULL; |
313 | auth2_authctxt_reset_info(authctxt); | 316 | auth2_authctxt_reset_info(authctxt); |
314 | 317 | ||
315 | authenticated = (monitor_read(pmonitor, mon_dispatch, &ent) == 1); | 318 | authenticated = (monitor_read(ssh, pmonitor, |
319 | mon_dispatch, &ent) == 1); | ||
316 | 320 | ||
317 | /* Special handling for multiple required authentications */ | 321 | /* Special handling for multiple required authentications */ |
318 | if (options.num_auth_methods != 0) { | 322 | if (options.num_auth_methods != 0) { |
@@ -344,13 +348,13 @@ monitor_child_preauth(Authctxt *_authctxt, struct monitor *pmonitor) | |||
344 | mm_request_receive_expect(pmonitor->m_sendfd, | 348 | mm_request_receive_expect(pmonitor->m_sendfd, |
345 | MONITOR_REQ_PAM_ACCOUNT, m); | 349 | MONITOR_REQ_PAM_ACCOUNT, m); |
346 | authenticated = mm_answer_pam_account( | 350 | authenticated = mm_answer_pam_account( |
347 | pmonitor->m_sendfd, m); | 351 | ssh, pmonitor->m_sendfd, m); |
348 | sshbuf_free(m); | 352 | sshbuf_free(m); |
349 | } | 353 | } |
350 | #endif | 354 | #endif |
351 | } | 355 | } |
352 | if (ent->flags & (MON_AUTHDECIDE|MON_ALOG)) { | 356 | if (ent->flags & (MON_AUTHDECIDE|MON_ALOG)) { |
353 | auth_log(authctxt, authenticated, partial, | 357 | auth_log(ssh, authenticated, partial, |
354 | auth_method, auth_submethod); | 358 | auth_method, auth_submethod); |
355 | if (!partial && !authenticated) | 359 | if (!partial && !authenticated) |
356 | authctxt->failures++; | 360 | authctxt->failures++; |
@@ -371,7 +375,7 @@ monitor_child_preauth(Authctxt *_authctxt, struct monitor *pmonitor) | |||
371 | ssh->authctxt = NULL; | 375 | ssh->authctxt = NULL; |
372 | ssh_packet_set_log_preamble(ssh, "user %s", authctxt->user); | 376 | ssh_packet_set_log_preamble(ssh, "user %s", authctxt->user); |
373 | 377 | ||
374 | mm_get_keystate(pmonitor); | 378 | mm_get_keystate(ssh, pmonitor); |
375 | 379 | ||
376 | /* Drain any buffered messages from the child */ | 380 | /* Drain any buffered messages from the child */ |
377 | while (pmonitor->m_log_recvfd != -1 && monitor_read_log(pmonitor) == 0) | 381 | while (pmonitor->m_log_recvfd != -1 && monitor_read_log(pmonitor) == 0) |
@@ -397,7 +401,7 @@ monitor_child_handler(int sig) | |||
397 | } | 401 | } |
398 | 402 | ||
399 | void | 403 | void |
400 | monitor_child_postauth(struct monitor *pmonitor) | 404 | monitor_child_postauth(struct ssh *ssh, struct monitor *pmonitor) |
401 | { | 405 | { |
402 | close(pmonitor->m_recvfd); | 406 | close(pmonitor->m_recvfd); |
403 | pmonitor->m_recvfd = -1; | 407 | pmonitor->m_recvfd = -1; |
@@ -419,7 +423,7 @@ monitor_child_postauth(struct monitor *pmonitor) | |||
419 | #ifdef GSSAPI | 423 | #ifdef GSSAPI |
420 | /* and for the GSSAPI key exchange */ | 424 | /* and for the GSSAPI key exchange */ |
421 | monitor_permit(mon_dispatch, MONITOR_REQ_GSSSETUP, 1); | 425 | monitor_permit(mon_dispatch, MONITOR_REQ_GSSSETUP, 1); |
422 | #endif | 426 | #endif |
423 | 427 | ||
424 | if (auth_opts->permit_pty_flag) { | 428 | if (auth_opts->permit_pty_flag) { |
425 | monitor_permit(mon_dispatch, MONITOR_REQ_PTY, 1); | 429 | monitor_permit(mon_dispatch, MONITOR_REQ_PTY, 1); |
@@ -427,7 +431,7 @@ monitor_child_postauth(struct monitor *pmonitor) | |||
427 | } | 431 | } |
428 | 432 | ||
429 | for (;;) | 433 | for (;;) |
430 | monitor_read(pmonitor, mon_dispatch, NULL); | 434 | monitor_read(ssh, pmonitor, mon_dispatch, NULL); |
431 | } | 435 | } |
432 | 436 | ||
433 | static int | 437 | static int |
@@ -482,8 +486,8 @@ monitor_read_log(struct monitor *pmonitor) | |||
482 | return 0; | 486 | return 0; |
483 | } | 487 | } |
484 | 488 | ||
485 | int | 489 | static int |
486 | monitor_read(struct monitor *pmonitor, struct mon_table *ent, | 490 | monitor_read(struct ssh *ssh, struct monitor *pmonitor, struct mon_table *ent, |
487 | struct mon_table **pent) | 491 | struct mon_table **pent) |
488 | { | 492 | { |
489 | struct sshbuf *m; | 493 | struct sshbuf *m; |
@@ -533,7 +537,7 @@ monitor_read(struct monitor *pmonitor, struct mon_table *ent, | |||
533 | if (!(ent->flags & MON_PERMIT)) | 537 | if (!(ent->flags & MON_PERMIT)) |
534 | fatal("%s: unpermitted request %d", __func__, | 538 | fatal("%s: unpermitted request %d", __func__, |
535 | type); | 539 | type); |
536 | ret = (*ent->f)(pmonitor->m_sendfd, m); | 540 | ret = (*ent->f)(ssh, pmonitor->m_sendfd, m); |
537 | sshbuf_free(m); | 541 | sshbuf_free(m); |
538 | 542 | ||
539 | /* The child may use this request only once, disable it */ | 543 | /* The child may use this request only once, disable it */ |
@@ -584,7 +588,7 @@ monitor_reset_key_state(void) | |||
584 | 588 | ||
585 | #ifdef WITH_OPENSSL | 589 | #ifdef WITH_OPENSSL |
586 | int | 590 | int |
587 | mm_answer_moduli(int sock, struct sshbuf *m) | 591 | mm_answer_moduli(struct ssh *ssh, int sock, struct sshbuf *m) |
588 | { | 592 | { |
589 | DH *dh; | 593 | DH *dh; |
590 | const BIGNUM *dh_p, *dh_g; | 594 | const BIGNUM *dh_p, *dh_g; |
@@ -626,9 +630,8 @@ mm_answer_moduli(int sock, struct sshbuf *m) | |||
626 | #endif | 630 | #endif |
627 | 631 | ||
628 | int | 632 | int |
629 | mm_answer_sign(int sock, struct sshbuf *m) | 633 | mm_answer_sign(struct ssh *ssh, int sock, struct sshbuf *m) |
630 | { | 634 | { |
631 | struct ssh *ssh = active_state; /* XXX */ | ||
632 | extern int auth_sock; /* XXX move to state struct? */ | 635 | extern int auth_sock; /* XXX move to state struct? */ |
633 | struct sshkey *key; | 636 | struct sshkey *key; |
634 | struct sshbuf *sigbuf = NULL; | 637 | struct sshbuf *sigbuf = NULL; |
@@ -729,9 +732,8 @@ mm_answer_sign(int sock, struct sshbuf *m) | |||
729 | /* Retrieves the password entry and also checks if the user is permitted */ | 732 | /* Retrieves the password entry and also checks if the user is permitted */ |
730 | 733 | ||
731 | int | 734 | int |
732 | mm_answer_pwnamallow(int sock, struct sshbuf *m) | 735 | mm_answer_pwnamallow(struct ssh *ssh, int sock, struct sshbuf *m) |
733 | { | 736 | { |
734 | struct ssh *ssh = active_state; /* XXX */ | ||
735 | char *username; | 737 | char *username; |
736 | struct passwd *pwent; | 738 | struct passwd *pwent; |
737 | int r, allowed = 0; | 739 | int r, allowed = 0; |
@@ -745,7 +747,7 @@ mm_answer_pwnamallow(int sock, struct sshbuf *m) | |||
745 | if ((r = sshbuf_get_cstring(m, &username, NULL)) != 0) | 747 | if ((r = sshbuf_get_cstring(m, &username, NULL)) != 0) |
746 | fatal("%s: buffer error: %s", __func__, ssh_err(r)); | 748 | fatal("%s: buffer error: %s", __func__, ssh_err(r)); |
747 | 749 | ||
748 | pwent = getpwnamallow(username); | 750 | pwent = getpwnamallow(ssh, username); |
749 | 751 | ||
750 | authctxt->user = xstrdup(username); | 752 | authctxt->user = xstrdup(username); |
751 | setproctitle("%s [priv]", pwent ? username : "unknown"); | 753 | setproctitle("%s [priv]", pwent ? username : "unknown"); |
@@ -830,7 +832,7 @@ mm_answer_pwnamallow(int sock, struct sshbuf *m) | |||
830 | return (0); | 832 | return (0); |
831 | } | 833 | } |
832 | 834 | ||
833 | int mm_answer_auth2_read_banner(int sock, struct sshbuf *m) | 835 | int mm_answer_auth2_read_banner(struct ssh *ssh, int sock, struct sshbuf *m) |
834 | { | 836 | { |
835 | char *banner; | 837 | char *banner; |
836 | int r; | 838 | int r; |
@@ -846,7 +848,7 @@ int mm_answer_auth2_read_banner(int sock, struct sshbuf *m) | |||
846 | } | 848 | } |
847 | 849 | ||
848 | int | 850 | int |
849 | mm_answer_authserv(int sock, struct sshbuf *m) | 851 | mm_answer_authserv(struct ssh *ssh, int sock, struct sshbuf *m) |
850 | { | 852 | { |
851 | int r; | 853 | int r; |
852 | 854 | ||
@@ -873,7 +875,7 @@ mm_answer_authserv(int sock, struct sshbuf *m) | |||
873 | } | 875 | } |
874 | 876 | ||
875 | int | 877 | int |
876 | mm_answer_authrole(int sock, struct sshbuf *m) | 878 | mm_answer_authrole(struct ssh *ssh, int sock, struct sshbuf *m) |
877 | { | 879 | { |
878 | int r; | 880 | int r; |
879 | 881 | ||
@@ -922,9 +924,8 @@ key_base_type_match(const char *method, const struct sshkey *key, | |||
922 | } | 924 | } |
923 | 925 | ||
924 | int | 926 | int |
925 | mm_answer_authpassword(int sock, struct sshbuf *m) | 927 | mm_answer_authpassword(struct ssh *ssh, int sock, struct sshbuf *m) |
926 | { | 928 | { |
927 | struct ssh *ssh = active_state; /* XXX */ | ||
928 | static int call_count; | 929 | static int call_count; |
929 | char *passwd; | 930 | char *passwd; |
930 | int r, authenticated; | 931 | int r, authenticated; |
@@ -963,7 +964,7 @@ mm_answer_authpassword(int sock, struct sshbuf *m) | |||
963 | 964 | ||
964 | #ifdef BSD_AUTH | 965 | #ifdef BSD_AUTH |
965 | int | 966 | int |
966 | mm_answer_bsdauthquery(int sock, struct sshbuf *m) | 967 | mm_answer_bsdauthquery(struct ssh *ssh, int sock, struct sshbuf *m) |
967 | { | 968 | { |
968 | char *name, *infotxt; | 969 | char *name, *infotxt; |
969 | u_int numprompts, *echo_on, success; | 970 | u_int numprompts, *echo_on, success; |
@@ -997,7 +998,7 @@ mm_answer_bsdauthquery(int sock, struct sshbuf *m) | |||
997 | } | 998 | } |
998 | 999 | ||
999 | int | 1000 | int |
1000 | mm_answer_bsdauthrespond(int sock, struct sshbuf *m) | 1001 | mm_answer_bsdauthrespond(struct ssh *ssh, int sock, struct sshbuf *m) |
1001 | { | 1002 | { |
1002 | char *response; | 1003 | char *response; |
1003 | int r, authok; | 1004 | int r, authok; |
@@ -1031,12 +1032,12 @@ mm_answer_bsdauthrespond(int sock, struct sshbuf *m) | |||
1031 | 1032 | ||
1032 | #ifdef USE_PAM | 1033 | #ifdef USE_PAM |
1033 | int | 1034 | int |
1034 | mm_answer_pam_start(int sock, struct sshbuf *m) | 1035 | mm_answer_pam_start(struct ssh *ssh, int sock, struct sshbuf *m) |
1035 | { | 1036 | { |
1036 | if (!options.use_pam) | 1037 | if (!options.use_pam) |
1037 | fatal("UsePAM not set, but ended up in %s anyway", __func__); | 1038 | fatal("UsePAM not set, but ended up in %s anyway", __func__); |
1038 | 1039 | ||
1039 | start_pam(authctxt); | 1040 | start_pam(ssh); |
1040 | 1041 | ||
1041 | monitor_permit(mon_dispatch, MONITOR_REQ_PAM_ACCOUNT, 1); | 1042 | monitor_permit(mon_dispatch, MONITOR_REQ_PAM_ACCOUNT, 1); |
1042 | if (options.kbd_interactive_authentication) | 1043 | if (options.kbd_interactive_authentication) |
@@ -1046,7 +1047,7 @@ mm_answer_pam_start(int sock, struct sshbuf *m) | |||
1046 | } | 1047 | } |
1047 | 1048 | ||
1048 | int | 1049 | int |
1049 | mm_answer_pam_account(int sock, struct sshbuf *m) | 1050 | mm_answer_pam_account(struct ssh *ssh, int sock, struct sshbuf *m) |
1050 | { | 1051 | { |
1051 | u_int ret; | 1052 | u_int ret; |
1052 | int r; | 1053 | int r; |
@@ -1069,7 +1070,7 @@ static void *sshpam_ctxt, *sshpam_authok; | |||
1069 | extern KbdintDevice sshpam_device; | 1070 | extern KbdintDevice sshpam_device; |
1070 | 1071 | ||
1071 | int | 1072 | int |
1072 | mm_answer_pam_init_ctx(int sock, struct sshbuf *m) | 1073 | mm_answer_pam_init_ctx(struct ssh *ssh, int sock, struct sshbuf *m) |
1073 | { | 1074 | { |
1074 | u_int ok = 0; | 1075 | u_int ok = 0; |
1075 | int r; | 1076 | int r; |
@@ -1094,7 +1095,7 @@ mm_answer_pam_init_ctx(int sock, struct sshbuf *m) | |||
1094 | } | 1095 | } |
1095 | 1096 | ||
1096 | int | 1097 | int |
1097 | mm_answer_pam_query(int sock, struct sshbuf *m) | 1098 | mm_answer_pam_query(struct ssh *ssh, int sock, struct sshbuf *m) |
1098 | { | 1099 | { |
1099 | char *name = NULL, *info = NULL, **prompts = NULL; | 1100 | char *name = NULL, *info = NULL, **prompts = NULL; |
1100 | u_int i, num = 0, *echo_on = 0; | 1101 | u_int i, num = 0, *echo_on = 0; |
@@ -1135,7 +1136,7 @@ mm_answer_pam_query(int sock, struct sshbuf *m) | |||
1135 | } | 1136 | } |
1136 | 1137 | ||
1137 | int | 1138 | int |
1138 | mm_answer_pam_respond(int sock, struct sshbuf *m) | 1139 | mm_answer_pam_respond(struct ssh *ssh, int sock, struct sshbuf *m) |
1139 | { | 1140 | { |
1140 | char **resp; | 1141 | char **resp; |
1141 | u_int i, num; | 1142 | u_int i, num; |
@@ -1173,7 +1174,7 @@ mm_answer_pam_respond(int sock, struct sshbuf *m) | |||
1173 | } | 1174 | } |
1174 | 1175 | ||
1175 | int | 1176 | int |
1176 | mm_answer_pam_free_ctx(int sock, struct sshbuf *m) | 1177 | mm_answer_pam_free_ctx(struct ssh *ssh, int sock, struct sshbuf *m) |
1177 | { | 1178 | { |
1178 | int r = sshpam_authok != NULL && sshpam_authok == sshpam_ctxt; | 1179 | int r = sshpam_authok != NULL && sshpam_authok == sshpam_ctxt; |
1179 | 1180 | ||
@@ -1193,9 +1194,8 @@ mm_answer_pam_free_ctx(int sock, struct sshbuf *m) | |||
1193 | #endif | 1194 | #endif |
1194 | 1195 | ||
1195 | int | 1196 | int |
1196 | mm_answer_keyallowed(int sock, struct sshbuf *m) | 1197 | mm_answer_keyallowed(struct ssh *ssh, int sock, struct sshbuf *m) |
1197 | { | 1198 | { |
1198 | struct ssh *ssh = active_state; /* XXX */ | ||
1199 | struct sshkey *key = NULL; | 1199 | struct sshkey *key = NULL; |
1200 | char *cuser, *chost; | 1200 | char *cuser, *chost; |
1201 | u_int pubkey_auth_attempt; | 1201 | u_int pubkey_auth_attempt; |
@@ -1241,7 +1241,7 @@ mm_answer_keyallowed(int sock, struct sshbuf *m) | |||
1241 | if (!key_base_type_match(auth_method, key, | 1241 | if (!key_base_type_match(auth_method, key, |
1242 | options.hostbased_key_types)) | 1242 | options.hostbased_key_types)) |
1243 | break; | 1243 | break; |
1244 | allowed = hostbased_key_allowed(authctxt->pw, | 1244 | allowed = hostbased_key_allowed(ssh, authctxt->pw, |
1245 | cuser, chost, key); | 1245 | cuser, chost, key); |
1246 | auth2_record_info(authctxt, | 1246 | auth2_record_info(authctxt, |
1247 | "client user \"%.100s\", client host \"%.100s\"", | 1247 | "client user \"%.100s\", client host \"%.100s\"", |
@@ -1273,7 +1273,7 @@ mm_answer_keyallowed(int sock, struct sshbuf *m) | |||
1273 | hostbased_chost = chost; | 1273 | hostbased_chost = chost; |
1274 | } else { | 1274 | } else { |
1275 | /* Log failed attempt */ | 1275 | /* Log failed attempt */ |
1276 | auth_log(authctxt, 0, 0, auth_method, NULL); | 1276 | auth_log(ssh, 0, 0, auth_method, NULL); |
1277 | free(cuser); | 1277 | free(cuser); |
1278 | free(chost); | 1278 | free(chost); |
1279 | } | 1279 | } |
@@ -1430,9 +1430,8 @@ monitor_valid_hostbasedblob(u_char *data, u_int datalen, char *cuser, | |||
1430 | } | 1430 | } |
1431 | 1431 | ||
1432 | int | 1432 | int |
1433 | mm_answer_keyverify(int sock, struct sshbuf *m) | 1433 | mm_answer_keyverify(struct ssh *ssh, int sock, struct sshbuf *m) |
1434 | { | 1434 | { |
1435 | struct ssh *ssh = active_state; /* XXX */ | ||
1436 | struct sshkey *key; | 1435 | struct sshkey *key; |
1437 | u_char *signature, *data, *blob; | 1436 | u_char *signature, *data, *blob; |
1438 | char *sigalg; | 1437 | char *sigalg; |
@@ -1477,7 +1476,7 @@ mm_answer_keyverify(int sock, struct sshbuf *m) | |||
1477 | fatal("%s: bad signature data blob", __func__); | 1476 | fatal("%s: bad signature data blob", __func__); |
1478 | 1477 | ||
1479 | ret = sshkey_verify(key, signature, signaturelen, data, datalen, | 1478 | ret = sshkey_verify(key, signature, signaturelen, data, datalen, |
1480 | sigalg, active_state->compat); | 1479 | sigalg, ssh->compat); |
1481 | debug3("%s: %s %p signature %s", __func__, auth_method, key, | 1480 | debug3("%s: %s %p signature %s", __func__, auth_method, key, |
1482 | (ret == 0) ? "verified" : "unverified"); | 1481 | (ret == 0) ? "verified" : "unverified"); |
1483 | auth2_record_key(authctxt, ret == 0, key); | 1482 | auth2_record_key(authctxt, ret == 0, key); |
@@ -1504,9 +1503,8 @@ mm_answer_keyverify(int sock, struct sshbuf *m) | |||
1504 | } | 1503 | } |
1505 | 1504 | ||
1506 | static void | 1505 | static void |
1507 | mm_record_login(Session *s, struct passwd *pw) | 1506 | mm_record_login(struct ssh *ssh, Session *s, struct passwd *pw) |
1508 | { | 1507 | { |
1509 | struct ssh *ssh = active_state; /* XXX */ | ||
1510 | socklen_t fromlen; | 1508 | socklen_t fromlen; |
1511 | struct sockaddr_storage from; | 1509 | struct sockaddr_storage from; |
1512 | 1510 | ||
@@ -1516,8 +1514,8 @@ mm_record_login(Session *s, struct passwd *pw) | |||
1516 | */ | 1514 | */ |
1517 | memset(&from, 0, sizeof(from)); | 1515 | memset(&from, 0, sizeof(from)); |
1518 | fromlen = sizeof(from); | 1516 | fromlen = sizeof(from); |
1519 | if (packet_connection_is_on_socket()) { | 1517 | if (ssh_packet_connection_is_on_socket(ssh)) { |
1520 | if (getpeername(packet_get_connection_in(), | 1518 | if (getpeername(ssh_packet_get_connection_in(ssh), |
1521 | (struct sockaddr *)&from, &fromlen) < 0) { | 1519 | (struct sockaddr *)&from, &fromlen) < 0) { |
1522 | debug("getpeername: %.100s", strerror(errno)); | 1520 | debug("getpeername: %.100s", strerror(errno)); |
1523 | cleanup_exit(255); | 1521 | cleanup_exit(255); |
@@ -1541,7 +1539,7 @@ mm_session_close(Session *s) | |||
1541 | } | 1539 | } |
1542 | 1540 | ||
1543 | int | 1541 | int |
1544 | mm_answer_pty(int sock, struct sshbuf *m) | 1542 | mm_answer_pty(struct ssh *ssh, int sock, struct sshbuf *m) |
1545 | { | 1543 | { |
1546 | extern struct monitor *pmonitor; | 1544 | extern struct monitor *pmonitor; |
1547 | Session *s; | 1545 | Session *s; |
@@ -1569,7 +1567,7 @@ mm_answer_pty(int sock, struct sshbuf *m) | |||
1569 | if (dup2(s->ttyfd, 0) == -1) | 1567 | if (dup2(s->ttyfd, 0) == -1) |
1570 | fatal("%s: dup2", __func__); | 1568 | fatal("%s: dup2", __func__); |
1571 | 1569 | ||
1572 | mm_record_login(s, authctxt->pw); | 1570 | mm_record_login(ssh, s, authctxt->pw); |
1573 | 1571 | ||
1574 | /* Now we can close the file descriptor again */ | 1572 | /* Now we can close the file descriptor again */ |
1575 | close(0); | 1573 | close(0); |
@@ -1611,7 +1609,7 @@ mm_answer_pty(int sock, struct sshbuf *m) | |||
1611 | } | 1609 | } |
1612 | 1610 | ||
1613 | int | 1611 | int |
1614 | mm_answer_pty_cleanup(int sock, struct sshbuf *m) | 1612 | mm_answer_pty_cleanup(struct ssh *ssh, int sock, struct sshbuf *m) |
1615 | { | 1613 | { |
1616 | Session *s; | 1614 | Session *s; |
1617 | char *tty; | 1615 | char *tty; |
@@ -1629,9 +1627,8 @@ mm_answer_pty_cleanup(int sock, struct sshbuf *m) | |||
1629 | } | 1627 | } |
1630 | 1628 | ||
1631 | int | 1629 | int |
1632 | mm_answer_term(int sock, struct sshbuf *req) | 1630 | mm_answer_term(struct ssh *ssh, int sock, struct sshbuf *req) |
1633 | { | 1631 | { |
1634 | struct ssh *ssh = active_state; /* XXX */ | ||
1635 | extern struct monitor *pmonitor; | 1632 | extern struct monitor *pmonitor; |
1636 | int res, status; | 1633 | int res, status; |
1637 | 1634 | ||
@@ -1658,7 +1655,7 @@ mm_answer_term(int sock, struct sshbuf *req) | |||
1658 | #ifdef SSH_AUDIT_EVENTS | 1655 | #ifdef SSH_AUDIT_EVENTS |
1659 | /* Report that an audit event occurred */ | 1656 | /* Report that an audit event occurred */ |
1660 | int | 1657 | int |
1661 | mm_answer_audit_event(int socket, struct sshbuf *m) | 1658 | mm_answer_audit_event(struct ssh *ssh, int socket, struct sshbuf *m) |
1662 | { | 1659 | { |
1663 | u_int n; | 1660 | u_int n; |
1664 | ssh_audit_event_t event; | 1661 | ssh_audit_event_t event; |
@@ -1677,7 +1674,7 @@ mm_answer_audit_event(int socket, struct sshbuf *m) | |||
1677 | case SSH_LOGIN_ROOT_DENIED: | 1674 | case SSH_LOGIN_ROOT_DENIED: |
1678 | case SSH_CONNECTION_CLOSE: | 1675 | case SSH_CONNECTION_CLOSE: |
1679 | case SSH_INVALID_USER: | 1676 | case SSH_INVALID_USER: |
1680 | audit_event(event); | 1677 | audit_event(ssh, event); |
1681 | break; | 1678 | break; |
1682 | default: | 1679 | default: |
1683 | fatal("Audit event type %d not permitted", event); | 1680 | fatal("Audit event type %d not permitted", event); |
@@ -1687,7 +1684,7 @@ mm_answer_audit_event(int socket, struct sshbuf *m) | |||
1687 | } | 1684 | } |
1688 | 1685 | ||
1689 | int | 1686 | int |
1690 | mm_answer_audit_command(int socket, struct sshbuf *m) | 1687 | mm_answer_audit_command(struct ssh *ssh, int socket, struct sshbuf *m) |
1691 | { | 1688 | { |
1692 | char *cmd; | 1689 | char *cmd; |
1693 | int r; | 1690 | int r; |
@@ -1703,10 +1700,8 @@ mm_answer_audit_command(int socket, struct sshbuf *m) | |||
1703 | #endif /* SSH_AUDIT_EVENTS */ | 1700 | #endif /* SSH_AUDIT_EVENTS */ |
1704 | 1701 | ||
1705 | void | 1702 | void |
1706 | monitor_clear_keystate(struct monitor *pmonitor) | 1703 | monitor_clear_keystate(struct ssh *ssh, struct monitor *pmonitor) |
1707 | { | 1704 | { |
1708 | struct ssh *ssh = active_state; /* XXX */ | ||
1709 | |||
1710 | ssh_clear_newkeys(ssh, MODE_IN); | 1705 | ssh_clear_newkeys(ssh, MODE_IN); |
1711 | ssh_clear_newkeys(ssh, MODE_OUT); | 1706 | ssh_clear_newkeys(ssh, MODE_OUT); |
1712 | sshbuf_free(child_state); | 1707 | sshbuf_free(child_state); |
@@ -1714,9 +1709,8 @@ monitor_clear_keystate(struct monitor *pmonitor) | |||
1714 | } | 1709 | } |
1715 | 1710 | ||
1716 | void | 1711 | void |
1717 | monitor_apply_keystate(struct monitor *pmonitor) | 1712 | monitor_apply_keystate(struct ssh *ssh, struct monitor *pmonitor) |
1718 | { | 1713 | { |
1719 | struct ssh *ssh = active_state; /* XXX */ | ||
1720 | struct kex *kex; | 1714 | struct kex *kex; |
1721 | int r; | 1715 | int r; |
1722 | 1716 | ||
@@ -1729,25 +1723,30 @@ monitor_apply_keystate(struct monitor *pmonitor) | |||
1729 | if ((kex = ssh->kex) != NULL) { | 1723 | if ((kex = ssh->kex) != NULL) { |
1730 | /* XXX set callbacks */ | 1724 | /* XXX set callbacks */ |
1731 | #ifdef WITH_OPENSSL | 1725 | #ifdef WITH_OPENSSL |
1732 | kex->kex[KEX_DH_GRP1_SHA1] = kexdh_server; | 1726 | kex->kex[KEX_DH_GRP1_SHA1] = kex_gen_server; |
1733 | kex->kex[KEX_DH_GRP14_SHA1] = kexdh_server; | 1727 | kex->kex[KEX_DH_GRP14_SHA1] = kex_gen_server; |
1734 | kex->kex[KEX_DH_GRP14_SHA256] = kexdh_server; | 1728 | kex->kex[KEX_DH_GRP14_SHA256] = kex_gen_server; |
1735 | kex->kex[KEX_DH_GRP16_SHA512] = kexdh_server; | 1729 | kex->kex[KEX_DH_GRP16_SHA512] = kex_gen_server; |
1736 | kex->kex[KEX_DH_GRP18_SHA512] = kexdh_server; | 1730 | kex->kex[KEX_DH_GRP18_SHA512] = kex_gen_server; |
1737 | kex->kex[KEX_DH_GEX_SHA1] = kexgex_server; | 1731 | kex->kex[KEX_DH_GEX_SHA1] = kexgex_server; |
1738 | kex->kex[KEX_DH_GEX_SHA256] = kexgex_server; | 1732 | kex->kex[KEX_DH_GEX_SHA256] = kexgex_server; |
1739 | # ifdef OPENSSL_HAS_ECC | 1733 | # ifdef OPENSSL_HAS_ECC |
1740 | kex->kex[KEX_ECDH_SHA2] = kexecdh_server; | 1734 | kex->kex[KEX_ECDH_SHA2] = kex_gen_server; |
1741 | # endif | 1735 | # endif |
1742 | #endif /* WITH_OPENSSL */ | 1736 | # ifdef GSSAPI |
1743 | kex->kex[KEX_C25519_SHA256] = kexc25519_server; | ||
1744 | #ifdef GSSAPI | ||
1745 | if (options.gss_keyex) { | 1737 | if (options.gss_keyex) { |
1746 | kex->kex[KEX_GSS_GRP1_SHA1] = kexgss_server; | 1738 | kex->kex[KEX_GSS_GRP1_SHA1] = kexgss_server; |
1747 | kex->kex[KEX_GSS_GRP14_SHA1] = kexgss_server; | 1739 | kex->kex[KEX_GSS_GRP14_SHA1] = kexgss_server; |
1748 | kex->kex[KEX_GSS_GEX_SHA1] = kexgss_server; | 1740 | kex->kex[KEX_GSS_GRP14_SHA256] = kexgss_server; |
1741 | kex->kex[KEX_GSS_GRP16_SHA512] = kexgss_server; | ||
1742 | kex->kex[KEX_GSS_GEX_SHA1] = kexgssgex_server; | ||
1743 | kex->kex[KEX_GSS_NISTP256_SHA256] = kexgss_server; | ||
1744 | kex->kex[KEX_GSS_C25519_SHA256] = kexgss_server; | ||
1749 | } | 1745 | } |
1750 | #endif | 1746 | # endif |
1747 | #endif /* WITH_OPENSSL */ | ||
1748 | kex->kex[KEX_C25519_SHA256] = kex_gen_server; | ||
1749 | kex->kex[KEX_KEM_SNTRUP4591761X25519_SHA512] = kex_gen_server; | ||
1751 | kex->load_host_public_key=&get_hostkey_public_by_type; | 1750 | kex->load_host_public_key=&get_hostkey_public_by_type; |
1752 | kex->load_host_private_key=&get_hostkey_private_by_type; | 1751 | kex->load_host_private_key=&get_hostkey_private_by_type; |
1753 | kex->host_key_index=&get_hostkey_index; | 1752 | kex->host_key_index=&get_hostkey_index; |
@@ -1758,7 +1757,7 @@ monitor_apply_keystate(struct monitor *pmonitor) | |||
1758 | /* This function requries careful sanity checking */ | 1757 | /* This function requries careful sanity checking */ |
1759 | 1758 | ||
1760 | void | 1759 | void |
1761 | mm_get_keystate(struct monitor *pmonitor) | 1760 | mm_get_keystate(struct ssh *ssh, struct monitor *pmonitor) |
1762 | { | 1761 | { |
1763 | debug3("%s: Waiting for new keys", __func__); | 1762 | debug3("%s: Waiting for new keys", __func__); |
1764 | 1763 | ||
@@ -1830,7 +1829,7 @@ monitor_reinit(struct monitor *mon) | |||
1830 | 1829 | ||
1831 | #ifdef GSSAPI | 1830 | #ifdef GSSAPI |
1832 | int | 1831 | int |
1833 | mm_answer_gss_setup_ctx(int sock, struct sshbuf *m) | 1832 | mm_answer_gss_setup_ctx(struct ssh *ssh, int sock, struct sshbuf *m) |
1834 | { | 1833 | { |
1835 | gss_OID_desc goid; | 1834 | gss_OID_desc goid; |
1836 | OM_uint32 major; | 1835 | OM_uint32 major; |
@@ -1863,7 +1862,7 @@ mm_answer_gss_setup_ctx(int sock, struct sshbuf *m) | |||
1863 | } | 1862 | } |
1864 | 1863 | ||
1865 | int | 1864 | int |
1866 | mm_answer_gss_accept_ctx(int sock, struct sshbuf *m) | 1865 | mm_answer_gss_accept_ctx(struct ssh *ssh, int sock, struct sshbuf *m) |
1867 | { | 1866 | { |
1868 | gss_buffer_desc in; | 1867 | gss_buffer_desc in; |
1869 | gss_buffer_desc out = GSS_C_EMPTY_BUFFER; | 1868 | gss_buffer_desc out = GSS_C_EMPTY_BUFFER; |
@@ -1898,7 +1897,7 @@ mm_answer_gss_accept_ctx(int sock, struct sshbuf *m) | |||
1898 | } | 1897 | } |
1899 | 1898 | ||
1900 | int | 1899 | int |
1901 | mm_answer_gss_checkmic(int sock, struct sshbuf *m) | 1900 | mm_answer_gss_checkmic(struct ssh *ssh, int sock, struct sshbuf *m) |
1902 | { | 1901 | { |
1903 | gss_buffer_desc gssbuf, mic; | 1902 | gss_buffer_desc gssbuf, mic; |
1904 | OM_uint32 ret; | 1903 | OM_uint32 ret; |
@@ -1929,16 +1928,19 @@ mm_answer_gss_checkmic(int sock, struct sshbuf *m) | |||
1929 | } | 1928 | } |
1930 | 1929 | ||
1931 | int | 1930 | int |
1932 | mm_answer_gss_userok(int sock, struct sshbuf *m) | 1931 | mm_answer_gss_userok(struct ssh *ssh, int sock, struct sshbuf *m) |
1933 | { | 1932 | { |
1934 | int r, authenticated; | 1933 | int r, authenticated, kex; |
1935 | const char *displayname; | 1934 | const char *displayname; |
1936 | 1935 | ||
1937 | if (!options.gss_authentication && !options.gss_keyex) | 1936 | if (!options.gss_authentication && !options.gss_keyex) |
1938 | fatal("%s: GSSAPI not enabled", __func__); | 1937 | fatal("%s: GSSAPI not enabled", __func__); |
1939 | 1938 | ||
1940 | authenticated = authctxt->valid && | 1939 | if ((r = sshbuf_get_u32(m, &kex)) != 0) |
1941 | ssh_gssapi_userok(authctxt->user, authctxt->pw); | 1940 | fatal("%s: buffer error: %s", __func__, ssh_err(r)); |
1941 | |||
1942 | authenticated = authctxt->valid && | ||
1943 | ssh_gssapi_userok(authctxt->user, authctxt->pw, kex); | ||
1942 | 1944 | ||
1943 | sshbuf_reset(m); | 1945 | sshbuf_reset(m); |
1944 | if ((r = sshbuf_put_u32(m, authenticated)) != 0) | 1946 | if ((r = sshbuf_put_u32(m, authenticated)) != 0) |
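Review bot: The `kex` flag read on line 1939 (new side) arrives from the unprivileged child over the monitor socket and then drives both how `ssh_gssapi_userok()` evaluates the context and, in the following hunk, whether the method is recorded as `gssapi-keyex` or `gssapi-with-mic`. The monitor's role is to verify the child's claims rather than accept them, so if the monitor can tell from its own state whether the GSS context was established during key exchange (for instance, whether it has already answered the gss_sign request) it should derive `kex` from that, and at minimum treat any value other than 0 or 1 as a protocol error, since the method string ends up in authentication logs. Separately, `kex` is declared `int` on line 1933 but is filled through `sshbuf_get_u32()`, which writes via a `u_int32_t *`; declaring it as `int r, authenticated;` / `u_int32_t kex;` makes the pointer types match. mm_answer_gss_userok continues past the end of this hunk.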
@@ -1947,7 +1949,11 @@ mm_answer_gss_userok(int sock, struct sshbuf *m) | |||
1947 | debug3("%s: sending result %d", __func__, authenticated); | 1949 | debug3("%s: sending result %d", __func__, authenticated); |
1948 | mm_request_send(sock, MONITOR_ANS_GSSUSEROK, m); | 1950 | mm_request_send(sock, MONITOR_ANS_GSSUSEROK, m); |
1949 | 1951 | ||
1950 | auth_method = "gssapi-with-mic"; | 1952 | if (kex) { |
1953 | auth_method = "gssapi-keyex"; | ||
1954 | } else { | ||
1955 | auth_method = "gssapi-with-mic"; | ||
1956 | } | ||
1951 | 1957 | ||
1952 | if ((displayname = ssh_gssapi_displayname()) != NULL) | 1958 | if ((displayname = ssh_gssapi_displayname()) != NULL) |
1953 | auth2_record_info(authctxt, "%s", displayname); | 1959 | auth2_record_info(authctxt, "%s", displayname); |
@@ -1956,14 +1962,14 @@ mm_answer_gss_userok(int sock, struct sshbuf *m) | |||
1956 | return (authenticated); | 1962 | return (authenticated); |
1957 | } | 1963 | } |
1958 | 1964 | ||
1959 | int | 1965 | int |
1960 | mm_answer_gss_sign(int socket, struct sshbuf *m) | 1966 | mm_answer_gss_sign(struct ssh *ssh, int socket, struct sshbuf *m) |
1961 | { | 1967 | { |
1962 | gss_buffer_desc data; | 1968 | gss_buffer_desc data; |
1963 | gss_buffer_desc hash = GSS_C_EMPTY_BUFFER; | 1969 | gss_buffer_desc hash = GSS_C_EMPTY_BUFFER; |
1964 | OM_uint32 major, minor; | 1970 | OM_uint32 major, minor; |
1965 | size_t len; | 1971 | size_t len; |
1966 | u_char *p; | 1972 | u_char *p = NULL; |
1967 | int r; | 1973 | int r; |
1968 | 1974 | ||
1969 | if (!options.gss_authentication && !options.gss_keyex) | 1975 | if (!options.gss_authentication && !options.gss_keyex) |
@@ -1973,8 +1979,9 @@ mm_answer_gss_sign(int socket, struct sshbuf *m) | |||
1973 | fatal("%s: buffer error: %s", __func__, ssh_err(r)); | 1979 | fatal("%s: buffer error: %s", __func__, ssh_err(r)); |
1974 | data.value = p; | 1980 | data.value = p; |
1975 | data.length = len; | 1981 | data.length = len; |
1976 | if (data.length != 20) | 1982 | /* Lengths of SHA-1, SHA-256 and SHA-512 hashes that are used */ |
1977 | fatal("%s: data length incorrect: %d", __func__, | 1983 | if (data.length != 20 && data.length != 32 && data.length != 64) |
1984 | fatal("%s: data length incorrect: %d", __func__, | ||
1978 | (int) data.length); | 1985 | (int) data.length); |
1979 | 1986 | ||
1980 | /* Save the session ID on the first time around */ | 1987 | /* Save the session ID on the first time around */ |
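Review bot: The accepted lengths on line 1983 (new side) are bare magic numbers, and only the comment above ties 20, 32 and 64 to SHA-1, SHA-256 and SHA-512; writing the test as `if (data.length != ssh_digest_bytes(SSH_DIGEST_SHA1) && data.length != ssh_digest_bytes(SSH_DIGEST_SHA256) && data.length != ssh_digest_bytes(SSH_DIGEST_SHA512))` keeps it self-describing. The check is also looser than before: this buffer is presumably what the monitor signs for the child (the signing call is outside the hunk), and any of three lengths now passes regardless of which hash the negotiated key exchange uses, so if the monitor has access to the negotiated hash algorithm it would be tighter to compare against that single length. mm_answer_gss_sign starts before this hunk and continues after it.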
@@ -1988,6 +1995,7 @@ mm_answer_gss_sign(int socket, struct sshbuf *m) | |||
1988 | free(data.value); | 1995 | free(data.value); |
1989 | 1996 | ||
1990 | sshbuf_reset(m); | 1997 | sshbuf_reset(m); |
1998 | |||
1991 | if ((r = sshbuf_put_u32(m, major)) != 0 || | 1999 | if ((r = sshbuf_put_u32(m, major)) != 0 || |
1992 | (r = sshbuf_put_string(m, hash.value, hash.length)) != 0) | 2000 | (r = sshbuf_put_string(m, hash.value, hash.length)) != 0) |
1993 | fatal("%s: buffer error: %s", __func__, ssh_err(r)); | 2001 | fatal("%s: buffer error: %s", __func__, ssh_err(r)); |
@@ -1998,7 +2006,7 @@ mm_answer_gss_sign(int socket, struct sshbuf *m) | |||
1998 | 2006 | ||
1999 | /* Turn on getpwnam permissions */ | 2007 | /* Turn on getpwnam permissions */ |
2000 | monitor_permit(mon_dispatch, MONITOR_REQ_PWNAM, 1); | 2008 | monitor_permit(mon_dispatch, MONITOR_REQ_PWNAM, 1); |
2001 | 2009 | ||
2002 | /* And credential updating, for when rekeying */ | 2010 | /* And credential updating, for when rekeying */ |
2003 | monitor_permit(mon_dispatch, MONITOR_REQ_GSSUPCREDS, 1); | 2011 | monitor_permit(mon_dispatch, MONITOR_REQ_GSSUPCREDS, 1); |
2004 | 2012 | ||
@@ -2006,16 +2014,16 @@ mm_answer_gss_sign(int socket, struct sshbuf *m) | |||
2006 | } | 2014 | } |
2007 | 2015 | ||
2008 | int | 2016 | int |
2009 | mm_answer_gss_updatecreds(int socket, struct sshbuf *m) { | 2017 | mm_answer_gss_updatecreds(struct ssh *ssh, int socket, struct sshbuf *m) { |
2010 | ssh_gssapi_ccache store; | 2018 | ssh_gssapi_ccache store; |
2011 | int r, ok; | 2019 | int r, ok; |
2012 | 2020 | ||
2013 | if (!options.gss_authentication && !options.gss_keyex) | 2021 | if (!options.gss_authentication && !options.gss_keyex) |
2014 | fatal("%s: GSSAPI not enabled", __func__); | 2022 | fatal("%s: GSSAPI not enabled", __func__); |
2015 | 2023 | ||
2016 | if ((r = sshbuf_get_cstring(m, &store.filename, NULL)) != 0 || | 2024 | if ((r = sshbuf_get_string(m, (u_char **)&store.filename, NULL)) != 0 || |
2017 | (r = sshbuf_get_cstring(m, &store.envvar, NULL)) != 0 || | 2025 | (r = sshbuf_get_string(m, (u_char **)&store.envvar, NULL)) != 0 || |
2018 | (r = sshbuf_get_cstring(m, &store.envval, NULL)) != 0) | 2026 | (r = sshbuf_get_string(m, (u_char **)&store.envval, NULL)) != 0) |
2019 | fatal("%s: buffer error: %s", __func__, ssh_err(r)); | 2027 | fatal("%s: buffer error: %s", __func__, ssh_err(r)); |
2020 | 2028 | ||
2021 | ok = ssh_gssapi_update_creds(&store); | 2029 | ok = ssh_gssapi_update_creds(&store); |
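Review bot: Lines 2024–2026 (new side) replace `sshbuf_get_cstring()` with `sshbuf_get_string()` plus a `(u_char **)` cast for the three ccache fields, which drops the embedded-NUL rejection the cstring variant performs; these values come from the unprivileged child and the fields appear to be `char *` consumed as C strings by `ssh_gssapi_update_creds()`, so a value with an embedded NUL would now be silently truncated at the point of use instead of being a fatal protocol error, and because the length pointers are `NULL` the consumer cannot detect it. If the intent was to permit empty values, `sshbuf_get_cstring()` already accepts a zero-length string, so the original three lines can be restored, which also removes the casts. If the child may legitimately send non-C-string data here, that should be stated in a comment such as `/* may contain embedded NULs: <reason> */` and the lengths must be retained and passed along. mm_answer_gss_updatecreds continues past the end of this hunk.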