summaryrefslogtreecommitdiff
path: root/monitor.c
diff options
context:
space:
mode:
Diffstat (limited to 'monitor.c')
-rw-r--r--monitor.c214
1 files changed, 117 insertions, 97 deletions
diff --git a/monitor.c b/monitor.c
index 8006b833c..44dff98c9 100644
--- a/monitor.c
+++ b/monitor.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: monitor.c,v 1.120 2012/12/11 22:16:21 markus Exp $ */ 1/* $OpenBSD: monitor.c,v 1.127 2013/07/19 07:37:48 markus Exp $ */
2/* 2/*
3 * Copyright 2002 Niels Provos <provos@citi.umich.edu> 3 * Copyright 2002 Niels Provos <provos@citi.umich.edu>
4 * Copyright 2002 Markus Friedl <markus@openbsd.org> 4 * Copyright 2002 Markus Friedl <markus@openbsd.org>
@@ -97,6 +97,7 @@
97#include "ssh2.h" 97#include "ssh2.h"
98#include "jpake.h" 98#include "jpake.h"
99#include "roaming.h" 99#include "roaming.h"
100#include "authfd.h"
100 101
101#ifdef GSSAPI 102#ifdef GSSAPI
102static Gssctxt *gsscontext = NULL; 103static Gssctxt *gsscontext = NULL;
@@ -392,7 +393,7 @@ monitor_child_preauth(Authctxt *_authctxt, struct monitor *pmonitor)
392 "with SSH protocol 1"); 393 "with SSH protocol 1");
393 if (authenticated && 394 if (authenticated &&
394 !auth2_update_methods_lists(authctxt, 395 !auth2_update_methods_lists(authctxt,
395 auth_method)) { 396 auth_method, auth_submethod)) {
396 debug3("%s: method %s: partial", __func__, 397 debug3("%s: method %s: partial", __func__,
397 auth_method); 398 auth_method);
398 authenticated = 0; 399 authenticated = 0;
@@ -422,8 +423,7 @@ monitor_child_preauth(Authctxt *_authctxt, struct monitor *pmonitor)
422 } 423 }
423 if (ent->flags & (MON_AUTHDECIDE|MON_ALOG)) { 424 if (ent->flags & (MON_AUTHDECIDE|MON_ALOG)) {
424 auth_log(authctxt, authenticated, partial, 425 auth_log(authctxt, authenticated, partial,
425 auth_method, auth_submethod, 426 auth_method, auth_submethod);
426 compat20 ? " ssh2" : "");
427 if (!authenticated) 427 if (!authenticated)
428 authctxt->failures++; 428 authctxt->failures++;
429 } 429 }
@@ -551,7 +551,7 @@ monitor_read_log(struct monitor *pmonitor)
551 do_log2(level, "%s [preauth]", msg); 551 do_log2(level, "%s [preauth]", msg);
552 552
553 buffer_free(&logmsg); 553 buffer_free(&logmsg);
554 xfree(msg); 554 free(msg);
555 555
556 return 0; 556 return 0;
557} 557}
@@ -642,12 +642,9 @@ static void
642monitor_reset_key_state(void) 642monitor_reset_key_state(void)
643{ 643{
644 /* reset state */ 644 /* reset state */
645 if (key_blob != NULL) 645 free(key_blob);
646 xfree(key_blob); 646 free(hostbased_cuser);
647 if (hostbased_cuser != NULL) 647 free(hostbased_chost);
648 xfree(hostbased_cuser);
649 if (hostbased_chost != NULL)
650 xfree(hostbased_chost);
651 key_blob = NULL; 648 key_blob = NULL;
652 key_bloblen = 0; 649 key_bloblen = 0;
653 key_blobtype = MM_NOKEY; 650 key_blobtype = MM_NOKEY;
@@ -690,6 +687,8 @@ mm_answer_moduli(int sock, Buffer *m)
690 return (0); 687 return (0);
691} 688}
692 689
690extern AuthenticationConnection *auth_conn;
691
693int 692int
694mm_answer_sign(int sock, Buffer *m) 693mm_answer_sign(int sock, Buffer *m)
695{ 694{
@@ -718,18 +717,24 @@ mm_answer_sign(int sock, Buffer *m)
718 memcpy(session_id2, p, session_id2_len); 717 memcpy(session_id2, p, session_id2_len);
719 } 718 }
720 719
721 if ((key = get_hostkey_by_index(keyid)) == NULL) 720 if ((key = get_hostkey_by_index(keyid)) != NULL) {
721 if (key_sign(key, &signature, &siglen, p, datlen) < 0)
722 fatal("%s: key_sign failed", __func__);
723 } else if ((key = get_hostkey_public_by_index(keyid)) != NULL &&
724 auth_conn != NULL) {
725 if (ssh_agent_sign(auth_conn, key, &signature, &siglen, p,
726 datlen) < 0)
727 fatal("%s: ssh_agent_sign failed", __func__);
728 } else
722 fatal("%s: no hostkey from index %d", __func__, keyid); 729 fatal("%s: no hostkey from index %d", __func__, keyid);
723 if (key_sign(key, &signature, &siglen, p, datlen) < 0)
724 fatal("%s: key_sign failed", __func__);
725 730
726 debug3("%s: signature %p(%u)", __func__, signature, siglen); 731 debug3("%s: signature %p(%u)", __func__, signature, siglen);
727 732
728 buffer_clear(m); 733 buffer_clear(m);
729 buffer_put_string(m, signature, siglen); 734 buffer_put_string(m, signature, siglen);
730 735
731 xfree(p); 736 free(p);
732 xfree(signature); 737 free(signature);
733 738
734 mm_request_send(sock, MONITOR_ANS_SIGN, m); 739 mm_request_send(sock, MONITOR_ANS_SIGN, m);
735 740
@@ -760,7 +765,7 @@ mm_answer_pwnamallow(int sock, Buffer *m)
760 765
761 authctxt->user = xstrdup(username); 766 authctxt->user = xstrdup(username);
762 setproctitle("%s [priv]", pwent ? username : "unknown"); 767 setproctitle("%s [priv]", pwent ? username : "unknown");
763 xfree(username); 768 free(username);
764 769
765 buffer_clear(m); 770 buffer_clear(m);
766 771
@@ -778,8 +783,10 @@ mm_answer_pwnamallow(int sock, Buffer *m)
778 buffer_put_string(m, pwent, sizeof(struct passwd)); 783 buffer_put_string(m, pwent, sizeof(struct passwd));
779 buffer_put_cstring(m, pwent->pw_name); 784 buffer_put_cstring(m, pwent->pw_name);
780 buffer_put_cstring(m, "*"); 785 buffer_put_cstring(m, "*");
786#ifdef HAVE_STRUCT_PASSWD_PW_GECOS
781 buffer_put_cstring(m, pwent->pw_gecos); 787 buffer_put_cstring(m, pwent->pw_gecos);
782#ifdef HAVE_PW_CLASS_IN_PASSWD 788#endif
789#ifdef HAVE_STRUCT_PASSWD_PW_CLASS
783 buffer_put_cstring(m, pwent->pw_class); 790 buffer_put_cstring(m, pwent->pw_class);
784#endif 791#endif
785 buffer_put_cstring(m, pwent->pw_dir); 792 buffer_put_cstring(m, pwent->pw_dir);
@@ -838,9 +845,7 @@ int mm_answer_auth2_read_banner(int sock, Buffer *m)
838 banner = auth2_read_banner(); 845 banner = auth2_read_banner();
839 buffer_put_cstring(m, banner != NULL ? banner : ""); 846 buffer_put_cstring(m, banner != NULL ? banner : "");
840 mm_request_send(sock, MONITOR_ANS_AUTH2_READ_BANNER, m); 847 mm_request_send(sock, MONITOR_ANS_AUTH2_READ_BANNER, m);
841 848 free(banner);
842 if (banner != NULL)
843 xfree(banner);
844 849
845 return (0); 850 return (0);
846} 851}
@@ -856,7 +861,7 @@ mm_answer_authserv(int sock, Buffer *m)
856 __func__, authctxt->service, authctxt->style); 861 __func__, authctxt->service, authctxt->style);
857 862
858 if (strlen(authctxt->style) == 0) { 863 if (strlen(authctxt->style) == 0) {
859 xfree(authctxt->style); 864 free(authctxt->style);
860 authctxt->style = NULL; 865 authctxt->style = NULL;
861 } 866 }
862 867
@@ -876,7 +881,7 @@ mm_answer_authpassword(int sock, Buffer *m)
876 authenticated = options.password_authentication && 881 authenticated = options.password_authentication &&
877 auth_password(authctxt, passwd); 882 auth_password(authctxt, passwd);
878 memset(passwd, 0, strlen(passwd)); 883 memset(passwd, 0, strlen(passwd));
879 xfree(passwd); 884 free(passwd);
880 885
881 buffer_clear(m); 886 buffer_clear(m);
882 buffer_put_int(m, authenticated); 887 buffer_put_int(m, authenticated);
@@ -916,10 +921,10 @@ mm_answer_bsdauthquery(int sock, Buffer *m)
916 mm_request_send(sock, MONITOR_ANS_BSDAUTHQUERY, m); 921 mm_request_send(sock, MONITOR_ANS_BSDAUTHQUERY, m);
917 922
918 if (success) { 923 if (success) {
919 xfree(name); 924 free(name);
920 xfree(infotxt); 925 free(infotxt);
921 xfree(prompts); 926 free(prompts);
922 xfree(echo_on); 927 free(echo_on);
923 } 928 }
924 929
925 return (0); 930 return (0);
@@ -939,7 +944,7 @@ mm_answer_bsdauthrespond(int sock, Buffer *m)
939 auth_userresponse(authctxt->as, response, 0); 944 auth_userresponse(authctxt->as, response, 0);
940 authctxt->as = NULL; 945 authctxt->as = NULL;
941 debug3("%s: <%s> = <%d>", __func__, response, authok); 946 debug3("%s: <%s> = <%d>", __func__, response, authok);
942 xfree(response); 947 free(response);
943 948
944 buffer_clear(m); 949 buffer_clear(m);
945 buffer_put_int(m, authok); 950 buffer_put_int(m, authok);
@@ -947,9 +952,10 @@ mm_answer_bsdauthrespond(int sock, Buffer *m)
947 debug3("%s: sending authenticated: %d", __func__, authok); 952 debug3("%s: sending authenticated: %d", __func__, authok);
948 mm_request_send(sock, MONITOR_ANS_BSDAUTHRESPOND, m); 953 mm_request_send(sock, MONITOR_ANS_BSDAUTHRESPOND, m);
949 954
950 if (compat20) 955 if (compat20) {
951 auth_method = "keyboard-interactive"; /* XXX auth_submethod */ 956 auth_method = "keyboard-interactive";
952 else 957 auth_submethod = "bsdauth";
958 } else
953 auth_method = "bsdauth"; 959 auth_method = "bsdauth";
954 960
955 return (authok != 0); 961 return (authok != 0);
@@ -991,7 +997,7 @@ mm_answer_skeyrespond(int sock, Buffer *m)
991 skey_haskey(authctxt->pw->pw_name) == 0 && 997 skey_haskey(authctxt->pw->pw_name) == 0 &&
992 skey_passcheck(authctxt->pw->pw_name, response) != -1); 998 skey_passcheck(authctxt->pw->pw_name, response) != -1);
993 999
994 xfree(response); 1000 free(response);
995 1001
996 buffer_clear(m); 1002 buffer_clear(m);
997 buffer_put_int(m, authok); 1003 buffer_put_int(m, authok);
@@ -1076,19 +1082,17 @@ mm_answer_pam_query(int sock, Buffer *m)
1076 buffer_clear(m); 1082 buffer_clear(m);
1077 buffer_put_int(m, ret); 1083 buffer_put_int(m, ret);
1078 buffer_put_cstring(m, name); 1084 buffer_put_cstring(m, name);
1079 xfree(name); 1085 free(name);
1080 buffer_put_cstring(m, info); 1086 buffer_put_cstring(m, info);
1081 xfree(info); 1087 free(info);
1082 buffer_put_int(m, num); 1088 buffer_put_int(m, num);
1083 for (i = 0; i < num; ++i) { 1089 for (i = 0; i < num; ++i) {
1084 buffer_put_cstring(m, prompts[i]); 1090 buffer_put_cstring(m, prompts[i]);
1085 xfree(prompts[i]); 1091 free(prompts[i]);
1086 buffer_put_int(m, echo_on[i]); 1092 buffer_put_int(m, echo_on[i]);
1087 } 1093 }
1088 if (prompts != NULL) 1094 free(prompts);
1089 xfree(prompts); 1095 free(echo_on);
1090 if (echo_on != NULL)
1091 xfree(echo_on);
1092 auth_method = "keyboard-interactive"; 1096 auth_method = "keyboard-interactive";
1093 auth_submethod = "pam"; 1097 auth_submethod = "pam";
1094 mm_request_send(sock, MONITOR_ANS_PAM_QUERY, m); 1098 mm_request_send(sock, MONITOR_ANS_PAM_QUERY, m);
@@ -1111,8 +1115,8 @@ mm_answer_pam_respond(int sock, Buffer *m)
1111 resp[i] = buffer_get_string(m, NULL); 1115 resp[i] = buffer_get_string(m, NULL);
1112 ret = (sshpam_device.respond)(sshpam_ctxt, num, resp); 1116 ret = (sshpam_device.respond)(sshpam_ctxt, num, resp);
1113 for (i = 0; i < num; ++i) 1117 for (i = 0; i < num; ++i)
1114 xfree(resp[i]); 1118 free(resp[i]);
1115 xfree(resp); 1119 free(resp);
1116 } else { 1120 } else {
1117 ret = (sshpam_device.respond)(sshpam_ctxt, num, NULL); 1121 ret = (sshpam_device.respond)(sshpam_ctxt, num, NULL);
1118 } 1122 }
@@ -1170,6 +1174,7 @@ mm_answer_keyallowed(int sock, Buffer *m)
1170 case MM_USERKEY: 1174 case MM_USERKEY:
1171 allowed = options.pubkey_authentication && 1175 allowed = options.pubkey_authentication &&
1172 user_key_allowed(authctxt->pw, key); 1176 user_key_allowed(authctxt->pw, key);
1177 pubkey_auth_info(authctxt, key, NULL);
1173 auth_method = "publickey"; 1178 auth_method = "publickey";
1174 if (options.pubkey_authentication && allowed != 1) 1179 if (options.pubkey_authentication && allowed != 1)
1175 auth_clear_options(); 1180 auth_clear_options();
@@ -1178,6 +1183,9 @@ mm_answer_keyallowed(int sock, Buffer *m)
1178 allowed = options.hostbased_authentication && 1183 allowed = options.hostbased_authentication &&
1179 hostbased_key_allowed(authctxt->pw, 1184 hostbased_key_allowed(authctxt->pw,
1180 cuser, chost, key); 1185 cuser, chost, key);
1186 pubkey_auth_info(authctxt, key,
1187 "client user \"%.100s\", client host \"%.100s\"",
1188 cuser, chost);
1181 auth_method = "hostbased"; 1189 auth_method = "hostbased";
1182 break; 1190 break;
1183 case MM_RSAHOSTKEY: 1191 case MM_RSAHOSTKEY:
@@ -1209,11 +1217,10 @@ mm_answer_keyallowed(int sock, Buffer *m)
1209 hostbased_chost = chost; 1217 hostbased_chost = chost;
1210 } else { 1218 } else {
1211 /* Log failed attempt */ 1219 /* Log failed attempt */
1212 auth_log(authctxt, 0, 0, auth_method, NULL, 1220 auth_log(authctxt, 0, 0, auth_method, NULL);
1213 compat20 ? " ssh2" : ""); 1221 free(blob);
1214 xfree(blob); 1222 free(cuser);
1215 xfree(cuser); 1223 free(chost);
1216 xfree(chost);
1217 } 1224 }
1218 1225
1219 debug3("%s: key %p is %s", 1226 debug3("%s: key %p is %s",
@@ -1235,7 +1242,7 @@ static int
1235monitor_valid_userblob(u_char *data, u_int datalen) 1242monitor_valid_userblob(u_char *data, u_int datalen)
1236{ 1243{
1237 Buffer b; 1244 Buffer b;
1238 char *p; 1245 char *p, *userstyle;
1239 u_int len; 1246 u_int len;
1240 int fail = 0; 1247 int fail = 0;
1241 1248
@@ -1256,26 +1263,30 @@ monitor_valid_userblob(u_char *data, u_int datalen)
1256 (len != session_id2_len) || 1263 (len != session_id2_len) ||
1257 (timingsafe_bcmp(p, session_id2, session_id2_len) != 0)) 1264 (timingsafe_bcmp(p, session_id2, session_id2_len) != 0))
1258 fail++; 1265 fail++;
1259 xfree(p); 1266 free(p);
1260 } 1267 }
1261 if (buffer_get_char(&b) != SSH2_MSG_USERAUTH_REQUEST) 1268 if (buffer_get_char(&b) != SSH2_MSG_USERAUTH_REQUEST)
1262 fail++; 1269 fail++;
1263 p = buffer_get_string(&b, NULL); 1270 p = buffer_get_cstring(&b, NULL);
1264 if (strcmp(authctxt->user, p) != 0) { 1271 xasprintf(&userstyle, "%s%s%s", authctxt->user,
1272 authctxt->style ? ":" : "",
1273 authctxt->style ? authctxt->style : "");
1274 if (strcmp(userstyle, p) != 0) {
1265 logit("wrong user name passed to monitor: expected %s != %.100s", 1275 logit("wrong user name passed to monitor: expected %s != %.100s",
1266 authctxt->user, p); 1276 userstyle, p);
1267 fail++; 1277 fail++;
1268 } 1278 }
1269 xfree(p); 1279 free(userstyle);
1280 free(p);
1270 buffer_skip_string(&b); 1281 buffer_skip_string(&b);
1271 if (datafellows & SSH_BUG_PKAUTH) { 1282 if (datafellows & SSH_BUG_PKAUTH) {
1272 if (!buffer_get_char(&b)) 1283 if (!buffer_get_char(&b))
1273 fail++; 1284 fail++;
1274 } else { 1285 } else {
1275 p = buffer_get_string(&b, NULL); 1286 p = buffer_get_cstring(&b, NULL);
1276 if (strcmp("publickey", p) != 0) 1287 if (strcmp("publickey", p) != 0)
1277 fail++; 1288 fail++;
1278 xfree(p); 1289 free(p);
1279 if (!buffer_get_char(&b)) 1290 if (!buffer_get_char(&b))
1280 fail++; 1291 fail++;
1281 buffer_skip_string(&b); 1292 buffer_skip_string(&b);
@@ -1292,7 +1303,7 @@ monitor_valid_hostbasedblob(u_char *data, u_int datalen, char *cuser,
1292 char *chost) 1303 char *chost)
1293{ 1304{
1294 Buffer b; 1305 Buffer b;
1295 char *p; 1306 char *p, *userstyle;
1296 u_int len; 1307 u_int len;
1297 int fail = 0; 1308 int fail = 0;
1298 1309
@@ -1304,22 +1315,26 @@ monitor_valid_hostbasedblob(u_char *data, u_int datalen, char *cuser,
1304 (len != session_id2_len) || 1315 (len != session_id2_len) ||
1305 (timingsafe_bcmp(p, session_id2, session_id2_len) != 0)) 1316 (timingsafe_bcmp(p, session_id2, session_id2_len) != 0))
1306 fail++; 1317 fail++;
1307 xfree(p); 1318 free(p);
1308 1319
1309 if (buffer_get_char(&b) != SSH2_MSG_USERAUTH_REQUEST) 1320 if (buffer_get_char(&b) != SSH2_MSG_USERAUTH_REQUEST)
1310 fail++; 1321 fail++;
1311 p = buffer_get_string(&b, NULL); 1322 p = buffer_get_cstring(&b, NULL);
1312 if (strcmp(authctxt->user, p) != 0) { 1323 xasprintf(&userstyle, "%s%s%s", authctxt->user,
1324 authctxt->style ? ":" : "",
1325 authctxt->style ? authctxt->style : "");
1326 if (strcmp(userstyle, p) != 0) {
1313 logit("wrong user name passed to monitor: expected %s != %.100s", 1327 logit("wrong user name passed to monitor: expected %s != %.100s",
1314 authctxt->user, p); 1328 userstyle, p);
1315 fail++; 1329 fail++;
1316 } 1330 }
1317 xfree(p); 1331 free(userstyle);
1332 free(p);
1318 buffer_skip_string(&b); /* service */ 1333 buffer_skip_string(&b); /* service */
1319 p = buffer_get_string(&b, NULL); 1334 p = buffer_get_cstring(&b, NULL);
1320 if (strcmp(p, "hostbased") != 0) 1335 if (strcmp(p, "hostbased") != 0)
1321 fail++; 1336 fail++;
1322 xfree(p); 1337 free(p);
1323 buffer_skip_string(&b); /* pkalg */ 1338 buffer_skip_string(&b); /* pkalg */
1324 buffer_skip_string(&b); /* pkblob */ 1339 buffer_skip_string(&b); /* pkblob */
1325 1340
@@ -1329,13 +1344,13 @@ monitor_valid_hostbasedblob(u_char *data, u_int datalen, char *cuser,
1329 p[len - 1] = '\0'; 1344 p[len - 1] = '\0';
1330 if (strcmp(p, chost) != 0) 1345 if (strcmp(p, chost) != 0)
1331 fail++; 1346 fail++;
1332 xfree(p); 1347 free(p);
1333 1348
1334 /* verify client user */ 1349 /* verify client user */
1335 p = buffer_get_string(&b, NULL); 1350 p = buffer_get_string(&b, NULL);
1336 if (strcmp(p, cuser) != 0) 1351 if (strcmp(p, cuser) != 0)
1337 fail++; 1352 fail++;
1338 xfree(p); 1353 free(p);
1339 1354
1340 if (buffer_len(&b) != 0) 1355 if (buffer_len(&b) != 0)
1341 fail++; 1356 fail++;
@@ -1384,9 +1399,9 @@ mm_answer_keyverify(int sock, Buffer *m)
1384 __func__, key, (verified == 1) ? "verified" : "unverified"); 1399 __func__, key, (verified == 1) ? "verified" : "unverified");
1385 1400
1386 key_free(key); 1401 key_free(key);
1387 xfree(blob); 1402 free(blob);
1388 xfree(signature); 1403 free(signature);
1389 xfree(data); 1404 free(data);
1390 1405
1391 auth_method = key_blobtype == MM_USERKEY ? "publickey" : "hostbased"; 1406 auth_method = key_blobtype == MM_USERKEY ? "publickey" : "hostbased";
1392 1407
@@ -1514,7 +1529,7 @@ mm_answer_pty_cleanup(int sock, Buffer *m)
1514 if ((s = session_by_tty(tty)) != NULL) 1529 if ((s = session_by_tty(tty)) != NULL)
1515 mm_session_close(s); 1530 mm_session_close(s);
1516 buffer_clear(m); 1531 buffer_clear(m);
1517 xfree(tty); 1532 free(tty);
1518 return (0); 1533 return (0);
1519} 1534}
1520 1535
@@ -1646,7 +1661,7 @@ mm_answer_rsa_challenge(int sock, Buffer *m)
1646 1661
1647 monitor_permit(mon_dispatch, MONITOR_REQ_RSARESPONSE, 1); 1662 monitor_permit(mon_dispatch, MONITOR_REQ_RSARESPONSE, 1);
1648 1663
1649 xfree(blob); 1664 free(blob);
1650 key_free(key); 1665 key_free(key);
1651 return (0); 1666 return (0);
1652} 1667}
@@ -1678,9 +1693,9 @@ mm_answer_rsa_response(int sock, Buffer *m)
1678 fatal("%s: received bad response to challenge", __func__); 1693 fatal("%s: received bad response to challenge", __func__);
1679 success = auth_rsa_verify_response(key, ssh1_challenge, response); 1694 success = auth_rsa_verify_response(key, ssh1_challenge, response);
1680 1695
1681 xfree(blob); 1696 free(blob);
1682 key_free(key); 1697 key_free(key);
1683 xfree(response); 1698 free(response);
1684 1699
1685 auth_method = key_blobtype == MM_RSAUSERKEY ? "rsa" : "rhosts-rsa"; 1700 auth_method = key_blobtype == MM_RSAUSERKEY ? "rsa" : "rhosts-rsa";
1686 1701
@@ -1759,7 +1774,7 @@ mm_answer_audit_command(int socket, Buffer *m)
1759 cmd = buffer_get_string(m, &len); 1774 cmd = buffer_get_string(m, &len);
1760 /* sanity check command, if so how? */ 1775 /* sanity check command, if so how? */
1761 audit_run_command(cmd); 1776 audit_run_command(cmd);
1762 xfree(cmd); 1777 free(cmd);
1763 return (0); 1778 return (0);
1764} 1779}
1765#endif /* SSH_AUDIT_EVENTS */ 1780#endif /* SSH_AUDIT_EVENTS */
@@ -1774,20 +1789,20 @@ monitor_apply_keystate(struct monitor *pmonitor)
1774 packet_set_protocol_flags(child_state.ssh1protoflags); 1789 packet_set_protocol_flags(child_state.ssh1protoflags);
1775 packet_set_encryption_key(child_state.ssh1key, 1790 packet_set_encryption_key(child_state.ssh1key,
1776 child_state.ssh1keylen, child_state.ssh1cipher); 1791 child_state.ssh1keylen, child_state.ssh1cipher);
1777 xfree(child_state.ssh1key); 1792 free(child_state.ssh1key);
1778 } 1793 }
1779 1794
1780 /* for rc4 and other stateful ciphers */ 1795 /* for rc4 and other stateful ciphers */
1781 packet_set_keycontext(MODE_OUT, child_state.keyout); 1796 packet_set_keycontext(MODE_OUT, child_state.keyout);
1782 xfree(child_state.keyout); 1797 free(child_state.keyout);
1783 packet_set_keycontext(MODE_IN, child_state.keyin); 1798 packet_set_keycontext(MODE_IN, child_state.keyin);
1784 xfree(child_state.keyin); 1799 free(child_state.keyin);
1785 1800
1786 if (!compat20) { 1801 if (!compat20) {
1787 packet_set_iv(MODE_OUT, child_state.ivout); 1802 packet_set_iv(MODE_OUT, child_state.ivout);
1788 xfree(child_state.ivout); 1803 free(child_state.ivout);
1789 packet_set_iv(MODE_IN, child_state.ivin); 1804 packet_set_iv(MODE_IN, child_state.ivin);
1790 xfree(child_state.ivin); 1805 free(child_state.ivin);
1791 } 1806 }
1792 1807
1793 memcpy(&incoming_stream, &child_state.incoming, 1808 memcpy(&incoming_stream, &child_state.incoming,
@@ -1799,18 +1814,22 @@ monitor_apply_keystate(struct monitor *pmonitor)
1799 if (options.compression) 1814 if (options.compression)
1800 mm_init_compression(pmonitor->m_zlib); 1815 mm_init_compression(pmonitor->m_zlib);
1801 1816
1817 if (options.rekey_limit || options.rekey_interval)
1818 packet_set_rekey_limits((u_int32_t)options.rekey_limit,
1819 (time_t)options.rekey_interval);
1820
1802 /* Network I/O buffers */ 1821 /* Network I/O buffers */
1803 /* XXX inefficient for large buffers, need: buffer_init_from_string */ 1822 /* XXX inefficient for large buffers, need: buffer_init_from_string */
1804 buffer_clear(packet_get_input()); 1823 buffer_clear(packet_get_input());
1805 buffer_append(packet_get_input(), child_state.input, child_state.ilen); 1824 buffer_append(packet_get_input(), child_state.input, child_state.ilen);
1806 memset(child_state.input, 0, child_state.ilen); 1825 memset(child_state.input, 0, child_state.ilen);
1807 xfree(child_state.input); 1826 free(child_state.input);
1808 1827
1809 buffer_clear(packet_get_output()); 1828 buffer_clear(packet_get_output());
1810 buffer_append(packet_get_output(), child_state.output, 1829 buffer_append(packet_get_output(), child_state.output,
1811 child_state.olen); 1830 child_state.olen);
1812 memset(child_state.output, 0, child_state.olen); 1831 memset(child_state.output, 0, child_state.olen);
1813 xfree(child_state.output); 1832 free(child_state.output);
1814 1833
1815 /* Roaming */ 1834 /* Roaming */
1816 if (compat20) 1835 if (compat20)
@@ -1842,11 +1861,11 @@ mm_get_kex(Buffer *m)
1842 blob = buffer_get_string(m, &bloblen); 1861 blob = buffer_get_string(m, &bloblen);
1843 buffer_init(&kex->my); 1862 buffer_init(&kex->my);
1844 buffer_append(&kex->my, blob, bloblen); 1863 buffer_append(&kex->my, blob, bloblen);
1845 xfree(blob); 1864 free(blob);
1846 blob = buffer_get_string(m, &bloblen); 1865 blob = buffer_get_string(m, &bloblen);
1847 buffer_init(&kex->peer); 1866 buffer_init(&kex->peer);
1848 buffer_append(&kex->peer, blob, bloblen); 1867 buffer_append(&kex->peer, blob, bloblen);
1849 xfree(blob); 1868 free(blob);
1850 kex->done = 1; 1869 kex->done = 1;
1851 kex->flags = buffer_get_int(m); 1870 kex->flags = buffer_get_int(m);
1852 kex->client_version_string = buffer_get_string(m, NULL); 1871 kex->client_version_string = buffer_get_string(m, NULL);
@@ -1854,6 +1873,7 @@ mm_get_kex(Buffer *m)
1854 kex->load_host_public_key=&get_hostkey_public_by_type; 1873 kex->load_host_public_key=&get_hostkey_public_by_type;
1855 kex->load_host_private_key=&get_hostkey_private_by_type; 1874 kex->load_host_private_key=&get_hostkey_private_by_type;
1856 kex->host_key_index=&get_hostkey_index; 1875 kex->host_key_index=&get_hostkey_index;
1876 kex->sign = sshd_hostkey_sign;
1857 1877
1858 return (kex); 1878 return (kex);
1859} 1879}
@@ -1889,12 +1909,12 @@ mm_get_keystate(struct monitor *pmonitor)
1889 1909
1890 blob = buffer_get_string(&m, &bloblen); 1910 blob = buffer_get_string(&m, &bloblen);
1891 current_keys[MODE_OUT] = mm_newkeys_from_blob(blob, bloblen); 1911 current_keys[MODE_OUT] = mm_newkeys_from_blob(blob, bloblen);
1892 xfree(blob); 1912 free(blob);
1893 1913
1894 debug3("%s: Waiting for second key", __func__); 1914 debug3("%s: Waiting for second key", __func__);
1895 blob = buffer_get_string(&m, &bloblen); 1915 blob = buffer_get_string(&m, &bloblen);
1896 current_keys[MODE_IN] = mm_newkeys_from_blob(blob, bloblen); 1916 current_keys[MODE_IN] = mm_newkeys_from_blob(blob, bloblen);
1897 xfree(blob); 1917 free(blob);
1898 1918
1899 /* Now get sequence numbers for the packets */ 1919 /* Now get sequence numbers for the packets */
1900 seqnr = buffer_get_int(&m); 1920 seqnr = buffer_get_int(&m);
@@ -1919,13 +1939,13 @@ mm_get_keystate(struct monitor *pmonitor)
1919 if (plen != sizeof(child_state.outgoing)) 1939 if (plen != sizeof(child_state.outgoing))
1920 fatal("%s: bad request size", __func__); 1940 fatal("%s: bad request size", __func__);
1921 memcpy(&child_state.outgoing, p, sizeof(child_state.outgoing)); 1941 memcpy(&child_state.outgoing, p, sizeof(child_state.outgoing));
1922 xfree(p); 1942 free(p);
1923 1943
1924 p = buffer_get_string(&m, &plen); 1944 p = buffer_get_string(&m, &plen);
1925 if (plen != sizeof(child_state.incoming)) 1945 if (plen != sizeof(child_state.incoming))
1926 fatal("%s: bad request size", __func__); 1946 fatal("%s: bad request size", __func__);
1927 memcpy(&child_state.incoming, p, sizeof(child_state.incoming)); 1947 memcpy(&child_state.incoming, p, sizeof(child_state.incoming));
1928 xfree(p); 1948 free(p);
1929 1949
1930 /* Network I/O buffers */ 1950 /* Network I/O buffers */
1931 debug3("%s: Getting Network I/O buffers", __func__); 1951 debug3("%s: Getting Network I/O buffers", __func__);
@@ -2047,7 +2067,7 @@ mm_answer_gss_setup_ctx(int sock, Buffer *m)
2047 2067
2048 major = ssh_gssapi_server_ctx(&gsscontext, &goid); 2068 major = ssh_gssapi_server_ctx(&gsscontext, &goid);
2049 2069
2050 xfree(goid.elements); 2070 free(goid.elements);
2051 2071
2052 buffer_clear(m); 2072 buffer_clear(m);
2053 buffer_put_int(m, major); 2073 buffer_put_int(m, major);
@@ -2072,7 +2092,7 @@ mm_answer_gss_accept_ctx(int sock, Buffer *m)
2072 in.value = buffer_get_string(m, &len); 2092 in.value = buffer_get_string(m, &len);
2073 in.length = len; 2093 in.length = len;
2074 major = ssh_gssapi_accept_ctx(gsscontext, &in, &out, &flags); 2094 major = ssh_gssapi_accept_ctx(gsscontext, &in, &out, &flags);
2075 xfree(in.value); 2095 free(in.value);
2076 2096
2077 buffer_clear(m); 2097 buffer_clear(m);
2078 buffer_put_int(m, major); 2098 buffer_put_int(m, major);
@@ -2104,8 +2124,8 @@ mm_answer_gss_checkmic(int sock, Buffer *m)
2104 2124
2105 ret = ssh_gssapi_checkmic(gsscontext, &gssbuf, &mic); 2125 ret = ssh_gssapi_checkmic(gsscontext, &gssbuf, &mic);
2106 2126
2107 xfree(gssbuf.value); 2127 free(gssbuf.value);
2108 xfree(mic.value); 2128 free(mic.value);
2109 2129
2110 buffer_clear(m); 2130 buffer_clear(m);
2111 buffer_put_int(m, ret); 2131 buffer_put_int(m, ret);
@@ -2175,8 +2195,8 @@ mm_answer_jpake_step1(int sock, Buffer *m)
2175 2195
2176 bzero(x3_proof, x3_proof_len); 2196 bzero(x3_proof, x3_proof_len);
2177 bzero(x4_proof, x4_proof_len); 2197 bzero(x4_proof, x4_proof_len);
2178 xfree(x3_proof); 2198 free(x3_proof);
2179 xfree(x4_proof); 2199 free(x4_proof);
2180 2200
2181 monitor_permit(mon_dispatch, MONITOR_REQ_JPAKE_GET_PWDATA, 1); 2201 monitor_permit(mon_dispatch, MONITOR_REQ_JPAKE_GET_PWDATA, 1);
2182 monitor_permit(mon_dispatch, MONITOR_REQ_JPAKE_STEP1, 0); 2202 monitor_permit(mon_dispatch, MONITOR_REQ_JPAKE_STEP1, 0);
@@ -2205,8 +2225,8 @@ mm_answer_jpake_get_pwdata(int sock, Buffer *m)
2205 2225
2206 bzero(hash_scheme, strlen(hash_scheme)); 2226 bzero(hash_scheme, strlen(hash_scheme));
2207 bzero(salt, strlen(salt)); 2227 bzero(salt, strlen(salt));
2208 xfree(hash_scheme); 2228 free(hash_scheme);
2209 xfree(salt); 2229 free(salt);
2210 2230
2211 monitor_permit(mon_dispatch, MONITOR_REQ_JPAKE_STEP2, 1); 2231 monitor_permit(mon_dispatch, MONITOR_REQ_JPAKE_STEP2, 1);
2212 2232
@@ -2245,8 +2265,8 @@ mm_answer_jpake_step2(int sock, Buffer *m)
2245 2265
2246 bzero(x1_proof, x1_proof_len); 2266 bzero(x1_proof, x1_proof_len);
2247 bzero(x2_proof, x2_proof_len); 2267 bzero(x2_proof, x2_proof_len);
2248 xfree(x1_proof); 2268 free(x1_proof);
2249 xfree(x2_proof); 2269 free(x2_proof);
2250 2270
2251 buffer_clear(m); 2271 buffer_clear(m);
2252 2272
@@ -2257,7 +2277,7 @@ mm_answer_jpake_step2(int sock, Buffer *m)
2257 mm_request_send(sock, MONITOR_ANS_JPAKE_STEP2, m); 2277 mm_request_send(sock, MONITOR_ANS_JPAKE_STEP2, m);
2258 2278
2259 bzero(x4_s_proof, x4_s_proof_len); 2279 bzero(x4_s_proof, x4_s_proof_len);
2260 xfree(x4_s_proof); 2280 free(x4_s_proof);
2261 2281
2262 monitor_permit(mon_dispatch, MONITOR_REQ_JPAKE_KEY_CONFIRM, 1); 2282 monitor_permit(mon_dispatch, MONITOR_REQ_JPAKE_KEY_CONFIRM, 1);
2263 2283
@@ -2325,7 +2345,7 @@ mm_answer_jpake_check_confirm(int sock, Buffer *m)
2325 JPAKE_DEBUG_CTX((pctx, "check_confirm done in %s", __func__)); 2345 JPAKE_DEBUG_CTX((pctx, "check_confirm done in %s", __func__));
2326 2346
2327 bzero(peer_confirm_hash, peer_confirm_hash_len); 2347 bzero(peer_confirm_hash, peer_confirm_hash_len);
2328 xfree(peer_confirm_hash); 2348 free(peer_confirm_hash);
2329 2349
2330 buffer_clear(m); 2350 buffer_clear(m);
2331 buffer_put_int(m, authenticated); 2351 buffer_put_int(m, authenticated);
generated by cgit v1.2.3 (git 2.39.1) at 2024-09-21 17:42:02 +0000