Diffstat (limited to 'monitor.c')
-rw-r--r-- | monitor.c | 33 |
1 files changed, 30 insertions, 3 deletions
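--- a/monitor.c
+++ b/monitor.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: monitor.c,v 1.131 2014/02/02 03:44:31 djm Exp $ */
+/* $OpenBSD: monitor.c,v 1.135 2014/07/15 15:54:14 millert Exp $ */
 /*
  * Copyright 2002 Niels Provos <provos@citi.umich.edu>
  * Copyright 2002 Markus Friedl <markus@openbsd.org>
@@ -40,9 +40,10 @@
 #endif
 #include <pwd.h>
 #include <signal.h>
-#include <stdarg.h>
 #include <stdlib.h>
 #include <string.h>
+#include <stdarg.h>
+#include <stdio.h>
 #include <unistd.h>
 #ifdef HAVE_POLL_H
 #include <poll.h>
@@ -56,7 +57,9 @@
 #include <skey.h>
 #endif
 
+#ifdef WITH_OPENSSL
 #include <openssl/dh.h>
+#endif
 
 #include "openbsd-compat/sys-queue.h"
 #include "atomicio.h"
@@ -84,6 +87,7 @@
 #include "sshlogin.h"
 #include "canohost.h"
 #include "log.h"
+#include "misc.h"
 #include "servconf.h"
 #include "monitor.h"
 #include "monitor_mm.h"
@@ -92,7 +96,6 @@
 #endif
 #include "monitor_wrap.h"
 #include "monitor_fdpass.h"
-#include "misc.h"
 #include "compat.h"
 #include "ssh2.h"
 #include "roaming.h"
@@ -195,7 +198,10 @@ int mm_answer_consolekit_register(int, Buffer *);
 #endif
 
 static Authctxt *authctxt;
+
+#ifdef WITH_SSH1
 static BIGNUM *ssh1_challenge = NULL;	/* used for ssh1 rsa auth */
+#endif
 
 /* local state for key verify */
 static u_char *key_blob = NULL;
@@ -225,7 +231,9 @@ struct mon_table {
 #define MON_PERMIT	0x1000	/* Request is permitted */
 
 struct mon_table mon_dispatch_proto20[] = {
+#ifdef WITH_OPENSSL
 	{MONITOR_REQ_MODULI, MON_ONCE, mm_answer_moduli},
+#endif
 	{MONITOR_REQ_SIGN, MON_ONCE, mm_answer_sign},
 	{MONITOR_REQ_PWNAM, MON_ONCE, mm_answer_pwnamallow},
 	{MONITOR_REQ_AUTHSERV, MON_ONCE, mm_answer_authserv},
@@ -270,7 +278,9 @@ struct mon_table mon_dispatch_postauth20[] = {
 	{MONITOR_REQ_GSSSIGN, 0, mm_answer_gss_sign},
 	{MONITOR_REQ_GSSUPCREDS, 0, mm_answer_gss_updatecreds},
 #endif
+#ifdef WITH_OPENSSL
 	{MONITOR_REQ_MODULI, 0, mm_answer_moduli},
+#endif
 	{MONITOR_REQ_SIGN, 0, mm_answer_sign},
 	{MONITOR_REQ_PTY, 0, mm_answer_pty},
 	{MONITOR_REQ_PTYCLEANUP, 0, mm_answer_pty_cleanup},
@@ -286,6 +296,7 @@ struct mon_table mon_dispatch_postauth20[] = {
 };
 
 struct mon_table mon_dispatch_proto15[] = {
+#ifdef WITH_SSH1
 	{MONITOR_REQ_PWNAM, MON_ONCE, mm_answer_pwnamallow},
 	{MONITOR_REQ_SESSKEY, MON_ONCE, mm_answer_sesskey},
 	{MONITOR_REQ_SESSID, MON_ONCE, mm_answer_sessid},
@@ -313,10 +324,12 @@ struct mon_table mon_dispatch_proto15[] = {
 #ifdef SSH_AUDIT_EVENTS
 	{MONITOR_REQ_AUDIT_EVENT, MON_PERMIT, mm_answer_audit_event},
 #endif
+#endif /* WITH_SSH1 */
 	{0, 0, NULL}
 };
 
 struct mon_table mon_dispatch_postauth15[] = {
+#ifdef WITH_SSH1
 	{MONITOR_REQ_PTY, MON_ONCE, mm_answer_pty},
 	{MONITOR_REQ_PTYCLEANUP, MON_ONCE, mm_answer_pty_cleanup},
 	{MONITOR_REQ_TERM, 0, mm_answer_term},
@@ -327,6 +340,7 @@ struct mon_table mon_dispatch_postauth15[] = {
 #ifdef USE_CONSOLEKIT
 	{MONITOR_REQ_CONSOLEKIT_REGISTER, 0, mm_answer_consolekit_register},
 #endif
+#endif /* WITH_SSH1 */
 	{0, 0, NULL}
 };
 
@@ -485,6 +499,9 @@ monitor_child_postauth(struct monitor *pmonitor)
 	signal(SIGHUP, &monitor_child_handler);
 	signal(SIGTERM, &monitor_child_handler);
 	signal(SIGINT, &monitor_child_handler);
+#ifdef SIGXFSZ
+	signal(SIGXFSZ, SIG_IGN);
+#endif
 
 	if (compat20) {
 		mon_dispatch = mon_dispatch_postauth20;
@@ -665,6 +682,7 @@ monitor_reset_key_state(void)
 	hostbased_chost = NULL;
 }
 
+#ifdef WITH_OPENSSL
 int
 mm_answer_moduli(int sock, Buffer *m)
 {
@@ -699,6 +717,7 @@ mm_answer_moduli(int sock, Buffer *m)
 	mm_request_send(sock, MONITOR_ANS_MODULI, m);
 	return (0);
 }
+#endif
 
 extern AuthenticationConnection *auth_conn;
 
@@ -1225,6 +1244,7 @@ mm_answer_keyallowed(int sock, Buffer *m)
 			    cuser, chost);
 			auth_method = "hostbased";
 			break;
+#ifdef WITH_SSH1
 		case MM_RSAHOSTKEY:
 			key->type = KEY_RSA1; /* XXX */
 			allowed = options.rhosts_rsa_authentication &&
@@ -1234,6 +1254,7 @@ mm_answer_keyallowed(int sock, Buffer *m)
 			auth_clear_options();
 			auth_method = "rsa";
 			break;
+#endif
 		default:
 			fatal("%s: unknown key type %d", __func__, type);
 			break;
@@ -1570,6 +1591,7 @@ mm_answer_pty_cleanup(int sock, Buffer *m)
 	return (0);
 }
 
+#ifdef WITH_SSH1
 int
 mm_answer_sesskey(int sock, Buffer *m)
 {
@@ -1747,6 +1769,7 @@ mm_answer_rsa_response(int sock, Buffer *m)
 
 	return (success);
 }
+#endif
 
 int
 mm_answer_term(int sock, Buffer *req)
@@ -1851,6 +1874,8 @@ monitor_apply_keystate(struct monitor *pmonitor)
 	if (options.compression)
 		mm_init_compression(pmonitor->m_zlib);
 
+	packet_set_postauth();
+
 	if (options.rekey_limit || options.rekey_interval)
 		packet_set_rekey_limits((u_int32_t)options.rekey_limit,
 		    (time_t)options.rekey_interval);
@@ -1887,11 +1912,13 @@ mm_get_kex(Buffer *m)
 	    timingsafe_bcmp(kex->session_id, session_id2, session_id2_len) != 0)
 		fatal("mm_get_get: internal error: bad session id");
 	kex->we_need = buffer_get_int(m);
+#ifdef WITH_OPENSSL
 	kex->kex[KEX_DH_GRP1_SHA1] = kexdh_server;
 	kex->kex[KEX_DH_GRP14_SHA1] = kexdh_server;
 	kex->kex[KEX_DH_GEX_SHA1] = kexgex_server;
 	kex->kex[KEX_DH_GEX_SHA256] = kexgex_server;
 	kex->kex[KEX_ECDH_SHA2] = kexecdh_server;
+#endif
 	kex->kex[KEX_C25519_SHA256] = kexc25519_server;
 #ifdef GSSAPI
 	if (options.gss_keyex) {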
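Review bot: The bare `#endif` added at new line 1772 closes a `#ifdef WITH_SSH1` opened at new line 1594, roughly 180 lines earlier around mm_answer_sesskey through mm_answer_rsa_response, yet the same commit annotates the table closers at 327 and 343 as `#endif /* WITH_SSH1 */`; the long-range closers at 720 (`WITH_OPENSSL`, opened at 685), 1257 (`WITH_SSH1`, opened at 1247 inside the switch in mm_answer_keyallowed) and 1921 should carry the same annotation so a reader at the closer can tell which feature gate ends. The guarded `case MM_RSAHOSTKEY:` in mm_answer_keyallowed now falls to the existing `default: fatal(...)` when SSH1 is compiled out, which is the right fail-closed outcome for a request type the unprivileged child should never send, but a one-line comment on the `#endif` noting that the default branch is the intended path for that type would save the next reader a search. The `signal(SIGXFSZ, SIG_IGN)` added in monitor_child_postauth has no comment saying why; if, as it appears, the intent is that an RLIMIT_FSIZE hit surfaces as an EFBIG write error instead of terminating the post-auth monitor, a comment along the lines of `/* file size limit: report EFBIG rather than die — TODO confirm */` would record that. Each of the enclosing functions (monitor_child_postauth, mm_answer_keyallowed, monitor_apply_keystate, mm_get_kex) starts and ends outside its hunk.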