Diffstat (limited to 'monitor.c')
-rw-r--r-- | monitor.c | 33 |
1 files changed, 30 insertions, 3 deletions
@@ -1,4 +1,4 @@ | |||
1 | /* $OpenBSD: monitor.c,v 1.131 2014/02/02 03:44:31 djm Exp $ */ | 1 | /* $OpenBSD: monitor.c,v 1.135 2014/07/15 15:54:14 millert Exp $ */ |
2 | /* | 2 | /* |
3 | * Copyright 2002 Niels Provos <provos@citi.umich.edu> | 3 | * Copyright 2002 Niels Provos <provos@citi.umich.edu> |
4 | * Copyright 2002 Markus Friedl <markus@openbsd.org> | 4 | * Copyright 2002 Markus Friedl <markus@openbsd.org> |
@@ -40,9 +40,10 @@ | |||
40 | #endif | 40 | #endif |
41 | #include <pwd.h> | 41 | #include <pwd.h> |
42 | #include <signal.h> | 42 | #include <signal.h> |
43 | #include <stdarg.h> | ||
44 | #include <stdlib.h> | 43 | #include <stdlib.h> |
45 | #include <string.h> | 44 | #include <string.h> |
45 | #include <stdarg.h> | ||
46 | #include <stdio.h> | ||
46 | #include <unistd.h> | 47 | #include <unistd.h> |
47 | #ifdef HAVE_POLL_H | 48 | #ifdef HAVE_POLL_H |
48 | #include <poll.h> | 49 | #include <poll.h> |
@@ -56,7 +57,9 @@ | |||
56 | #include <skey.h> | 57 | #include <skey.h> |
57 | #endif | 58 | #endif |
58 | 59 | ||
60 | #ifdef WITH_OPENSSL | ||
59 | #include <openssl/dh.h> | 61 | #include <openssl/dh.h> |
62 | #endif | ||
60 | 63 | ||
61 | #include "openbsd-compat/sys-queue.h" | 64 | #include "openbsd-compat/sys-queue.h" |
62 | #include "atomicio.h" | 65 | #include "atomicio.h" |
@@ -84,6 +87,7 @@ | |||
84 | #include "sshlogin.h" | 87 | #include "sshlogin.h" |
85 | #include "canohost.h" | 88 | #include "canohost.h" |
86 | #include "log.h" | 89 | #include "log.h" |
90 | #include "misc.h" | ||
87 | #include "servconf.h" | 91 | #include "servconf.h" |
88 | #include "monitor.h" | 92 | #include "monitor.h" |
89 | #include "monitor_mm.h" | 93 | #include "monitor_mm.h" |
@@ -92,7 +96,6 @@ | |||
92 | #endif | 96 | #endif |
93 | #include "monitor_wrap.h" | 97 | #include "monitor_wrap.h" |
94 | #include "monitor_fdpass.h" | 98 | #include "monitor_fdpass.h" |
95 | #include "misc.h" | ||
96 | #include "compat.h" | 99 | #include "compat.h" |
97 | #include "ssh2.h" | 100 | #include "ssh2.h" |
98 | #include "roaming.h" | 101 | #include "roaming.h" |
@@ -185,7 +188,10 @@ int mm_answer_audit_command(int, Buffer *); | |||
185 | static int monitor_read_log(struct monitor *); | 188 | static int monitor_read_log(struct monitor *); |
186 | 189 | ||
187 | static Authctxt *authctxt; | 190 | static Authctxt *authctxt; |
191 | |||
192 | #ifdef WITH_SSH1 | ||
188 | static BIGNUM *ssh1_challenge = NULL; /* used for ssh1 rsa auth */ | 193 | static BIGNUM *ssh1_challenge = NULL; /* used for ssh1 rsa auth */ |
194 | #endif | ||
189 | 195 | ||
190 | /* local state for key verify */ | 196 | /* local state for key verify */ |
191 | static u_char *key_blob = NULL; | 197 | static u_char *key_blob = NULL; |
@@ -215,7 +221,9 @@ struct mon_table { | |||
215 | #define MON_PERMIT 0x1000 /* Request is permitted */ | 221 | #define MON_PERMIT 0x1000 /* Request is permitted */ |
216 | 222 | ||
217 | struct mon_table mon_dispatch_proto20[] = { | 223 | struct mon_table mon_dispatch_proto20[] = { |
224 | #ifdef WITH_OPENSSL | ||
218 | {MONITOR_REQ_MODULI, MON_ONCE, mm_answer_moduli}, | 225 | {MONITOR_REQ_MODULI, MON_ONCE, mm_answer_moduli}, |
226 | #endif | ||
219 | {MONITOR_REQ_SIGN, MON_ONCE, mm_answer_sign}, | 227 | {MONITOR_REQ_SIGN, MON_ONCE, mm_answer_sign}, |
220 | {MONITOR_REQ_PWNAM, MON_ONCE, mm_answer_pwnamallow}, | 228 | {MONITOR_REQ_PWNAM, MON_ONCE, mm_answer_pwnamallow}, |
221 | {MONITOR_REQ_AUTHSERV, MON_ONCE, mm_answer_authserv}, | 229 | {MONITOR_REQ_AUTHSERV, MON_ONCE, mm_answer_authserv}, |
@@ -252,7 +260,9 @@ struct mon_table mon_dispatch_proto20[] = { | |||
252 | }; | 260 | }; |
253 | 261 | ||
254 | struct mon_table mon_dispatch_postauth20[] = { | 262 | struct mon_table mon_dispatch_postauth20[] = { |
263 | #ifdef WITH_OPENSSL | ||
255 | {MONITOR_REQ_MODULI, 0, mm_answer_moduli}, | 264 | {MONITOR_REQ_MODULI, 0, mm_answer_moduli}, |
265 | #endif | ||
256 | {MONITOR_REQ_SIGN, 0, mm_answer_sign}, | 266 | {MONITOR_REQ_SIGN, 0, mm_answer_sign}, |
257 | {MONITOR_REQ_PTY, 0, mm_answer_pty}, | 267 | {MONITOR_REQ_PTY, 0, mm_answer_pty}, |
258 | {MONITOR_REQ_PTYCLEANUP, 0, mm_answer_pty_cleanup}, | 268 | {MONITOR_REQ_PTYCLEANUP, 0, mm_answer_pty_cleanup}, |
@@ -265,6 +275,7 @@ struct mon_table mon_dispatch_postauth20[] = { | |||
265 | }; | 275 | }; |
266 | 276 | ||
267 | struct mon_table mon_dispatch_proto15[] = { | 277 | struct mon_table mon_dispatch_proto15[] = { |
278 | #ifdef WITH_SSH1 | ||
268 | {MONITOR_REQ_PWNAM, MON_ONCE, mm_answer_pwnamallow}, | 279 | {MONITOR_REQ_PWNAM, MON_ONCE, mm_answer_pwnamallow}, |
269 | {MONITOR_REQ_SESSKEY, MON_ONCE, mm_answer_sesskey}, | 280 | {MONITOR_REQ_SESSKEY, MON_ONCE, mm_answer_sesskey}, |
270 | {MONITOR_REQ_SESSID, MON_ONCE, mm_answer_sessid}, | 281 | {MONITOR_REQ_SESSID, MON_ONCE, mm_answer_sessid}, |
@@ -292,10 +303,12 @@ struct mon_table mon_dispatch_proto15[] = { | |||
292 | #ifdef SSH_AUDIT_EVENTS | 303 | #ifdef SSH_AUDIT_EVENTS |
293 | {MONITOR_REQ_AUDIT_EVENT, MON_PERMIT, mm_answer_audit_event}, | 304 | {MONITOR_REQ_AUDIT_EVENT, MON_PERMIT, mm_answer_audit_event}, |
294 | #endif | 305 | #endif |
306 | #endif /* WITH_SSH1 */ | ||
295 | {0, 0, NULL} | 307 | {0, 0, NULL} |
296 | }; | 308 | }; |
297 | 309 | ||
298 | struct mon_table mon_dispatch_postauth15[] = { | 310 | struct mon_table mon_dispatch_postauth15[] = { |
311 | #ifdef WITH_SSH1 | ||
299 | {MONITOR_REQ_PTY, MON_ONCE, mm_answer_pty}, | 312 | {MONITOR_REQ_PTY, MON_ONCE, mm_answer_pty}, |
300 | {MONITOR_REQ_PTYCLEANUP, MON_ONCE, mm_answer_pty_cleanup}, | 313 | {MONITOR_REQ_PTYCLEANUP, MON_ONCE, mm_answer_pty_cleanup}, |
301 | {MONITOR_REQ_TERM, 0, mm_answer_term}, | 314 | {MONITOR_REQ_TERM, 0, mm_answer_term}, |
@@ -303,6 +316,7 @@ struct mon_table mon_dispatch_postauth15[] = { | |||
303 | {MONITOR_REQ_AUDIT_EVENT, MON_PERMIT, mm_answer_audit_event}, | 316 | {MONITOR_REQ_AUDIT_EVENT, MON_PERMIT, mm_answer_audit_event}, |
304 | {MONITOR_REQ_AUDIT_COMMAND, MON_PERMIT|MON_ONCE, mm_answer_audit_command}, | 317 | {MONITOR_REQ_AUDIT_COMMAND, MON_PERMIT|MON_ONCE, mm_answer_audit_command}, |
305 | #endif | 318 | #endif |
319 | #endif /* WITH_SSH1 */ | ||
306 | {0, 0, NULL} | 320 | {0, 0, NULL} |
307 | }; | 321 | }; |
308 | 322 | ||
@@ -457,6 +471,9 @@ monitor_child_postauth(struct monitor *pmonitor) | |||
457 | signal(SIGHUP, &monitor_child_handler); | 471 | signal(SIGHUP, &monitor_child_handler); |
458 | signal(SIGTERM, &monitor_child_handler); | 472 | signal(SIGTERM, &monitor_child_handler); |
459 | signal(SIGINT, &monitor_child_handler); | 473 | signal(SIGINT, &monitor_child_handler); |
474 | #ifdef SIGXFSZ | ||
475 | signal(SIGXFSZ, SIG_IGN); | ||
476 | #endif | ||
460 | 477 | ||
461 | if (compat20) { | 478 | if (compat20) { |
462 | mon_dispatch = mon_dispatch_postauth20; | 479 | mon_dispatch = mon_dispatch_postauth20; |
@@ -630,6 +647,7 @@ monitor_reset_key_state(void) | |||
630 | hostbased_chost = NULL; | 647 | hostbased_chost = NULL; |
631 | } | 648 | } |
632 | 649 | ||
650 | #ifdef WITH_OPENSSL | ||
633 | int | 651 | int |
634 | mm_answer_moduli(int sock, Buffer *m) | 652 | mm_answer_moduli(int sock, Buffer *m) |
635 | { | 653 | { |
@@ -664,6 +682,7 @@ mm_answer_moduli(int sock, Buffer *m) | |||
664 | mm_request_send(sock, MONITOR_ANS_MODULI, m); | 682 | mm_request_send(sock, MONITOR_ANS_MODULI, m); |
665 | return (0); | 683 | return (0); |
666 | } | 684 | } |
685 | #endif | ||
667 | 686 | ||
668 | extern AuthenticationConnection *auth_conn; | 687 | extern AuthenticationConnection *auth_conn; |
669 | 688 | ||
@@ -1166,6 +1185,7 @@ mm_answer_keyallowed(int sock, Buffer *m) | |||
1166 | cuser, chost); | 1185 | cuser, chost); |
1167 | auth_method = "hostbased"; | 1186 | auth_method = "hostbased"; |
1168 | break; | 1187 | break; |
1188 | #ifdef WITH_SSH1 | ||
1169 | case MM_RSAHOSTKEY: | 1189 | case MM_RSAHOSTKEY: |
1170 | key->type = KEY_RSA1; /* XXX */ | 1190 | key->type = KEY_RSA1; /* XXX */ |
1171 | allowed = options.rhosts_rsa_authentication && | 1191 | allowed = options.rhosts_rsa_authentication && |
@@ -1175,6 +1195,7 @@ mm_answer_keyallowed(int sock, Buffer *m) | |||
1175 | auth_clear_options(); | 1195 | auth_clear_options(); |
1176 | auth_method = "rsa"; | 1196 | auth_method = "rsa"; |
1177 | break; | 1197 | break; |
1198 | #endif | ||
1178 | default: | 1199 | default: |
1179 | fatal("%s: unknown key type %d", __func__, type); | 1200 | fatal("%s: unknown key type %d", __func__, type); |
1180 | break; | 1201 | break; |
@@ -1511,6 +1532,7 @@ mm_answer_pty_cleanup(int sock, Buffer *m) | |||
1511 | return (0); | 1532 | return (0); |
1512 | } | 1533 | } |
1513 | 1534 | ||
1535 | #ifdef WITH_SSH1 | ||
1514 | int | 1536 | int |
1515 | mm_answer_sesskey(int sock, Buffer *m) | 1537 | mm_answer_sesskey(int sock, Buffer *m) |
1516 | { | 1538 | { |
@@ -1688,6 +1710,7 @@ mm_answer_rsa_response(int sock, Buffer *m) | |||
1688 | 1710 | ||
1689 | return (success); | 1711 | return (success); |
1690 | } | 1712 | } |
1713 | #endif | ||
1691 | 1714 | ||
1692 | int | 1715 | int |
1693 | mm_answer_term(int sock, Buffer *req) | 1716 | mm_answer_term(int sock, Buffer *req) |
@@ -1792,6 +1815,8 @@ monitor_apply_keystate(struct monitor *pmonitor) | |||
1792 | if (options.compression) | 1815 | if (options.compression) |
1793 | mm_init_compression(pmonitor->m_zlib); | 1816 | mm_init_compression(pmonitor->m_zlib); |
1794 | 1817 | ||
1818 | packet_set_postauth(); | ||
1819 | |||
1795 | if (options.rekey_limit || options.rekey_interval) | 1820 | if (options.rekey_limit || options.rekey_interval) |
1796 | packet_set_rekey_limits((u_int32_t)options.rekey_limit, | 1821 | packet_set_rekey_limits((u_int32_t)options.rekey_limit, |
1797 | (time_t)options.rekey_interval); | 1822 | (time_t)options.rekey_interval); |
@@ -1828,11 +1853,13 @@ mm_get_kex(Buffer *m) | |||
1828 | timingsafe_bcmp(kex->session_id, session_id2, session_id2_len) != 0) | 1853 | timingsafe_bcmp(kex->session_id, session_id2, session_id2_len) != 0) |
1829 | fatal("mm_get_get: internal error: bad session id"); | 1854 | fatal("mm_get_get: internal error: bad session id"); |
1830 | kex->we_need = buffer_get_int(m); | 1855 | kex->we_need = buffer_get_int(m); |
1856 | #ifdef WITH_OPENSSL | ||
1831 | kex->kex[KEX_DH_GRP1_SHA1] = kexdh_server; | 1857 | kex->kex[KEX_DH_GRP1_SHA1] = kexdh_server; |
1832 | kex->kex[KEX_DH_GRP14_SHA1] = kexdh_server; | 1858 | kex->kex[KEX_DH_GRP14_SHA1] = kexdh_server; |
1833 | kex->kex[KEX_DH_GEX_SHA1] = kexgex_server; | 1859 | kex->kex[KEX_DH_GEX_SHA1] = kexgex_server; |
1834 | kex->kex[KEX_DH_GEX_SHA256] = kexgex_server; | 1860 | kex->kex[KEX_DH_GEX_SHA256] = kexgex_server; |
1835 | kex->kex[KEX_ECDH_SHA2] = kexecdh_server; | 1861 | kex->kex[KEX_ECDH_SHA2] = kexecdh_server; |
1862 | #endif | ||
1836 | kex->kex[KEX_C25519_SHA256] = kexc25519_server; | 1863 | kex->kex[KEX_C25519_SHA256] = kexc25519_server; |
1837 | kex->server = 1; | 1864 | kex->server = 1; |
1838 | kex->hostkey_type = buffer_get_int(m); | 1865 | kex->hostkey_type = buffer_get_int(m); |