1 files changed, 31 insertions, 25 deletions
diff --git a/monitor_wrap.c b/monitor_wrap.c
index 69212aaf3..9666bda4b 100644
--- a/monitor_wrap.c
+++ b/monitor_wrap.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: monitor_wrap.c,v 1.94 2017/10/02 19:33:20 djm Exp $ */
+/* $OpenBSD: monitor_wrap.c,v 1.99 2018/03/03 03:15:51 djm Exp $ */
 /*
 * Copyright 2002 Niels Provos <provos@citi.umich.edu>
 * Copyright 2002 Markus Friedl <markus@openbsd.org>
@@ -76,7 +76,6 @@
 #include "atomicio.h"
 #include "monitor_fdpass.h"
 #include "misc.h"
-#include "uuencode.h"
 #include "channels.h"
 #include "session.h"
@@ -287,19 +286,15 @@ out:
                        newopts->x = buffer_get_string(&m, NULL); \
        } while (0)
 #define M_CP_STRARRAYOPT(x, nx) do { \
-                for (i = 0; i < newopts->nx; i++) \
-                        newopts->x[i] = buffer_get_string(&m, NULL); \
-        } while (0)
-#define M_CP_STRARRAYOPT_ALLOC(x, nx) do { \
                newopts->x = newopts->nx == 0 ? \
                    NULL : xcalloc(newopts->nx, sizeof(*newopts->x)); \
-                M_CP_STRARRAYOPT(x, nx); \
+                for (i = 0; i < newopts->nx; i++) \
+                        newopts->x[i] = buffer_get_string(&m, NULL); \
        } while (0)
        /* See comment in servconf.h */
        COPY_MATCH_STRING_OPTS();
 #undef M_CP_STROPT
 #undef M_CP_STRARRAYOPT
-#undef M_CP_STRARRAYOPT_ALLOC
        copy_set_server_options(&options, newopts, 1);
        log_change_level(options.log_level);
@@ -356,7 +351,7 @@ mm_inform_authserv(char *service, char *style)
 /* Do the password authentication */
 int
-mm_auth_password(Authctxt *authctxt, char *password)
+mm_auth_password(struct ssh *ssh, char *password)
 {
        Buffer m;
        int authenticated = 0;
@@ -383,34 +378,38 @@ mm_auth_password(Authctxt *authctxt, char *password)
 }
 int
-mm_user_key_allowed(struct passwd *pw, struct sshkey *key,
+mm_user_key_allowed(struct ssh *ssh, struct passwd *pw, struct sshkey *key,
-    int pubkey_auth_attempt)
+    int pubkey_auth_attempt, struct sshauthopt **authoptp)
 {
        return (mm_key_allowed(MM_USERKEY, NULL, NULL, key,
-            pubkey_auth_attempt));
+            pubkey_auth_attempt, authoptp));
 }
 int
 mm_hostbased_key_allowed(struct passwd *pw, const char *user, const char *host,
    struct sshkey *key)
 {
-        return (mm_key_allowed(MM_HOSTKEY, user, host, key, 0));
+        return (mm_key_allowed(MM_HOSTKEY, user, host, key, 0, NULL));
 }
 int
 mm_key_allowed(enum mm_keytype type, const char *user, const char *host,
-    struct sshkey *key, int pubkey_auth_attempt)
+    struct sshkey *key, int pubkey_auth_attempt, struct sshauthopt **authoptp)
 {
        Buffer m;
        u_char *blob;
        u_int len;
-        int allowed = 0, have_forced = 0;
+        int r, allowed = 0;
+        struct sshauthopt *opts = NULL;
        debug3("%s entering", __func__);
+        if (authoptp != NULL)
+                *authoptp = NULL;
        /* Convert the key to a blob and the pass it over */
        if (!key_to_blob(key, &blob, &len))
-                return (0);
+                return 0;
        buffer_init(&m);
        buffer_put_int(&m, type);
@@ -423,18 +422,24 @@ mm_key_allowed(enum mm_keytype type, const char *user, const char *host,
        mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_KEYALLOWED, &m);
        debug3("%s: waiting for MONITOR_ANS_KEYALLOWED", __func__);
-        mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_KEYALLOWED, &m);
+        mm_request_receive_expect(pmonitor->m_recvfd,
+            MONITOR_ANS_KEYALLOWED, &m);
        allowed = buffer_get_int(&m);
+        if (allowed && type == MM_USERKEY) {
-        /* fake forced command */
+                if ((r = sshauthopt_deserialise(&m, &opts)) != 0)
-        auth_clear_options();
+                        fatal("%s: sshauthopt_deserialise: %s",
-        have_forced = buffer_get_int(&m);
+                            __func__, ssh_err(r));
-        forced_command = have_forced ? xstrdup("true") : NULL;
+        }
        buffer_free(&m);
-        return (allowed);
+        if (authoptp != NULL) {
+                *authoptp = opts;
+                opts = NULL;
+        }
+        sshauthopt_free(opts);
+        return allowed;
 }
 /*
@@ -445,7 +450,7 @@ mm_key_allowed(enum mm_keytype type, const char *user, const char *host,
 int
 mm_sshkey_verify(const struct sshkey *key, const u_char *sig, size_t siglen,
-    const u_char *data, size_t datalen, u_int compat)
+    const u_char *data, size_t datalen, const char *sigalg, u_int compat)
 {
        Buffer m;
        u_char *blob;
@@ -462,6 +467,7 @@ mm_sshkey_verify(const struct sshkey *key, const u_char *sig, size_t siglen,
        buffer_put_string(&m, blob, len);
        buffer_put_string(&m, sig, siglen);
        buffer_put_string(&m, data, datalen);
+        buffer_put_cstring(&m, sigalg == NULL ? "" : sigalg);
        free(blob);
        mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_KEYVERIFY, &m);

diff --git a/monitor_wrap.c b/monitor_wrap.c index 69212aaf3..9666bda4b 100644 --- a/monitor_wrap.c +++ b/monitor_wrap.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: monitor_wrap.c,v 1.94 2017/10/02 19:33:20 djm Exp $ */	1	/* $OpenBSD: monitor_wrap.c,v 1.99 2018/03/03 03:15:51 djm Exp $ */
2	/*	2	/*
3	* Copyright 2002 Niels Provos <provos@citi.umich.edu>	3	* Copyright 2002 Niels Provos <provos@citi.umich.edu>
4	* Copyright 2002 Markus Friedl <markus@openbsd.org>	4	* Copyright 2002 Markus Friedl <markus@openbsd.org>
@@ -76,7 +76,6 @@
76	#include "atomicio.h"	76	#include "atomicio.h"
77	#include "monitor_fdpass.h"	77	#include "monitor_fdpass.h"
78	#include "misc.h"	78	#include "misc.h"
79	#include "uuencode.h"
80		79
81	#include "channels.h"	80	#include "channels.h"
82	#include "session.h"	81	#include "session.h"
@@ -287,19 +286,15 @@ out:
287	newopts->x = buffer_get_string(&m, NULL); \	286	newopts->x = buffer_get_string(&m, NULL); \
288	} while (0)	287	} while (0)
289	#define M_CP_STRARRAYOPT(x, nx) do { \	288	#define M_CP_STRARRAYOPT(x, nx) do { \
290	for (i = 0; i < newopts->nx; i++) \
291	newopts->x[i] = buffer_get_string(&m, NULL); \
292	} while (0)
293	#define M_CP_STRARRAYOPT_ALLOC(x, nx) do { \
294	newopts->x = newopts->nx == 0 ? \	289	newopts->x = newopts->nx == 0 ? \
295	NULL : xcalloc(newopts->nx, sizeof(*newopts->x)); \	290	NULL : xcalloc(newopts->nx, sizeof(*newopts->x)); \
296	M_CP_STRARRAYOPT(x, nx); \	291	for (i = 0; i < newopts->nx; i++) \
		292	newopts->x[i] = buffer_get_string(&m, NULL); \
297	} while (0)	293	} while (0)
298	/* See comment in servconf.h */	294	/* See comment in servconf.h */
299	COPY_MATCH_STRING_OPTS();	295	COPY_MATCH_STRING_OPTS();
300	#undef M_CP_STROPT	296	#undef M_CP_STROPT
301	#undef M_CP_STRARRAYOPT	297	#undef M_CP_STRARRAYOPT
302	#undef M_CP_STRARRAYOPT_ALLOC
303		298
304	copy_set_server_options(&options, newopts, 1);	299	copy_set_server_options(&options, newopts, 1);
305	log_change_level(options.log_level);	300	log_change_level(options.log_level);
@@ -356,7 +351,7 @@ mm_inform_authserv(char service, char style)
356		351
357	/* Do the password authentication */	352	/* Do the password authentication */
358	int	353	int
359	mm_auth_password(Authctxt authctxt, char password)	354	mm_auth_password(struct ssh ssh, char password)
360	{	355	{
361	Buffer m;	356	Buffer m;
362	int authenticated = 0;	357	int authenticated = 0;
@@ -383,34 +378,38 @@ mm_auth_password(Authctxt authctxt, char password)
383	}	378	}
384		379
385	int	380	int
386	mm_user_key_allowed(struct passwd pw, struct sshkey key,	381	mm_user_key_allowed(struct ssh ssh, struct passwd pw, struct sshkey *key,
387	int pubkey_auth_attempt)	382	int pubkey_auth_attempt, struct sshauthopt **authoptp)
388	{	383	{
389	return (mm_key_allowed(MM_USERKEY, NULL, NULL, key,	384	return (mm_key_allowed(MM_USERKEY, NULL, NULL, key,
390	pubkey_auth_attempt));	385	pubkey_auth_attempt, authoptp));
391	}	386	}
392		387
393	int	388	int
394	mm_hostbased_key_allowed(struct passwd pw, const char user, const char *host,	389	mm_hostbased_key_allowed(struct passwd pw, const char user, const char *host,
395	struct sshkey *key)	390	struct sshkey *key)
396	{	391	{
397	return (mm_key_allowed(MM_HOSTKEY, user, host, key, 0));	392	return (mm_key_allowed(MM_HOSTKEY, user, host, key, 0, NULL));
398	}	393	}
399		394
400	int	395	int
401	mm_key_allowed(enum mm_keytype type, const char user, const char host,	396	mm_key_allowed(enum mm_keytype type, const char user, const char host,
402	struct sshkey *key, int pubkey_auth_attempt)	397	struct sshkey key, int pubkey_auth_attempt, struct sshauthopt *authoptp)
403	{	398	{
404	Buffer m;	399	Buffer m;
405	u_char *blob;	400	u_char *blob;
406	u_int len;	401	u_int len;
407	int allowed = 0, have_forced = 0;	402	int r, allowed = 0;
		403	struct sshauthopt *opts = NULL;
408		404
409	debug3("%s entering", __func__);	405	debug3("%s entering", __func__);
410		406
		407	if (authoptp != NULL)
		408	*authoptp = NULL;
		409
411	/* Convert the key to a blob and the pass it over */	410	/* Convert the key to a blob and the pass it over */
412	if (!key_to_blob(key, &blob, &len))	411	if (!key_to_blob(key, &blob, &len))
413	return (0);	412	return 0;
414		413
415	buffer_init(&m);	414	buffer_init(&m);
416	buffer_put_int(&m, type);	415	buffer_put_int(&m, type);
@@ -423,18 +422,24 @@ mm_key_allowed(enum mm_keytype type, const char user, const char host,
423	mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_KEYALLOWED, &m);	422	mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_KEYALLOWED, &m);
424		423
425	debug3("%s: waiting for MONITOR_ANS_KEYALLOWED", __func__);	424	debug3("%s: waiting for MONITOR_ANS_KEYALLOWED", __func__);
426	mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_KEYALLOWED, &m);	425	mm_request_receive_expect(pmonitor->m_recvfd,
		426	MONITOR_ANS_KEYALLOWED, &m);
427		427
428	allowed = buffer_get_int(&m);	428	allowed = buffer_get_int(&m);
429		429	if (allowed && type == MM_USERKEY) {
430	/* fake forced command */	430	if ((r = sshauthopt_deserialise(&m, &opts)) != 0)
431	auth_clear_options();	431	fatal("%s: sshauthopt_deserialise: %s",
432	have_forced = buffer_get_int(&m);	432	__func__, ssh_err(r));
433	forced_command = have_forced ? xstrdup("true") : NULL;	433	}
434
435	buffer_free(&m);	434	buffer_free(&m);
436		435
437	return (allowed);	436	if (authoptp != NULL) {
		437	*authoptp = opts;
		438	opts = NULL;
		439	}
		440	sshauthopt_free(opts);
		441
		442	return allowed;
438	}	443	}
439		444
440	/*	445	/*
@@ -445,7 +450,7 @@ mm_key_allowed(enum mm_keytype type, const char user, const char host,
445		450
446	int	451	int
447	mm_sshkey_verify(const struct sshkey key, const u_char sig, size_t siglen,	452	mm_sshkey_verify(const struct sshkey key, const u_char sig, size_t siglen,
448	const u_char *data, size_t datalen, u_int compat)	453	const u_char data, size_t datalen, const char sigalg, u_int compat)
449	{	454	{
450	Buffer m;	455	Buffer m;
451	u_char *blob;	456	u_char *blob;
@@ -462,6 +467,7 @@ mm_sshkey_verify(const struct sshkey key, const u_char sig, size_t siglen,
462	buffer_put_string(&m, blob, len);	467	buffer_put_string(&m, blob, len);
463	buffer_put_string(&m, sig, siglen);	468	buffer_put_string(&m, sig, siglen);
464	buffer_put_string(&m, data, datalen);	469	buffer_put_string(&m, data, datalen);
		470	buffer_put_cstring(&m, sigalg == NULL ? "" : sigalg);
465	free(blob);	471	free(blob);
466		472
467	mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_KEYVERIFY, &m);	473	mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_KEYVERIFY, &m);