Diffstat (limited to 'monitor_wrap.c')
-rw-r--r-- | monitor_wrap.c | 191 |
1 files changed, 188 insertions, 3 deletions
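--- a/monitor_wrap.c
+++ b/monitor_wrap.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: monitor_wrap.c,v 1.63 2008/07/10 18:08:11 markus Exp $ */
+/* $OpenBSD: monitor_wrap.c,v 1.64 2008/11/04 08:22:13 djm Exp $ */
 /*
  * Copyright 2002 Niels Provos <provos@citi.umich.edu>
  * Copyright 2002 Markus Friedl <markus@openbsd.org>
@@ -40,6 +40,7 @@
 
 #include <openssl/bn.h>
 #include <openssl/dh.h>
+#include <openssl/evp.h>
 
 #include "openbsd-compat/sys-queue.h"
 #include "xmalloc.h"
@@ -70,7 +71,7 @@
 #include "atomicio.h"
 #include "monitor_fdpass.h"
 #include "misc.h"
-#include "servconf.h"
+#include "jpake.h"
 
 #include "channels.h"
 #include "session.h"
@@ -1238,7 +1239,7 @@ mm_ssh_gssapi_checkmic(Gssctxt *ctx, gss_buffer_t gssbuf, gss_buffer_t gssmic)
 }
 
 int
-mm_ssh_gssapi_userok(char *user)
+mm_ssh_gssapi_userok(char *user, struct passwd *pw)
 {
 Buffer m;
 int authenticated = 0;
@@ -1278,4 +1279,188 @@ mm_ssh_gssapi_sign(Gssctxt *ctx, gss_buffer_desc *data, gss_buffer_desc *hash)
 return(major);
 }
 
+int
+mm_ssh_gssapi_update_creds(ssh_gssapi_ccache *store)
+{
+Buffer m;
+int ok;
+
+buffer_init(&m);
+
+buffer_put_cstring(&m, store->filename ? store->filename : "");
+buffer_put_cstring(&m, store->envvar ? store->envvar : "");
+buffer_put_cstring(&m, store->envval ? store->envval : "");
+
+mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_GSSUPCREDS, &m);
+mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_GSSUPCREDS, &m);
+
+ok = buffer_get_int(&m);
+
+buffer_free(&m);
+
+return (ok);
+}
+
 #endif /* GSSAPI */
+
+#ifdef JPAKE
+void
+mm_auth2_jpake_get_pwdata(Authctxt *authctxt, BIGNUM **s,
+char **hash_scheme, char **salt)
+{
+Buffer m;
+
+debug3("%s entering", __func__);
+
+buffer_init(&m);
+mm_request_send(pmonitor->m_recvfd,
+MONITOR_REQ_JPAKE_GET_PWDATA, &m);
+
+debug3("%s: waiting for MONITOR_ANS_JPAKE_GET_PWDATA", __func__);
+mm_request_receive_expect(pmonitor->m_recvfd,
+MONITOR_ANS_JPAKE_GET_PWDATA, &m);
+
+*hash_scheme = buffer_get_string(&m, NULL);
+*salt = buffer_get_string(&m, NULL);
+
+buffer_free(&m);
+}
+
+void
+mm_jpake_step1(struct jpake_group *grp,
+u_char **id, u_int *id_len,
+BIGNUM **priv1, BIGNUM **priv2, BIGNUM **g_priv1, BIGNUM **g_priv2,
+u_char **priv1_proof, u_int *priv1_proof_len,
+u_char **priv2_proof, u_int *priv2_proof_len)
+{
+Buffer m;
+
+debug3("%s entering", __func__);
+
+buffer_init(&m);
+mm_request_send(pmonitor->m_recvfd,
+MONITOR_REQ_JPAKE_STEP1, &m);
+
+debug3("%s: waiting for MONITOR_ANS_JPAKE_STEP1", __func__);
+mm_request_receive_expect(pmonitor->m_recvfd,
+MONITOR_ANS_JPAKE_STEP1, &m);
+
+if ((*priv1 = BN_new()) == NULL ||
+(*priv2 = BN_new()) == NULL ||
+(*g_priv1 = BN_new()) == NULL ||
+(*g_priv2 = BN_new()) == NULL)
+fatal("%s: BN_new", __func__);
+
+*id = buffer_get_string(&m, id_len);
+/* priv1 and priv2 are, well, private */
+buffer_get_bignum2(&m, *g_priv1);
+buffer_get_bignum2(&m, *g_priv2);
+*priv1_proof = buffer_get_string(&m, priv1_proof_len);
+*priv2_proof = buffer_get_string(&m, priv2_proof_len);
+
+buffer_free(&m);
+}
+
+void
+mm_jpake_step2(struct jpake_group *grp, BIGNUM *s,
+BIGNUM *mypub1, BIGNUM *theirpub1, BIGNUM *theirpub2, BIGNUM *mypriv2,
+const u_char *theirid, u_int theirid_len,
+const u_char *myid, u_int myid_len,
+const u_char *theirpub1_proof, u_int theirpub1_proof_len,
+const u_char *theirpub2_proof, u_int theirpub2_proof_len,
+BIGNUM **newpub,
+u_char **newpub_exponent_proof, u_int *newpub_exponent_proof_len)
+{
+Buffer m;
+
+debug3("%s entering", __func__);
+
+buffer_init(&m);
+/* monitor already has all bignums except theirpub1, theirpub2 */
+buffer_put_bignum2(&m, theirpub1);
+buffer_put_bignum2(&m, theirpub2);
+/* monitor already knows our id */
+buffer_put_string(&m, theirid, theirid_len);
+buffer_put_string(&m, theirpub1_proof, theirpub1_proof_len);
+buffer_put_string(&m, theirpub2_proof, theirpub2_proof_len);
+
+mm_request_send(pmonitor->m_recvfd,
+MONITOR_REQ_JPAKE_STEP2, &m);
+
+debug3("%s: waiting for MONITOR_ANS_JPAKE_STEP2", __func__);
+mm_request_receive_expect(pmonitor->m_recvfd,
+MONITOR_ANS_JPAKE_STEP2, &m);
+
+if ((*newpub = BN_new()) == NULL)
+fatal("%s: BN_new", __func__);
+
+buffer_get_bignum2(&m, *newpub);
+*newpub_exponent_proof = buffer_get_string(&m,
+newpub_exponent_proof_len);
+
+buffer_free(&m);
+}
+
+void
+mm_jpake_key_confirm(struct jpake_group *grp, BIGNUM *s, BIGNUM *step2_val,
+BIGNUM *mypriv2, BIGNUM *mypub1, BIGNUM *mypub2,
+BIGNUM *theirpub1, BIGNUM *theirpub2,
+const u_char *my_id, u_int my_id_len,
+const u_char *their_id, u_int their_id_len,
+const u_char *sess_id, u_int sess_id_len,
+const u_char *theirpriv2_s_proof, u_int theirpriv2_s_proof_len,
+BIGNUM **k,
+u_char **confirm_hash, u_int *confirm_hash_len)
+{
+Buffer m;
+
+debug3("%s entering", __func__);
+
+buffer_init(&m);
+/* monitor already has all bignums except step2_val */
+buffer_put_bignum2(&m, step2_val);
+/* monitor already knows all the ids */
+buffer_put_string(&m, theirpriv2_s_proof, theirpriv2_s_proof_len);
+
+mm_request_send(pmonitor->m_recvfd,
+MONITOR_REQ_JPAKE_KEY_CONFIRM, &m);
+
+debug3("%s: waiting for MONITOR_ANS_JPAKE_KEY_CONFIRM", __func__);
+mm_request_receive_expect(pmonitor->m_recvfd,
+MONITOR_ANS_JPAKE_KEY_CONFIRM, &m);
+
+/* 'k' is sensitive and stays in the monitor */
+*confirm_hash = buffer_get_string(&m, confirm_hash_len);
+
+buffer_free(&m);
+}
+
+int
+mm_jpake_check_confirm(const BIGNUM *k,
+const u_char *peer_id, u_int peer_id_len,
+const u_char *sess_id, u_int sess_id_len,
+const u_char *peer_confirm_hash, u_int peer_confirm_hash_len)
+{
+Buffer m;
+int success = 0;
+
+debug3("%s entering", __func__);
+
+buffer_init(&m);
+/* k is dummy in slave, ignored */
+/* monitor knows all the ids */
+buffer_put_string(&m, peer_confirm_hash, peer_confirm_hash_len);
+mm_request_send(pmonitor->m_recvfd,
+MONITOR_REQ_JPAKE_CHECK_CONFIRM, &m);
+
+debug3("%s: waiting for MONITOR_ANS_JPAKE_CHECK_CONFIRM", __func__);
+mm_request_receive_expect(pmonitor->m_recvfd,
+MONITOR_ANS_JPAKE_CHECK_CONFIRM, &m);
+
+success = buffer_get_int(&m);
+buffer_free(&m);
+
+debug3("%s: success = %d", __func__, success);
+return success;
+}
+#endif /* JPAKE */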
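Review bot: `mm_auth2_jpake_get_pwdata` takes `BIGNUM **s` but never allocates or writes `*s`, and unlike its siblings it says nothing about that: `mm_jpake_step1` hands back placeholder `priv1`/`priv2` from BN_new() with the comment "priv1 and priv2 are, well, private", and `mm_jpake_key_confirm` states "'k' is sensitive and stays in the monitor" while leaving `*k` untouched. Whether callers are expected to initialise `*s` themselves or may end up freeing an unset pointer cannot be seen from this file, so the contract should be stated next to the two `buffer_get_string` calls, e.g. `/* the password-derived secret 's' stays in the monitor; *s is deliberately left unset */`, adjusted if the caller is meant to provide its own dummy. The same unused-parameter pattern (`grp`, `s`, `mypub1`, `myid`, `sess_id`, ...) runs through `mm_jpake_step2`, `mm_jpake_key_confirm` and `mm_jpake_check_confirm`; if these signatures are kept only to mirror the non-privsep `jpake_*` entry points, one comment at the top of the `#ifdef JPAKE` block saying so would save the next reader from suspecting dropped arguments. The monitor-side handlers that validate these requests are outside this hunk.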