1 files changed, 31 insertions, 25 deletions
diff --git a/monitor_wrap.c b/monitor_wrap.c
index d806bb2e7..7b2d06c65 100644
--- a/monitor_wrap.c
+++ b/monitor_wrap.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: monitor_wrap.c,v 1.94 2017/10/02 19:33:20 djm Exp $ */
+/* $OpenBSD: monitor_wrap.c,v 1.99 2018/03/03 03:15:51 djm Exp $ */
 /*
 * Copyright 2002 Niels Provos <provos@citi.umich.edu>
 * Copyright 2002 Markus Friedl <markus@openbsd.org>
@@ -76,7 +76,6 @@
 #include "atomicio.h"
 #include "monitor_fdpass.h"
 #include "misc.h"
-#include "uuencode.h"
 #include "channels.h"
 #include "session.h"
@@ -287,19 +286,15 @@ out:
                        newopts->x = buffer_get_string(&m, NULL); \
        } while (0)
 #define M_CP_STRARRAYOPT(x, nx) do { \
-                for (i = 0; i < newopts->nx; i++) \
-                        newopts->x[i] = buffer_get_string(&m, NULL); \
-        } while (0)
-#define M_CP_STRARRAYOPT_ALLOC(x, nx) do { \
                newopts->x = newopts->nx == 0 ? \
                    NULL : xcalloc(newopts->nx, sizeof(*newopts->x)); \
-                M_CP_STRARRAYOPT(x, nx); \
+                for (i = 0; i < newopts->nx; i++) \
+                        newopts->x[i] = buffer_get_string(&m, NULL); \
        } while (0)
        /* See comment in servconf.h */
        COPY_MATCH_STRING_OPTS();
 #undef M_CP_STROPT
 #undef M_CP_STRARRAYOPT
-#undef M_CP_STRARRAYOPT_ALLOC
        copy_set_server_options(&options, newopts, 1);
        log_change_level(options.log_level);
@@ -374,7 +369,7 @@ mm_inform_authrole(char *role)
 /* Do the password authentication */
 int
-mm_auth_password(Authctxt *authctxt, char *password)
+mm_auth_password(struct ssh *ssh, char *password)
 {
        Buffer m;
        int authenticated = 0;
@@ -401,34 +396,38 @@ mm_auth_password(Authctxt *authctxt, char *password)
 }
 int
-mm_user_key_allowed(struct passwd *pw, struct sshkey *key,
+mm_user_key_allowed(struct ssh *ssh, struct passwd *pw, struct sshkey *key,
-    int pubkey_auth_attempt)
+    int pubkey_auth_attempt, struct sshauthopt **authoptp)
 {
        return (mm_key_allowed(MM_USERKEY, NULL, NULL, key,
-            pubkey_auth_attempt));
+            pubkey_auth_attempt, authoptp));
 }
 int
 mm_hostbased_key_allowed(struct passwd *pw, const char *user, const char *host,
    struct sshkey *key)
 {
-        return (mm_key_allowed(MM_HOSTKEY, user, host, key, 0));
+        return (mm_key_allowed(MM_HOSTKEY, user, host, key, 0, NULL));
 }
 int
 mm_key_allowed(enum mm_keytype type, const char *user, const char *host,
-    struct sshkey *key, int pubkey_auth_attempt)
+    struct sshkey *key, int pubkey_auth_attempt, struct sshauthopt **authoptp)
 {
        Buffer m;
        u_char *blob;
        u_int len;
-        int allowed = 0, have_forced = 0;
+        int r, allowed = 0;
+        struct sshauthopt *opts = NULL;
        debug3("%s entering", __func__);
+        if (authoptp != NULL)
+                *authoptp = NULL;
        /* Convert the key to a blob and the pass it over */
        if (!key_to_blob(key, &blob, &len))
-                return (0);
+                return 0;
        buffer_init(&m);
        buffer_put_int(&m, type);
@@ -441,18 +440,24 @@ mm_key_allowed(enum mm_keytype type, const char *user, const char *host,
        mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_KEYALLOWED, &m);
        debug3("%s: waiting for MONITOR_ANS_KEYALLOWED", __func__);
-        mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_KEYALLOWED, &m);
+        mm_request_receive_expect(pmonitor->m_recvfd,
+            MONITOR_ANS_KEYALLOWED, &m);
        allowed = buffer_get_int(&m);
+        if (allowed && type == MM_USERKEY) {
-        /* fake forced command */
+                if ((r = sshauthopt_deserialise(&m, &opts)) != 0)
-        auth_clear_options();
+                        fatal("%s: sshauthopt_deserialise: %s",
-        have_forced = buffer_get_int(&m);
+                            __func__, ssh_err(r));
-        forced_command = have_forced ? xstrdup("true") : NULL;
+        }
        buffer_free(&m);
-        return (allowed);
+        if (authoptp != NULL) {
+                *authoptp = opts;
+                opts = NULL;
+        }
+        sshauthopt_free(opts);
+        return allowed;
 }
 /*
@@ -463,7 +468,7 @@ mm_key_allowed(enum mm_keytype type, const char *user, const char *host,
 int
 mm_sshkey_verify(const struct sshkey *key, const u_char *sig, size_t siglen,
-    const u_char *data, size_t datalen, u_int compat)
+    const u_char *data, size_t datalen, const char *sigalg, u_int compat)
 {
        Buffer m;
        u_char *blob;
@@ -480,6 +485,7 @@ mm_sshkey_verify(const struct sshkey *key, const u_char *sig, size_t siglen,
        buffer_put_string(&m, blob, len);
        buffer_put_string(&m, sig, siglen);
        buffer_put_string(&m, data, datalen);
+        buffer_put_cstring(&m, sigalg == NULL ? "" : sigalg);
        free(blob);
        mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_KEYVERIFY, &m);

diff --git a/monitor_wrap.c b/monitor_wrap.c index d806bb2e7..7b2d06c65 100644 --- a/monitor_wrap.c +++ b/monitor_wrap.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: monitor_wrap.c,v 1.94 2017/10/02 19:33:20 djm Exp $ */	1	/* $OpenBSD: monitor_wrap.c,v 1.99 2018/03/03 03:15:51 djm Exp $ */
2	/*	2	/*
3	* Copyright 2002 Niels Provos <provos@citi.umich.edu>	3	* Copyright 2002 Niels Provos <provos@citi.umich.edu>
4	* Copyright 2002 Markus Friedl <markus@openbsd.org>	4	* Copyright 2002 Markus Friedl <markus@openbsd.org>
@@ -76,7 +76,6 @@
76	#include "atomicio.h"	76	#include "atomicio.h"
77	#include "monitor_fdpass.h"	77	#include "monitor_fdpass.h"
78	#include "misc.h"	78	#include "misc.h"
79	#include "uuencode.h"
80		79
81	#include "channels.h"	80	#include "channels.h"
82	#include "session.h"	81	#include "session.h"
@@ -287,19 +286,15 @@ out:
287	newopts->x = buffer_get_string(&m, NULL); \	286	newopts->x = buffer_get_string(&m, NULL); \
288	} while (0)	287	} while (0)
289	#define M_CP_STRARRAYOPT(x, nx) do { \	288	#define M_CP_STRARRAYOPT(x, nx) do { \
290	for (i = 0; i < newopts->nx; i++) \
291	newopts->x[i] = buffer_get_string(&m, NULL); \
292	} while (0)
293	#define M_CP_STRARRAYOPT_ALLOC(x, nx) do { \
294	newopts->x = newopts->nx == 0 ? \	289	newopts->x = newopts->nx == 0 ? \
295	NULL : xcalloc(newopts->nx, sizeof(*newopts->x)); \	290	NULL : xcalloc(newopts->nx, sizeof(*newopts->x)); \
296	M_CP_STRARRAYOPT(x, nx); \	291	for (i = 0; i < newopts->nx; i++) \
		292	newopts->x[i] = buffer_get_string(&m, NULL); \
297	} while (0)	293	} while (0)
298	/* See comment in servconf.h */	294	/* See comment in servconf.h */
299	COPY_MATCH_STRING_OPTS();	295	COPY_MATCH_STRING_OPTS();
300	#undef M_CP_STROPT	296	#undef M_CP_STROPT
301	#undef M_CP_STRARRAYOPT	297	#undef M_CP_STRARRAYOPT
302	#undef M_CP_STRARRAYOPT_ALLOC
303		298
304	copy_set_server_options(&options, newopts, 1);	299	copy_set_server_options(&options, newopts, 1);
305	log_change_level(options.log_level);	300	log_change_level(options.log_level);
@@ -374,7 +369,7 @@ mm_inform_authrole(char *role)
374		369
375	/* Do the password authentication */	370	/* Do the password authentication */
376	int	371	int
377	mm_auth_password(Authctxt authctxt, char password)	372	mm_auth_password(struct ssh ssh, char password)
378	{	373	{
379	Buffer m;	374	Buffer m;
380	int authenticated = 0;	375	int authenticated = 0;
@@ -401,34 +396,38 @@ mm_auth_password(Authctxt authctxt, char password)
401	}	396	}
402		397
403	int	398	int
404	mm_user_key_allowed(struct passwd pw, struct sshkey key,	399	mm_user_key_allowed(struct ssh ssh, struct passwd pw, struct sshkey *key,
405	int pubkey_auth_attempt)	400	int pubkey_auth_attempt, struct sshauthopt **authoptp)
406	{	401	{
407	return (mm_key_allowed(MM_USERKEY, NULL, NULL, key,	402	return (mm_key_allowed(MM_USERKEY, NULL, NULL, key,
408	pubkey_auth_attempt));	403	pubkey_auth_attempt, authoptp));
409	}	404	}
410		405
411	int	406	int
412	mm_hostbased_key_allowed(struct passwd pw, const char user, const char *host,	407	mm_hostbased_key_allowed(struct passwd pw, const char user, const char *host,
413	struct sshkey *key)	408	struct sshkey *key)
414	{	409	{
415	return (mm_key_allowed(MM_HOSTKEY, user, host, key, 0));	410	return (mm_key_allowed(MM_HOSTKEY, user, host, key, 0, NULL));
416	}	411	}
417		412
418	int	413	int
419	mm_key_allowed(enum mm_keytype type, const char user, const char host,	414	mm_key_allowed(enum mm_keytype type, const char user, const char host,
420	struct sshkey *key, int pubkey_auth_attempt)	415	struct sshkey key, int pubkey_auth_attempt, struct sshauthopt *authoptp)
421	{	416	{
422	Buffer m;	417	Buffer m;
423	u_char *blob;	418	u_char *blob;
424	u_int len;	419	u_int len;
425	int allowed = 0, have_forced = 0;	420	int r, allowed = 0;
		421	struct sshauthopt *opts = NULL;
426		422
427	debug3("%s entering", __func__);	423	debug3("%s entering", __func__);
428		424
		425	if (authoptp != NULL)
		426	*authoptp = NULL;
		427
429	/* Convert the key to a blob and the pass it over */	428	/* Convert the key to a blob and the pass it over */
430	if (!key_to_blob(key, &blob, &len))	429	if (!key_to_blob(key, &blob, &len))
431	return (0);	430	return 0;
432		431
433	buffer_init(&m);	432	buffer_init(&m);
434	buffer_put_int(&m, type);	433	buffer_put_int(&m, type);
@@ -441,18 +440,24 @@ mm_key_allowed(enum mm_keytype type, const char user, const char host,
441	mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_KEYALLOWED, &m);	440	mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_KEYALLOWED, &m);
442		441
443	debug3("%s: waiting for MONITOR_ANS_KEYALLOWED", __func__);	442	debug3("%s: waiting for MONITOR_ANS_KEYALLOWED", __func__);
444	mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_KEYALLOWED, &m);	443	mm_request_receive_expect(pmonitor->m_recvfd,
		444	MONITOR_ANS_KEYALLOWED, &m);
445		445
446	allowed = buffer_get_int(&m);	446	allowed = buffer_get_int(&m);
447		447	if (allowed && type == MM_USERKEY) {
448	/* fake forced command */	448	if ((r = sshauthopt_deserialise(&m, &opts)) != 0)
449	auth_clear_options();	449	fatal("%s: sshauthopt_deserialise: %s",
450	have_forced = buffer_get_int(&m);	450	__func__, ssh_err(r));
451	forced_command = have_forced ? xstrdup("true") : NULL;	451	}
452
453	buffer_free(&m);	452	buffer_free(&m);
454		453
455	return (allowed);	454	if (authoptp != NULL) {
		455	*authoptp = opts;
		456	opts = NULL;
		457	}
		458	sshauthopt_free(opts);
		459
		460	return allowed;
456	}	461	}
457		462
458	/*	463	/*
@@ -463,7 +468,7 @@ mm_key_allowed(enum mm_keytype type, const char user, const char host,
463		468
464	int	469	int
465	mm_sshkey_verify(const struct sshkey key, const u_char sig, size_t siglen,	470	mm_sshkey_verify(const struct sshkey key, const u_char sig, size_t siglen,
466	const u_char *data, size_t datalen, u_int compat)	471	const u_char data, size_t datalen, const char sigalg, u_int compat)
467	{	472	{
468	Buffer m;	473	Buffer m;
469	u_char *blob;	474	u_char *blob;
@@ -480,6 +485,7 @@ mm_sshkey_verify(const struct sshkey key, const u_char sig, size_t siglen,
480	buffer_put_string(&m, blob, len);	485	buffer_put_string(&m, blob, len);
481	buffer_put_string(&m, sig, siglen);	486	buffer_put_string(&m, sig, siglen);
482	buffer_put_string(&m, data, datalen);	487	buffer_put_string(&m, data, datalen);
		488	buffer_put_cstring(&m, sigalg == NULL ? "" : sigalg);
483	free(blob);	489	free(blob);
484		490
485	mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_KEYVERIFY, &m);	491	mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_KEYVERIFY, &m);