]> andersk Git - openssh.git/blame - monitor.c
andersk / openssh.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
- djm@cvs.openbsd.org 2007/05/17 20:48:13
[openssh.git] / monitor.c
CommitLineData
03bcbf84 1/* $OpenBSD: monitor.c,v 1.90 2007/02/19 10:45:58 dtucker Exp $ */
1853d1ef 2/*
3 * Copyright 2002 Niels Provos <provos@citi.umich.edu>
4 * Copyright 2002 Markus Friedl <markus@openbsd.org>
5 * All rights reserved.
6 *
7 * Redistribution and use in source and binary forms, with or without
8 * modification, are permitted provided that the following conditions
9 * are met:
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
12 * 2. Redistributions in binary form must reproduce the above copyright
13 * notice, this list of conditions and the following disclaimer in the
14 * documentation and/or other materials provided with the distribution.
15 *
16 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
17 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
18 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
19 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
20 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
21 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
22 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
23 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
24 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
25 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
26 */
27
28#include "includes.h"
aa2eae64 29
30#include <sys/types.h>
536c14e8 31#include <sys/param.h>
5b04a8bf 32#include <sys/socket.h>
31652869 33#include "openbsd-compat/sys-tree.h"
aa2eae64 34#include <sys/wait.h>
1853d1ef 35
028094f4 36#include <errno.h>
d3221cca 37#include <fcntl.h>
b5b88c19 38#ifdef HAVE_PATHS_H
a75f5360 39#include <paths.h>
b5b88c19 40#endif
b1842393 41#include <pwd.h>
ada68823 42#include <signal.h>
24436b92 43#include <stdarg.h>
ffa517a8 44#include <stdlib.h>
00146caa 45#include <string.h>
aa751414 46#include <unistd.h>
1853d1ef 47
48#ifdef SKEY
49#include <skey.h>
50#endif
51
a75f5360 52#include <openssl/dh.h>
53
31652869 54#include "xmalloc.h"
1853d1ef 55#include "ssh.h"
31652869 56#include "key.h"
57#include "buffer.h"
58#include "hostfile.h"
1853d1ef 59#include "auth.h"
31652869 60#include "cipher.h"
1853d1ef 61#include "kex.h"
62#include "dh.h"
a655c012 63#ifdef TARGET_OS_MAC /* XXX Broken krb5 headers on Mac */
64#undef TARGET_OS_MAC
9b08c23f 65#include "zlib.h"
a655c012 66#define TARGET_OS_MAC 1
67#else
68#include "zlib.h"
69#endif
1853d1ef 70#include "packet.h"
71#include "auth-options.h"
72#include "sshpty.h"
73#include "channels.h"
74#include "session.h"
75#include "sshlogin.h"
76#include "canohost.h"
77#include "log.h"
78#include "servconf.h"
79#include "monitor.h"
80#include "monitor_mm.h"
31652869 81#ifdef GSSAPI
82#include "ssh-gss.h"
83#endif
1853d1ef 84#include "monitor_wrap.h"
85#include "monitor_fdpass.h"
1853d1ef 86#include "misc.h"
1853d1ef 87#include "compat.h"
88#include "ssh2.h"
1853d1ef 89
7364bd04 90#ifdef GSSAPI
7364bd04 91static Gssctxt *gsscontext = NULL;
92#endif
93
1853d1ef 94/* Imports */
95extern ServerOptions options;
96extern u_int utmp_len;
97extern Newkeys *current_keys[];
98extern z_stream incoming_stream;
99extern z_stream outgoing_stream;
100extern u_char session_id[];
101extern Buffer input, output;
102extern Buffer auth_debug;
103extern int auth_debug_init;
be2ca0c9 104extern Buffer loginmsg;
1853d1ef 105
106/* State exported from the child */
107
108struct {
109 z_stream incoming;
110 z_stream outgoing;
111 u_char *keyin;
112 u_int keyinlen;
113 u_char *keyout;
114 u_int keyoutlen;
115 u_char *ivin;
116 u_int ivinlen;
117 u_char *ivout;
118 u_int ivoutlen;
9459414c 119 u_char *ssh1key;
120 u_int ssh1keylen;
1853d1ef 121 int ssh1cipher;
122 int ssh1protoflags;
123 u_char *input;
124 u_int ilen;
125 u_char *output;
126 u_int olen;
127} child_state;
128
b8e04133 129/* Functions on the monitor that answer unprivileged requests */
1853d1ef 130
131int mm_answer_moduli(int, Buffer *);
132int mm_answer_sign(int, Buffer *);
133int mm_answer_pwnamallow(int, Buffer *);
94a73cdc 134int mm_answer_auth2_read_banner(int, Buffer *);
1853d1ef 135int mm_answer_authserv(int, Buffer *);
136int mm_answer_authpassword(int, Buffer *);
137int mm_answer_bsdauthquery(int, Buffer *);
138int mm_answer_bsdauthrespond(int, Buffer *);
139int mm_answer_skeyquery(int, Buffer *);
140int mm_answer_skeyrespond(int, Buffer *);
141int mm_answer_keyallowed(int, Buffer *);
142int mm_answer_keyverify(int, Buffer *);
143int mm_answer_pty(int, Buffer *);
144int mm_answer_pty_cleanup(int, Buffer *);
145int mm_answer_term(int, Buffer *);
146int mm_answer_rsa_keyallowed(int, Buffer *);
147int mm_answer_rsa_challenge(int, Buffer *);
148int mm_answer_rsa_response(int, Buffer *);
149int mm_answer_sesskey(int, Buffer *);
150int mm_answer_sessid(int, Buffer *);
151
ad200abb 152#ifdef USE_PAM
153int mm_answer_pam_start(int, Buffer *);
5b9e2464 154int mm_answer_pam_account(int, Buffer *);
05114c74 155int mm_answer_pam_init_ctx(int, Buffer *);
156int mm_answer_pam_query(int, Buffer *);
157int mm_answer_pam_respond(int, Buffer *);
158int mm_answer_pam_free_ctx(int, Buffer *);
ad200abb 159#endif
160
7364bd04 161#ifdef GSSAPI
162int mm_answer_gss_setup_ctx(int, Buffer *);
163int mm_answer_gss_accept_ctx(int, Buffer *);
164int mm_answer_gss_userok(int, Buffer *);
0789992b 165int mm_answer_gss_checkmic(int, Buffer *);
7364bd04 166#endif
696f6bef 167
6039eeef 168#ifdef SSH_AUDIT_EVENTS
c00e4d75 169int mm_answer_audit_event(int, Buffer *);
170int mm_answer_audit_command(int, Buffer *);
171#endif
172
1853d1ef 173static Authctxt *authctxt;
174static BIGNUM *ssh1_challenge = NULL; /* used for ssh1 rsa auth */
175
176/* local state for key verify */
177static u_char *key_blob = NULL;
178static u_int key_bloblen = 0;
179static int key_blobtype = MM_NOKEY;
661e45a0 180static char *hostbased_cuser = NULL;
181static char *hostbased_chost = NULL;
1853d1ef 182static char *auth_method = "unknown";
a27002e5 183static u_int session_id2_len = 0;
521d606b 184static u_char *session_id2 = NULL;
3a39206f 185static pid_t monitor_child_pid;
1853d1ef 186
187struct mon_table {
188 enum monitor_reqtype type;
189 int flags;
190 int (*f)(int, Buffer *);
191};
192
193#define MON_ISAUTH 0x0004 /* Required for Authentication */
194#define MON_AUTHDECIDE 0x0008 /* Decides Authentication */
195#define MON_ONCE 0x0010 /* Disable after calling */
c023a130 196#define MON_ALOG 0x0020 /* Log auth attempt without authenticating */
1853d1ef 197
198#define MON_AUTH (MON_ISAUTH|MON_AUTHDECIDE)
199
200#define MON_PERMIT 0x1000 /* Request is permitted */
201
202struct mon_table mon_dispatch_proto20[] = {
203 {MONITOR_REQ_MODULI, MON_ONCE, mm_answer_moduli},
204 {MONITOR_REQ_SIGN, MON_ONCE, mm_answer_sign},
205 {MONITOR_REQ_PWNAM, MON_ONCE, mm_answer_pwnamallow},
206 {MONITOR_REQ_AUTHSERV, MON_ONCE, mm_answer_authserv},
94a73cdc 207 {MONITOR_REQ_AUTH2_READ_BANNER, MON_ONCE, mm_answer_auth2_read_banner},
1853d1ef 208 {MONITOR_REQ_AUTHPASSWORD, MON_AUTH, mm_answer_authpassword},
ad200abb 209#ifdef USE_PAM
210 {MONITOR_REQ_PAM_START, MON_ONCE, mm_answer_pam_start},
5b9e2464 211 {MONITOR_REQ_PAM_ACCOUNT, 0, mm_answer_pam_account},
05114c74 212 {MONITOR_REQ_PAM_INIT_CTX, MON_ISAUTH, mm_answer_pam_init_ctx},
213 {MONITOR_REQ_PAM_QUERY, MON_ISAUTH, mm_answer_pam_query},
214 {MONITOR_REQ_PAM_RESPOND, MON_ISAUTH, mm_answer_pam_respond},
215 {MONITOR_REQ_PAM_FREE_CTX, MON_ONCE|MON_AUTHDECIDE, mm_answer_pam_free_ctx},
8b314ec9 216#endif
6039eeef 217#ifdef SSH_AUDIT_EVENTS
d9bc3cde 218 {MONITOR_REQ_AUDIT_EVENT, MON_PERMIT, mm_answer_audit_event},
c00e4d75 219#endif
1853d1ef 220#ifdef BSD_AUTH
221 {MONITOR_REQ_BSDAUTHQUERY, MON_ISAUTH, mm_answer_bsdauthquery},
1720c23b 222 {MONITOR_REQ_BSDAUTHRESPOND, MON_AUTH, mm_answer_bsdauthrespond},
1853d1ef 223#endif
224#ifdef SKEY
225 {MONITOR_REQ_SKEYQUERY, MON_ISAUTH, mm_answer_skeyquery},
226 {MONITOR_REQ_SKEYRESPOND, MON_AUTH, mm_answer_skeyrespond},
227#endif
228 {MONITOR_REQ_KEYALLOWED, MON_ISAUTH, mm_answer_keyallowed},
229 {MONITOR_REQ_KEYVERIFY, MON_AUTH, mm_answer_keyverify},
7364bd04 230#ifdef GSSAPI
231 {MONITOR_REQ_GSSSETUP, MON_ISAUTH, mm_answer_gss_setup_ctx},
232 {MONITOR_REQ_GSSSTEP, MON_ISAUTH, mm_answer_gss_accept_ctx},
233 {MONITOR_REQ_GSSUSEROK, MON_AUTH, mm_answer_gss_userok},
0789992b 234 {MONITOR_REQ_GSSCHECKMIC, MON_ISAUTH, mm_answer_gss_checkmic},
802e01b8 235#endif
1853d1ef 236 {0, 0, NULL}
237};
238
239struct mon_table mon_dispatch_postauth20[] = {
240 {MONITOR_REQ_MODULI, 0, mm_answer_moduli},
241 {MONITOR_REQ_SIGN, 0, mm_answer_sign},
242 {MONITOR_REQ_PTY, 0, mm_answer_pty},
243 {MONITOR_REQ_PTYCLEANUP, 0, mm_answer_pty_cleanup},
244 {MONITOR_REQ_TERM, 0, mm_answer_term},
6039eeef 245#ifdef SSH_AUDIT_EVENTS
c00e4d75 246 {MONITOR_REQ_AUDIT_EVENT, MON_PERMIT, mm_answer_audit_event},
247 {MONITOR_REQ_AUDIT_COMMAND, MON_PERMIT, mm_answer_audit_command},
248#endif
1853d1ef 249 {0, 0, NULL}
250};
251
252struct mon_table mon_dispatch_proto15[] = {
253 {MONITOR_REQ_PWNAM, MON_ONCE, mm_answer_pwnamallow},
254 {MONITOR_REQ_SESSKEY, MON_ONCE, mm_answer_sesskey},
255 {MONITOR_REQ_SESSID, MON_ONCE, mm_answer_sessid},
256 {MONITOR_REQ_AUTHPASSWORD, MON_AUTH, mm_answer_authpassword},
c023a130 257 {MONITOR_REQ_RSAKEYALLOWED, MON_ISAUTH|MON_ALOG, mm_answer_rsa_keyallowed},
258 {MONITOR_REQ_KEYALLOWED, MON_ISAUTH|MON_ALOG, mm_answer_keyallowed},
1853d1ef 259 {MONITOR_REQ_RSACHALLENGE, MON_ONCE, mm_answer_rsa_challenge},
260 {MONITOR_REQ_RSARESPONSE, MON_ONCE|MON_AUTHDECIDE, mm_answer_rsa_response},
261#ifdef BSD_AUTH
262 {MONITOR_REQ_BSDAUTHQUERY, MON_ISAUTH, mm_answer_bsdauthquery},
1720c23b 263 {MONITOR_REQ_BSDAUTHRESPOND, MON_AUTH, mm_answer_bsdauthrespond},
1853d1ef 264#endif
265#ifdef SKEY
266 {MONITOR_REQ_SKEYQUERY, MON_ISAUTH, mm_answer_skeyquery},
267 {MONITOR_REQ_SKEYRESPOND, MON_AUTH, mm_answer_skeyrespond},
efe44db6 268#endif
269#ifdef USE_PAM
270 {MONITOR_REQ_PAM_START, MON_ONCE, mm_answer_pam_start},
5b9e2464 271 {MONITOR_REQ_PAM_ACCOUNT, 0, mm_answer_pam_account},
05114c74 272 {MONITOR_REQ_PAM_INIT_CTX, MON_ISAUTH, mm_answer_pam_init_ctx},
273 {MONITOR_REQ_PAM_QUERY, MON_ISAUTH, mm_answer_pam_query},
274 {MONITOR_REQ_PAM_RESPOND, MON_ISAUTH, mm_answer_pam_respond},
275 {MONITOR_REQ_PAM_FREE_CTX, MON_ONCE|MON_AUTHDECIDE, mm_answer_pam_free_ctx},
c00e4d75 276#endif
6039eeef 277#ifdef SSH_AUDIT_EVENTS
d9bc3cde 278 {MONITOR_REQ_AUDIT_EVENT, MON_PERMIT, mm_answer_audit_event},
1853d1ef 279#endif
280 {0, 0, NULL}
281};
282
283struct mon_table mon_dispatch_postauth15[] = {
284 {MONITOR_REQ_PTY, MON_ONCE, mm_answer_pty},
285 {MONITOR_REQ_PTYCLEANUP, MON_ONCE, mm_answer_pty_cleanup},
286 {MONITOR_REQ_TERM, 0, mm_answer_term},
6039eeef 287#ifdef SSH_AUDIT_EVENTS
c00e4d75 288 {MONITOR_REQ_AUDIT_EVENT, MON_PERMIT, mm_answer_audit_event},
bb09a477 289 {MONITOR_REQ_AUDIT_COMMAND, MON_PERMIT|MON_ONCE, mm_answer_audit_command},
c00e4d75 290#endif
1853d1ef 291 {0, 0, NULL}
292};
293
294struct mon_table *mon_dispatch;
295
296/* Specifies if a certain message is allowed at the moment */
297
298static void
299monitor_permit(struct mon_table *ent, enum monitor_reqtype type, int permit)
300{
301 while (ent->f != NULL) {
302 if (ent->type == type) {
303 ent->flags &= ~MON_PERMIT;
304 ent->flags |= permit ? MON_PERMIT : 0;
305 return;
306 }
307 ent++;
308 }
309}
310
311static void
312monitor_permit_authentications(int permit)
313{
314 struct mon_table *ent = mon_dispatch;
315
316 while (ent->f != NULL) {
317 if (ent->flags & MON_AUTH) {
318 ent->flags &= ~MON_PERMIT;
319 ent->flags |= permit ? MON_PERMIT : 0;
320 }
321 ent++;
322 }
323}
324
2362db19 325void
326monitor_child_preauth(Authctxt *_authctxt, struct monitor *pmonitor)
1853d1ef 327{
328 struct mon_table *ent;
329 int authenticated = 0;
330
331 debug3("preauth child monitor started");
332
2362db19 333 authctxt = _authctxt;
334 memset(authctxt, 0, sizeof(*authctxt));
335
e05df884 336 authctxt->loginmsg = &loginmsg;
337
1853d1ef 338 if (compat20) {
339 mon_dispatch = mon_dispatch_proto20;
340
341 /* Permit requests for moduli and signatures */
342 monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1);
343 monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1);
344 } else {
345 mon_dispatch = mon_dispatch_proto15;
346
347 monitor_permit(mon_dispatch, MONITOR_REQ_SESSKEY, 1);
348 }
349
1853d1ef 350 /* The first few requests do not require asynchronous access */
351 while (!authenticated) {
c023a130 352 auth_method = "unknown";
89916e8c 353 authenticated = (monitor_read(pmonitor, mon_dispatch, &ent) == 1);
1853d1ef 354 if (authenticated) {
355 if (!(ent->flags & MON_AUTHDECIDE))
356 fatal("%s: unexpected authentication from %d",
1588c277 357 __func__, ent->type);
1853d1ef 358 if (authctxt->pw->pw_uid == 0 &&
359 !auth_root_allowed(auth_method))
360 authenticated = 0;
5b9e2464 361#ifdef USE_PAM
362 /* PAM needs to perform account checks after auth */
4d1de3a3 363 if (options.use_pam && authenticated) {
5b9e2464 364 Buffer m;
365
366 buffer_init(&m);
aff51935 367 mm_request_receive_expect(pmonitor->m_sendfd,
5b9e2464 368 MONITOR_REQ_PAM_ACCOUNT, &m);
369 authenticated = mm_answer_pam_account(pmonitor->m_sendfd, &m);
370 buffer_free(&m);
371 }
372#endif
1853d1ef 373 }
374
c023a130 375 if (ent->flags & (MON_AUTHDECIDE|MON_ALOG)) {
1853d1ef 376 auth_log(authctxt, authenticated, auth_method,
377 compat20 ? " ssh2" : "");
378 if (!authenticated)
379 authctxt->failures++;
380 }
381 }
382
383 if (!authctxt->valid)
1588c277 384 fatal("%s: authenticated invalid user", __func__);
c023a130 385 if (strcmp(auth_method, "unknown") == 0)
386 fatal("%s: authentication method name unknown", __func__);
1853d1ef 387
388 debug("%s: %s has been authenticated by privileged process",
1588c277 389 __func__, authctxt->user);
1853d1ef 390
b5a28cbc 391 mm_get_keystate(pmonitor);
1853d1ef 392}
393
3a39206f 394static void
395monitor_set_child_handler(pid_t pid)
396{
397 monitor_child_pid = pid;
398}
399
400static void
ca75d7de 401monitor_child_handler(int sig)
3a39206f 402{
ca75d7de 403 kill(monitor_child_pid, sig);
3a39206f 404}
405
1853d1ef 406void
b5a28cbc 407monitor_child_postauth(struct monitor *pmonitor)
1853d1ef 408{
3a39206f 409 monitor_set_child_handler(pmonitor->m_pid);
410 signal(SIGHUP, &monitor_child_handler);
411 signal(SIGTERM, &monitor_child_handler);
412
1853d1ef 413 if (compat20) {
414 mon_dispatch = mon_dispatch_postauth20;
415
416 /* Permit requests for moduli and signatures */
417 monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1);
418 monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1);
419 monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1);
1853d1ef 420 } else {
421 mon_dispatch = mon_dispatch_postauth15;
422 monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1);
423 }
424 if (!no_pty_flag) {
425 monitor_permit(mon_dispatch, MONITOR_REQ_PTY, 1);
426 monitor_permit(mon_dispatch, MONITOR_REQ_PTYCLEANUP, 1);
427 }
428
429 for (;;)
b5a28cbc 430 monitor_read(pmonitor, mon_dispatch, NULL);
1853d1ef 431}
432
433void
b5a28cbc 434monitor_sync(struct monitor *pmonitor)
1853d1ef 435{
0496cf34 436 if (options.compression) {
437 /* The member allocation is not visible, so sync it */
438 mm_share_sync(&pmonitor->m_zlib, &pmonitor->m_zback);
439 }
1853d1ef 440}
441
442int
b5a28cbc 443monitor_read(struct monitor *pmonitor, struct mon_table *ent,
1853d1ef 444 struct mon_table **pent)
445{
446 Buffer m;
447 int ret;
448 u_char type;
449
450 buffer_init(&m);
451
b5a28cbc 452 mm_request_receive(pmonitor->m_sendfd, &m);
1853d1ef 453 type = buffer_get_char(&m);
454
1588c277 455 debug3("%s: checking request %d", __func__, type);
1853d1ef 456
457 while (ent->f != NULL) {
458 if (ent->type == type)
459 break;
460 ent++;
461 }
462
463 if (ent->f != NULL) {
464 if (!(ent->flags & MON_PERMIT))
1588c277 465 fatal("%s: unpermitted request %d", __func__,
1853d1ef 466 type);
b5a28cbc 467 ret = (*ent->f)(pmonitor->m_sendfd, &m);
1853d1ef 468 buffer_free(&m);
469
470 /* The child may use this request only once, disable it */
471 if (ent->flags & MON_ONCE) {
1588c277 472 debug2("%s: %d used once, disabling now", __func__,
1853d1ef 473 type);
474 ent->flags &= ~MON_PERMIT;
475 }
476
477 if (pent != NULL)
478 *pent = ent;
479
480 return ret;
481 }
482
1588c277 483 fatal("%s: unsupported request: %d", __func__, type);
1853d1ef 484
485 /* NOTREACHED */
486 return (-1);
487}
488
489/* allowed key state */
490static int
491monitor_allowed_key(u_char *blob, u_int bloblen)
492{
493 /* make sure key is allowed */
494 if (key_blob == NULL || key_bloblen != bloblen ||
495 memcmp(key_blob, blob, key_bloblen))
496 return (0);
497 return (1);
498}
499
500static void
501monitor_reset_key_state(void)
502{
503 /* reset state */
504 if (key_blob != NULL)
505 xfree(key_blob);
506 if (hostbased_cuser != NULL)
507 xfree(hostbased_cuser);
508 if (hostbased_chost != NULL)
509 xfree(hostbased_chost);
510 key_blob = NULL;
511 key_bloblen = 0;
512 key_blobtype = MM_NOKEY;
513 hostbased_cuser = NULL;
514 hostbased_chost = NULL;
515}
516
517int
ca75d7de 518mm_answer_moduli(int sock, Buffer *m)
1853d1ef 519{
520 DH *dh;
521 int min, want, max;
522
523 min = buffer_get_int(m);
524 want = buffer_get_int(m);
525 max = buffer_get_int(m);
526
527 debug3("%s: got parameters: %d %d %d",
1588c277 528 __func__, min, want, max);
1853d1ef 529 /* We need to check here, too, in case the child got corrupted */
530 if (max < min || want < min || max < want)
531 fatal("%s: bad parameters: %d %d %d",
1588c277 532 __func__, min, want, max);
1853d1ef 533
534 buffer_clear(m);
535
536 dh = choose_dh(min, want, max);
537 if (dh == NULL) {
538 buffer_put_char(m, 0);
539 return (0);
540 } else {
541 /* Send first bignum */
542 buffer_put_char(m, 1);
543 buffer_put_bignum2(m, dh->p);
544 buffer_put_bignum2(m, dh->g);
545
546 DH_free(dh);
547 }
ca75d7de 548 mm_request_send(sock, MONITOR_ANS_MODULI, m);
1853d1ef 549 return (0);
550}
551
552int
ca75d7de 553mm_answer_sign(int sock, Buffer *m)
1853d1ef 554{
555 Key *key;
556 u_char *p;
557 u_char *signature;
558 u_int siglen, datlen;
559 int keyid;
560
1588c277 561 debug3("%s", __func__);
1853d1ef 562
563 keyid = buffer_get_int(m);
564 p = buffer_get_string(m, &datlen);
565
2ff8003a 566 /*
b4bbf172 567 * Supported KEX types will only return SHA1 (20 byte) or
2ff8003a 568 * SHA256 (32 byte) hashes
569 */
570 if (datlen != 20 && datlen != 32)
d1ff09ba 571 fatal("%s: data length incorrect: %u", __func__, datlen);
1853d1ef 572
521d606b 573 /* save session id, it will be passed on the first call */
574 if (session_id2_len == 0) {
575 session_id2_len = datlen;
576 session_id2 = xmalloc(session_id2_len);
577 memcpy(session_id2, p, session_id2_len);
578 }
579
1853d1ef 580 if ((key = get_hostkey_by_index(keyid)) == NULL)
1588c277 581 fatal("%s: no hostkey from index %d", __func__, keyid);
1853d1ef 582 if (key_sign(key, &signature, &siglen, p, datlen) < 0)
1588c277 583 fatal("%s: key_sign failed", __func__);
1853d1ef 584
d1ff09ba 585 debug3("%s: signature %p(%u)", __func__, signature, siglen);
1853d1ef 586
587 buffer_clear(m);
588 buffer_put_string(m, signature, siglen);
589
590 xfree(p);
591 xfree(signature);
592
ca75d7de 593 mm_request_send(sock, MONITOR_ANS_SIGN, m);
1853d1ef 594
595 /* Turn on permissions for getpwnam */
596 monitor_permit(mon_dispatch, MONITOR_REQ_PWNAM, 1);
597
598 return (0);
599}
600
601/* Retrieves the password entry and also checks if the user is permitted */
602
603int
ca75d7de 604mm_answer_pwnamallow(int sock, Buffer *m)
1853d1ef 605{
18a8f313 606 char *username;
1853d1ef 607 struct passwd *pwent;
608 int allowed = 0;
609
1588c277 610 debug3("%s", __func__);
1853d1ef 611
612 if (authctxt->attempt++ != 0)
1588c277 613 fatal("%s: multiple attempts for getpwnam", __func__);
1853d1ef 614
18a8f313 615 username = buffer_get_string(m, NULL);
1853d1ef 616
18a8f313 617 pwent = getpwnamallow(username);
1853d1ef 618
18a8f313 619 authctxt->user = xstrdup(username);
620 setproctitle("%s [priv]", pwent ? username : "unknown");
621 xfree(username);
1853d1ef 622
623 buffer_clear(m);
624
625 if (pwent == NULL) {
626 buffer_put_char(m, 0);
b2a5802b 627 authctxt->pw = fakepw();
1853d1ef 628 goto out;
629 }
630
631 allowed = 1;
632 authctxt->pw = pwent;
633 authctxt->valid = 1;
634
635 buffer_put_char(m, 1);
636 buffer_put_string(m, pwent, sizeof(struct passwd));
637 buffer_put_cstring(m, pwent->pw_name);
638 buffer_put_cstring(m, "*");
639 buffer_put_cstring(m, pwent->pw_gecos);
7b18c353 640#ifdef HAVE_PW_CLASS_IN_PASSWD
1853d1ef 641 buffer_put_cstring(m, pwent->pw_class);
7b18c353 642#endif
1853d1ef 643 buffer_put_cstring(m, pwent->pw_dir);
644 buffer_put_cstring(m, pwent->pw_shell);
03bcbf84 645 buffer_put_string(m, &options, sizeof(options));
646 if (options.banner != NULL)
647 buffer_put_cstring(m, options.banner);
1853d1ef 648
649 out:
1588c277 650 debug3("%s: sending MONITOR_ANS_PWNAM: %d", __func__, allowed);
ca75d7de 651 mm_request_send(sock, MONITOR_ANS_PWNAM, m);
1853d1ef 652
653 /* For SSHv1 allow authentication now */
654 if (!compat20)
655 monitor_permit_authentications(1);
94a73cdc 656 else {
1853d1ef 657 /* Allow service/style information on the auth context */
658 monitor_permit(mon_dispatch, MONITOR_REQ_AUTHSERV, 1);
94a73cdc 659 monitor_permit(mon_dispatch, MONITOR_REQ_AUTH2_READ_BANNER, 1);
660 }
1853d1ef 661
efe44db6 662#ifdef USE_PAM
7fceb20d 663 if (options.use_pam)
664 monitor_permit(mon_dispatch, MONITOR_REQ_PAM_START, 1);
efe44db6 665#endif
1853d1ef 666
667 return (0);
668}
669
ca75d7de 670int mm_answer_auth2_read_banner(int sock, Buffer *m)
94a73cdc 671{
672 char *banner;
673
674 buffer_clear(m);
675 banner = auth2_read_banner();
676 buffer_put_cstring(m, banner != NULL ? banner : "");
ca75d7de 677 mm_request_send(sock, MONITOR_ANS_AUTH2_READ_BANNER, m);
94a73cdc 678
679 if (banner != NULL)
30e37ee6 680 xfree(banner);
94a73cdc 681
682 return (0);
683}
684
1853d1ef 685int
ca75d7de 686mm_answer_authserv(int sock, Buffer *m)
1853d1ef 687{
688 monitor_permit_authentications(1);
689
690 authctxt->service = buffer_get_string(m, NULL);
691 authctxt->style = buffer_get_string(m, NULL);
692 debug3("%s: service=%s, style=%s",
1588c277 693 __func__, authctxt->service, authctxt->style);
1853d1ef 694
695 if (strlen(authctxt->style) == 0) {
696 xfree(authctxt->style);
697 authctxt->style = NULL;
698 }
699
700 return (0);
701}
702
703int
ca75d7de 704mm_answer_authpassword(int sock, Buffer *m)
1853d1ef 705{
706 static int call_count;
707 char *passwd;
d341742a 708 int authenticated;
709 u_int plen;
1853d1ef 710
711 passwd = buffer_get_string(m, &plen);
712 /* Only authenticate if the context is valid */
aa586f8e 713 authenticated = options.password_authentication &&
96d0bf74 714 auth_password(authctxt, passwd);
1853d1ef 715 memset(passwd, 0, strlen(passwd));
716 xfree(passwd);
717
718 buffer_clear(m);
719 buffer_put_int(m, authenticated);
720
1588c277 721 debug3("%s: sending result %d", __func__, authenticated);
ca75d7de 722 mm_request_send(sock, MONITOR_ANS_AUTHPASSWORD, m);
1853d1ef 723
724 call_count++;
725 if (plen == 0 && call_count == 1)
726 auth_method = "none";
727 else
728 auth_method = "password";
729
730 /* Causes monitor loop to terminate if authenticated */
731 return (authenticated);
732}
733
734#ifdef BSD_AUTH
735int
ca75d7de 736mm_answer_bsdauthquery(int sock, Buffer *m)
1853d1ef 737{
738 char *name, *infotxt;
739 u_int numprompts;
740 u_int *echo_on;
741 char **prompts;
6d6c25e3 742 u_int success;
1853d1ef 743
6d6c25e3 744 success = bsdauth_query(authctxt, &name, &infotxt, &numprompts,
745 &prompts, &echo_on) < 0 ? 0 : 1;
1853d1ef 746
747 buffer_clear(m);
6d6c25e3 748 buffer_put_int(m, success);
749 if (success)
1853d1ef 750 buffer_put_cstring(m, prompts[0]);
751
6d6c25e3 752 debug3("%s: sending challenge success: %u", __func__, success);
ca75d7de 753 mm_request_send(sock, MONITOR_ANS_BSDAUTHQUERY, m);
1853d1ef 754
6d6c25e3 755 if (success) {
1853d1ef 756 xfree(name);
757 xfree(infotxt);
758 xfree(prompts);
759 xfree(echo_on);
760 }
761
762 return (0);
763}
764
765int
ca75d7de 766mm_answer_bsdauthrespond(int sock, Buffer *m)
1853d1ef 767{
768 char *response;
769 int authok;
770
771 if (authctxt->as == 0)
1588c277 772 fatal("%s: no bsd auth session", __func__);
1853d1ef 773
774 response = buffer_get_string(m, NULL);
aa586f8e 775 authok = options.challenge_response_authentication &&
776 auth_userresponse(authctxt->as, response, 0);
1853d1ef 777 authctxt->as = NULL;
1588c277 778 debug3("%s: <%s> = <%d>", __func__, response, authok);
1853d1ef 779 xfree(response);
780
781 buffer_clear(m);
782 buffer_put_int(m, authok);
783
1588c277 784 debug3("%s: sending authenticated: %d", __func__, authok);
ca75d7de 785 mm_request_send(sock, MONITOR_ANS_BSDAUTHRESPOND, m);
1853d1ef 786
787 auth_method = "bsdauth";
788
789 return (authok != 0);
790}
791#endif
792
793#ifdef SKEY
794int
ca75d7de 795mm_answer_skeyquery(int sock, Buffer *m)
1853d1ef 796{
797 struct skey skey;
798 char challenge[1024];
6d6c25e3 799 u_int success;
1853d1ef 800
f2b7b5c8 801 success = _compat_skeychallenge(&skey, authctxt->user, challenge,
802 sizeof(challenge)) < 0 ? 0 : 1;
1853d1ef 803
804 buffer_clear(m);
6d6c25e3 805 buffer_put_int(m, success);
806 if (success)
1853d1ef 807 buffer_put_cstring(m, challenge);
808
6d6c25e3 809 debug3("%s: sending challenge success: %u", __func__, success);
ca75d7de 810 mm_request_send(sock, MONITOR_ANS_SKEYQUERY, m);
1853d1ef 811
812 return (0);
813}
814
815int
ca75d7de 816mm_answer_skeyrespond(int sock, Buffer *m)
1853d1ef 817{
818 char *response;
819 int authok;
820
821 response = buffer_get_string(m, NULL);
822
aa586f8e 823 authok = (options.challenge_response_authentication &&
824 authctxt->valid &&
1853d1ef 825 skey_haskey(authctxt->pw->pw_name) == 0 &&
826 skey_passcheck(authctxt->pw->pw_name, response) != -1);
827
828 xfree(response);
829
830 buffer_clear(m);
831 buffer_put_int(m, authok);
832
1588c277 833 debug3("%s: sending authenticated: %d", __func__, authok);
ca75d7de 834 mm_request_send(sock, MONITOR_ANS_SKEYRESPOND, m);
1853d1ef 835
836 auth_method = "skey";
837
838 return (authok != 0);
839}
840#endif
841
ad200abb 842#ifdef USE_PAM
843int
8b3ec5fd 844mm_answer_pam_start(int sock, Buffer *m)
ad200abb 845{
7fceb20d 846 if (!options.use_pam)
847 fatal("UsePAM not set, but ended up in %s anyway", __func__);
848
529d73ab 849 start_pam(authctxt);
ad200abb 850
5b9e2464 851 monitor_permit(mon_dispatch, MONITOR_REQ_PAM_ACCOUNT, 1);
852
ad200abb 853 return (0);
854}
05114c74 855
5b9e2464 856int
8b3ec5fd 857mm_answer_pam_account(int sock, Buffer *m)
5b9e2464 858{
859 u_int ret;
b6453d99 860
5b9e2464 861 if (!options.use_pam)
862 fatal("UsePAM not set, but ended up in %s anyway", __func__);
863
864 ret = do_pam_account();
865
866 buffer_put_int(m, ret);
cfb60d3a 867 buffer_put_string(m, buffer_ptr(&loginmsg), buffer_len(&loginmsg));
5b9e2464 868
8b3ec5fd 869 mm_request_send(sock, MONITOR_ANS_PAM_ACCOUNT, m);
5b9e2464 870
871 return (ret);
872}
873
05114c74 874static void *sshpam_ctxt, *sshpam_authok;
875extern KbdintDevice sshpam_device;
876
877int
8b3ec5fd 878mm_answer_pam_init_ctx(int sock, Buffer *m)
05114c74 879{
880
881 debug3("%s", __func__);
882 authctxt->user = buffer_get_string(m, NULL);
883 sshpam_ctxt = (sshpam_device.init_ctx)(authctxt);
884 sshpam_authok = NULL;
885 buffer_clear(m);
886 if (sshpam_ctxt != NULL) {
887 monitor_permit(mon_dispatch, MONITOR_REQ_PAM_FREE_CTX, 1);
888 buffer_put_int(m, 1);
889 } else {
890 buffer_put_int(m, 0);
891 }
8b3ec5fd 892 mm_request_send(sock, MONITOR_ANS_PAM_INIT_CTX, m);
05114c74 893 return (0);
894}
895
896int
8b3ec5fd 897mm_answer_pam_query(int sock, Buffer *m)
05114c74 898{
899 char *name, *info, **prompts;
a1a073cc 900 u_int i, num, *echo_on;
901 int ret;
05114c74 902
903 debug3("%s", __func__);
904 sshpam_authok = NULL;
905 ret = (sshpam_device.query)(sshpam_ctxt, &name, &info, &num, &prompts, &echo_on);
906 if (ret == 0 && num == 0)
907 sshpam_authok = sshpam_ctxt;
908 if (num > 1 || name == NULL || info == NULL)
909 ret = -1;
910 buffer_clear(m);
911 buffer_put_int(m, ret);
912 buffer_put_cstring(m, name);
913 xfree(name);
914 buffer_put_cstring(m, info);
915 xfree(info);
916 buffer_put_int(m, num);
917 for (i = 0; i < num; ++i) {
918 buffer_put_cstring(m, prompts[i]);
919 xfree(prompts[i]);
920 buffer_put_int(m, echo_on[i]);
921 }
922 if (prompts != NULL)
923 xfree(prompts);
924 if (echo_on != NULL)
925 xfree(echo_on);
2ae7f715 926 auth_method = "keyboard-interactive/pam";
8b3ec5fd 927 mm_request_send(sock, MONITOR_ANS_PAM_QUERY, m);
05114c74 928 return (0);
929}
930
931int
8b3ec5fd 932mm_answer_pam_respond(int sock, Buffer *m)
05114c74 933{
934 char **resp;
a1a073cc 935 u_int i, num;
936 int ret;
05114c74 937
938 debug3("%s", __func__);
939 sshpam_authok = NULL;
940 num = buffer_get_int(m);
941 if (num > 0) {
01d35895 942 resp = xcalloc(num, sizeof(char *));
05114c74 943 for (i = 0; i < num; ++i)
944 resp[i] = buffer_get_string(m, NULL);
945 ret = (sshpam_device.respond)(sshpam_ctxt, num, resp);
946 for (i = 0; i < num; ++i)
947 xfree(resp[i]);
948 xfree(resp);
949 } else {
950 ret = (sshpam_device.respond)(sshpam_ctxt, num, NULL);
951 }
952 buffer_clear(m);
953 buffer_put_int(m, ret);
8b3ec5fd 954 mm_request_send(sock, MONITOR_ANS_PAM_RESPOND, m);
05114c74 955 auth_method = "keyboard-interactive/pam";
956 if (ret == 0)
957 sshpam_authok = sshpam_ctxt;
958 return (0);
959}
960
961int
8b3ec5fd 962mm_answer_pam_free_ctx(int sock, Buffer *m)
05114c74 963{
964
965 debug3("%s", __func__);
966 (sshpam_device.free_ctx)(sshpam_ctxt);
967 buffer_clear(m);
8b3ec5fd 968 mm_request_send(sock, MONITOR_ANS_PAM_FREE_CTX, m);
2ae7f715 969 auth_method = "keyboard-interactive/pam";
05114c74 970 return (sshpam_authok == sshpam_ctxt);
971}
ad200abb 972#endif
973
1853d1ef 974static void
975mm_append_debug(Buffer *m)
976{
977 if (auth_debug_init && buffer_len(&auth_debug)) {
1588c277 978 debug3("%s: Appending debug messages for child", __func__);
1853d1ef 979 buffer_append(m, buffer_ptr(&auth_debug),
980 buffer_len(&auth_debug));
981 buffer_clear(&auth_debug);
982 }
983}
984
985int
ca75d7de 986mm_answer_keyallowed(int sock, Buffer *m)
1853d1ef 987{
988 Key *key;
661e45a0 989 char *cuser, *chost;
990 u_char *blob;
1853d1ef 991 u_int bloblen;
992 enum mm_keytype type = 0;
993 int allowed = 0;
994
1588c277 995 debug3("%s entering", __func__);
1853d1ef 996
997 type = buffer_get_int(m);
998 cuser = buffer_get_string(m, NULL);
999 chost = buffer_get_string(m, NULL);
1000 blob = buffer_get_string(m, &bloblen);
1001
1002 key = key_from_blob(blob, bloblen);
1003
1004 if ((compat20 && type == MM_RSAHOSTKEY) ||
1005 (!compat20 && type != MM_RSAHOSTKEY))
1588c277 1006 fatal("%s: key type and protocol mismatch", __func__);
1853d1ef 1007
1588c277 1008 debug3("%s: key_from_blob: %p", __func__, key);
1853d1ef 1009
fdaef11e 1010 if (key != NULL && authctxt->valid) {
f8cc7664 1011 switch (type) {
1853d1ef 1012 case MM_USERKEY:
aa586f8e 1013 allowed = options.pubkey_authentication &&
1014 user_key_allowed(authctxt->pw, key);
c023a130 1015 auth_method = "publickey";
1853d1ef 1016 break;
1017 case MM_HOSTKEY:
aa586f8e 1018 allowed = options.hostbased_authentication &&
1019 hostbased_key_allowed(authctxt->pw,
1853d1ef 1020 cuser, chost, key);
c023a130 1021 auth_method = "hostbased";
1853d1ef 1022 break;
1023 case MM_RSAHOSTKEY:
1024 key->type = KEY_RSA1; /* XXX */
aa586f8e 1025 allowed = options.rhosts_rsa_authentication &&
1026 auth_rhosts_rsa_key_allowed(authctxt->pw,
1853d1ef 1027 cuser, chost, key);
c023a130 1028 auth_method = "rsa";
1853d1ef 1029 break;
1030 default:
1588c277 1031 fatal("%s: unknown key type %d", __func__, type);
1853d1ef 1032 break;
1033 }
1853d1ef 1034 }
3e2f2431 1035 if (key != NULL)
1036 key_free(key);
1853d1ef 1037
1038 /* clear temporarily storage (used by verify) */
1039 monitor_reset_key_state();
1040
1041 if (allowed) {
1042 /* Save temporarily for comparison in verify */
1043 key_blob = blob;
1044 key_bloblen = bloblen;
1045 key_blobtype = type;
1046 hostbased_cuser = cuser;
1047 hostbased_chost = chost;
98d40a74 1048 } else {
c023a130 1049 /* Log failed attempt */
1050 auth_log(authctxt, 0, auth_method, compat20 ? " ssh2" : "");
98d40a74 1051 xfree(blob);
1052 xfree(cuser);
1053 xfree(chost);
1853d1ef 1054 }
1055
1056 debug3("%s: key %p is %s",
1588c277 1057 __func__, key, allowed ? "allowed" : "disallowed");
1853d1ef 1058
1059 buffer_clear(m);
1060 buffer_put_int(m, allowed);
92e15201 1061 buffer_put_int(m, forced_command != NULL);
1853d1ef 1062
1063 mm_append_debug(m);
1064
ca75d7de 1065 mm_request_send(sock, MONITOR_ANS_KEYALLOWED, m);
1853d1ef 1066
1067 if (type == MM_RSAHOSTKEY)
1068 monitor_permit(mon_dispatch, MONITOR_REQ_RSACHALLENGE, allowed);
1069
1070 return (0);
1071}
1072
1073static int
1074monitor_valid_userblob(u_char *data, u_int datalen)
1075{
1076 Buffer b;
661e45a0 1077 char *p;
1853d1ef 1078 u_int len;
1079 int fail = 0;
1853d1ef 1080
1081 buffer_init(&b);
1082 buffer_append(&b, data, datalen);
1083
1084 if (datafellows & SSH_OLD_SESSIONID) {
521d606b 1085 p = buffer_ptr(&b);
1086 len = buffer_len(&b);
1087 if ((session_id2 == NULL) ||
1088 (len < session_id2_len) ||
1089 (memcmp(p, session_id2, session_id2_len) != 0))
1090 fail++;
1853d1ef 1091 buffer_consume(&b, session_id2_len);
1092 } else {
521d606b 1093 p = buffer_get_string(&b, &len);
1094 if ((session_id2 == NULL) ||
1095 (len != session_id2_len) ||
1096 (memcmp(p, session_id2, session_id2_len) != 0))
1853d1ef 1097 fail++;
521d606b 1098 xfree(p);
1853d1ef 1099 }
1100 if (buffer_get_char(&b) != SSH2_MSG_USERAUTH_REQUEST)
1101 fail++;
1102 p = buffer_get_string(&b, NULL);
1103 if (strcmp(authctxt->user, p) != 0) {
bbe88b6d 1104 logit("wrong user name passed to monitor: expected %s != %.100s",
1853d1ef 1105 authctxt->user, p);
1106 fail++;
1107 }
1108 xfree(p);
1109 buffer_skip_string(&b);
1110 if (datafellows & SSH_BUG_PKAUTH) {
1111 if (!buffer_get_char(&b))
1112 fail++;
1113 } else {
1114 p = buffer_get_string(&b, NULL);
1115 if (strcmp("publickey", p) != 0)
1116 fail++;
1117 xfree(p);
1118 if (!buffer_get_char(&b))
1119 fail++;
1120 buffer_skip_string(&b);
1121 }
1122 buffer_skip_string(&b);
1123 if (buffer_len(&b) != 0)
1124 fail++;
1125 buffer_free(&b);
1126 return (fail == 0);
1127}
1128
1129static int
661e45a0 1130monitor_valid_hostbasedblob(u_char *data, u_int datalen, char *cuser,
1131 char *chost)
1853d1ef 1132{
1133 Buffer b;
661e45a0 1134 char *p;
1853d1ef 1135 u_int len;
1136 int fail = 0;
1853d1ef 1137
1138 buffer_init(&b);
1139 buffer_append(&b, data, datalen);
1140
521d606b 1141 p = buffer_get_string(&b, &len);
1142 if ((session_id2 == NULL) ||
1143 (len != session_id2_len) ||
1144 (memcmp(p, session_id2, session_id2_len) != 0))
1853d1ef 1145 fail++;
521d606b 1146 xfree(p);
1147
1853d1ef 1148 if (buffer_get_char(&b) != SSH2_MSG_USERAUTH_REQUEST)
1149 fail++;
1150 p = buffer_get_string(&b, NULL);
1151 if (strcmp(authctxt->user, p) != 0) {
bbe88b6d 1152 logit("wrong user name passed to monitor: expected %s != %.100s",
1853d1ef 1153 authctxt->user, p);
1154 fail++;
1155 }
1156 xfree(p);
1157 buffer_skip_string(&b); /* service */
1158 p = buffer_get_string(&b, NULL);
1159 if (strcmp(p, "hostbased") != 0)
1160 fail++;
1161 xfree(p);
1162 buffer_skip_string(&b); /* pkalg */
1163 buffer_skip_string(&b); /* pkblob */
1164
1165 /* verify client host, strip trailing dot if necessary */
1166 p = buffer_get_string(&b, NULL);
1167 if (((len = strlen(p)) > 0) && p[len - 1] == '.')
1168 p[len - 1] = '\0';
1169 if (strcmp(p, chost) != 0)
1170 fail++;
1171 xfree(p);
1172
1173 /* verify client user */
1174 p = buffer_get_string(&b, NULL);
1175 if (strcmp(p, cuser) != 0)
1176 fail++;
1177 xfree(p);
1178
1179 if (buffer_len(&b) != 0)
1180 fail++;
1181 buffer_free(&b);
1182 return (fail == 0);
1183}
1184
1185int
ca75d7de 1186mm_answer_keyverify(int sock, Buffer *m)
1853d1ef 1187{
1188 Key *key;
1189 u_char *signature, *data, *blob;
1190 u_int signaturelen, datalen, bloblen;
1191 int verified = 0;
1192 int valid_data = 0;
1193
1194 blob = buffer_get_string(m, &bloblen);
1195 signature = buffer_get_string(m, &signaturelen);
1196 data = buffer_get_string(m, &datalen);
1197
1198 if (hostbased_cuser == NULL || hostbased_chost == NULL ||
300e01c4 1199 !monitor_allowed_key(blob, bloblen))
1588c277 1200 fatal("%s: bad key, not previously allowed", __func__);
1853d1ef 1201
1202 key = key_from_blob(blob, bloblen);
1203 if (key == NULL)
1588c277 1204 fatal("%s: bad public key blob", __func__);
1853d1ef 1205
1206 switch (key_blobtype) {
1207 case MM_USERKEY:
1208 valid_data = monitor_valid_userblob(data, datalen);
1209 break;
1210 case MM_HOSTKEY:
1211 valid_data = monitor_valid_hostbasedblob(data, datalen,
1212 hostbased_cuser, hostbased_chost);
1213 break;
1214 default:
1215 valid_data = 0;
1216 break;
1217 }
1218 if (!valid_data)
1588c277 1219 fatal("%s: bad signature data blob", __func__);
1853d1ef 1220
1221 verified = key_verify(key, signature, signaturelen, data, datalen);
1222 debug3("%s: key %p signature %s",
89916e8c 1223 __func__, key, (verified == 1) ? "verified" : "unverified");
1853d1ef 1224
1225 key_free(key);
1226 xfree(blob);
1227 xfree(signature);
1228 xfree(data);
1229
d17ef027 1230 auth_method = key_blobtype == MM_USERKEY ? "publickey" : "hostbased";
1231
1853d1ef 1232 monitor_reset_key_state();
1233
1234 buffer_clear(m);
1235 buffer_put_int(m, verified);
ca75d7de 1236 mm_request_send(sock, MONITOR_ANS_KEYVERIFY, m);
1853d1ef 1237
89916e8c 1238 return (verified == 1);
1853d1ef 1239}
1240
1241static void
1242mm_record_login(Session *s, struct passwd *pw)
1243{
1244 socklen_t fromlen;
1245 struct sockaddr_storage from;
1246
1247 /*
1248 * Get IP address of client. If the connection is not a socket, let
1249 * the address be 0.0.0.0.
1250 */
1251 memset(&from, 0, sizeof(from));
ba1566dd 1252 fromlen = sizeof(from);
1853d1ef 1253 if (packet_connection_is_on_socket()) {
1853d1ef 1254 if (getpeername(packet_get_connection_in(),
b248a875 1255 (struct sockaddr *)&from, &fromlen) < 0) {
1853d1ef 1256 debug("getpeername: %.100s", strerror(errno));
2362db19 1257 cleanup_exit(255);
1853d1ef 1258 }
1259 }
1260 /* Record that there was a login on that tty from the remote host. */
1261 record_login(s->pid, s->tty, pw->pw_name, pw->pw_uid,
c5a7d788 1262 get_remote_name_or_ip(utmp_len, options.use_dns),
ba1566dd 1263 (struct sockaddr *)&from, fromlen);
1853d1ef 1264}
1265
1266static void
1267mm_session_close(Session *s)
1268{
b9ed513a 1269 debug3("%s: session %d pid %ld", __func__, s->self, (long)s->pid);
1853d1ef 1270 if (s->ttyfd != -1) {
c56969f9 1271 debug3("%s: tty %s ptyfd %d", __func__, s->tty, s->ptyfd);
1853d1ef 1272 session_pty_cleanup2(s);
1273 }
1274 s->used = 0;
1275}
1276
1277int
ca75d7de 1278mm_answer_pty(int sock, Buffer *m)
1853d1ef 1279{
b5a28cbc 1280 extern struct monitor *pmonitor;
1853d1ef 1281 Session *s;
1282 int res, fd0;
1283
1588c277 1284 debug3("%s entering", __func__);
1853d1ef 1285
1286 buffer_clear(m);
1287 s = session_new();
1288 if (s == NULL)
1289 goto error;
1290 s->authctxt = authctxt;
1291 s->pw = authctxt->pw;
b5a28cbc 1292 s->pid = pmonitor->m_pid;
1853d1ef 1293 res = pty_allocate(&s->ptyfd, &s->ttyfd, s->tty, sizeof(s->tty));
1294 if (res == 0)
1295 goto error;
1853d1ef 1296 pty_setowner(authctxt->pw, s->tty);
1297
1298 buffer_put_int(m, 1);
1299 buffer_put_cstring(m, s->tty);
1853d1ef 1300
1301 /* We need to trick ttyslot */
1302 if (dup2(s->ttyfd, 0) == -1)
1588c277 1303 fatal("%s: dup2", __func__);
1853d1ef 1304
1305 mm_record_login(s, authctxt->pw);
1306
1307 /* Now we can close the file descriptor again */
1308 close(0);
1309
be2ca0c9 1310 /* send messages generated by record_login */
1311 buffer_put_string(m, buffer_ptr(&loginmsg), buffer_len(&loginmsg));
1312 buffer_clear(&loginmsg);
1313
1314 mm_request_send(sock, MONITOR_ANS_PTY, m);
1315
1316 mm_send_fd(sock, s->ptyfd);
1317 mm_send_fd(sock, s->ttyfd);
1318
1853d1ef 1319 /* make sure nothing uses fd 0 */
1320 if ((fd0 = open(_PATH_DEVNULL, O_RDONLY)) < 0)
1588c277 1321 fatal("%s: open(/dev/null): %s", __func__, strerror(errno));
1853d1ef 1322 if (fd0 != 0)
1588c277 1323 error("%s: fd0 %d != 0", __func__, fd0);
1853d1ef 1324
1325 /* slave is not needed */
1326 close(s->ttyfd);
1327 s->ttyfd = s->ptyfd;
1328 /* no need to dup() because nobody closes ptyfd */
1329 s->ptymaster = s->ptyfd;
1330
c56969f9 1331 debug3("%s: tty %s ptyfd %d", __func__, s->tty, s->ttyfd);
1853d1ef 1332
1333 return (0);
1334
1335 error:
1336 if (s != NULL)
1337 mm_session_close(s);
1338 buffer_put_int(m, 0);
ca75d7de 1339 mm_request_send(sock, MONITOR_ANS_PTY, m);
1853d1ef 1340 return (0);
1341}
1342
1343int
ca75d7de 1344mm_answer_pty_cleanup(int sock, Buffer *m)
1853d1ef 1345{
1346 Session *s;
1347 char *tty;
1348
1588c277 1349 debug3("%s entering", __func__);
1853d1ef 1350
1351 tty = buffer_get_string(m, NULL);
1352 if ((s = session_by_tty(tty)) != NULL)
1353 mm_session_close(s);
1354 buffer_clear(m);
1355 xfree(tty);
1356 return (0);
1357}
1358
1359int
ca75d7de 1360mm_answer_sesskey(int sock, Buffer *m)
1853d1ef 1361{
1362 BIGNUM *p;
1363 int rsafail;
1364
1365 /* Turn off permissions */
75cccc2c 1366 monitor_permit(mon_dispatch, MONITOR_REQ_SESSKEY, 0);
1853d1ef 1367
1368 if ((p = BN_new()) == NULL)
1588c277 1369 fatal("%s: BN_new", __func__);
1853d1ef 1370
1371 buffer_get_bignum2(m, p);
1372
1373 rsafail = ssh1_session_key(p);
1374
1375 buffer_clear(m);
1376 buffer_put_int(m, rsafail);
1377 buffer_put_bignum2(m, p);
1378
1379 BN_clear_free(p);
1380
ca75d7de 1381 mm_request_send(sock, MONITOR_ANS_SESSKEY, m);
1853d1ef 1382
1383 /* Turn on permissions for sessid passing */
1384 monitor_permit(mon_dispatch, MONITOR_REQ_SESSID, 1);
1385
1386 return (0);
1387}
1388
1389int
ca75d7de 1390mm_answer_sessid(int sock, Buffer *m)
1853d1ef 1391{
1392 int i;
1393
1588c277 1394 debug3("%s entering", __func__);
1853d1ef 1395
1396 if (buffer_len(m) != 16)
1588c277 1397 fatal("%s: bad ssh1 session id", __func__);
1853d1ef 1398 for (i = 0; i < 16; i++)
1399 session_id[i] = buffer_get_char(m);
1400
1401 /* Turn on permissions for getpwnam */
1402 monitor_permit(mon_dispatch, MONITOR_REQ_PWNAM, 1);
1403
1404 return (0);
1405}
1406
1407int
ca75d7de 1408mm_answer_rsa_keyallowed(int sock, Buffer *m)
1853d1ef 1409{
1410 BIGNUM *client_n;
1411 Key *key = NULL;
1412 u_char *blob = NULL;
1413 u_int blen = 0;
1414 int allowed = 0;
1415
1588c277 1416 debug3("%s entering", __func__);
1853d1ef 1417
c023a130 1418 auth_method = "rsa";
aa586f8e 1419 if (options.rsa_authentication && authctxt->valid) {
1853d1ef 1420 if ((client_n = BN_new()) == NULL)
1588c277 1421 fatal("%s: BN_new", __func__);
1853d1ef 1422 buffer_get_bignum2(m, client_n);
1423 allowed = auth_rsa_key_allowed(authctxt->pw, client_n, &key);
1424 BN_clear_free(client_n);
1425 }
1426 buffer_clear(m);
1427 buffer_put_int(m, allowed);
92e15201 1428 buffer_put_int(m, forced_command != NULL);
1853d1ef 1429
1430 /* clear temporarily storage (used by generate challenge) */
1431 monitor_reset_key_state();
1432
1433 if (allowed && key != NULL) {
1434 key->type = KEY_RSA; /* cheat for key_to_blob */
1435 if (key_to_blob(key, &blob, &blen) == 0)
1588c277 1436 fatal("%s: key_to_blob failed", __func__);
1853d1ef 1437 buffer_put_string(m, blob, blen);
1438
1439 /* Save temporarily for comparison in verify */
1440 key_blob = blob;
1441 key_bloblen = blen;
1442 key_blobtype = MM_RSAUSERKEY;
1853d1ef 1443 }
3e2f2431 1444 if (key != NULL)
1445 key_free(key);
1853d1ef 1446
1447 mm_append_debug(m);
1448
ca75d7de 1449 mm_request_send(sock, MONITOR_ANS_RSAKEYALLOWED, m);
1853d1ef 1450
1451 monitor_permit(mon_dispatch, MONITOR_REQ_RSACHALLENGE, allowed);
1452 monitor_permit(mon_dispatch, MONITOR_REQ_RSARESPONSE, 0);
1453 return (0);
1454}
1455
1456int
ca75d7de 1457mm_answer_rsa_challenge(int sock, Buffer *m)
1853d1ef 1458{
1459 Key *key = NULL;
1460 u_char *blob;
1461 u_int blen;
1462
1588c277 1463 debug3("%s entering", __func__);
1853d1ef 1464
1465 if (!authctxt->valid)
1588c277 1466 fatal("%s: authctxt not valid", __func__);
1853d1ef 1467 blob = buffer_get_string(m, &blen);
1468 if (!monitor_allowed_key(blob, blen))
1588c277 1469 fatal("%s: bad key, not previously allowed", __func__);
1853d1ef 1470 if (key_blobtype != MM_RSAUSERKEY && key_blobtype != MM_RSAHOSTKEY)
1588c277 1471 fatal("%s: key type mismatch", __func__);
1853d1ef 1472 if ((key = key_from_blob(blob, blen)) == NULL)
1588c277 1473 fatal("%s: received bad key", __func__);
1853d1ef 1474
1475 if (ssh1_challenge)
1476 BN_clear_free(ssh1_challenge);
1477 ssh1_challenge = auth_rsa_generate_challenge(key);
1478
1479 buffer_clear(m);
1480 buffer_put_bignum2(m, ssh1_challenge);
1481
1588c277 1482 debug3("%s sending reply", __func__);
ca75d7de 1483 mm_request_send(sock, MONITOR_ANS_RSACHALLENGE, m);
1853d1ef 1484
1485 monitor_permit(mon_dispatch, MONITOR_REQ_RSARESPONSE, 1);
3e2f2431 1486
1487 xfree(blob);
1488 key_free(key);
1853d1ef 1489 return (0);
1490}
1491
1492int
ca75d7de 1493mm_answer_rsa_response(int sock, Buffer *m)
1853d1ef 1494{
1495 Key *key = NULL;
1496 u_char *blob, *response;
1497 u_int blen, len;
1498 int success;
1499
1588c277 1500 debug3("%s entering", __func__);
1853d1ef 1501
1502 if (!authctxt->valid)
1588c277 1503 fatal("%s: authctxt not valid", __func__);
1853d1ef 1504 if (ssh1_challenge == NULL)
1588c277 1505 fatal("%s: no ssh1_challenge", __func__);
1853d1ef 1506
1507 blob = buffer_get_string(m, &blen);
1508 if (!monitor_allowed_key(blob, blen))
1588c277 1509 fatal("%s: bad key, not previously allowed", __func__);
1853d1ef 1510 if (key_blobtype != MM_RSAUSERKEY && key_blobtype != MM_RSAHOSTKEY)
1588c277 1511 fatal("%s: key type mismatch: %d", __func__, key_blobtype);
1853d1ef 1512 if ((key = key_from_blob(blob, blen)) == NULL)
1588c277 1513 fatal("%s: received bad key", __func__);
1853d1ef 1514 response = buffer_get_string(m, &len);
1515 if (len != 16)
1588c277 1516 fatal("%s: received bad response to challenge", __func__);
1853d1ef 1517 success = auth_rsa_verify_response(key, ssh1_challenge, response);
1518
3e2f2431 1519 xfree(blob);
1853d1ef 1520 key_free(key);
1521 xfree(response);
1522
1523 auth_method = key_blobtype == MM_RSAUSERKEY ? "rsa" : "rhosts-rsa";
1524
1525 /* reset state */
1526 BN_clear_free(ssh1_challenge);
1527 ssh1_challenge = NULL;
1528 monitor_reset_key_state();
1529
1530 buffer_clear(m);
1531 buffer_put_int(m, success);
ca75d7de 1532 mm_request_send(sock, MONITOR_ANS_RSARESPONSE, m);
1853d1ef 1533
1534 return (success);
1535}
1536
1537int
ca75d7de 1538mm_answer_term(int sock, Buffer *req)
1853d1ef 1539{
b5a28cbc 1540 extern struct monitor *pmonitor;
1853d1ef 1541 int res, status;
1542
1588c277 1543 debug3("%s: tearing down sessions", __func__);
1853d1ef 1544
1545 /* The child is terminating */
1546 session_destroy_all(&mm_session_close);
1547
b5a28cbc 1548 while (waitpid(pmonitor->m_pid, &status, 0) == -1)
8c38e88b 1549 if (errno != EINTR)
1550 exit(1);
1853d1ef 1551
1552 res = WIFEXITED(status) ? WEXITSTATUS(status) : 1;
1553
1554 /* Terminate process */
f6be21a0 1555 exit(res);
1853d1ef 1556}
1557
6039eeef 1558#ifdef SSH_AUDIT_EVENTS
c00e4d75 1559/* Report that an audit event occurred */
1560int
1561mm_answer_audit_event(int socket, Buffer *m)
1562{
1563 ssh_audit_event_t event;
1564
1565 debug3("%s entering", __func__);
1566
1567 event = buffer_get_int(m);
c00e4d75 1568 switch(event) {
6039eeef 1569 case SSH_AUTH_FAIL_PUBKEY:
1570 case SSH_AUTH_FAIL_HOSTBASED:
1571 case SSH_AUTH_FAIL_GSSAPI:
1572 case SSH_LOGIN_EXCEED_MAXTRIES:
1573 case SSH_LOGIN_ROOT_DENIED:
1574 case SSH_CONNECTION_CLOSE:
1575 case SSH_INVALID_USER:
c00e4d75 1576 audit_event(event);
1577 break;
1578 default:
1579 fatal("Audit event type %d not permitted", event);
1580 }
1581
1582 return (0);
1583}
1584
1585int
1586mm_answer_audit_command(int socket, Buffer *m)
1587{
1588 u_int len;
1589 char *cmd;
1590
1591 debug3("%s entering", __func__);
1592 cmd = buffer_get_string(m, &len);
1593 /* sanity check command, if so how? */
1594 audit_run_command(cmd);
1595 xfree(cmd);
c00e4d75 1596 return (0);
1597}
6039eeef 1598#endif /* SSH_AUDIT_EVENTS */
c00e4d75 1599
1853d1ef 1600void
b5a28cbc 1601monitor_apply_keystate(struct monitor *pmonitor)
1853d1ef 1602{
1603 if (compat20) {
1604 set_newkeys(MODE_IN);
1605 set_newkeys(MODE_OUT);
1606 } else {
1853d1ef 1607 packet_set_protocol_flags(child_state.ssh1protoflags);
9459414c 1608 packet_set_encryption_key(child_state.ssh1key,
1609 child_state.ssh1keylen, child_state.ssh1cipher);
1610 xfree(child_state.ssh1key);
1853d1ef 1611 }
1612
9459414c 1613 /* for rc4 and other stateful ciphers */
1853d1ef 1614 packet_set_keycontext(MODE_OUT, child_state.keyout);
1615 xfree(child_state.keyout);
1616 packet_set_keycontext(MODE_IN, child_state.keyin);
1617 xfree(child_state.keyin);
1618
1619 if (!compat20) {
1620 packet_set_iv(MODE_OUT, child_state.ivout);
1621 xfree(child_state.ivout);
1622 packet_set_iv(MODE_IN, child_state.ivin);
1623 xfree(child_state.ivin);
1624 }
1625
1626 memcpy(&incoming_stream, &child_state.incoming,
1627 sizeof(incoming_stream));
1628 memcpy(&outgoing_stream, &child_state.outgoing,
1629 sizeof(outgoing_stream));
1630
1631 /* Update with new address */
0496cf34 1632 if (options.compression)
1633 mm_init_compression(pmonitor->m_zlib);
1853d1ef 1634
1635 /* Network I/O buffers */
1636 /* XXX inefficient for large buffers, need: buffer_init_from_string */
1637 buffer_clear(&input);
1638 buffer_append(&input, child_state.input, child_state.ilen);
1639 memset(child_state.input, 0, child_state.ilen);
1640 xfree(child_state.input);
1641
1642 buffer_clear(&output);
1643 buffer_append(&output, child_state.output, child_state.olen);
1644 memset(child_state.output, 0, child_state.olen);
1645 xfree(child_state.output);
1646}
1647
1648static Kex *
1649mm_get_kex(Buffer *m)
1650{
1651 Kex *kex;
1652 void *blob;
1653 u_int bloblen;
1654
52e3daed 1655 kex = xcalloc(1, sizeof(*kex));
1853d1ef 1656 kex->session_id = buffer_get_string(m, &kex->session_id_len);
521d606b 1657 if ((session_id2 == NULL) ||
1658 (kex->session_id_len != session_id2_len) ||
1659 (memcmp(kex->session_id, session_id2, session_id2_len) != 0))
1660 fatal("mm_get_get: internal error: bad session id");
1853d1ef 1661 kex->we_need = buffer_get_int(m);
cdb64c4d 1662 kex->kex[KEX_DH_GRP1_SHA1] = kexdh_server;
41e5bd9a 1663 kex->kex[KEX_DH_GRP14_SHA1] = kexdh_server;
cdb64c4d 1664 kex->kex[KEX_DH_GEX_SHA1] = kexgex_server;
2ff8003a 1665 kex->kex[KEX_DH_GEX_SHA256] = kexgex_server;
1853d1ef 1666 kex->server = 1;
1667 kex->hostkey_type = buffer_get_int(m);
1668 kex->kex_type = buffer_get_int(m);
1669 blob = buffer_get_string(m, &bloblen);
1670 buffer_init(&kex->my);
1671 buffer_append(&kex->my, blob, bloblen);
1672 xfree(blob);
1673 blob = buffer_get_string(m, &bloblen);
1674 buffer_init(&kex->peer);
1675 buffer_append(&kex->peer, blob, bloblen);
1676 xfree(blob);
1677 kex->done = 1;
1678 kex->flags = buffer_get_int(m);
1679 kex->client_version_string = buffer_get_string(m, NULL);
1680 kex->server_version_string = buffer_get_string(m, NULL);
1681 kex->load_host_key=&get_hostkey_by_type;
1682 kex->host_key_index=&get_hostkey_index;
1683
1684 return (kex);
1685}
1686
1687/* This function requries careful sanity checking */
1688
1689void
b5a28cbc 1690mm_get_keystate(struct monitor *pmonitor)
1853d1ef 1691{
1692 Buffer m;
1693 u_char *blob, *p;
1694 u_int bloblen, plen;
ffd7b36b 1695 u_int32_t seqnr, packets;
1696 u_int64_t blocks;
1853d1ef 1697
1588c277 1698 debug3("%s: Waiting for new keys", __func__);
1853d1ef 1699
1700 buffer_init(&m);
b5a28cbc 1701 mm_request_receive_expect(pmonitor->m_sendfd, MONITOR_REQ_KEYEXPORT, &m);
1853d1ef 1702 if (!compat20) {
1703 child_state.ssh1protoflags = buffer_get_int(&m);
1704 child_state.ssh1cipher = buffer_get_int(&m);
9459414c 1705 child_state.ssh1key = buffer_get_string(&m,
1706 &child_state.ssh1keylen);
1853d1ef 1707 child_state.ivout = buffer_get_string(&m,
1708 &child_state.ivoutlen);
1709 child_state.ivin = buffer_get_string(&m, &child_state.ivinlen);
1710 goto skip;
1711 } else {
1712 /* Get the Kex for rekeying */
b5a28cbc 1713 *pmonitor->m_pkex = mm_get_kex(&m);
1853d1ef 1714 }
1715
1716 blob = buffer_get_string(&m, &bloblen);
1717 current_keys[MODE_OUT] = mm_newkeys_from_blob(blob, bloblen);
1718 xfree(blob);
1719
1588c277 1720 debug3("%s: Waiting for second key", __func__);
1853d1ef 1721 blob = buffer_get_string(&m, &bloblen);
1722 current_keys[MODE_IN] = mm_newkeys_from_blob(blob, bloblen);
1723 xfree(blob);
1724
1725 /* Now get sequence numbers for the packets */
ffd7b36b 1726 seqnr = buffer_get_int(&m);
1727 blocks = buffer_get_int64(&m);
1728 packets = buffer_get_int(&m);
1729 packet_set_state(MODE_OUT, seqnr, blocks, packets);
1730 seqnr = buffer_get_int(&m);
1731 blocks = buffer_get_int64(&m);
1732 packets = buffer_get_int(&m);
1733 packet_set_state(MODE_IN, seqnr, blocks, packets);
1853d1ef 1734
1735 skip:
1736 /* Get the key context */
1737 child_state.keyout = buffer_get_string(&m, &child_state.keyoutlen);
1738 child_state.keyin = buffer_get_string(&m, &child_state.keyinlen);
1739
1588c277 1740 debug3("%s: Getting compression state", __func__);
1853d1ef 1741 /* Get compression state */
1742 p = buffer_get_string(&m, &plen);
1743 if (plen != sizeof(child_state.outgoing))
1588c277 1744 fatal("%s: bad request size", __func__);
1853d1ef 1745 memcpy(&child_state.outgoing, p, sizeof(child_state.outgoing));
1746 xfree(p);
1747
1748 p = buffer_get_string(&m, &plen);
1749 if (plen != sizeof(child_state.incoming))
1588c277 1750 fatal("%s: bad request size", __func__);
1853d1ef 1751 memcpy(&child_state.incoming, p, sizeof(child_state.incoming));
1752 xfree(p);
1753
1754 /* Network I/O buffers */
1588c277 1755 debug3("%s: Getting Network I/O buffers", __func__);
1853d1ef 1756 child_state.input = buffer_get_string(&m, &child_state.ilen);
1757 child_state.output = buffer_get_string(&m, &child_state.olen);
1758
1759 buffer_free(&m);
1760}
1761
1762
1763/* Allocation functions for zlib */
1764void *
1765mm_zalloc(struct mm_master *mm, u_int ncount, u_int size)
1766{
39e71188 1767 size_t len = (size_t) size * ncount;
1853d1ef 1768 void *address;
1769
b85698ab 1770 if (len == 0 || ncount > SIZE_T_MAX / size)
2f095a0e 1771 fatal("%s: mm_zalloc(%u, %u)", __func__, ncount, size);
1772
1773 address = mm_malloc(mm, len);
1853d1ef 1774
1775 return (address);
1776}
1777
1778void
1779mm_zfree(struct mm_master *mm, void *address)
1780{
1781 mm_free(mm, address);
1782}
1783
1784void
1785mm_init_compression(struct mm_master *mm)
1786{
1787 outgoing_stream.zalloc = (alloc_func)mm_zalloc;
1788 outgoing_stream.zfree = (free_func)mm_zfree;
1789 outgoing_stream.opaque = mm;
1790
1791 incoming_stream.zalloc = (alloc_func)mm_zalloc;
1792 incoming_stream.zfree = (free_func)mm_zfree;
1793 incoming_stream.opaque = mm;
1794}
1795
1796/* XXX */
1797
1798#define FD_CLOSEONEXEC(x) do { \
1799 if (fcntl(x, F_SETFD, 1) == -1) \
1800 fatal("fcntl(%d, F_SETFD)", x); \
1801} while (0)
1802
1803static void
1804monitor_socketpair(int *pair)
1805{
f1af2dbf 1806#ifdef HAVE_SOCKETPAIR
1853d1ef 1807 if (socketpair(AF_UNIX, SOCK_STREAM, 0, pair) == -1)
1588c277 1808 fatal("%s: socketpair", __func__);
f1af2dbf 1809#else
1810 fatal("%s: UsePrivilegeSeparation=yes not supported",
1588c277 1811 __func__);
f1af2dbf 1812#endif
1853d1ef 1813 FD_CLOSEONEXEC(pair[0]);
1814 FD_CLOSEONEXEC(pair[1]);
1815}
1816
1817#define MM_MEMSIZE 65536
1818
1819struct monitor *
1820monitor_init(void)
1821{
1822 struct monitor *mon;
1823 int pair[2];
1824
52e3daed 1825 mon = xcalloc(1, sizeof(*mon));
1853d1ef 1826
1827 monitor_socketpair(pair);
1828
1829 mon->m_recvfd = pair[0];
1830 mon->m_sendfd = pair[1];
1831
1832 /* Used to share zlib space across processes */
0496cf34 1833 if (options.compression) {
1834 mon->m_zback = mm_create(NULL, MM_MEMSIZE);
1835 mon->m_zlib = mm_create(mon->m_zback, 20 * MM_MEMSIZE);
1853d1ef 1836
0496cf34 1837 /* Compression needs to share state across borders */
1838 mm_init_compression(mon->m_zlib);
1839 }
1853d1ef 1840
1841 return mon;
1842}
1843
1844void
1845monitor_reinit(struct monitor *mon)
1846{
1847 int pair[2];
1848
1849 monitor_socketpair(pair);
1850
1851 mon->m_recvfd = pair[0];
1852 mon->m_sendfd = pair[1];
1853}
7364bd04 1854
1855#ifdef GSSAPI
1856int
ca75d7de 1857mm_answer_gss_setup_ctx(int sock, Buffer *m)
7364bd04 1858{
ca75d7de 1859 gss_OID_desc goid;
7364bd04 1860 OM_uint32 major;
1861 u_int len;
1862
ca75d7de 1863 goid.elements = buffer_get_string(m, &len);
1864 goid.length = len;
7364bd04 1865
ca75d7de 1866 major = ssh_gssapi_server_ctx(&gsscontext, &goid);
7364bd04 1867
ca75d7de 1868 xfree(goid.elements);
7364bd04 1869
1870 buffer_clear(m);
1871 buffer_put_int(m, major);
1872
8442cc66 1873 mm_request_send(sock, MONITOR_ANS_GSSSETUP, m);
7364bd04 1874
1875 /* Now we have a context, enable the step */
1876 monitor_permit(mon_dispatch, MONITOR_REQ_GSSSTEP, 1);
1877
1878 return (0);
1879}
1880
1881int
ca75d7de 1882mm_answer_gss_accept_ctx(int sock, Buffer *m)
7364bd04 1883{
1884 gss_buffer_desc in;
1885 gss_buffer_desc out = GSS_C_EMPTY_BUFFER;
8442cc66 1886 OM_uint32 major, minor;
7364bd04 1887 OM_uint32 flags = 0; /* GSI needs this */
f99e1ca4 1888 u_int len;
7364bd04 1889
f99e1ca4 1890 in.value = buffer_get_string(m, &len);
1891 in.length = len;
7364bd04 1892 major = ssh_gssapi_accept_ctx(gsscontext, &in, &out, &flags);
1893 xfree(in.value);
1894
1895 buffer_clear(m);
1896 buffer_put_int(m, major);
1897 buffer_put_string(m, out.value, out.length);
1898 buffer_put_int(m, flags);
ca75d7de 1899 mm_request_send(sock, MONITOR_ANS_GSSSTEP, m);
7364bd04 1900
1901 gss_release_buffer(&minor, &out);
1902
8442cc66 1903 if (major == GSS_S_COMPLETE) {
7364bd04 1904 monitor_permit(mon_dispatch, MONITOR_REQ_GSSSTEP, 0);
1905 monitor_permit(mon_dispatch, MONITOR_REQ_GSSUSEROK, 1);
0789992b 1906 monitor_permit(mon_dispatch, MONITOR_REQ_GSSCHECKMIC, 1);
7364bd04 1907 }
1908 return (0);
1909}
1910
0789992b 1911int
ca75d7de 1912mm_answer_gss_checkmic(int sock, Buffer *m)
0789992b 1913{
1914 gss_buffer_desc gssbuf, mic;
1915 OM_uint32 ret;
1916 u_int len;
b6453d99 1917
0789992b 1918 gssbuf.value = buffer_get_string(m, &len);
1919 gssbuf.length = len;
1920 mic.value = buffer_get_string(m, &len);
1921 mic.length = len;
b6453d99 1922
0789992b 1923 ret = ssh_gssapi_checkmic(gsscontext, &gssbuf, &mic);
b6453d99 1924
0789992b 1925 xfree(gssbuf.value);
1926 xfree(mic.value);
b6453d99 1927
0789992b 1928 buffer_clear(m);
1929 buffer_put_int(m, ret);
b6453d99 1930
ca75d7de 1931 mm_request_send(sock, MONITOR_ANS_GSSCHECKMIC, m);
b6453d99 1932
0789992b 1933 if (!GSS_ERROR(ret))
1934 monitor_permit(mon_dispatch, MONITOR_REQ_GSSUSEROK, 1);
b6453d99 1935
0789992b 1936 return (0);
1937}
1938
7364bd04 1939int
ca75d7de 1940mm_answer_gss_userok(int sock, Buffer *m)
7364bd04 1941{
1942 int authenticated;
1943
1944 authenticated = authctxt->valid && ssh_gssapi_userok(authctxt->user);
1945
1946 buffer_clear(m);
1947 buffer_put_int(m, authenticated);
1948
1949 debug3("%s: sending result %d", __func__, authenticated);
ca75d7de 1950 mm_request_send(sock, MONITOR_ANS_GSSUSEROK, m);
7364bd04 1951
8442cc66 1952 auth_method = "gssapi-with-mic";
7364bd04 1953
1954 /* Monitor loop will terminate if authenticated */
1955 return (authenticated);
1956}
1957#endif /* GSSAPI */
git-cvsimport mirror of OpenSSH
This page took 1.88079 seconds and 5 git commands to generate.