Annotation of src/usr.bin/ssh/monitor.c, Revision 1.14
1.1 provos 1: /*
2: * Copyright 2002 Niels Provos <provos@citi.umich.edu>
3: * Copyright 2002 Markus Friedl <markus@openbsd.org>
4: * All rights reserved.
5: *
6: * Redistribution and use in source and binary forms, with or without
7: * modification, are permitted provided that the following conditions
8: * are met:
9: * 1. Redistributions of source code must retain the above copyright
10: * notice, this list of conditions and the following disclaimer.
11: * 2. Redistributions in binary form must reproduce the above copyright
12: * notice, this list of conditions and the following disclaimer in the
13: * documentation and/or other materials provided with the distribution.
14: *
15: * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
16: * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
17: * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
18: * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
19: * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
20: * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
21: * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
22: * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
23: * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
24: * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
25: */
26:
27: #include "includes.h"
1.14 ! markus 28: RCSID("$OpenBSD: monitor.c,v 1.13 2002/06/04 19:53:40 markus Exp $");
1.1 provos 29:
30: #include <openssl/dh.h>
31:
32: #ifdef SKEY
33: #include <skey.h>
34: #endif
35:
36: #include "ssh.h"
37: #include "auth.h"
38: #include "kex.h"
39: #include "dh.h"
40: #include "zlib.h"
41: #include "packet.h"
42: #include "auth-options.h"
43: #include "sshpty.h"
44: #include "channels.h"
45: #include "session.h"
46: #include "sshlogin.h"
47: #include "canohost.h"
48: #include "log.h"
49: #include "servconf.h"
50: #include "monitor.h"
51: #include "monitor_mm.h"
52: #include "monitor_wrap.h"
53: #include "monitor_fdpass.h"
54: #include "xmalloc.h"
55: #include "misc.h"
56: #include "buffer.h"
57: #include "bufaux.h"
58: #include "compat.h"
59: #include "ssh2.h"
60: #include "mpaux.h"
61:
62: /* Imports */
63: extern ServerOptions options;
64: extern u_int utmp_len;
65: extern Newkeys *current_keys[];
66: extern z_stream incoming_stream;
67: extern z_stream outgoing_stream;
68: extern u_char session_id[];
69: extern Buffer input, output;
70: extern Buffer auth_debug;
71: extern int auth_debug_init;
72:
73: /* State exported from the child */
74:
75: struct {
76: z_stream incoming;
77: z_stream outgoing;
78: u_char *keyin;
79: u_int keyinlen;
80: u_char *keyout;
81: u_int keyoutlen;
82: u_char *ivin;
83: u_int ivinlen;
84: u_char *ivout;
85: u_int ivoutlen;
86: int ssh1cipher;
87: int ssh1protoflags;
88: u_char *input;
89: u_int ilen;
90: u_char *output;
91: u_int olen;
92: } child_state;
93:
94: /* Functions on the montior that answer unprivileged requests */
95:
96: int mm_answer_moduli(int, Buffer *);
97: int mm_answer_sign(int, Buffer *);
98: int mm_answer_pwnamallow(int, Buffer *);
1.10 djm 99: int mm_answer_auth2_read_banner(int, Buffer *);
1.1 provos 100: int mm_answer_authserv(int, Buffer *);
101: int mm_answer_authpassword(int, Buffer *);
102: int mm_answer_bsdauthquery(int, Buffer *);
103: int mm_answer_bsdauthrespond(int, Buffer *);
104: int mm_answer_skeyquery(int, Buffer *);
105: int mm_answer_skeyrespond(int, Buffer *);
106: int mm_answer_keyallowed(int, Buffer *);
107: int mm_answer_keyverify(int, Buffer *);
108: int mm_answer_pty(int, Buffer *);
109: int mm_answer_pty_cleanup(int, Buffer *);
110: int mm_answer_term(int, Buffer *);
111: int mm_answer_rsa_keyallowed(int, Buffer *);
112: int mm_answer_rsa_challenge(int, Buffer *);
113: int mm_answer_rsa_response(int, Buffer *);
114: int mm_answer_sesskey(int, Buffer *);
115: int mm_answer_sessid(int, Buffer *);
116:
117: static Authctxt *authctxt;
118: static BIGNUM *ssh1_challenge = NULL; /* used for ssh1 rsa auth */
119:
120: /* local state for key verify */
121: static u_char *key_blob = NULL;
122: static u_int key_bloblen = 0;
123: static int key_blobtype = MM_NOKEY;
124: static u_char *hostbased_cuser = NULL;
125: static u_char *hostbased_chost = NULL;
126: static char *auth_method = "unknown";
1.13 markus 127: static int session_id2_len = 0;
128: static u_char *session_id2 = NULL;
1.1 provos 129:
130: struct mon_table {
131: enum monitor_reqtype type;
132: int flags;
133: int (*f)(int, Buffer *);
134: };
135:
136: #define MON_ISAUTH 0x0004 /* Required for Authentication */
137: #define MON_AUTHDECIDE 0x0008 /* Decides Authentication */
138: #define MON_ONCE 0x0010 /* Disable after calling */
139:
140: #define MON_AUTH (MON_ISAUTH|MON_AUTHDECIDE)
141:
142: #define MON_PERMIT 0x1000 /* Request is permitted */
143:
144: struct mon_table mon_dispatch_proto20[] = {
145: {MONITOR_REQ_MODULI, MON_ONCE, mm_answer_moduli},
146: {MONITOR_REQ_SIGN, MON_ONCE, mm_answer_sign},
147: {MONITOR_REQ_PWNAM, MON_ONCE, mm_answer_pwnamallow},
148: {MONITOR_REQ_AUTHSERV, MON_ONCE, mm_answer_authserv},
1.10 djm 149: {MONITOR_REQ_AUTH2_READ_BANNER, MON_ONCE, mm_answer_auth2_read_banner},
1.1 provos 150: {MONITOR_REQ_AUTHPASSWORD, MON_AUTH, mm_answer_authpassword},
151: #ifdef BSD_AUTH
152: {MONITOR_REQ_BSDAUTHQUERY, MON_ISAUTH, mm_answer_bsdauthquery},
153: {MONITOR_REQ_BSDAUTHRESPOND, MON_AUTH,mm_answer_bsdauthrespond},
154: #endif
155: #ifdef SKEY
156: {MONITOR_REQ_SKEYQUERY, MON_ISAUTH, mm_answer_skeyquery},
157: {MONITOR_REQ_SKEYRESPOND, MON_AUTH, mm_answer_skeyrespond},
158: #endif
159: {MONITOR_REQ_KEYALLOWED, MON_ISAUTH, mm_answer_keyallowed},
160: {MONITOR_REQ_KEYVERIFY, MON_AUTH, mm_answer_keyverify},
161: {0, 0, NULL}
162: };
163:
164: struct mon_table mon_dispatch_postauth20[] = {
165: {MONITOR_REQ_MODULI, 0, mm_answer_moduli},
166: {MONITOR_REQ_SIGN, 0, mm_answer_sign},
167: {MONITOR_REQ_PTY, 0, mm_answer_pty},
168: {MONITOR_REQ_PTYCLEANUP, 0, mm_answer_pty_cleanup},
169: {MONITOR_REQ_TERM, 0, mm_answer_term},
170: {0, 0, NULL}
171: };
172:
173: struct mon_table mon_dispatch_proto15[] = {
174: {MONITOR_REQ_PWNAM, MON_ONCE, mm_answer_pwnamallow},
175: {MONITOR_REQ_SESSKEY, MON_ONCE, mm_answer_sesskey},
176: {MONITOR_REQ_SESSID, MON_ONCE, mm_answer_sessid},
177: {MONITOR_REQ_AUTHPASSWORD, MON_AUTH, mm_answer_authpassword},
178: {MONITOR_REQ_RSAKEYALLOWED, MON_ISAUTH, mm_answer_rsa_keyallowed},
179: {MONITOR_REQ_KEYALLOWED, MON_ISAUTH, mm_answer_keyallowed},
180: {MONITOR_REQ_RSACHALLENGE, MON_ONCE, mm_answer_rsa_challenge},
181: {MONITOR_REQ_RSARESPONSE, MON_ONCE|MON_AUTHDECIDE, mm_answer_rsa_response},
182: #ifdef BSD_AUTH
183: {MONITOR_REQ_BSDAUTHQUERY, MON_ISAUTH, mm_answer_bsdauthquery},
184: {MONITOR_REQ_BSDAUTHRESPOND, MON_AUTH,mm_answer_bsdauthrespond},
185: #endif
186: #ifdef SKEY
187: {MONITOR_REQ_SKEYQUERY, MON_ISAUTH, mm_answer_skeyquery},
188: {MONITOR_REQ_SKEYRESPOND, MON_AUTH, mm_answer_skeyrespond},
189: #endif
190: {0, 0, NULL}
191: };
192:
193: struct mon_table mon_dispatch_postauth15[] = {
194: {MONITOR_REQ_PTY, MON_ONCE, mm_answer_pty},
195: {MONITOR_REQ_PTYCLEANUP, MON_ONCE, mm_answer_pty_cleanup},
196: {MONITOR_REQ_TERM, 0, mm_answer_term},
197: {0, 0, NULL}
198: };
199:
200: struct mon_table *mon_dispatch;
201:
202: /* Specifies if a certain message is allowed at the moment */
203:
204: static void
205: monitor_permit(struct mon_table *ent, enum monitor_reqtype type, int permit)
206: {
207: while (ent->f != NULL) {
208: if (ent->type == type) {
209: ent->flags &= ~MON_PERMIT;
210: ent->flags |= permit ? MON_PERMIT : 0;
211: return;
212: }
213: ent++;
214: }
215: }
216:
217: static void
218: monitor_permit_authentications(int permit)
219: {
220: struct mon_table *ent = mon_dispatch;
221:
222: while (ent->f != NULL) {
223: if (ent->flags & MON_AUTH) {
224: ent->flags &= ~MON_PERMIT;
225: ent->flags |= permit ? MON_PERMIT : 0;
226: }
227: ent++;
228: }
229: }
230:
231: Authctxt *
1.11 mouring 232: monitor_child_preauth(struct monitor *pmonitor)
1.1 provos 233: {
234: struct mon_table *ent;
235: int authenticated = 0;
236:
237: debug3("preauth child monitor started");
238:
239: if (compat20) {
240: mon_dispatch = mon_dispatch_proto20;
241:
242: /* Permit requests for moduli and signatures */
243: monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1);
244: monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1);
245: } else {
246: mon_dispatch = mon_dispatch_proto15;
247:
248: monitor_permit(mon_dispatch, MONITOR_REQ_SESSKEY, 1);
249: }
250:
251: authctxt = authctxt_new();
252:
253: /* The first few requests do not require asynchronous access */
254: while (!authenticated) {
1.11 mouring 255: authenticated = monitor_read(pmonitor, mon_dispatch, &ent);
1.1 provos 256: if (authenticated) {
257: if (!(ent->flags & MON_AUTHDECIDE))
258: fatal("%s: unexpected authentication from %d",
1.14 ! markus 259: __func__, ent->type);
1.1 provos 260: if (authctxt->pw->pw_uid == 0 &&
261: !auth_root_allowed(auth_method))
262: authenticated = 0;
263: }
264:
265: if (ent->flags & MON_AUTHDECIDE) {
266: auth_log(authctxt, authenticated, auth_method,
267: compat20 ? " ssh2" : "");
268: if (!authenticated)
269: authctxt->failures++;
270: }
271: }
272:
273: if (!authctxt->valid)
1.14 ! markus 274: fatal("%s: authenticated invalid user", __func__);
1.1 provos 275:
276: debug("%s: %s has been authenticated by privileged process",
1.14 ! markus 277: __func__, authctxt->user);
1.1 provos 278:
1.11 mouring 279: mm_get_keystate(pmonitor);
1.1 provos 280:
281: return (authctxt);
282: }
283:
284: void
1.11 mouring 285: monitor_child_postauth(struct monitor *pmonitor)
1.1 provos 286: {
287: if (compat20) {
288: mon_dispatch = mon_dispatch_postauth20;
289:
290: /* Permit requests for moduli and signatures */
291: monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1);
292: monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1);
293: monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1);
294:
295: } else {
296: mon_dispatch = mon_dispatch_postauth15;
297: monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1);
298: }
299: if (!no_pty_flag) {
300: monitor_permit(mon_dispatch, MONITOR_REQ_PTY, 1);
301: monitor_permit(mon_dispatch, MONITOR_REQ_PTYCLEANUP, 1);
302: }
303:
304: for (;;)
1.11 mouring 305: monitor_read(pmonitor, mon_dispatch, NULL);
1.1 provos 306: }
307:
308: void
1.11 mouring 309: monitor_sync(struct monitor *pmonitor)
1.1 provos 310: {
311: /* The member allocation is not visible, so sync it */
1.11 mouring 312: mm_share_sync(&pmonitor->m_zlib, &pmonitor->m_zback);
1.1 provos 313: }
314:
315: int
1.11 mouring 316: monitor_read(struct monitor *pmonitor, struct mon_table *ent,
1.1 provos 317: struct mon_table **pent)
318: {
319: Buffer m;
320: int ret;
321: u_char type;
322:
323: buffer_init(&m);
324:
1.11 mouring 325: mm_request_receive(pmonitor->m_sendfd, &m);
1.1 provos 326: type = buffer_get_char(&m);
327:
1.14 ! markus 328: debug3("%s: checking request %d", __func__, type);
1.1 provos 329:
330: while (ent->f != NULL) {
331: if (ent->type == type)
332: break;
333: ent++;
334: }
335:
336: if (ent->f != NULL) {
337: if (!(ent->flags & MON_PERMIT))
1.14 ! markus 338: fatal("%s: unpermitted request %d", __func__,
1.1 provos 339: type);
1.11 mouring 340: ret = (*ent->f)(pmonitor->m_sendfd, &m);
1.1 provos 341: buffer_free(&m);
342:
343: /* The child may use this request only once, disable it */
344: if (ent->flags & MON_ONCE) {
1.14 ! markus 345: debug2("%s: %d used once, disabling now", __func__,
1.1 provos 346: type);
347: ent->flags &= ~MON_PERMIT;
348: }
349:
350: if (pent != NULL)
351: *pent = ent;
1.3 markus 352:
1.1 provos 353: return ret;
354: }
355:
1.14 ! markus 356: fatal("%s: unsupported request: %d", __func__, type);
1.1 provos 357:
358: /* NOTREACHED */
359: return (-1);
360: }
361:
362: /* allowed key state */
363: static int
364: monitor_allowed_key(u_char *blob, u_int bloblen)
365: {
366: /* make sure key is allowed */
367: if (key_blob == NULL || key_bloblen != bloblen ||
368: memcmp(key_blob, blob, key_bloblen))
369: return (0);
370: return (1);
371: }
372:
373: static void
374: monitor_reset_key_state(void)
375: {
376: /* reset state */
377: if (key_blob != NULL)
378: xfree(key_blob);
379: if (hostbased_cuser != NULL)
380: xfree(hostbased_cuser);
381: if (hostbased_chost != NULL)
382: xfree(hostbased_chost);
383: key_blob = NULL;
384: key_bloblen = 0;
385: key_blobtype = MM_NOKEY;
386: hostbased_cuser = NULL;
387: hostbased_chost = NULL;
388: }
389:
390: int
391: mm_answer_moduli(int socket, Buffer *m)
392: {
393: DH *dh;
394: int min, want, max;
395:
396: min = buffer_get_int(m);
397: want = buffer_get_int(m);
398: max = buffer_get_int(m);
399:
400: debug3("%s: got parameters: %d %d %d",
1.14 ! markus 401: __func__, min, want, max);
1.1 provos 402: /* We need to check here, too, in case the child got corrupted */
403: if (max < min || want < min || max < want)
404: fatal("%s: bad parameters: %d %d %d",
1.14 ! markus 405: __func__, min, want, max);
1.1 provos 406:
407: buffer_clear(m);
408:
409: dh = choose_dh(min, want, max);
410: if (dh == NULL) {
411: buffer_put_char(m, 0);
412: return (0);
413: } else {
414: /* Send first bignum */
415: buffer_put_char(m, 1);
416: buffer_put_bignum2(m, dh->p);
417: buffer_put_bignum2(m, dh->g);
1.3 markus 418:
1.1 provos 419: DH_free(dh);
420: }
421: mm_request_send(socket, MONITOR_ANS_MODULI, m);
422: return (0);
423: }
424:
425: int
426: mm_answer_sign(int socket, Buffer *m)
427: {
428: Key *key;
429: u_char *p;
430: u_char *signature;
431: u_int siglen, datlen;
432: int keyid;
1.3 markus 433:
1.14 ! markus 434: debug3("%s", __func__);
1.1 provos 435:
1.3 markus 436: keyid = buffer_get_int(m);
437: p = buffer_get_string(m, &datlen);
1.1 provos 438:
439: if (datlen != 20)
1.14 ! markus 440: fatal("%s: data length incorrect: %d", __func__, datlen);
1.1 provos 441:
1.13 markus 442: /* save session id, it will be passed on the first call */
443: if (session_id2_len == 0) {
444: session_id2_len = datlen;
445: session_id2 = xmalloc(session_id2_len);
446: memcpy(session_id2, p, session_id2_len);
447: }
448:
1.1 provos 449: if ((key = get_hostkey_by_index(keyid)) == NULL)
1.14 ! markus 450: fatal("%s: no hostkey from index %d", __func__, keyid);
1.1 provos 451: if (key_sign(key, &signature, &siglen, p, datlen) < 0)
1.14 ! markus 452: fatal("%s: key_sign failed", __func__);
1.1 provos 453:
1.14 ! markus 454: debug3("%s: signature %p(%d)", __func__, signature, siglen);
1.1 provos 455:
456: buffer_clear(m);
457: buffer_put_string(m, signature, siglen);
458:
459: xfree(p);
460: xfree(signature);
461:
462: mm_request_send(socket, MONITOR_ANS_SIGN, m);
463:
464: /* Turn on permissions for getpwnam */
465: monitor_permit(mon_dispatch, MONITOR_REQ_PWNAM, 1);
466:
467: return (0);
468: }
469:
470: /* Retrieves the password entry and also checks if the user is permitted */
471:
472: int
473: mm_answer_pwnamallow(int socket, Buffer *m)
474: {
475: char *login;
476: struct passwd *pwent;
477: int allowed = 0;
1.3 markus 478:
1.14 ! markus 479: debug3("%s", __func__);
1.1 provos 480:
481: if (authctxt->attempt++ != 0)
1.14 ! markus 482: fatal("%s: multiple attempts for getpwnam", __func__);
1.1 provos 483:
484: login = buffer_get_string(m, NULL);
485:
486: pwent = getpwnamallow(login);
487:
488: authctxt->user = xstrdup(login);
489: setproctitle("%s [priv]", pwent ? login : "unknown");
490: xfree(login);
491:
492: buffer_clear(m);
493:
494: if (pwent == NULL) {
495: buffer_put_char(m, 0);
496: goto out;
497: }
498:
499: allowed = 1;
1.4 markus 500: authctxt->pw = pwent;
1.1 provos 501: authctxt->valid = 1;
502:
503: buffer_put_char(m, 1);
504: buffer_put_string(m, pwent, sizeof(struct passwd));
505: buffer_put_cstring(m, pwent->pw_name);
506: buffer_put_cstring(m, "*");
507: buffer_put_cstring(m, pwent->pw_gecos);
508: buffer_put_cstring(m, pwent->pw_class);
509: buffer_put_cstring(m, pwent->pw_dir);
510: buffer_put_cstring(m, pwent->pw_shell);
511:
512: out:
1.14 ! markus 513: debug3("%s: sending MONITOR_ANS_PWNAM: %d", __func__, allowed);
1.1 provos 514: mm_request_send(socket, MONITOR_ANS_PWNAM, m);
515:
516: /* For SSHv1 allow authentication now */
517: if (!compat20)
518: monitor_permit_authentications(1);
1.10 djm 519: else {
1.1 provos 520: /* Allow service/style information on the auth context */
521: monitor_permit(mon_dispatch, MONITOR_REQ_AUTHSERV, 1);
1.10 djm 522: monitor_permit(mon_dispatch, MONITOR_REQ_AUTH2_READ_BANNER, 1);
523: }
524:
525:
526: return (0);
527: }
528:
529: int mm_answer_auth2_read_banner(int socket, Buffer *m)
530: {
531: char *banner;
532:
533: buffer_clear(m);
534: banner = auth2_read_banner();
535: buffer_put_cstring(m, banner != NULL ? banner : "");
536: mm_request_send(socket, MONITOR_ANS_AUTH2_READ_BANNER, m);
1.1 provos 537:
1.10 djm 538: if (banner != NULL)
539: free(banner);
1.1 provos 540:
541: return (0);
542: }
543:
544: int
545: mm_answer_authserv(int socket, Buffer *m)
546: {
547: monitor_permit_authentications(1);
548:
549: authctxt->service = buffer_get_string(m, NULL);
550: authctxt->style = buffer_get_string(m, NULL);
1.6 stevesk 551: debug3("%s: service=%s, style=%s",
1.14 ! markus 552: __func__, authctxt->service, authctxt->style);
1.6 stevesk 553:
1.1 provos 554: if (strlen(authctxt->style) == 0) {
555: xfree(authctxt->style);
556: authctxt->style = NULL;
557: }
558:
559: return (0);
560: }
561:
562: int
563: mm_answer_authpassword(int socket, Buffer *m)
564: {
565: static int call_count;
566: char *passwd;
567: int authenticated, plen;
568:
569: passwd = buffer_get_string(m, &plen);
570: /* Only authenticate if the context is valid */
1.12 markus 571: authenticated = options.password_authentication &&
572: authctxt->valid && auth_password(authctxt, passwd);
1.1 provos 573: memset(passwd, 0, strlen(passwd));
574: xfree(passwd);
575:
576: buffer_clear(m);
577: buffer_put_int(m, authenticated);
578:
1.14 ! markus 579: debug3("%s: sending result %d", __func__, authenticated);
1.1 provos 580: mm_request_send(socket, MONITOR_ANS_AUTHPASSWORD, m);
581:
582: call_count++;
583: if (plen == 0 && call_count == 1)
584: auth_method = "none";
585: else
586: auth_method = "password";
587:
588: /* Causes monitor loop to terminate if authenticated */
589: return (authenticated);
590: }
591:
592: #ifdef BSD_AUTH
593: int
594: mm_answer_bsdauthquery(int socket, Buffer *m)
595: {
596: char *name, *infotxt;
597: u_int numprompts;
598: u_int *echo_on;
599: char **prompts;
600: int res;
601:
602: res = bsdauth_query(authctxt, &name, &infotxt, &numprompts,
603: &prompts, &echo_on);
604:
605: buffer_clear(m);
606: buffer_put_int(m, res);
607: if (res != -1)
608: buffer_put_cstring(m, prompts[0]);
609:
1.14 ! markus 610: debug3("%s: sending challenge res: %d", __func__, res);
1.1 provos 611: mm_request_send(socket, MONITOR_ANS_BSDAUTHQUERY, m);
612:
613: if (res != -1) {
614: xfree(name);
615: xfree(infotxt);
616: xfree(prompts);
617: xfree(echo_on);
618: }
619:
620: return (0);
621: }
622:
623: int
624: mm_answer_bsdauthrespond(int socket, Buffer *m)
625: {
626: char *response;
627: int authok;
628:
629: if (authctxt->as == 0)
1.14 ! markus 630: fatal("%s: no bsd auth session", __func__);
1.1 provos 631:
632: response = buffer_get_string(m, NULL);
1.12 markus 633: authok = options.challenge_response_authentication &&
634: auth_userresponse(authctxt->as, response, 0);
1.1 provos 635: authctxt->as = NULL;
1.14 ! markus 636: debug3("%s: <%s> = <%d>", __func__, response, authok);
1.1 provos 637: xfree(response);
638:
639: buffer_clear(m);
640: buffer_put_int(m, authok);
641:
1.14 ! markus 642: debug3("%s: sending authenticated: %d", __func__, authok);
1.1 provos 643: mm_request_send(socket, MONITOR_ANS_BSDAUTHRESPOND, m);
644:
645: auth_method = "bsdauth";
646:
647: return (authok != 0);
648: }
649: #endif
650:
651: #ifdef SKEY
652: int
653: mm_answer_skeyquery(int socket, Buffer *m)
654: {
655: struct skey skey;
656: char challenge[1024];
657: int res;
658:
659: res = skeychallenge(&skey, authctxt->user, challenge);
660:
661: buffer_clear(m);
662: buffer_put_int(m, res);
663: if (res != -1)
664: buffer_put_cstring(m, challenge);
665:
1.14 ! markus 666: debug3("%s: sending challenge res: %d", __func__, res);
1.1 provos 667: mm_request_send(socket, MONITOR_ANS_SKEYQUERY, m);
668:
669: return (0);
670: }
671:
672: int
673: mm_answer_skeyrespond(int socket, Buffer *m)
674: {
675: char *response;
676: int authok;
677:
678: response = buffer_get_string(m, NULL);
679:
1.12 markus 680: authok = (options.challenge_response_authentication &&
681: authctxt->valid &&
1.1 provos 682: skey_haskey(authctxt->pw->pw_name) == 0 &&
683: skey_passcheck(authctxt->pw->pw_name, response) != -1);
684:
685: xfree(response);
686:
687: buffer_clear(m);
688: buffer_put_int(m, authok);
689:
1.14 ! markus 690: debug3("%s: sending authenticated: %d", __func__, authok);
1.1 provos 691: mm_request_send(socket, MONITOR_ANS_SKEYRESPOND, m);
692:
693: auth_method = "skey";
694:
695: return (authok != 0);
696: }
697: #endif
698:
1.2 markus 699: static void
1.1 provos 700: mm_append_debug(Buffer *m)
701: {
702: if (auth_debug_init && buffer_len(&auth_debug)) {
1.14 ! markus 703: debug3("%s: Appending debug messages for child", __func__);
1.1 provos 704: buffer_append(m, buffer_ptr(&auth_debug),
705: buffer_len(&auth_debug));
706: buffer_clear(&auth_debug);
707: }
708: }
709:
710: int
711: mm_answer_keyallowed(int socket, Buffer *m)
712: {
713: Key *key;
714: u_char *cuser, *chost, *blob;
715: u_int bloblen;
716: enum mm_keytype type = 0;
717: int allowed = 0;
718:
1.14 ! markus 719: debug3("%s entering", __func__);
1.3 markus 720:
1.1 provos 721: type = buffer_get_int(m);
722: cuser = buffer_get_string(m, NULL);
723: chost = buffer_get_string(m, NULL);
724: blob = buffer_get_string(m, &bloblen);
725:
726: key = key_from_blob(blob, bloblen);
727:
728: if ((compat20 && type == MM_RSAHOSTKEY) ||
729: (!compat20 && type != MM_RSAHOSTKEY))
1.14 ! markus 730: fatal("%s: key type and protocol mismatch", __func__);
1.1 provos 731:
1.14 ! markus 732: debug3("%s: key_from_blob: %p", __func__, key);
1.1 provos 733:
734: if (key != NULL && authctxt->pw != NULL) {
735: switch(type) {
736: case MM_USERKEY:
1.12 markus 737: allowed = options.pubkey_authentication &&
738: user_key_allowed(authctxt->pw, key);
1.1 provos 739: break;
740: case MM_HOSTKEY:
1.12 markus 741: allowed = options.hostbased_authentication &&
742: hostbased_key_allowed(authctxt->pw,
1.1 provos 743: cuser, chost, key);
744: break;
745: case MM_RSAHOSTKEY:
746: key->type = KEY_RSA1; /* XXX */
1.12 markus 747: allowed = options.rhosts_rsa_authentication &&
748: auth_rhosts_rsa_key_allowed(authctxt->pw,
1.1 provos 749: cuser, chost, key);
750: break;
751: default:
1.14 ! markus 752: fatal("%s: unknown key type %d", __func__, type);
1.1 provos 753: break;
754: }
755: key_free(key);
756: }
757:
758: /* clear temporarily storage (used by verify) */
759: monitor_reset_key_state();
760:
761: if (allowed) {
762: /* Save temporarily for comparison in verify */
763: key_blob = blob;
764: key_bloblen = bloblen;
765: key_blobtype = type;
766: hostbased_cuser = cuser;
767: hostbased_chost = chost;
768: }
769:
770: debug3("%s: key %p is %s",
1.14 ! markus 771: __func__, key, allowed ? "allowed" : "disallowed");
1.1 provos 772:
773: buffer_clear(m);
774: buffer_put_int(m, allowed);
775:
776: mm_append_debug(m);
777:
778: mm_request_send(socket, MONITOR_ANS_KEYALLOWED, m);
779:
780: if (type == MM_RSAHOSTKEY)
781: monitor_permit(mon_dispatch, MONITOR_REQ_RSACHALLENGE, allowed);
782:
783: return (0);
784: }
785:
786: static int
787: monitor_valid_userblob(u_char *data, u_int datalen)
788: {
789: Buffer b;
790: u_char *p;
791: u_int len;
792: int fail = 0;
793:
794: buffer_init(&b);
795: buffer_append(&b, data, datalen);
1.3 markus 796:
1.1 provos 797: if (datafellows & SSH_OLD_SESSIONID) {
1.13 markus 798: p = buffer_ptr(&b);
799: len = buffer_len(&b);
800: if ((session_id2 == NULL) ||
801: (len < session_id2_len) ||
802: (memcmp(p, session_id2, session_id2_len) != 0))
803: fail++;
1.1 provos 804: buffer_consume(&b, session_id2_len);
805: } else {
1.13 markus 806: p = buffer_get_string(&b, &len);
807: if ((session_id2 == NULL) ||
808: (len != session_id2_len) ||
809: (memcmp(p, session_id2, session_id2_len) != 0))
1.1 provos 810: fail++;
1.13 markus 811: xfree(p);
1.1 provos 812: }
813: if (buffer_get_char(&b) != SSH2_MSG_USERAUTH_REQUEST)
814: fail++;
815: p = buffer_get_string(&b, NULL);
816: if (strcmp(authctxt->user, p) != 0) {
817: log("wrong user name passed to monitor: expected %s != %.100s",
818: authctxt->user, p);
819: fail++;
820: }
821: xfree(p);
822: buffer_skip_string(&b);
823: if (datafellows & SSH_BUG_PKAUTH) {
824: if (!buffer_get_char(&b))
825: fail++;
826: } else {
827: p = buffer_get_string(&b, NULL);
828: if (strcmp("publickey", p) != 0)
829: fail++;
830: xfree(p);
831: if (!buffer_get_char(&b))
832: fail++;
833: buffer_skip_string(&b);
834: }
835: buffer_skip_string(&b);
836: if (buffer_len(&b) != 0)
837: fail++;
838: buffer_free(&b);
839: return (fail == 0);
840: }
841:
842: static int
843: monitor_valid_hostbasedblob(u_char *data, u_int datalen, u_char *cuser,
844: u_char *chost)
845: {
846: Buffer b;
847: u_char *p;
848: u_int len;
849: int fail = 0;
850:
851: buffer_init(&b);
852: buffer_append(&b, data, datalen);
1.3 markus 853:
1.13 markus 854: p = buffer_get_string(&b, &len);
855: if ((session_id2 == NULL) ||
856: (len != session_id2_len) ||
857: (memcmp(p, session_id2, session_id2_len) != 0))
1.1 provos 858: fail++;
1.13 markus 859: xfree(p);
860:
1.1 provos 861: if (buffer_get_char(&b) != SSH2_MSG_USERAUTH_REQUEST)
862: fail++;
863: p = buffer_get_string(&b, NULL);
864: if (strcmp(authctxt->user, p) != 0) {
865: log("wrong user name passed to monitor: expected %s != %.100s",
866: authctxt->user, p);
867: fail++;
868: }
869: xfree(p);
870: buffer_skip_string(&b); /* service */
871: p = buffer_get_string(&b, NULL);
872: if (strcmp(p, "hostbased") != 0)
873: fail++;
874: xfree(p);
875: buffer_skip_string(&b); /* pkalg */
876: buffer_skip_string(&b); /* pkblob */
877:
878: /* verify client host, strip trailing dot if necessary */
879: p = buffer_get_string(&b, NULL);
880: if (((len = strlen(p)) > 0) && p[len - 1] == '.')
881: p[len - 1] = '\0';
882: if (strcmp(p, chost) != 0)
883: fail++;
884: xfree(p);
885:
886: /* verify client user */
887: p = buffer_get_string(&b, NULL);
888: if (strcmp(p, cuser) != 0)
889: fail++;
890: xfree(p);
891:
892: if (buffer_len(&b) != 0)
893: fail++;
894: buffer_free(&b);
895: return (fail == 0);
896: }
897:
898: int
899: mm_answer_keyverify(int socket, Buffer *m)
900: {
901: Key *key;
902: u_char *signature, *data, *blob;
903: u_int signaturelen, datalen, bloblen;
904: int verified = 0;
905: int valid_data = 0;
906:
907: blob = buffer_get_string(m, &bloblen);
908: signature = buffer_get_string(m, &signaturelen);
909: data = buffer_get_string(m, &datalen);
910:
911: if (hostbased_cuser == NULL || hostbased_chost == NULL ||
1.8 mouring 912: !monitor_allowed_key(blob, bloblen))
1.14 ! markus 913: fatal("%s: bad key, not previously allowed", __func__);
1.1 provos 914:
915: key = key_from_blob(blob, bloblen);
916: if (key == NULL)
1.14 ! markus 917: fatal("%s: bad public key blob", __func__);
1.1 provos 918:
919: switch (key_blobtype) {
920: case MM_USERKEY:
921: valid_data = monitor_valid_userblob(data, datalen);
922: break;
923: case MM_HOSTKEY:
924: valid_data = monitor_valid_hostbasedblob(data, datalen,
925: hostbased_cuser, hostbased_chost);
926: break;
927: default:
928: valid_data = 0;
929: break;
930: }
931: if (!valid_data)
1.14 ! markus 932: fatal("%s: bad signature data blob", __func__);
1.1 provos 933:
934: verified = key_verify(key, signature, signaturelen, data, datalen);
935: debug3("%s: key %p signature %s",
1.14 ! markus 936: __func__, key, verified ? "verified" : "unverified");
1.1 provos 937:
938: key_free(key);
939: xfree(blob);
940: xfree(signature);
941: xfree(data);
942:
943: monitor_reset_key_state();
1.3 markus 944:
1.1 provos 945: buffer_clear(m);
946: buffer_put_int(m, verified);
947: mm_request_send(socket, MONITOR_ANS_KEYVERIFY, m);
948:
1.12 markus 949: auth_method = key_blobtype == MM_USERKEY ? "publickey" : "hostbased";
1.1 provos 950:
951: return (verified);
952: }
953:
1.2 markus 954: static void
1.1 provos 955: mm_record_login(Session *s, struct passwd *pw)
956: {
957: socklen_t fromlen;
958: struct sockaddr_storage from;
959:
960: /*
961: * Get IP address of client. If the connection is not a socket, let
962: * the address be 0.0.0.0.
963: */
964: memset(&from, 0, sizeof(from));
965: if (packet_connection_is_on_socket()) {
966: fromlen = sizeof(from);
967: if (getpeername(packet_get_connection_in(),
968: (struct sockaddr *) & from, &fromlen) < 0) {
969: debug("getpeername: %.100s", strerror(errno));
970: fatal_cleanup();
971: }
972: }
973: /* Record that there was a login on that tty from the remote host. */
974: record_login(s->pid, s->tty, pw->pw_name, pw->pw_uid,
975: get_remote_name_or_ip(utmp_len, options.verify_reverse_mapping),
976: (struct sockaddr *)&from);
977: }
978:
979: static void
980: mm_session_close(Session *s)
981: {
1.14 ! markus 982: debug3("%s: session %d pid %d", __func__, s->self, s->pid);
1.1 provos 983: if (s->ttyfd != -1) {
1.14 ! markus 984: debug3("%s: tty %s ptyfd %d", __func__, s->tty, s->ptyfd);
1.1 provos 985: fatal_remove_cleanup(session_pty_cleanup2, (void *)s);
986: session_pty_cleanup2(s);
987: }
988: s->used = 0;
989: }
990:
991: int
992: mm_answer_pty(int socket, Buffer *m)
993: {
1.11 mouring 994: extern struct monitor *pmonitor;
1.1 provos 995: Session *s;
996: int res, fd0;
997:
1.14 ! markus 998: debug3("%s entering", __func__);
1.1 provos 999:
1000: buffer_clear(m);
1001: s = session_new();
1002: if (s == NULL)
1003: goto error;
1004: s->authctxt = authctxt;
1005: s->pw = authctxt->pw;
1.11 mouring 1006: s->pid = pmonitor->m_pid;
1.1 provos 1007: res = pty_allocate(&s->ptyfd, &s->ttyfd, s->tty, sizeof(s->tty));
1008: if (res == 0)
1009: goto error;
1010: fatal_add_cleanup(session_pty_cleanup2, (void *)s);
1011: pty_setowner(authctxt->pw, s->tty);
1012:
1013: buffer_put_int(m, 1);
1014: buffer_put_cstring(m, s->tty);
1015: mm_request_send(socket, MONITOR_ANS_PTY, m);
1016:
1017: mm_send_fd(socket, s->ptyfd);
1018: mm_send_fd(socket, s->ttyfd);
1019:
1020: /* We need to trick ttyslot */
1021: if (dup2(s->ttyfd, 0) == -1)
1.14 ! markus 1022: fatal("%s: dup2", __func__);
1.1 provos 1023:
1024: mm_record_login(s, authctxt->pw);
1025:
1026: /* Now we can close the file descriptor again */
1027: close(0);
1028:
1029: /* make sure nothing uses fd 0 */
1030: if ((fd0 = open(_PATH_DEVNULL, O_RDONLY)) < 0)
1.14 ! markus 1031: fatal("%s: open(/dev/null): %s", __func__, strerror(errno));
1.1 provos 1032: if (fd0 != 0)
1.14 ! markus 1033: error("%s: fd0 %d != 0", __func__, fd0);
1.1 provos 1034:
1035: /* slave is not needed */
1036: close(s->ttyfd);
1037: s->ttyfd = s->ptyfd;
1038: /* no need to dup() because nobody closes ptyfd */
1039: s->ptymaster = s->ptyfd;
1040:
1.14 ! markus 1041: debug3("%s: tty %s ptyfd %d", __func__, s->tty, s->ttyfd);
1.1 provos 1042:
1043: return (0);
1044:
1045: error:
1046: if (s != NULL)
1047: mm_session_close(s);
1048: buffer_put_int(m, 0);
1049: mm_request_send(socket, MONITOR_ANS_PTY, m);
1050: return (0);
1051: }
1052:
1053: int
1054: mm_answer_pty_cleanup(int socket, Buffer *m)
1055: {
1056: Session *s;
1057: char *tty;
1058:
1.14 ! markus 1059: debug3("%s entering", __func__);
1.1 provos 1060:
1061: tty = buffer_get_string(m, NULL);
1062: if ((s = session_by_tty(tty)) != NULL)
1063: mm_session_close(s);
1064: buffer_clear(m);
1065: xfree(tty);
1066: return (0);
1067: }
1068:
1069: int
1070: mm_answer_sesskey(int socket, Buffer *m)
1071: {
1072: BIGNUM *p;
1073: int rsafail;
1074:
1075: /* Turn off permissions */
1076: monitor_permit(mon_dispatch, MONITOR_REQ_SESSKEY, 1);
1077:
1078: if ((p = BN_new()) == NULL)
1.14 ! markus 1079: fatal("%s: BN_new", __func__);
1.1 provos 1080:
1081: buffer_get_bignum2(m, p);
1082:
1083: rsafail = ssh1_session_key(p);
1084:
1085: buffer_clear(m);
1086: buffer_put_int(m, rsafail);
1087: buffer_put_bignum2(m, p);
1088:
1089: BN_clear_free(p);
1090:
1091: mm_request_send(socket, MONITOR_ANS_SESSKEY, m);
1092:
1093: /* Turn on permissions for sessid passing */
1094: monitor_permit(mon_dispatch, MONITOR_REQ_SESSID, 1);
1095:
1096: return (0);
1097: }
1098:
1099: int
1100: mm_answer_sessid(int socket, Buffer *m)
1101: {
1102: int i;
1103:
1.14 ! markus 1104: debug3("%s entering", __func__);
1.1 provos 1105:
1106: if (buffer_len(m) != 16)
1.14 ! markus 1107: fatal("%s: bad ssh1 session id", __func__);
1.1 provos 1108: for (i = 0; i < 16; i++)
1109: session_id[i] = buffer_get_char(m);
1110:
1111: /* Turn on permissions for getpwnam */
1112: monitor_permit(mon_dispatch, MONITOR_REQ_PWNAM, 1);
1113:
1114: return (0);
1115: }
1116:
1117: int
1118: mm_answer_rsa_keyallowed(int socket, Buffer *m)
1119: {
1120: BIGNUM *client_n;
1121: Key *key = NULL;
1.3 markus 1122: u_char *blob = NULL;
1123: u_int blen = 0;
1.1 provos 1124: int allowed = 0;
1125:
1.14 ! markus 1126: debug3("%s entering", __func__);
1.1 provos 1127:
1.12 markus 1128: if (options.rsa_authentication && authctxt->valid) {
1.1 provos 1129: if ((client_n = BN_new()) == NULL)
1.14 ! markus 1130: fatal("%s: BN_new", __func__);
1.1 provos 1131: buffer_get_bignum2(m, client_n);
1132: allowed = auth_rsa_key_allowed(authctxt->pw, client_n, &key);
1133: BN_clear_free(client_n);
1134: }
1135: buffer_clear(m);
1136: buffer_put_int(m, allowed);
1137:
1138: /* clear temporarily storage (used by generate challenge) */
1139: monitor_reset_key_state();
1140:
1141: if (allowed && key != NULL) {
1142: key->type = KEY_RSA; /* cheat for key_to_blob */
1143: if (key_to_blob(key, &blob, &blen) == 0)
1.14 ! markus 1144: fatal("%s: key_to_blob failed", __func__);
1.1 provos 1145: buffer_put_string(m, blob, blen);
1146:
1147: /* Save temporarily for comparison in verify */
1148: key_blob = blob;
1149: key_bloblen = blen;
1150: key_blobtype = MM_RSAUSERKEY;
1151: key_free(key);
1152: }
1153:
1154: mm_append_debug(m);
1155:
1156: mm_request_send(socket, MONITOR_ANS_RSAKEYALLOWED, m);
1157:
1158: monitor_permit(mon_dispatch, MONITOR_REQ_RSACHALLENGE, allowed);
1159: monitor_permit(mon_dispatch, MONITOR_REQ_RSARESPONSE, 0);
1160: return (0);
1161: }
1162:
1163: int
1164: mm_answer_rsa_challenge(int socket, Buffer *m)
1165: {
1166: Key *key = NULL;
1.3 markus 1167: u_char *blob;
1168: u_int blen;
1.1 provos 1169:
1.14 ! markus 1170: debug3("%s entering", __func__);
1.1 provos 1171:
1172: if (!authctxt->valid)
1.14 ! markus 1173: fatal("%s: authctxt not valid", __func__);
1.1 provos 1174: blob = buffer_get_string(m, &blen);
1175: if (!monitor_allowed_key(blob, blen))
1.14 ! markus 1176: fatal("%s: bad key, not previously allowed", __func__);
1.1 provos 1177: if (key_blobtype != MM_RSAUSERKEY && key_blobtype != MM_RSAHOSTKEY)
1.14 ! markus 1178: fatal("%s: key type mismatch", __func__);
1.1 provos 1179: if ((key = key_from_blob(blob, blen)) == NULL)
1.14 ! markus 1180: fatal("%s: received bad key", __func__);
1.1 provos 1181:
1182: if (ssh1_challenge)
1183: BN_clear_free(ssh1_challenge);
1184: ssh1_challenge = auth_rsa_generate_challenge(key);
1185:
1186: buffer_clear(m);
1187: buffer_put_bignum2(m, ssh1_challenge);
1188:
1.14 ! markus 1189: debug3("%s sending reply", __func__);
1.1 provos 1190: mm_request_send(socket, MONITOR_ANS_RSACHALLENGE, m);
1191:
1192: monitor_permit(mon_dispatch, MONITOR_REQ_RSARESPONSE, 1);
1193: return (0);
1194: }
1195:
1196: int
1197: mm_answer_rsa_response(int socket, Buffer *m)
1198: {
1199: Key *key = NULL;
1.3 markus 1200: u_char *blob, *response;
1201: u_int blen, len;
1202: int success;
1.1 provos 1203:
1.14 ! markus 1204: debug3("%s entering", __func__);
1.1 provos 1205:
1206: if (!authctxt->valid)
1.14 ! markus 1207: fatal("%s: authctxt not valid", __func__);
1.1 provos 1208: if (ssh1_challenge == NULL)
1.14 ! markus 1209: fatal("%s: no ssh1_challenge", __func__);
1.1 provos 1210:
1211: blob = buffer_get_string(m, &blen);
1212: if (!monitor_allowed_key(blob, blen))
1.14 ! markus 1213: fatal("%s: bad key, not previously allowed", __func__);
1.1 provos 1214: if (key_blobtype != MM_RSAUSERKEY && key_blobtype != MM_RSAHOSTKEY)
1.14 ! markus 1215: fatal("%s: key type mismatch: %d", __func__, key_blobtype);
1.1 provos 1216: if ((key = key_from_blob(blob, blen)) == NULL)
1.14 ! markus 1217: fatal("%s: received bad key", __func__);
1.1 provos 1218: response = buffer_get_string(m, &len);
1219: if (len != 16)
1.14 ! markus 1220: fatal("%s: received bad response to challenge", __func__);
1.1 provos 1221: success = auth_rsa_verify_response(key, ssh1_challenge, response);
1222:
1223: key_free(key);
1224: xfree(response);
1225:
1226: auth_method = key_blobtype == MM_RSAUSERKEY ? "rsa" : "rhosts-rsa";
1227:
1228: /* reset state */
1229: BN_clear_free(ssh1_challenge);
1230: ssh1_challenge = NULL;
1231: monitor_reset_key_state();
1232:
1233: buffer_clear(m);
1234: buffer_put_int(m, success);
1235: mm_request_send(socket, MONITOR_ANS_RSARESPONSE, m);
1236:
1237: return (success);
1238: }
1239:
1240: int
1241: mm_answer_term(int socket, Buffer *req)
1242: {
1.11 mouring 1243: extern struct monitor *pmonitor;
1.1 provos 1244: int res, status;
1245:
1.14 ! markus 1246: debug3("%s: tearing down sessions", __func__);
1.1 provos 1247:
1248: /* The child is terminating */
1249: session_destroy_all(&mm_session_close);
1250:
1.11 mouring 1251: while (waitpid(pmonitor->m_pid, &status, 0) == -1)
1.9 markus 1252: if (errno != EINTR)
1253: exit(1);
1.1 provos 1254:
1255: res = WIFEXITED(status) ? WEXITSTATUS(status) : 1;
1256:
1257: /* Terminate process */
1258: exit (res);
1259: }
1260:
1261: void
1.11 mouring 1262: monitor_apply_keystate(struct monitor *pmonitor)
1.1 provos 1263: {
1264: if (compat20) {
1265: set_newkeys(MODE_IN);
1266: set_newkeys(MODE_OUT);
1267: } else {
1.5 markus 1268: u_char key[SSH_SESSION_KEY_LENGTH];
1269:
1270: memset(key, 'a', sizeof(key));
1.1 provos 1271: packet_set_protocol_flags(child_state.ssh1protoflags);
1272: packet_set_encryption_key(key, SSH_SESSION_KEY_LENGTH,
1273: child_state.ssh1cipher);
1274: }
1275:
1276: packet_set_keycontext(MODE_OUT, child_state.keyout);
1277: xfree(child_state.keyout);
1278: packet_set_keycontext(MODE_IN, child_state.keyin);
1279: xfree(child_state.keyin);
1280:
1281: if (!compat20) {
1282: packet_set_iv(MODE_OUT, child_state.ivout);
1283: xfree(child_state.ivout);
1284: packet_set_iv(MODE_IN, child_state.ivin);
1285: xfree(child_state.ivin);
1286: }
1287:
1288: memcpy(&incoming_stream, &child_state.incoming,
1289: sizeof(incoming_stream));
1290: memcpy(&outgoing_stream, &child_state.outgoing,
1291: sizeof(outgoing_stream));
1.3 markus 1292:
1.1 provos 1293: /* Update with new address */
1.11 mouring 1294: mm_init_compression(pmonitor->m_zlib);
1.1 provos 1295:
1296: /* Network I/O buffers */
1297: /* XXX inefficient for large buffers, need: buffer_init_from_string */
1298: buffer_clear(&input);
1299: buffer_append(&input, child_state.input, child_state.ilen);
1300: memset(child_state.input, 0, child_state.ilen);
1301: xfree(child_state.input);
1302:
1303: buffer_clear(&output);
1304: buffer_append(&output, child_state.output, child_state.olen);
1305: memset(child_state.output, 0, child_state.olen);
1306: xfree(child_state.output);
1307: }
1308:
1.2 markus 1309: static Kex *
1.1 provos 1310: mm_get_kex(Buffer *m)
1311: {
1312: Kex *kex;
1313: void *blob;
1314: u_int bloblen;
1315:
1316: kex = xmalloc(sizeof(*kex));
1317: memset(kex, 0, sizeof(*kex));
1318: kex->session_id = buffer_get_string(m, &kex->session_id_len);
1.13 markus 1319: if ((session_id2 == NULL) ||
1320: (kex->session_id_len != session_id2_len) ||
1321: (memcmp(kex->session_id, session_id2, session_id2_len) != 0))
1322: fatal("mm_get_get: internal error: bad session id");
1.1 provos 1323: kex->we_need = buffer_get_int(m);
1324: kex->server = 1;
1325: kex->hostkey_type = buffer_get_int(m);
1326: kex->kex_type = buffer_get_int(m);
1327: blob = buffer_get_string(m, &bloblen);
1328: buffer_init(&kex->my);
1329: buffer_append(&kex->my, blob, bloblen);
1330: xfree(blob);
1331: blob = buffer_get_string(m, &bloblen);
1332: buffer_init(&kex->peer);
1333: buffer_append(&kex->peer, blob, bloblen);
1334: xfree(blob);
1335: kex->done = 1;
1336: kex->flags = buffer_get_int(m);
1337: kex->client_version_string = buffer_get_string(m, NULL);
1338: kex->server_version_string = buffer_get_string(m, NULL);
1339: kex->load_host_key=&get_hostkey_by_type;
1340: kex->host_key_index=&get_hostkey_index;
1341:
1342: return (kex);
1343: }
1344:
1345: /* This function requries careful sanity checking */
1346:
1347: void
1.11 mouring 1348: mm_get_keystate(struct monitor *pmonitor)
1.1 provos 1349: {
1350: Buffer m;
1351: u_char *blob, *p;
1352: u_int bloblen, plen;
1353:
1.14 ! markus 1354: debug3("%s: Waiting for new keys", __func__);
1.1 provos 1355:
1356: buffer_init(&m);
1.11 mouring 1357: mm_request_receive_expect(pmonitor->m_sendfd, MONITOR_REQ_KEYEXPORT, &m);
1.1 provos 1358: if (!compat20) {
1359: child_state.ssh1protoflags = buffer_get_int(&m);
1360: child_state.ssh1cipher = buffer_get_int(&m);
1361: child_state.ivout = buffer_get_string(&m,
1362: &child_state.ivoutlen);
1363: child_state.ivin = buffer_get_string(&m, &child_state.ivinlen);
1364: goto skip;
1365: } else {
1366: /* Get the Kex for rekeying */
1.11 mouring 1367: *pmonitor->m_pkex = mm_get_kex(&m);
1.1 provos 1368: }
1369:
1370: blob = buffer_get_string(&m, &bloblen);
1371: current_keys[MODE_OUT] = mm_newkeys_from_blob(blob, bloblen);
1372: xfree(blob);
1373:
1.14 ! markus 1374: debug3("%s: Waiting for second key", __func__);
1.1 provos 1375: blob = buffer_get_string(&m, &bloblen);
1376: current_keys[MODE_IN] = mm_newkeys_from_blob(blob, bloblen);
1377: xfree(blob);
1.3 markus 1378:
1.1 provos 1379: /* Now get sequence numbers for the packets */
1380: packet_set_seqnr(MODE_OUT, buffer_get_int(&m));
1381: packet_set_seqnr(MODE_IN, buffer_get_int(&m));
1382:
1383: skip:
1384: /* Get the key context */
1385: child_state.keyout = buffer_get_string(&m, &child_state.keyoutlen);
1386: child_state.keyin = buffer_get_string(&m, &child_state.keyinlen);
1387:
1.14 ! markus 1388: debug3("%s: Getting compression state", __func__);
1.1 provos 1389: /* Get compression state */
1390: p = buffer_get_string(&m, &plen);
1391: if (plen != sizeof(child_state.outgoing))
1.14 ! markus 1392: fatal("%s: bad request size", __func__);
1.1 provos 1393: memcpy(&child_state.outgoing, p, sizeof(child_state.outgoing));
1394: xfree(p);
1395:
1396: p = buffer_get_string(&m, &plen);
1397: if (plen != sizeof(child_state.incoming))
1.14 ! markus 1398: fatal("%s: bad request size", __func__);
1.1 provos 1399: memcpy(&child_state.incoming, p, sizeof(child_state.incoming));
1400: xfree(p);
1401:
1402: /* Network I/O buffers */
1.14 ! markus 1403: debug3("%s: Getting Network I/O buffers", __func__);
1.1 provos 1404: child_state.input = buffer_get_string(&m, &child_state.ilen);
1405: child_state.output = buffer_get_string(&m, &child_state.olen);
1406:
1407: buffer_free(&m);
1408: }
1409:
1410:
1411: /* Allocation functions for zlib */
1412: void *
1413: mm_zalloc(struct mm_master *mm, u_int ncount, u_int size)
1414: {
1415: void *address;
1416:
1417: address = mm_malloc(mm, size * ncount);
1418:
1419: return (address);
1420: }
1421:
1422: void
1423: mm_zfree(struct mm_master *mm, void *address)
1424: {
1425: mm_free(mm, address);
1426: }
1427:
1428: void
1429: mm_init_compression(struct mm_master *mm)
1430: {
1431: outgoing_stream.zalloc = (alloc_func)mm_zalloc;
1432: outgoing_stream.zfree = (free_func)mm_zfree;
1433: outgoing_stream.opaque = mm;
1434:
1435: incoming_stream.zalloc = (alloc_func)mm_zalloc;
1436: incoming_stream.zfree = (free_func)mm_zfree;
1437: incoming_stream.opaque = mm;
1438: }
1439:
1440: /* XXX */
1441:
1442: #define FD_CLOSEONEXEC(x) do { \
1443: if (fcntl(x, F_SETFD, 1) == -1) \
1444: fatal("fcntl(%d, F_SETFD)", x); \
1445: } while (0)
1446:
1.2 markus 1447: static void
1.1 provos 1448: monitor_socketpair(int *pair)
1.3 markus 1449: {
1.1 provos 1450: if (socketpair(AF_UNIX, SOCK_STREAM, 0, pair) == -1)
1.14 ! markus 1451: fatal("%s: socketpair", __func__);
1.1 provos 1452: FD_CLOSEONEXEC(pair[0]);
1453: FD_CLOSEONEXEC(pair[1]);
1454: }
1455:
1456: #define MM_MEMSIZE 65536
1457:
1458: struct monitor *
1459: monitor_init(void)
1460: {
1461: struct monitor *mon;
1462: int pair[2];
1463:
1464: mon = xmalloc(sizeof(*mon));
1465:
1466: monitor_socketpair(pair);
1467:
1468: mon->m_recvfd = pair[0];
1469: mon->m_sendfd = pair[1];
1470:
1471: /* Used to share zlib space across processes */
1472: mon->m_zback = mm_create(NULL, MM_MEMSIZE);
1473: mon->m_zlib = mm_create(mon->m_zback, 20 * MM_MEMSIZE);
1474:
1475: /* Compression needs to share state across borders */
1476: mm_init_compression(mon->m_zlib);
1477:
1478: return mon;
1479: }
1480:
1481: void
1482: monitor_reinit(struct monitor *mon)
1483: {
1484: int pair[2];
1485:
1486: monitor_socketpair(pair);
1487:
1488: mon->m_recvfd = pair[0];
1489: mon->m_sendfd = pair[1];
1490: }