Annotation of src/usr.bin/ssh/monitor_wrap.c, Revision 1.81
1.81 ! markus 1: /* $OpenBSD: monitor_wrap.c,v 1.80 2014/04/29 18:01:49 markus Exp $ */
1.1 provos 2: /*
3: * Copyright 2002 Niels Provos <provos@citi.umich.edu>
4: * Copyright 2002 Markus Friedl <markus@openbsd.org>
5: * All rights reserved.
6: *
7: * Redistribution and use in source and binary forms, with or without
8: * modification, are permitted provided that the following conditions
9: * are met:
10: * 1. Redistributions of source code must retain the above copyright
11: * notice, this list of conditions and the following disclaimer.
12: * 2. Redistributions in binary form must reproduce the above copyright
13: * notice, this list of conditions and the following disclaimer in the
14: * documentation and/or other materials provided with the distribution.
15: *
16: * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
17: * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
18: * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
19: * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
20: * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
21: * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
22: * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
23: * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
24: * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
25: * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
26: */
27:
1.46 stevesk 28: #include <sys/types.h>
1.51 dtucker 29: #include <sys/uio.h>
1.61 djm 30: #include <sys/queue.h>
1.46 stevesk 31:
1.47 stevesk 32: #include <errno.h>
1.46 stevesk 33: #include <pwd.h>
1.50 deraadt 34: #include <signal.h>
1.49 stevesk 35: #include <stdio.h>
1.48 stevesk 36: #include <string.h>
1.51 dtucker 37: #include <unistd.h>
1.68 dtucker 38:
1.80 markus 39: #ifdef WITH_OPENSSL
1.68 dtucker 40: #include <openssl/bn.h>
41: #include <openssl/dh.h>
1.80 markus 42: #endif
1.1 provos 43:
1.50 deraadt 44: #include "xmalloc.h"
1.1 provos 45: #include "ssh.h"
1.80 markus 46: #ifdef WITH_OPENSSL
1.1 provos 47: #include "dh.h"
1.80 markus 48: #endif
1.50 deraadt 49: #include "buffer.h"
50: #include "key.h"
51: #include "cipher.h"
1.1 provos 52: #include "kex.h"
1.50 deraadt 53: #include "hostfile.h"
1.1 provos 54: #include "auth.h"
1.22 markus 55: #include "auth-options.h"
1.1 provos 56: #include "packet.h"
57: #include "mac.h"
58: #include "log.h"
1.54 miod 59: #include <zlib.h>
1.1 provos 60: #include "monitor.h"
1.50 deraadt 61: #ifdef GSSAPI
62: #include "ssh-gss.h"
63: #endif
1.1 provos 64: #include "monitor_wrap.h"
65: #include "atomicio.h"
66: #include "monitor_fdpass.h"
1.45 djm 67: #include "misc.h"
1.70 djm 68: #include "uuencode.h"
1.1 provos 69:
70: #include "channels.h"
71: #include "session.h"
1.55 dtucker 72: #include "servconf.h"
1.67 andreas 73: #include "roaming.h"
1.29 markus 74:
1.1 provos 75: /* Imports */
76: extern int compat20;
77: extern z_stream incoming_stream;
78: extern z_stream outgoing_stream;
1.7 mouring 79: extern struct monitor *pmonitor;
1.39 dtucker 80: extern Buffer loginmsg;
1.55 dtucker 81: extern ServerOptions options;
1.73 djm 82:
83: void
84: mm_log_handler(LogLevel level, const char *msg, void *ctx)
85: {
86: Buffer log_msg;
87: struct monitor *mon = (struct monitor *)ctx;
88:
89: if (mon->m_log_sendfd == -1)
90: fatal("%s: no log channel", __func__);
91:
92: buffer_init(&log_msg);
93: /*
94: * Placeholder for packet length. Will be filled in with the actual
95: * packet length once the packet has been constucted. This saves
96: * fragile math.
97: */
98: buffer_put_int(&log_msg, 0);
99:
100: buffer_put_int(&log_msg, level);
101: buffer_put_cstring(&log_msg, msg);
102: put_u32(buffer_ptr(&log_msg), buffer_len(&log_msg) - 4);
103: if (atomicio(vwrite, mon->m_log_sendfd, buffer_ptr(&log_msg),
104: buffer_len(&log_msg)) != buffer_len(&log_msg))
105: fatal("%s: write: %s", __func__, strerror(errno));
106: buffer_free(&log_msg);
107: }
1.1 provos 108:
1.32 markus 109: int
110: mm_is_monitor(void)
111: {
112: /*
113: * m_pid is only set in the privileged part, and
114: * points to the unprivileged child.
115: */
1.34 markus 116: return (pmonitor && pmonitor->m_pid > 0);
1.32 markus 117: }
118:
1.1 provos 119: void
1.36 avsm 120: mm_request_send(int sock, enum monitor_reqtype type, Buffer *m)
1.1 provos 121: {
1.13 deraadt 122: u_int mlen = buffer_len(m);
1.1 provos 123: u_char buf[5];
124:
1.8 markus 125: debug3("%s entering: type %d", __func__, type);
1.1 provos 126:
1.45 djm 127: put_u32(buf, mlen + 1);
1.10 deraadt 128: buf[4] = (u_char) type; /* 1st byte of payload is mesg-type */
1.36 avsm 129: if (atomicio(vwrite, sock, buf, sizeof(buf)) != sizeof(buf))
1.40 avsm 130: fatal("%s: write: %s", __func__, strerror(errno));
1.36 avsm 131: if (atomicio(vwrite, sock, buffer_ptr(m), mlen) != mlen)
1.40 avsm 132: fatal("%s: write: %s", __func__, strerror(errno));
1.1 provos 133: }
134:
135: void
1.36 avsm 136: mm_request_receive(int sock, Buffer *m)
1.1 provos 137: {
138: u_char buf[4];
1.13 deraadt 139: u_int msg_len;
1.1 provos 140:
1.8 markus 141: debug3("%s entering", __func__);
1.1 provos 142:
1.40 avsm 143: if (atomicio(read, sock, buf, sizeof(buf)) != sizeof(buf)) {
144: if (errno == EPIPE)
1.32 markus 145: cleanup_exit(255);
1.40 avsm 146: fatal("%s: read: %s", __func__, strerror(errno));
1.1 provos 147: }
1.45 djm 148: msg_len = get_u32(buf);
1.1 provos 149: if (msg_len > 256 * 1024)
1.8 markus 150: fatal("%s: read: bad msg_len %d", __func__, msg_len);
1.1 provos 151: buffer_clear(m);
152: buffer_append_space(m, msg_len);
1.40 avsm 153: if (atomicio(read, sock, buffer_ptr(m), msg_len) != msg_len)
154: fatal("%s: read: %s", __func__, strerror(errno));
1.1 provos 155: }
156:
157: void
1.36 avsm 158: mm_request_receive_expect(int sock, enum monitor_reqtype type, Buffer *m)
1.1 provos 159: {
160: u_char rtype;
161:
1.8 markus 162: debug3("%s entering: type %d", __func__, type);
1.1 provos 163:
1.36 avsm 164: mm_request_receive(sock, m);
1.1 provos 165: rtype = buffer_get_char(m);
166: if (rtype != type)
1.8 markus 167: fatal("%s: read: rtype %d != type %d", __func__,
1.1 provos 168: rtype, type);
169: }
170:
1.80 markus 171: #ifdef WITH_OPENSSL
1.1 provos 172: DH *
173: mm_choose_dh(int min, int nbits, int max)
174: {
175: BIGNUM *p, *g;
176: int success = 0;
177: Buffer m;
178:
179: buffer_init(&m);
180: buffer_put_int(&m, min);
181: buffer_put_int(&m, nbits);
182: buffer_put_int(&m, max);
183:
1.7 mouring 184: mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_MODULI, &m);
1.1 provos 185:
1.8 markus 186: debug3("%s: waiting for MONITOR_ANS_MODULI", __func__);
1.7 mouring 187: mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_MODULI, &m);
1.1 provos 188:
189: success = buffer_get_char(&m);
190: if (success == 0)
1.8 markus 191: fatal("%s: MONITOR_ANS_MODULI failed", __func__);
1.1 provos 192:
193: if ((p = BN_new()) == NULL)
1.8 markus 194: fatal("%s: BN_new failed", __func__);
1.3 markus 195: if ((g = BN_new()) == NULL)
1.8 markus 196: fatal("%s: BN_new failed", __func__);
1.1 provos 197: buffer_get_bignum2(&m, p);
198: buffer_get_bignum2(&m, g);
199:
1.8 markus 200: debug3("%s: remaining %d", __func__, buffer_len(&m));
1.1 provos 201: buffer_free(&m);
202:
203: return (dh_new_group(g, p));
204: }
1.80 markus 205: #endif
1.1 provos 206:
207: int
208: mm_key_sign(Key *key, u_char **sigp, u_int *lenp, u_char *data, u_int datalen)
209: {
1.7 mouring 210: Kex *kex = *pmonitor->m_pkex;
1.1 provos 211: Buffer m;
212:
1.8 markus 213: debug3("%s entering", __func__);
1.1 provos 214:
215: buffer_init(&m);
216: buffer_put_int(&m, kex->host_key_index(key));
217: buffer_put_string(&m, data, datalen);
218:
1.7 mouring 219: mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_SIGN, &m);
1.1 provos 220:
1.8 markus 221: debug3("%s: waiting for MONITOR_ANS_SIGN", __func__);
1.7 mouring 222: mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_SIGN, &m);
1.1 provos 223: *sigp = buffer_get_string(&m, lenp);
224: buffer_free(&m);
225:
226: return (0);
227: }
228:
229: struct passwd *
1.37 dtucker 230: mm_getpwnamallow(const char *username)
1.1 provos 231: {
232: Buffer m;
233: struct passwd *pw;
1.72 djm 234: u_int len, i;
1.55 dtucker 235: ServerOptions *newopts;
1.1 provos 236:
1.8 markus 237: debug3("%s entering", __func__);
1.1 provos 238:
239: buffer_init(&m);
1.37 dtucker 240: buffer_put_cstring(&m, username);
1.1 provos 241:
1.7 mouring 242: mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_PWNAM, &m);
1.1 provos 243:
1.8 markus 244: debug3("%s: waiting for MONITOR_ANS_PWNAM", __func__);
1.7 mouring 245: mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_PWNAM, &m);
1.1 provos 246:
247: if (buffer_get_char(&m) == 0) {
1.60 dtucker 248: pw = NULL;
249: goto out;
1.1 provos 250: }
1.55 dtucker 251: pw = buffer_get_string(&m, &len);
252: if (len != sizeof(struct passwd))
1.8 markus 253: fatal("%s: struct passwd size mismatch", __func__);
1.1 provos 254: pw->pw_name = buffer_get_string(&m, NULL);
255: pw->pw_passwd = buffer_get_string(&m, NULL);
256: pw->pw_gecos = buffer_get_string(&m, NULL);
257: pw->pw_class = buffer_get_string(&m, NULL);
258: pw->pw_dir = buffer_get_string(&m, NULL);
259: pw->pw_shell = buffer_get_string(&m, NULL);
1.55 dtucker 260:
1.60 dtucker 261: out:
1.55 dtucker 262: /* copy options block as a Match directive may have changed some */
263: newopts = buffer_get_string(&m, &len);
264: if (len != sizeof(*newopts))
265: fatal("%s: option block size mismatch", __func__);
1.71 djm 266:
267: #define M_CP_STROPT(x) do { \
268: if (newopts->x != NULL) \
269: newopts->x = buffer_get_string(&m, NULL); \
270: } while (0)
1.72 djm 271: #define M_CP_STRARRAYOPT(x, nx) do { \
272: for (i = 0; i < newopts->nx; i++) \
273: newopts->x[i] = buffer_get_string(&m, NULL); \
274: } while (0)
1.71 djm 275: /* See comment in servconf.h */
276: COPY_MATCH_STRING_OPTS();
277: #undef M_CP_STROPT
1.72 djm 278: #undef M_CP_STRARRAYOPT
1.71 djm 279:
1.55 dtucker 280: copy_set_server_options(&options, newopts, 1);
1.76 djm 281: free(newopts);
1.55 dtucker 282:
1.1 provos 283: buffer_free(&m);
284:
285: return (pw);
1.6 djm 286: }
287:
1.33 markus 288: char *
289: mm_auth2_read_banner(void)
1.6 djm 290: {
291: Buffer m;
292: char *banner;
293:
1.8 markus 294: debug3("%s entering", __func__);
1.6 djm 295:
296: buffer_init(&m);
1.7 mouring 297: mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUTH2_READ_BANNER, &m);
1.6 djm 298: buffer_clear(&m);
299:
1.33 markus 300: mm_request_receive_expect(pmonitor->m_recvfd,
301: MONITOR_ANS_AUTH2_READ_BANNER, &m);
1.6 djm 302: banner = buffer_get_string(&m, NULL);
303: buffer_free(&m);
1.10 deraadt 304:
1.33 markus 305: /* treat empty banner as missing banner */
306: if (strlen(banner) == 0) {
1.76 djm 307: free(banner);
1.33 markus 308: banner = NULL;
309: }
1.6 djm 310: return (banner);
1.1 provos 311: }
312:
313: /* Inform the privileged process about service and style */
314:
315: void
316: mm_inform_authserv(char *service, char *style)
317: {
318: Buffer m;
319:
1.8 markus 320: debug3("%s entering", __func__);
1.1 provos 321:
322: buffer_init(&m);
323: buffer_put_cstring(&m, service);
324: buffer_put_cstring(&m, style ? style : "");
325:
1.7 mouring 326: mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUTHSERV, &m);
1.1 provos 327:
328: buffer_free(&m);
329: }
330:
331: /* Do the password authentication */
332: int
333: mm_auth_password(Authctxt *authctxt, char *password)
334: {
335: Buffer m;
336: int authenticated = 0;
337:
1.8 markus 338: debug3("%s entering", __func__);
1.1 provos 339:
340: buffer_init(&m);
341: buffer_put_cstring(&m, password);
1.7 mouring 342: mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUTHPASSWORD, &m);
1.1 provos 343:
1.8 markus 344: debug3("%s: waiting for MONITOR_ANS_AUTHPASSWORD", __func__);
1.7 mouring 345: mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_AUTHPASSWORD, &m);
1.1 provos 346:
347: authenticated = buffer_get_int(&m);
348:
349: buffer_free(&m);
350:
1.3 markus 351: debug3("%s: user %sauthenticated",
1.8 markus 352: __func__, authenticated ? "" : "not ");
1.1 provos 353: return (authenticated);
354: }
355:
356: int
357: mm_user_key_allowed(struct passwd *pw, Key *key)
358: {
359: return (mm_key_allowed(MM_USERKEY, NULL, NULL, key));
360: }
361:
362: int
363: mm_hostbased_key_allowed(struct passwd *pw, char *user, char *host,
364: Key *key)
365: {
366: return (mm_key_allowed(MM_HOSTKEY, user, host, key));
367: }
368:
369: int
370: mm_auth_rhosts_rsa_key_allowed(struct passwd *pw, char *user,
371: char *host, Key *key)
372: {
373: int ret;
374:
375: key->type = KEY_RSA; /* XXX hack for key_to_blob */
376: ret = mm_key_allowed(MM_RSAHOSTKEY, user, host, key);
377: key->type = KEY_RSA1;
378: return (ret);
379: }
380:
381: int
382: mm_key_allowed(enum mm_keytype type, char *user, char *host, Key *key)
383: {
384: Buffer m;
385: u_char *blob;
386: u_int len;
1.22 markus 387: int allowed = 0, have_forced = 0;
1.1 provos 388:
1.8 markus 389: debug3("%s entering", __func__);
1.1 provos 390:
391: /* Convert the key to a blob and the pass it over */
392: if (!key_to_blob(key, &blob, &len))
393: return (0);
394:
395: buffer_init(&m);
396: buffer_put_int(&m, type);
397: buffer_put_cstring(&m, user ? user : "");
398: buffer_put_cstring(&m, host ? host : "");
399: buffer_put_string(&m, blob, len);
1.76 djm 400: free(blob);
1.1 provos 401:
1.7 mouring 402: mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_KEYALLOWED, &m);
1.1 provos 403:
1.8 markus 404: debug3("%s: waiting for MONITOR_ANS_KEYALLOWED", __func__);
1.7 mouring 405: mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_KEYALLOWED, &m);
1.1 provos 406:
407: allowed = buffer_get_int(&m);
408:
1.22 markus 409: /* fake forced command */
410: auth_clear_options();
411: have_forced = buffer_get_int(&m);
412: forced_command = have_forced ? xstrdup("true") : NULL;
413:
1.1 provos 414: buffer_free(&m);
415:
416: return (allowed);
417: }
418:
1.3 markus 419: /*
1.1 provos 420: * This key verify needs to send the key type along, because the
421: * privileged parent makes the decision if the key is allowed
422: * for authentication.
423: */
424:
425: int
426: mm_key_verify(Key *key, u_char *sig, u_int siglen, u_char *data, u_int datalen)
427: {
428: Buffer m;
429: u_char *blob;
430: u_int len;
431: int verified = 0;
432:
1.8 markus 433: debug3("%s entering", __func__);
1.1 provos 434:
435: /* Convert the key to a blob and the pass it over */
436: if (!key_to_blob(key, &blob, &len))
437: return (0);
438:
439: buffer_init(&m);
440: buffer_put_string(&m, blob, len);
441: buffer_put_string(&m, sig, siglen);
442: buffer_put_string(&m, data, datalen);
1.76 djm 443: free(blob);
1.1 provos 444:
1.7 mouring 445: mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_KEYVERIFY, &m);
1.1 provos 446:
1.8 markus 447: debug3("%s: waiting for MONITOR_ANS_KEYVERIFY", __func__);
1.7 mouring 448: mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_KEYVERIFY, &m);
1.1 provos 449:
450: verified = buffer_get_int(&m);
451:
452: buffer_free(&m);
453:
454: return (verified);
455: }
456:
457: /* Export key state after authentication */
458: Newkeys *
459: mm_newkeys_from_blob(u_char *blob, int blen)
460: {
461: Buffer b;
462: u_int len;
463: Newkeys *newkey = NULL;
464: Enc *enc;
465: Mac *mac;
466: Comp *comp;
467:
1.8 markus 468: debug3("%s: %p(%d)", __func__, blob, blen);
1.1 provos 469: #ifdef DEBUG_PK
470: dump_base64(stderr, blob, blen);
471: #endif
472: buffer_init(&b);
473: buffer_append(&b, blob, blen);
474:
1.77 markus 475: newkey = xcalloc(1, sizeof(*newkey));
1.1 provos 476: enc = &newkey->enc;
477: mac = &newkey->mac;
478: comp = &newkey->comp;
479:
480: /* Enc structure */
481: enc->name = buffer_get_string(&b, NULL);
482: buffer_get(&b, &enc->cipher, sizeof(enc->cipher));
483: enc->enabled = buffer_get_int(&b);
484: enc->block_size = buffer_get_int(&b);
485: enc->key = buffer_get_string(&b, &enc->key_len);
1.75 markus 486: enc->iv = buffer_get_string(&b, &enc->iv_len);
1.1 provos 487:
488: if (enc->name == NULL || cipher_by_name(enc->name) != enc->cipher)
1.8 markus 489: fatal("%s: bad cipher name %s or pointer %p", __func__,
1.1 provos 490: enc->name, enc->cipher);
491:
492: /* Mac structure */
1.75 markus 493: if (cipher_authlen(enc->cipher) == 0) {
494: mac->name = buffer_get_string(&b, NULL);
1.81 ! markus 495: if (mac->name == NULL || mac_setup(mac, mac->name) != 0)
1.75 markus 496: fatal("%s: can not setup mac %s", __func__, mac->name);
497: mac->enabled = buffer_get_int(&b);
498: mac->key = buffer_get_string(&b, &len);
499: if (len > mac->key_len)
500: fatal("%s: bad mac key length: %u > %d", __func__, len,
501: mac->key_len);
502: mac->key_len = len;
503: }
1.1 provos 504:
505: /* Comp structure */
506: comp->type = buffer_get_int(&b);
507: comp->enabled = buffer_get_int(&b);
508: comp->name = buffer_get_string(&b, NULL);
509:
510: len = buffer_len(&b);
511: if (len != 0)
1.12 deraadt 512: error("newkeys_from_blob: remaining bytes in blob %u", len);
1.1 provos 513: buffer_free(&b);
514: return (newkey);
515: }
516:
517: int
518: mm_newkeys_to_blob(int mode, u_char **blobp, u_int *lenp)
519: {
520: Buffer b;
521: int len;
522: Enc *enc;
523: Mac *mac;
524: Comp *comp;
1.66 andreas 525: Newkeys *newkey = (Newkeys *)packet_get_newkeys(mode);
1.1 provos 526:
1.8 markus 527: debug3("%s: converting %p", __func__, newkey);
1.1 provos 528:
529: if (newkey == NULL) {
1.8 markus 530: error("%s: newkey == NULL", __func__);
1.1 provos 531: return 0;
532: }
533: enc = &newkey->enc;
534: mac = &newkey->mac;
535: comp = &newkey->comp;
536:
537: buffer_init(&b);
538: /* Enc structure */
539: buffer_put_cstring(&b, enc->name);
540: /* The cipher struct is constant and shared, you export pointer */
541: buffer_append(&b, &enc->cipher, sizeof(enc->cipher));
542: buffer_put_int(&b, enc->enabled);
543: buffer_put_int(&b, enc->block_size);
544: buffer_put_string(&b, enc->key, enc->key_len);
1.75 markus 545: packet_get_keyiv(mode, enc->iv, enc->iv_len);
546: buffer_put_string(&b, enc->iv, enc->iv_len);
1.1 provos 547:
548: /* Mac structure */
1.75 markus 549: if (cipher_authlen(enc->cipher) == 0) {
550: buffer_put_cstring(&b, mac->name);
551: buffer_put_int(&b, mac->enabled);
552: buffer_put_string(&b, mac->key, mac->key_len);
553: }
1.1 provos 554:
555: /* Comp structure */
556: buffer_put_int(&b, comp->type);
557: buffer_put_int(&b, comp->enabled);
558: buffer_put_cstring(&b, comp->name);
559:
560: len = buffer_len(&b);
1.16 markus 561: if (lenp != NULL)
562: *lenp = len;
563: if (blobp != NULL) {
564: *blobp = xmalloc(len);
565: memcpy(*blobp, buffer_ptr(&b), len);
566: }
1.79 djm 567: explicit_bzero(buffer_ptr(&b), len);
1.1 provos 568: buffer_free(&b);
569: return len;
570: }
571:
1.2 markus 572: static void
1.1 provos 573: mm_send_kex(Buffer *m, Kex *kex)
574: {
575: buffer_put_string(m, kex->session_id, kex->session_id_len);
576: buffer_put_int(m, kex->we_need);
577: buffer_put_int(m, kex->hostkey_type);
578: buffer_put_int(m, kex->kex_type);
579: buffer_put_string(m, buffer_ptr(&kex->my), buffer_len(&kex->my));
580: buffer_put_string(m, buffer_ptr(&kex->peer), buffer_len(&kex->peer));
581: buffer_put_int(m, kex->flags);
582: buffer_put_cstring(m, kex->client_version_string);
583: buffer_put_cstring(m, kex->server_version_string);
584: }
585:
586: void
1.36 avsm 587: mm_send_keystate(struct monitor *monitor)
1.1 provos 588: {
1.66 andreas 589: Buffer m, *input, *output;
1.1 provos 590: u_char *blob, *p;
591: u_int bloblen, plen;
1.25 markus 592: u_int32_t seqnr, packets;
1.63 markus 593: u_int64_t blocks, bytes;
1.1 provos 594:
595: buffer_init(&m);
596:
597: if (!compat20) {
598: u_char iv[24];
1.11 markus 599: u_char *key;
600: u_int ivlen, keylen;
1.1 provos 601:
602: buffer_put_int(&m, packet_get_protocol_flags());
603:
604: buffer_put_int(&m, packet_get_ssh1_cipher());
605:
1.11 markus 606: debug3("%s: Sending ssh1 KEY+IV", __func__);
607: keylen = packet_get_encryption_key(NULL);
608: key = xmalloc(keylen+1); /* add 1 if keylen == 0 */
609: keylen = packet_get_encryption_key(key);
610: buffer_put_string(&m, key, keylen);
1.79 djm 611: explicit_bzero(key, keylen);
1.76 djm 612: free(key);
1.11 markus 613:
1.1 provos 614: ivlen = packet_get_keyiv_len(MODE_OUT);
615: packet_get_keyiv(MODE_OUT, iv, ivlen);
616: buffer_put_string(&m, iv, ivlen);
1.74 naddy 617: ivlen = packet_get_keyiv_len(MODE_IN);
1.1 provos 618: packet_get_keyiv(MODE_IN, iv, ivlen);
619: buffer_put_string(&m, iv, ivlen);
620: goto skip;
621: } else {
622: /* Kex for rekeying */
1.36 avsm 623: mm_send_kex(&m, *monitor->m_pkex);
1.1 provos 624: }
625:
626: debug3("%s: Sending new keys: %p %p",
1.66 andreas 627: __func__, packet_get_newkeys(MODE_OUT),
628: packet_get_newkeys(MODE_IN));
1.1 provos 629:
630: /* Keys from Kex */
631: if (!mm_newkeys_to_blob(MODE_OUT, &blob, &bloblen))
1.8 markus 632: fatal("%s: conversion of newkeys failed", __func__);
1.1 provos 633:
634: buffer_put_string(&m, blob, bloblen);
1.76 djm 635: free(blob);
1.1 provos 636:
637: if (!mm_newkeys_to_blob(MODE_IN, &blob, &bloblen))
1.8 markus 638: fatal("%s: conversion of newkeys failed", __func__);
1.1 provos 639:
640: buffer_put_string(&m, blob, bloblen);
1.76 djm 641: free(blob);
1.1 provos 642:
1.63 markus 643: packet_get_state(MODE_OUT, &seqnr, &blocks, &packets, &bytes);
1.25 markus 644: buffer_put_int(&m, seqnr);
645: buffer_put_int64(&m, blocks);
646: buffer_put_int(&m, packets);
1.63 markus 647: buffer_put_int64(&m, bytes);
648: packet_get_state(MODE_IN, &seqnr, &blocks, &packets, &bytes);
1.25 markus 649: buffer_put_int(&m, seqnr);
650: buffer_put_int64(&m, blocks);
651: buffer_put_int(&m, packets);
1.63 markus 652: buffer_put_int64(&m, bytes);
1.1 provos 653:
1.8 markus 654: debug3("%s: New keys have been sent", __func__);
1.1 provos 655: skip:
656: /* More key context */
657: plen = packet_get_keycontext(MODE_OUT, NULL);
658: p = xmalloc(plen+1);
659: packet_get_keycontext(MODE_OUT, p);
660: buffer_put_string(&m, p, plen);
1.76 djm 661: free(p);
1.1 provos 662:
663: plen = packet_get_keycontext(MODE_IN, NULL);
664: p = xmalloc(plen+1);
665: packet_get_keycontext(MODE_IN, p);
666: buffer_put_string(&m, p, plen);
1.76 djm 667: free(p);
1.1 provos 668:
669: /* Compression state */
1.8 markus 670: debug3("%s: Sending compression state", __func__);
1.1 provos 671: buffer_put_string(&m, &outgoing_stream, sizeof(outgoing_stream));
672: buffer_put_string(&m, &incoming_stream, sizeof(incoming_stream));
673:
674: /* Network I/O buffers */
1.66 andreas 675: input = (Buffer *)packet_get_input();
676: output = (Buffer *)packet_get_output();
677: buffer_put_string(&m, buffer_ptr(input), buffer_len(input));
678: buffer_put_string(&m, buffer_ptr(output), buffer_len(output));
1.67 andreas 679:
680: /* Roaming */
681: if (compat20) {
682: buffer_put_int64(&m, get_sent_bytes());
683: buffer_put_int64(&m, get_recv_bytes());
684: }
1.1 provos 685:
1.36 avsm 686: mm_request_send(monitor->m_recvfd, MONITOR_REQ_KEYEXPORT, &m);
1.8 markus 687: debug3("%s: Finished sending state", __func__);
1.1 provos 688:
689: buffer_free(&m);
690: }
691:
692: int
1.42 deraadt 693: mm_pty_allocate(int *ptyfd, int *ttyfd, char *namebuf, size_t namebuflen)
1.1 provos 694: {
695: Buffer m;
1.39 dtucker 696: char *p, *msg;
1.62 djm 697: int success = 0, tmp1 = -1, tmp2 = -1;
698:
699: /* Kludge: ensure there are fds free to receive the pty/tty */
700: if ((tmp1 = dup(pmonitor->m_recvfd)) == -1 ||
701: (tmp2 = dup(pmonitor->m_recvfd)) == -1) {
702: error("%s: cannot allocate fds for pty", __func__);
703: if (tmp1 > 0)
704: close(tmp1);
705: if (tmp2 > 0)
706: close(tmp2);
707: return 0;
708: }
709: close(tmp1);
710: close(tmp2);
1.1 provos 711:
712: buffer_init(&m);
1.7 mouring 713: mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_PTY, &m);
1.1 provos 714:
1.8 markus 715: debug3("%s: waiting for MONITOR_ANS_PTY", __func__);
1.7 mouring 716: mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_PTY, &m);
1.1 provos 717:
718: success = buffer_get_int(&m);
719: if (success == 0) {
1.8 markus 720: debug3("%s: pty alloc failed", __func__);
1.1 provos 721: buffer_free(&m);
722: return (0);
723: }
724: p = buffer_get_string(&m, NULL);
1.39 dtucker 725: msg = buffer_get_string(&m, NULL);
1.1 provos 726: buffer_free(&m);
727:
728: strlcpy(namebuf, p, namebuflen); /* Possible truncation */
1.76 djm 729: free(p);
1.39 dtucker 730:
731: buffer_append(&loginmsg, msg, strlen(msg));
1.76 djm 732: free(msg);
1.1 provos 733:
1.58 djm 734: if ((*ptyfd = mm_receive_fd(pmonitor->m_recvfd)) == -1 ||
735: (*ttyfd = mm_receive_fd(pmonitor->m_recvfd)) == -1)
736: fatal("%s: receive fds failed", __func__);
1.1 provos 737:
738: /* Success */
739: return (1);
740: }
741:
742: void
1.32 markus 743: mm_session_pty_cleanup2(Session *s)
1.1 provos 744: {
745: Buffer m;
746:
747: if (s->ttyfd == -1)
748: return;
749: buffer_init(&m);
750: buffer_put_cstring(&m, s->tty);
1.7 mouring 751: mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_PTYCLEANUP, &m);
1.1 provos 752: buffer_free(&m);
1.3 markus 753:
1.1 provos 754: /* closed dup'ed master */
1.62 djm 755: if (s->ptymaster != -1 && close(s->ptymaster) < 0)
756: error("close(s->ptymaster/%d): %s",
757: s->ptymaster, strerror(errno));
1.1 provos 758:
759: /* unlink pty from session */
760: s->ttyfd = -1;
761: }
762:
763: /* Request process termination */
764:
765: void
766: mm_terminate(void)
767: {
768: Buffer m;
769:
770: buffer_init(&m);
1.7 mouring 771: mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_TERM, &m);
1.1 provos 772: buffer_free(&m);
773: }
774:
1.80 markus 775: #ifdef WITH_SSH1
1.1 provos 776: int
777: mm_ssh1_session_key(BIGNUM *num)
778: {
779: int rsafail;
780: Buffer m;
781:
782: buffer_init(&m);
783: buffer_put_bignum2(&m, num);
1.7 mouring 784: mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_SESSKEY, &m);
1.1 provos 785:
1.7 mouring 786: mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_SESSKEY, &m);
1.1 provos 787:
788: rsafail = buffer_get_int(&m);
789: buffer_get_bignum2(&m, num);
790:
791: buffer_free(&m);
792:
793: return (rsafail);
794: }
1.80 markus 795: #endif
1.1 provos 796:
1.2 markus 797: static void
1.1 provos 798: mm_chall_setup(char **name, char **infotxt, u_int *numprompts,
799: char ***prompts, u_int **echo_on)
800: {
1.10 deraadt 801: *name = xstrdup("");
802: *infotxt = xstrdup("");
1.1 provos 803: *numprompts = 1;
1.43 djm 804: *prompts = xcalloc(*numprompts, sizeof(char *));
805: *echo_on = xcalloc(*numprompts, sizeof(u_int));
1.1 provos 806: (*echo_on)[0] = 0;
807: }
808:
809: int
810: mm_bsdauth_query(void *ctx, char **name, char **infotxt,
811: u_int *numprompts, char ***prompts, u_int **echo_on)
812: {
813: Buffer m;
1.21 markus 814: u_int success;
1.1 provos 815: char *challenge;
816:
1.8 markus 817: debug3("%s: entering", __func__);
1.1 provos 818:
819: buffer_init(&m);
1.7 mouring 820: mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_BSDAUTHQUERY, &m);
1.1 provos 821:
1.7 mouring 822: mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_BSDAUTHQUERY,
1.1 provos 823: &m);
1.21 markus 824: success = buffer_get_int(&m);
825: if (success == 0) {
1.8 markus 826: debug3("%s: no challenge", __func__);
1.1 provos 827: buffer_free(&m);
828: return (-1);
829: }
830:
831: /* Get the challenge, and format the response */
832: challenge = buffer_get_string(&m, NULL);
833: buffer_free(&m);
834:
835: mm_chall_setup(name, infotxt, numprompts, prompts, echo_on);
836: (*prompts)[0] = challenge;
837:
1.8 markus 838: debug3("%s: received challenge: %s", __func__, challenge);
1.1 provos 839:
840: return (0);
841: }
842:
843: int
844: mm_bsdauth_respond(void *ctx, u_int numresponses, char **responses)
845: {
846: Buffer m;
847: int authok;
848:
1.8 markus 849: debug3("%s: entering", __func__);
1.1 provos 850: if (numresponses != 1)
851: return (-1);
852:
853: buffer_init(&m);
854: buffer_put_cstring(&m, responses[0]);
1.7 mouring 855: mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_BSDAUTHRESPOND, &m);
1.1 provos 856:
1.7 mouring 857: mm_request_receive_expect(pmonitor->m_recvfd,
1.1 provos 858: MONITOR_ANS_BSDAUTHRESPOND, &m);
859:
860: authok = buffer_get_int(&m);
861: buffer_free(&m);
862:
863: return ((authok == 0) ? -1 : 0);
864: }
865:
866:
867: void
868: mm_ssh1_session_id(u_char session_id[16])
869: {
870: Buffer m;
871: int i;
872:
1.8 markus 873: debug3("%s entering", __func__);
1.1 provos 874:
875: buffer_init(&m);
876: for (i = 0; i < 16; i++)
877: buffer_put_char(&m, session_id[i]);
878:
1.7 mouring 879: mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_SESSID, &m);
1.1 provos 880: buffer_free(&m);
881: }
882:
1.80 markus 883: #ifdef WITH_SSH1
1.1 provos 884: int
885: mm_auth_rsa_key_allowed(struct passwd *pw, BIGNUM *client_n, Key **rkey)
886: {
887: Buffer m;
888: Key *key;
889: u_char *blob;
890: u_int blen;
1.22 markus 891: int allowed = 0, have_forced = 0;
1.1 provos 892:
1.8 markus 893: debug3("%s entering", __func__);
1.1 provos 894:
895: buffer_init(&m);
896: buffer_put_bignum2(&m, client_n);
897:
1.7 mouring 898: mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_RSAKEYALLOWED, &m);
899: mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_RSAKEYALLOWED, &m);
1.1 provos 900:
901: allowed = buffer_get_int(&m);
1.22 markus 902:
903: /* fake forced command */
904: auth_clear_options();
905: have_forced = buffer_get_int(&m);
906: forced_command = have_forced ? xstrdup("true") : NULL;
1.1 provos 907:
908: if (allowed && rkey != NULL) {
909: blob = buffer_get_string(&m, &blen);
910: if ((key = key_from_blob(blob, blen)) == NULL)
1.8 markus 911: fatal("%s: key_from_blob failed", __func__);
1.1 provos 912: *rkey = key;
1.76 djm 913: free(blob);
1.1 provos 914: }
915: buffer_free(&m);
916:
917: return (allowed);
918: }
919:
920: BIGNUM *
921: mm_auth_rsa_generate_challenge(Key *key)
922: {
923: Buffer m;
924: BIGNUM *challenge;
925: u_char *blob;
926: u_int blen;
927:
1.8 markus 928: debug3("%s entering", __func__);
1.1 provos 929:
930: if ((challenge = BN_new()) == NULL)
1.8 markus 931: fatal("%s: BN_new failed", __func__);
1.1 provos 932:
933: key->type = KEY_RSA; /* XXX cheat for key_to_blob */
934: if (key_to_blob(key, &blob, &blen) == 0)
1.8 markus 935: fatal("%s: key_to_blob failed", __func__);
1.1 provos 936: key->type = KEY_RSA1;
937:
938: buffer_init(&m);
939: buffer_put_string(&m, blob, blen);
1.76 djm 940: free(blob);
1.1 provos 941:
1.7 mouring 942: mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_RSACHALLENGE, &m);
943: mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_RSACHALLENGE, &m);
1.1 provos 944:
945: buffer_get_bignum2(&m, challenge);
946: buffer_free(&m);
947:
948: return (challenge);
949: }
950:
951: int
952: mm_auth_rsa_verify_response(Key *key, BIGNUM *p, u_char response[16])
953: {
954: Buffer m;
955: u_char *blob;
956: u_int blen;
957: int success = 0;
958:
1.8 markus 959: debug3("%s entering", __func__);
1.1 provos 960:
961: key->type = KEY_RSA; /* XXX cheat for key_to_blob */
962: if (key_to_blob(key, &blob, &blen) == 0)
1.8 markus 963: fatal("%s: key_to_blob failed", __func__);
1.1 provos 964: key->type = KEY_RSA1;
965:
966: buffer_init(&m);
967: buffer_put_string(&m, blob, blen);
968: buffer_put_string(&m, response, 16);
1.76 djm 969: free(blob);
1.1 provos 970:
1.7 mouring 971: mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_RSARESPONSE, &m);
972: mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_RSARESPONSE, &m);
1.1 provos 973:
974: success = buffer_get_int(&m);
975: buffer_free(&m);
976:
977: return (success);
978: }
1.80 markus 979: #endif
1.29 markus 980:
981: #ifdef GSSAPI
982: OM_uint32
1.36 avsm 983: mm_ssh_gssapi_server_ctx(Gssctxt **ctx, gss_OID goid)
1.29 markus 984: {
985: Buffer m;
986: OM_uint32 major;
987:
988: /* Client doesn't get to see the context */
989: *ctx = NULL;
990:
991: buffer_init(&m);
1.36 avsm 992: buffer_put_string(&m, goid->elements, goid->length);
1.29 markus 993:
994: mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_GSSSETUP, &m);
995: mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_GSSSETUP, &m);
996:
997: major = buffer_get_int(&m);
998:
999: buffer_free(&m);
1000: return (major);
1001: }
1002:
1003: OM_uint32
1004: mm_ssh_gssapi_accept_ctx(Gssctxt *ctx, gss_buffer_desc *in,
1005: gss_buffer_desc *out, OM_uint32 *flags)
1006: {
1007: Buffer m;
1008: OM_uint32 major;
1.30 deraadt 1009: u_int len;
1.29 markus 1010:
1011: buffer_init(&m);
1012: buffer_put_string(&m, in->value, in->length);
1013:
1014: mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_GSSSTEP, &m);
1015: mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_GSSSTEP, &m);
1016:
1017: major = buffer_get_int(&m);
1.30 deraadt 1018: out->value = buffer_get_string(&m, &len);
1019: out->length = len;
1.29 markus 1020: if (flags)
1021: *flags = buffer_get_int(&m);
1022:
1023: buffer_free(&m);
1024:
1025: return (major);
1.35 markus 1026: }
1027:
1028: OM_uint32
1029: mm_ssh_gssapi_checkmic(Gssctxt *ctx, gss_buffer_t gssbuf, gss_buffer_t gssmic)
1030: {
1031: Buffer m;
1032: OM_uint32 major;
1033:
1034: buffer_init(&m);
1035: buffer_put_string(&m, gssbuf->value, gssbuf->length);
1036: buffer_put_string(&m, gssmic->value, gssmic->length);
1037:
1038: mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_GSSCHECKMIC, &m);
1039: mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_GSSCHECKMIC,
1040: &m);
1041:
1042: major = buffer_get_int(&m);
1043: buffer_free(&m);
1044: return(major);
1.29 markus 1045: }
1046:
1047: int
1048: mm_ssh_gssapi_userok(char *user)
1049: {
1050: Buffer m;
1051: int authenticated = 0;
1052:
1053: buffer_init(&m);
1054:
1055: mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_GSSUSEROK, &m);
1056: mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_GSSUSEROK,
1057: &m);
1058:
1059: authenticated = buffer_get_int(&m);
1060:
1061: buffer_free(&m);
1062: debug3("%s: user %sauthenticated",__func__, authenticated ? "" : "not ");
1063: return (authenticated);
1064: }
1065: #endif /* GSSAPI */
1.64 djm 1066: