=================================================================== RCS file: /cvsrepo/anoncvs/cvs/src/usr.bin/ssh/sshd.c,v retrieving revision 1.563 retrieving revision 1.564 diff -u -r1.563 -r1.564 --- src/usr.bin/ssh/sshd.c 2020/10/16 13:26:13 1.563 +++ src/usr.bin/ssh/sshd.c 2020/10/18 11:32:02 1.564 @@ -1,4 +1,4 @@ -/* $OpenBSD: sshd.c,v 1.563 2020/10/16 13:26:13 djm Exp $ */ +/* $OpenBSD: sshd.c,v 1.564 2020/10/18 11:32:02 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -387,9 +387,8 @@ if (sensitive_data.host_keys[i]) { if ((r = sshkey_from_private( sensitive_data.host_keys[i], &tmp)) != 0) - fatal("could not demote host %s key: %s", - sshkey_type(sensitive_data.host_keys[i]), - ssh_err(r)); + fatal_r(r, "could not demote host %s key", + sshkey_type(sensitive_data.host_keys[i])); sshkey_free(sensitive_data.host_keys[i]); sensitive_data.host_keys[i] = tmp; } @@ -467,8 +466,7 @@ if (have_agent) { r = ssh_get_authentication_socket(&auth_sock); if (r != 0) { - error("Could not get agent socket: %s", - ssh_err(r)); + error_r(r, "Could not get agent socket"); have_agent = 0; } } @@ -481,17 +479,17 @@ if (errno == EINTR) continue; pmonitor->m_pid = -1; - fatal("%s: waitpid: %s", __func__, strerror(errno)); + fatal_f("waitpid: %s", strerror(errno)); } privsep_is_preauth = 0; pmonitor->m_pid = -1; if (WIFEXITED(status)) { if (WEXITSTATUS(status) != 0) - fatal("%s: preauth child exited with status %d", - __func__, WEXITSTATUS(status)); + fatal_f("preauth child exited with status %d", + WEXITSTATUS(status)); } else if (WIFSIGNALED(status)) - fatal("%s: preauth child terminated by signal %d", - __func__, WTERMSIG(status)); + fatal_f("preauth child terminated by signal %d", + WTERMSIG(status)); if (box != NULL) ssh_sandbox_parent_finish(box); return 1; @@ -565,12 +563,11 @@ int r; if (match_pattern_list(s, options.hostkeyalgorithms, 0) != 1) { - debug3("%s: %s key not permitted by HostkeyAlgorithms", - __func__, s); + debug3_f("%s key not permitted by HostkeyAlgorithms", s); return; } if ((r = sshbuf_putf(b, "%s%s", sshbuf_len(b) > 0 ? "," : "", s)) != 0) - fatal("%s: sshbuf_putf: %s", __func__, ssh_err(r)); + fatal_fr(r, "sshbuf_putf"); } static char * @@ -582,7 +579,7 @@ u_int i; if ((b = sshbuf_new()) == NULL) - fatal("%s: sshbuf_new failed", __func__); + fatal_f("sshbuf_new failed"); for (i = 0; i < options.num_host_key_files; i++) { key = sensitive_data.host_keys[i]; if (key == NULL) @@ -627,9 +624,9 @@ } } if ((ret = sshbuf_dup_string(b)) == NULL) - fatal("%s: sshbuf_dup_string failed", __func__); + fatal_f("sshbuf_dup_string failed"); sshbuf_free(b); - debug("%s: %s", __func__, ret); + debug_f("%s", ret); return ret; } @@ -743,7 +740,7 @@ return; if ((buf = sshbuf_new()) == NULL) - fatal("%s: sshbuf_new", __func__); + fatal_f("sshbuf_new"); for (i = nkeys = 0; i < options.num_host_key_files; i++) { key = get_hostkey_public_by_index(i, ssh); if (key == NULL || key->type == KEY_UNSPEC || @@ -751,8 +748,7 @@ continue; fp = sshkey_fingerprint(key, options.fingerprint_hash, SSH_FP_DEFAULT); - debug3("%s: key %d: %s %s", __func__, i, - sshkey_ssh_name(key), fp); + debug3_f("key %d: %s %s", i, sshkey_ssh_name(key), fp); free(fp); if (nkeys == 0) { /* @@ -767,15 +763,14 @@ /* Append the key to the request */ sshbuf_reset(buf); if ((r = sshkey_putb(key, buf)) != 0) - fatal("%s: couldn't put hostkey %d: %s", - __func__, i, ssh_err(r)); + fatal_fr(r, "couldn't put hostkey %d", i); if ((r = sshpkt_put_stringb(ssh, buf)) != 0) sshpkt_fatal(ssh, r, "%s: append key", __func__); nkeys++; } - debug3("%s: sent %u hostkeys", __func__, nkeys); + debug3_f("sent %u hostkeys", nkeys); if (nkeys == 0) - fatal("%s: no hostkeys", __func__); + fatal_f("no hostkeys"); if ((r = sshpkt_send(ssh)) != 0) sshpkt_fatal(ssh, r, "%s: send", __func__); sshbuf_free(buf); @@ -805,7 +800,7 @@ p += options.max_startups_rate; r = arc4random_uniform(100); - debug("%s: p %d, r %d", __func__, p, r); + debug_f("p %d, r %d", p, r); return (r < p) ? 1 : 0; } @@ -893,18 +888,18 @@ struct include_item *item = NULL; int r; - debug3("%s: entering fd = %d config len %zu", __func__, fd, + debug3_f("entering fd = %d config len %zu", fd, sshbuf_len(conf)); if ((m = sshbuf_new()) == NULL || (inc = sshbuf_new()) == NULL) - fatal("%s: sshbuf_new failed", __func__); + fatal_f("sshbuf_new failed"); /* pack includes into a string */ TAILQ_FOREACH(item, &includes, entry) { if ((r = sshbuf_put_cstring(inc, item->selector)) != 0 || (r = sshbuf_put_cstring(inc, item->filename)) != 0 || (r = sshbuf_put_stringb(inc, item->contents)) != 0) - fatal("%s: buffer error: %s", __func__, ssh_err(r)); + fatal_fr(r, "compose includes"); } /* @@ -918,14 +913,14 @@ */ if ((r = sshbuf_put_stringb(m, conf)) != 0 || (r = sshbuf_put_stringb(m, inc)) != 0) - fatal("%s: buffer error: %s", __func__, ssh_err(r)); + fatal_fr(r, "compose config"); if (ssh_msg_send(fd, 0, m) == -1) - error("%s: ssh_msg_send failed", __func__); + error_f("ssh_msg_send failed"); sshbuf_free(m); sshbuf_free(inc); - debug3("%s: done", __func__); + debug3_f("done"); } static void @@ -937,38 +932,38 @@ int r; struct include_item *item; - debug3("%s: entering fd = %d", __func__, fd); + debug3_f("entering fd = %d", fd); if ((m = sshbuf_new()) == NULL || (inc = sshbuf_new()) == NULL) - fatal("%s: sshbuf_new failed", __func__); + fatal_f("sshbuf_new failed"); if (ssh_msg_recv(fd, m) == -1) - fatal("%s: ssh_msg_recv failed", __func__); + fatal_f("ssh_msg_recv failed"); if ((r = sshbuf_get_u8(m, &ver)) != 0) - fatal("%s: buffer error: %s", __func__, ssh_err(r)); + fatal_fr(r, "parse version"); if (ver != 0) - fatal("%s: rexec version mismatch", __func__); + fatal_f("rexec version mismatch"); if ((r = sshbuf_get_string(m, &cp, &len)) != 0 || (r = sshbuf_get_stringb(m, inc)) != 0) - fatal("%s: buffer error: %s", __func__, ssh_err(r)); + fatal_fr(r, "parse config"); if (conf != NULL && (r = sshbuf_put(conf, cp, len))) - fatal("%s: buffer error: %s", __func__, ssh_err(r)); + fatal_fr(r, "sshbuf_put"); while (sshbuf_len(inc) != 0) { item = xcalloc(1, sizeof(*item)); if ((item->contents = sshbuf_new()) == NULL) - fatal("%s: sshbuf_new failed", __func__); + fatal_f("sshbuf_new failed"); if ((r = sshbuf_get_cstring(inc, &item->selector, NULL)) != 0 || (r = sshbuf_get_cstring(inc, &item->filename, NULL)) != 0 || (r = sshbuf_get_stringb(inc, item->contents)) != 0) - fatal("%s: buffer error: %s", __func__, ssh_err(r)); + fatal_fr(r, "parse includes"); TAILQ_INSERT_TAIL(&includes, item, entry); } free(cp); sshbuf_free(m); - debug3("%s: done", __func__); + debug3_f("done"); } /* Accept a connection from inetd */ @@ -988,7 +983,7 @@ * ttyfd happens to be one of those. */ if (stdfd_devnull(1, 1, !log_stderr) == -1) - error("%s: stdfd_devnull failed", __func__); + error_f("stdfd_devnull failed"); debug("inetd sockets after dupping: %d, %d", *sock_in, *sock_out); } @@ -1165,9 +1160,9 @@ if (errno == EINTR || errno == EAGAIN) continue; if (errno != EPIPE) { - error("%s: startup pipe %d (fd=%d): " - "read %s", __func__, i, - startup_pipes[i], strerror(errno)); + error_f("startup pipe %d (fd=%d): " + "read %s", i, startup_pipes[i], + strerror(errno)); } /* FALLTHROUGH */ case 0: @@ -1374,7 +1369,7 @@ if (rtable != ortable && setrtable(rtable) != 0) fatal("Unable to set routing domain %d: %s", rtable, strerror(errno)); - debug("%s: set routing domain %d (was %d)", __func__, rtable, ortable); + debug_f("set routing domain %d (was %d)", rtable, ortable); } static void @@ -1388,16 +1383,16 @@ int r; if (ctx == NULL && (ctx = ssh_digest_start(SSH_DIGEST_SHA512)) == NULL) - fatal("%s: ssh_digest_start", __func__); + fatal_f("ssh_digest_start"); if (key == NULL) { /* finalize */ /* add server config in case we are using agent for host keys */ if (ssh_digest_update(ctx, sshbuf_ptr(server_cfg), sshbuf_len(server_cfg)) != 0) - fatal("%s: ssh_digest_update", __func__); + fatal_f("ssh_digest_update"); len = ssh_digest_bytes(SSH_DIGEST_SHA512); hash = xmalloc(len); if (ssh_digest_final(ctx, hash, len) != 0) - fatal("%s: ssh_digest_final", __func__); + fatal_f("ssh_digest_final"); options.timing_secret = PEEK_U64(hash); freezero(hash, len); ssh_digest_free(ctx); @@ -1405,11 +1400,11 @@ return; } if ((buf = sshbuf_new()) == NULL) - fatal("%s could not allocate buffer", __func__); + fatal_f("could not allocate buffer"); if ((r = sshkey_private_serialize(key, buf)) != 0) - fatal("sshkey_private_serialize: %s", ssh_err(r)); + fatal_fr(r, "decode key"); if (ssh_digest_update(ctx, sshbuf_ptr(buf), sshbuf_len(buf)) != 0) - fatal("%s: ssh_digest_update", __func__); + fatal_f("ssh_digest_update"); sshbuf_reset(buf); sshbuf_free(buf); } @@ -1606,7 +1601,7 @@ /* Fetch our configuration */ if ((cfg = sshbuf_new()) == NULL) - fatal("%s: sshbuf_new failed", __func__); + fatal_f("sshbuf_new failed"); if (rexeced_flag) { setproctitle("%s", "[rexeced]"); recv_rexec_state(REEXEC_CONFIG_PASS_FD, cfg); @@ -1688,8 +1683,8 @@ if ((r = ssh_get_authentication_socket(NULL)) == 0) have_agent = 1; else - error("Could not connect to agent \"%s\": %s", - options.host_key_agent, ssh_err(r)); + error_r(r, "Could not connect to agent \"%s\"", + options.host_key_agent); } for (i = 0; i < options.num_host_key_files; i++) { @@ -1700,8 +1695,8 @@ continue; if ((r = sshkey_load_private(options.host_key_files[i], "", &key, NULL)) != 0 && r != SSH_ERR_SYSTEM_ERROR) - do_log2(ll, "Unable to load host key \"%s\": %s", - options.host_key_files[i], ssh_err(r)); + do_log2_r(r, ll, "Unable to load host key \"%s\"", + options.host_key_files[i]); if (sshkey_is_sk(key) && key->sk_flags & SSH_SK_USER_PRESENCE_REQD) { debug("host key %s requires user presence, ignoring", @@ -1710,15 +1705,15 @@ } if (r == 0 && key != NULL && (r = sshkey_shield_private(key)) != 0) { - do_log2(ll, "Unable to shield host key \"%s\": %s", - options.host_key_files[i], ssh_err(r)); + do_log2_r(r, ll, "Unable to shield host key \"%s\"", + options.host_key_files[i]); sshkey_free(key); key = NULL; } if ((r = sshkey_load_public(options.host_key_files[i], &pubkey, NULL)) != 0 && r != SSH_ERR_SYSTEM_ERROR) - do_log2(ll, "Unable to load host key \"%s\": %s", - options.host_key_files[i], ssh_err(r)); + do_log2_r(r, ll, "Unable to load host key \"%s\"", + options.host_key_files[i]); if (pubkey != NULL && key != NULL) { if (!sshkey_equal(pubkey, key)) { error("Public key for %s does not match " @@ -1729,8 +1724,8 @@ } if (pubkey == NULL && key != NULL) { if ((r = sshkey_from_private(key, &pubkey)) != 0) - fatal("Could not demote key: \"%s\": %s", - options.host_key_files[i], ssh_err(r)); + fatal_r(r, "Could not demote key: \"%s\"", + options.host_key_files[i]); } sensitive_data.host_keys[i] = key; sensitive_data.host_pubkeys[i] = pubkey; @@ -1789,8 +1784,8 @@ continue; if ((r = sshkey_load_public(options.host_cert_files[i], &key, NULL)) != 0) { - error("Could not load host certificate \"%s\": %s", - options.host_cert_files[i], ssh_err(r)); + error_r(r, "Could not load host certificate \"%s\"", + options.host_cert_files[i]); continue; } if (!sshkey_is_cert(key)) { @@ -1971,7 +1966,7 @@ close(REEXEC_CONFIG_PASS_FD); newsock = sock_out = sock_in = dup(STDIN_FILENO); if (stdfd_devnull(1, 1, 0) == -1) - error("%s: stdfd_devnull failed", __func__); + error_f("stdfd_devnull failed"); debug("rexec cleanup in %d out %d newsock %d pipe %d sock %d", sock_in, sock_out, newsock, startup_pipe, config_s[0]); } @@ -2062,7 +2057,7 @@ /* prepare buffer to collect messages to display to user after login */ if ((loginmsg = sshbuf_new()) == NULL) - fatal("%s: sshbuf_new failed", __func__); + fatal_f("sshbuf_new failed"); auth_debug_reset(); if (use_privsep) { @@ -2070,7 +2065,7 @@ goto authenticated; } else if (have_agent) { if ((r = ssh_get_authentication_socket(&auth_sock)) != 0) { - error("Unable to get agent socket: %s", ssh_err(r)); + error_r(r, "Unable to get agent socket"); have_agent = 0; } } @@ -2150,24 +2145,23 @@ if (mm_sshkey_sign(ssh, privkey, signature, slenp, data, dlen, alg, options.sk_provider, NULL, ssh->compat) < 0) - fatal("%s: privkey sign failed", __func__); + fatal_f("privkey sign failed"); } else { if (mm_sshkey_sign(ssh, pubkey, signature, slenp, data, dlen, alg, options.sk_provider, NULL, ssh->compat) < 0) - fatal("%s: pubkey sign failed", __func__); + fatal_f("pubkey sign failed"); } } else { if (privkey) { if (sshkey_sign(privkey, signature, slenp, data, dlen, alg, options.sk_provider, NULL, ssh->compat) < 0) - fatal("%s: privkey sign failed", __func__); + fatal_f("privkey sign failed"); } else { if ((r = ssh_agent_sign(auth_sock, pubkey, signature, slenp, data, dlen, alg, ssh->compat)) != 0) { - fatal("%s: agent sign failed: %s", - __func__, ssh_err(r)); + fatal_fr(r, "agent sign failed"); } } } @@ -2205,7 +2199,7 @@ /* start key exchange */ if ((r = kex_setup(ssh, myproposal)) != 0) - fatal("kex_setup: %s", ssh_err(r)); + fatal_r(r, "kex_setup"); kex = ssh->kex; #ifdef WITH_OPENSSL kex->kex[KEX_DH_GRP1_SHA1] = kex_gen_server; @@ -2235,7 +2229,7 @@ (r = sshpkt_put_cstring(ssh, "markus")) != 0 || (r = sshpkt_send(ssh)) != 0 || (r = ssh_packet_write_wait(ssh)) != 0) - fatal("%s: send test: %s", __func__, ssh_err(r)); + fatal_fr(r, "send test"); #endif debug("KEX done"); } @@ -2250,9 +2244,10 @@ pmonitor != NULL && pmonitor->m_pid > 1) { debug("Killing privsep child %d", pmonitor->m_pid); if (kill(pmonitor->m_pid, SIGKILL) != 0 && - errno != ESRCH) - error("%s: kill(%d): %s", __func__, - pmonitor->m_pid, strerror(errno)); + errno != ESRCH) { + error_f("kill(%d): %s", pmonitor->m_pid, + strerror(errno)); + } } } _exit(i);