1/*
2 * Copyright 2002 Niels Provos <provos@citi.umich.edu>
3 * Copyright 2002 Markus Friedl <markus@openbsd.org>
4 * All rights reserved.
5 *
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions
8 * are met:
--- 11 unchanged lines hidden (view full) ---
20 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
21 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
22 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
23 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
24 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
25 */
26
27#include "includes.h"
28RCSID("$OpenBSD: monitor.c,v 1.61 2004/07/17 05:31:41 dtucker Exp $");
29RCSID("$FreeBSD: head/crypto/openssh/monitor.c 137019 2004-10-28 16:11:31Z des $");
30
31#include <openssl/dh.h>
32
33#ifdef SKEY
34#ifdef OPIE
35#include <opie.h>
36#define skey opie
37#define skeychallenge(k, u, c) opiechallenge((k), (u), (c))
--- 29 unchanged lines hidden (view full) ---
67#include "monitor_wrap.h"
68#include "monitor_fdpass.h"
69#include "xmalloc.h"
70#include "misc.h"
71#include "buffer.h"
72#include "bufaux.h"
73#include "compat.h"
74#include "ssh2.h"
75
76#ifdef GSSAPI
77#include "ssh-gss.h"
78static Gssctxt *gsscontext = NULL;
79#endif
80
81/* Imports */
82extern ServerOptions options;
83extern u_int utmp_len;
84extern Newkeys *current_keys[];
85extern z_stream incoming_stream;
86extern z_stream outgoing_stream;
87extern u_char session_id[];
88extern Buffer input, output;
89extern Buffer auth_debug;
90extern int auth_debug_init;
91extern Buffer loginmsg;
92
93/* State exported from the child */
94
95struct {
96 z_stream incoming;
97 z_stream outgoing;
98 u_char *keyin;
99 u_int keyinlen;
--- 255 unchanged lines hidden (view full) ---
355
356static void
357monitor_set_child_handler(pid_t pid)
358{
359 monitor_child_pid = pid;
360}
361
362static void
363monitor_child_handler(int sig)
364{
365 kill(monitor_child_pid, sig);
366}
367
368void
369monitor_child_postauth(struct monitor *pmonitor)
370{
371 monitor_set_child_handler(pmonitor->m_pid);
372 signal(SIGHUP, &monitor_child_handler);
373 signal(SIGTERM, &monitor_child_handler);
--- 98 unchanged lines hidden (view full) ---
472 key_blob = NULL;
473 key_bloblen = 0;
474 key_blobtype = MM_NOKEY;
475 hostbased_cuser = NULL;
476 hostbased_chost = NULL;
477}
478
479int
480mm_answer_moduli(int sock, Buffer *m)
481{
482 DH *dh;
483 int min, want, max;
484
485 min = buffer_get_int(m);
486 want = buffer_get_int(m);
487 max = buffer_get_int(m);
488
--- 13 unchanged lines hidden (view full) ---
502 } else {
503 /* Send first bignum */
504 buffer_put_char(m, 1);
505 buffer_put_bignum2(m, dh->p);
506 buffer_put_bignum2(m, dh->g);
507
508 DH_free(dh);
509 }
510 mm_request_send(sock, MONITOR_ANS_MODULI, m);
511 return (0);
512}
513
514int
515mm_answer_sign(int sock, Buffer *m)
516{
517 Key *key;
518 u_char *p;
519 u_char *signature;
520 u_int siglen, datlen;
521 int keyid;
522
523 debug3("%s", __func__);
--- 19 unchanged lines hidden (view full) ---
543 debug3("%s: signature %p(%u)", __func__, signature, siglen);
544
545 buffer_clear(m);
546 buffer_put_string(m, signature, siglen);
547
548 xfree(p);
549 xfree(signature);
550
551 mm_request_send(sock, MONITOR_ANS_SIGN, m);
552
553 /* Turn on permissions for getpwnam */
554 monitor_permit(mon_dispatch, MONITOR_REQ_PWNAM, 1);
555
556 return (0);
557}
558
559/* Retrieves the password entry and also checks if the user is permitted */
560
561int
562mm_answer_pwnamallow(int sock, Buffer *m)
563{
564 char *username;
565 struct passwd *pwent;
566 int allowed = 0;
567
568 debug3("%s", __func__);
569
570 if (authctxt->attempt++ != 0)
571 fatal("%s: multiple attempts for getpwnam", __func__);
572
573 username = buffer_get_string(m, NULL);
574
575 pwent = getpwnamallow(username);
576
577 authctxt->user = xstrdup(username);
578 setproctitle("%s [priv]", pwent ? username : "unknown");
579 xfree(username);
580
581 buffer_clear(m);
582
583 if (pwent == NULL) {
584 buffer_put_char(m, 0);
585 authctxt->pw = fakepw();
586 goto out;
587 }
--- 10 unchanged lines hidden (view full) ---
598#ifdef HAVE_PW_CLASS_IN_PASSWD
599 buffer_put_cstring(m, pwent->pw_class);
600#endif
601 buffer_put_cstring(m, pwent->pw_dir);
602 buffer_put_cstring(m, pwent->pw_shell);
603
604 out:
605 debug3("%s: sending MONITOR_ANS_PWNAM: %d", __func__, allowed);
606 mm_request_send(sock, MONITOR_ANS_PWNAM, m);
607
608 /* For SSHv1 allow authentication now */
609 if (!compat20)
610 monitor_permit_authentications(1);
611 else {
612 /* Allow service/style information on the auth context */
613 monitor_permit(mon_dispatch, MONITOR_REQ_AUTHSERV, 1);
614 monitor_permit(mon_dispatch, MONITOR_REQ_AUTH2_READ_BANNER, 1);
615 }
616
617#ifdef USE_PAM
618 if (options.use_pam)
619 monitor_permit(mon_dispatch, MONITOR_REQ_PAM_START, 1);
620#endif
621
622 return (0);
623}
624
625int mm_answer_auth2_read_banner(int sock, Buffer *m)
626{
627 char *banner;
628
629 buffer_clear(m);
630 banner = auth2_read_banner();
631 buffer_put_cstring(m, banner != NULL ? banner : "");
632 mm_request_send(sock, MONITOR_ANS_AUTH2_READ_BANNER, m);
633
634 if (banner != NULL)
635 xfree(banner);
636
637 return (0);
638}
639
640int
641mm_answer_authserv(int sock, Buffer *m)
642{
643 monitor_permit_authentications(1);
644
645 authctxt->service = buffer_get_string(m, NULL);
646 authctxt->style = buffer_get_string(m, NULL);
647 debug3("%s: service=%s, style=%s",
648 __func__, authctxt->service, authctxt->style);
649
650 if (strlen(authctxt->style) == 0) {
651 xfree(authctxt->style);
652 authctxt->style = NULL;
653 }
654
655 return (0);
656}
657
658int
659mm_answer_authpassword(int sock, Buffer *m)
660{
661 static int call_count;
662 char *passwd;
663 int authenticated;
664 u_int plen;
665
666 passwd = buffer_get_string(m, &plen);
667 /* Only authenticate if the context is valid */
668 authenticated = options.password_authentication &&
669 auth_password(authctxt, passwd);
670 memset(passwd, 0, strlen(passwd));
671 xfree(passwd);
672
673 buffer_clear(m);
674 buffer_put_int(m, authenticated);
675
676 debug3("%s: sending result %d", __func__, authenticated);
677 mm_request_send(sock, MONITOR_ANS_AUTHPASSWORD, m);
678
679 call_count++;
680 if (plen == 0 && call_count == 1)
681 auth_method = "none";
682 else
683 auth_method = "password";
684
685 /* Causes monitor loop to terminate if authenticated */
686 return (authenticated);
687}
688
689#ifdef BSD_AUTH
690int
691mm_answer_bsdauthquery(int sock, Buffer *m)
692{
693 char *name, *infotxt;
694 u_int numprompts;
695 u_int *echo_on;
696 char **prompts;
697 u_int success;
698
699 success = bsdauth_query(authctxt, &name, &infotxt, &numprompts,
700 &prompts, &echo_on) < 0 ? 0 : 1;
701
702 buffer_clear(m);
703 buffer_put_int(m, success);
704 if (success)
705 buffer_put_cstring(m, prompts[0]);
706
707 debug3("%s: sending challenge success: %u", __func__, success);
708 mm_request_send(sock, MONITOR_ANS_BSDAUTHQUERY, m);
709
710 if (success) {
711 xfree(name);
712 xfree(infotxt);
713 xfree(prompts);
714 xfree(echo_on);
715 }
716
717 return (0);
718}
719
720int
721mm_answer_bsdauthrespond(int sock, Buffer *m)
722{
723 char *response;
724 int authok;
725
726 if (authctxt->as == 0)
727 fatal("%s: no bsd auth session", __func__);
728
729 response = buffer_get_string(m, NULL);
730 authok = options.challenge_response_authentication &&
731 auth_userresponse(authctxt->as, response, 0);
732 authctxt->as = NULL;
733 debug3("%s: <%s> = <%d>", __func__, response, authok);
734 xfree(response);
735
736 buffer_clear(m);
737 buffer_put_int(m, authok);
738
739 debug3("%s: sending authenticated: %d", __func__, authok);
740 mm_request_send(sock, MONITOR_ANS_BSDAUTHRESPOND, m);
741
742 auth_method = "bsdauth";
743
744 return (authok != 0);
745}
746#endif
747
748#ifdef SKEY
749int
750mm_answer_skeyquery(int sock, Buffer *m)
751{
752 struct skey skey;
753 char challenge[1024];
754 u_int success;
755
756 success = _compat_skeychallenge(&skey, authctxt->user, challenge,
757 sizeof(challenge)) < 0 ? 0 : 1;
758
759 buffer_clear(m);
760 buffer_put_int(m, success);
761 if (success)
762 buffer_put_cstring(m, challenge);
763
764 debug3("%s: sending challenge success: %u", __func__, success);
765 mm_request_send(sock, MONITOR_ANS_SKEYQUERY, m);
766
767 return (0);
768}
769
770int
771mm_answer_skeyrespond(int sock, Buffer *m)
772{
773 char *response;
774 int authok;
775
776 response = buffer_get_string(m, NULL);
777
778 authok = (options.challenge_response_authentication &&
779 authctxt->valid &&
780 skey_haskey(authctxt->pw->pw_name) == 0 &&
781 skey_passcheck(authctxt->pw->pw_name, response) != -1);
782
783 xfree(response);
784
785 buffer_clear(m);
786 buffer_put_int(m, authok);
787
788 debug3("%s: sending authenticated: %d", __func__, authok);
789 mm_request_send(sock, MONITOR_ANS_SKEYRESPOND, m);
790
791 auth_method = "skey";
792
793 return (authok != 0);
794}
795#endif
796
797#ifdef USE_PAM
798int
799mm_answer_pam_start(int sock, Buffer *m)
800{
801 if (!options.use_pam)
802 fatal("UsePAM not set, but ended up in %s anyway", __func__);
803
804 start_pam(authctxt);
805
806 monitor_permit(mon_dispatch, MONITOR_REQ_PAM_ACCOUNT, 1);
807
808 return (0);
809}
810
811int
812mm_answer_pam_account(int sock, Buffer *m)
813{
814 u_int ret;
815
816 if (!options.use_pam)
817 fatal("UsePAM not set, but ended up in %s anyway", __func__);
818
819 ret = do_pam_account();
820
821 buffer_put_int(m, ret);
822
823 mm_request_send(sock, MONITOR_ANS_PAM_ACCOUNT, m);
824
825 return (ret);
826}
827
828static void *sshpam_ctxt, *sshpam_authok;
829extern KbdintDevice sshpam_device;
830
831int
832mm_answer_pam_init_ctx(int sock, Buffer *m)
833{
834
835 debug3("%s", __func__);
836 authctxt->user = buffer_get_string(m, NULL);
837 sshpam_ctxt = (sshpam_device.init_ctx)(authctxt);
838 sshpam_authok = NULL;
839 buffer_clear(m);
840 if (sshpam_ctxt != NULL) {
841 monitor_permit(mon_dispatch, MONITOR_REQ_PAM_FREE_CTX, 1);
842 buffer_put_int(m, 1);
843 } else {
844 buffer_put_int(m, 0);
845 }
846 mm_request_send(sock, MONITOR_ANS_PAM_INIT_CTX, m);
847 return (0);
848}
849
850int
851mm_answer_pam_query(int sock, Buffer *m)
852{
853 char *name, *info, **prompts;
854 u_int num, *echo_on;
855 int i, ret;
856
857 debug3("%s", __func__);
858 sshpam_authok = NULL;
859 ret = (sshpam_device.query)(sshpam_ctxt, &name, &info, &num, &prompts, &echo_on);
--- 12 unchanged lines hidden (view full) ---
872 buffer_put_cstring(m, prompts[i]);
873 xfree(prompts[i]);
874 buffer_put_int(m, echo_on[i]);
875 }
876 if (prompts != NULL)
877 xfree(prompts);
878 if (echo_on != NULL)
879 xfree(echo_on);
880 mm_request_send(sock, MONITOR_ANS_PAM_QUERY, m);
881 return (0);
882}
883
884int
885mm_answer_pam_respond(int sock, Buffer *m)
886{
887 char **resp;
888 u_int num;
889 int i, ret;
890
891 debug3("%s", __func__);
892 sshpam_authok = NULL;
893 num = buffer_get_int(m);
--- 5 unchanged lines hidden (view full) ---
899 for (i = 0; i < num; ++i)
900 xfree(resp[i]);
901 xfree(resp);
902 } else {
903 ret = (sshpam_device.respond)(sshpam_ctxt, num, NULL);
904 }
905 buffer_clear(m);
906 buffer_put_int(m, ret);
907 mm_request_send(sock, MONITOR_ANS_PAM_RESPOND, m);
908 auth_method = "keyboard-interactive/pam";
909 if (ret == 0)
910 sshpam_authok = sshpam_ctxt;
911 return (0);
912}
913
914int
915mm_answer_pam_free_ctx(int sock, Buffer *m)
916{
917
918 debug3("%s", __func__);
919 (sshpam_device.free_ctx)(sshpam_ctxt);
920 buffer_clear(m);
921 mm_request_send(sock, MONITOR_ANS_PAM_FREE_CTX, m);
922 return (sshpam_authok == sshpam_ctxt);
923}
924#endif
925
926static void
927mm_append_debug(Buffer *m)
928{
929 if (auth_debug_init && buffer_len(&auth_debug)) {
930 debug3("%s: Appending debug messages for child", __func__);
931 buffer_append(m, buffer_ptr(&auth_debug),
932 buffer_len(&auth_debug));
933 buffer_clear(&auth_debug);
934 }
935}
936
937int
938mm_answer_keyallowed(int sock, Buffer *m)
939{
940 Key *key;
941 char *cuser, *chost;
942 u_char *blob;
943 u_int bloblen;
944 enum mm_keytype type = 0;
945 int allowed = 0;
946
--- 53 unchanged lines hidden (view full) ---
1000 __func__, key, allowed ? "allowed" : "disallowed");
1001
1002 buffer_clear(m);
1003 buffer_put_int(m, allowed);
1004 buffer_put_int(m, forced_command != NULL);
1005
1006 mm_append_debug(m);
1007
1008 mm_request_send(sock, MONITOR_ANS_KEYALLOWED, m);
1009
1010 if (type == MM_RSAHOSTKEY)
1011 monitor_permit(mon_dispatch, MONITOR_REQ_RSACHALLENGE, allowed);
1012
1013 return (0);
1014}
1015
1016static int
--- 104 unchanged lines hidden (view full) ---
1121
1122 if (buffer_len(&b) != 0)
1123 fail++;
1124 buffer_free(&b);
1125 return (fail == 0);
1126}
1127
1128int
1129mm_answer_keyverify(int sock, Buffer *m)
1130{
1131 Key *key;
1132 u_char *signature, *data, *blob;
1133 u_int signaturelen, datalen, bloblen;
1134 int verified = 0;
1135 int valid_data = 0;
1136
1137 blob = buffer_get_string(m, &bloblen);
--- 33 unchanged lines hidden (view full) ---
1171 xfree(data);
1172
1173 auth_method = key_blobtype == MM_USERKEY ? "publickey" : "hostbased";
1174
1175 monitor_reset_key_state();
1176
1177 buffer_clear(m);
1178 buffer_put_int(m, verified);
1179 mm_request_send(sock, MONITOR_ANS_KEYVERIFY, m);
1180
1181 return (verified);
1182}
1183
1184static void
1185mm_record_login(Session *s, struct passwd *pw)
1186{
1187 socklen_t fromlen;
--- 25 unchanged lines hidden (view full) ---
1213 if (s->ttyfd != -1) {
1214 debug3("%s: tty %s ptyfd %d", __func__, s->tty, s->ptyfd);
1215 session_pty_cleanup2(s);
1216 }
1217 s->used = 0;
1218}
1219
1220int
1221mm_answer_pty(int sock, Buffer *m)
1222{
1223 extern struct monitor *pmonitor;
1224 Session *s;
1225 int res, fd0;
1226
1227 debug3("%s entering", __func__);
1228
1229 buffer_clear(m);
--- 5 unchanged lines hidden (view full) ---
1235 s->pid = pmonitor->m_pid;
1236 res = pty_allocate(&s->ptyfd, &s->ttyfd, s->tty, sizeof(s->tty));
1237 if (res == 0)
1238 goto error;
1239 pty_setowner(authctxt->pw, s->tty);
1240
1241 buffer_put_int(m, 1);
1242 buffer_put_cstring(m, s->tty);
1243
1244 /* We need to trick ttyslot */
1245 if (dup2(s->ttyfd, 0) == -1)
1246 fatal("%s: dup2", __func__);
1247
1248 mm_record_login(s, authctxt->pw);
1249
1250 /* Now we can close the file descriptor again */
1251 close(0);
1252
1253 /* send messages generated by record_login */
1254 buffer_put_string(m, buffer_ptr(&loginmsg), buffer_len(&loginmsg));
1255 buffer_clear(&loginmsg);
1256
1257 mm_request_send(sock, MONITOR_ANS_PTY, m);
1258
1259 mm_send_fd(sock, s->ptyfd);
1260 mm_send_fd(sock, s->ttyfd);
1261
1262 /* make sure nothing uses fd 0 */
1263 if ((fd0 = open(_PATH_DEVNULL, O_RDONLY)) < 0)
1264 fatal("%s: open(/dev/null): %s", __func__, strerror(errno));
1265 if (fd0 != 0)
1266 error("%s: fd0 %d != 0", __func__, fd0);
1267
1268 /* slave is not needed */
1269 close(s->ttyfd);
--- 4 unchanged lines hidden (view full) ---
1274 debug3("%s: tty %s ptyfd %d", __func__, s->tty, s->ttyfd);
1275
1276 return (0);
1277
1278 error:
1279 if (s != NULL)
1280 mm_session_close(s);
1281 buffer_put_int(m, 0);
1282 mm_request_send(sock, MONITOR_ANS_PTY, m);
1283 return (0);
1284}
1285
1286int
1287mm_answer_pty_cleanup(int sock, Buffer *m)
1288{
1289 Session *s;
1290 char *tty;
1291
1292 debug3("%s entering", __func__);
1293
1294 tty = buffer_get_string(m, NULL);
1295 if ((s = session_by_tty(tty)) != NULL)
1296 mm_session_close(s);
1297 buffer_clear(m);
1298 xfree(tty);
1299 return (0);
1300}
1301
1302int
1303mm_answer_sesskey(int sock, Buffer *m)
1304{
1305 BIGNUM *p;
1306 int rsafail;
1307
1308 /* Turn off permissions */
1309 monitor_permit(mon_dispatch, MONITOR_REQ_SESSKEY, 1);
1310
1311 if ((p = BN_new()) == NULL)
--- 4 unchanged lines hidden (view full) ---
1316 rsafail = ssh1_session_key(p);
1317
1318 buffer_clear(m);
1319 buffer_put_int(m, rsafail);
1320 buffer_put_bignum2(m, p);
1321
1322 BN_clear_free(p);
1323
1324 mm_request_send(sock, MONITOR_ANS_SESSKEY, m);
1325
1326 /* Turn on permissions for sessid passing */
1327 monitor_permit(mon_dispatch, MONITOR_REQ_SESSID, 1);
1328
1329 return (0);
1330}
1331
1332int
1333mm_answer_sessid(int sock, Buffer *m)
1334{
1335 int i;
1336
1337 debug3("%s entering", __func__);
1338
1339 if (buffer_len(m) != 16)
1340 fatal("%s: bad ssh1 session id", __func__);
1341 for (i = 0; i < 16; i++)
1342 session_id[i] = buffer_get_char(m);
1343
1344 /* Turn on permissions for getpwnam */
1345 monitor_permit(mon_dispatch, MONITOR_REQ_PWNAM, 1);
1346
1347 return (0);
1348}
1349
1350int
1351mm_answer_rsa_keyallowed(int sock, Buffer *m)
1352{
1353 BIGNUM *client_n;
1354 Key *key = NULL;
1355 u_char *blob = NULL;
1356 u_int blen = 0;
1357 int allowed = 0;
1358
1359 debug3("%s entering", __func__);
--- 23 unchanged lines hidden (view full) ---
1383 key_bloblen = blen;
1384 key_blobtype = MM_RSAUSERKEY;
1385 }
1386 if (key != NULL)
1387 key_free(key);
1388
1389 mm_append_debug(m);
1390
1391 mm_request_send(sock, MONITOR_ANS_RSAKEYALLOWED, m);
1392
1393 monitor_permit(mon_dispatch, MONITOR_REQ_RSACHALLENGE, allowed);
1394 monitor_permit(mon_dispatch, MONITOR_REQ_RSARESPONSE, 0);
1395 return (0);
1396}
1397
1398int
1399mm_answer_rsa_challenge(int sock, Buffer *m)
1400{
1401 Key *key = NULL;
1402 u_char *blob;
1403 u_int blen;
1404
1405 debug3("%s entering", __func__);
1406
1407 if (!authctxt->valid)
--- 9 unchanged lines hidden (view full) ---
1417 if (ssh1_challenge)
1418 BN_clear_free(ssh1_challenge);
1419 ssh1_challenge = auth_rsa_generate_challenge(key);
1420
1421 buffer_clear(m);
1422 buffer_put_bignum2(m, ssh1_challenge);
1423
1424 debug3("%s sending reply", __func__);
1425 mm_request_send(sock, MONITOR_ANS_RSACHALLENGE, m);
1426
1427 monitor_permit(mon_dispatch, MONITOR_REQ_RSARESPONSE, 1);
1428
1429 xfree(blob);
1430 key_free(key);
1431 return (0);
1432}
1433
1434int
1435mm_answer_rsa_response(int sock, Buffer *m)
1436{
1437 Key *key = NULL;
1438 u_char *blob, *response;
1439 u_int blen, len;
1440 int success;
1441
1442 debug3("%s entering", __func__);
1443
--- 22 unchanged lines hidden (view full) ---
1466
1467 /* reset state */
1468 BN_clear_free(ssh1_challenge);
1469 ssh1_challenge = NULL;
1470 monitor_reset_key_state();
1471
1472 buffer_clear(m);
1473 buffer_put_int(m, success);
1474 mm_request_send(sock, MONITOR_ANS_RSARESPONSE, m);
1475
1476 return (success);
1477}
1478
1479int
1480mm_answer_term(int sock, Buffer *req)
1481{
1482 extern struct monitor *pmonitor;
1483 int res, status;
1484
1485 debug3("%s: tearing down sessions", __func__);
1486
1487 /* The child is terminating */
1488 session_destroy_all(&mm_session_close);
1489
1490 while (waitpid(pmonitor->m_pid, &status, 0) == -1)
1491 if (errno != EINTR)
1492 exit(1);
1493
1494 res = WIFEXITED(status) ? WEXITSTATUS(status) : 1;
1495
1496 /* Terminate process */
1497 exit(res);
1498}
1499
1500void
1501monitor_apply_keystate(struct monitor *pmonitor)
1502{
1503 if (compat20) {
1504 set_newkeys(MODE_IN);
1505 set_newkeys(MODE_OUT);
--- 50 unchanged lines hidden (view full) ---
1556 memset(kex, 0, sizeof(*kex));
1557 kex->session_id = buffer_get_string(m, &kex->session_id_len);
1558 if ((session_id2 == NULL) ||
1559 (kex->session_id_len != session_id2_len) ||
1560 (memcmp(kex->session_id, session_id2, session_id2_len) != 0))
1561 fatal("mm_get_get: internal error: bad session id");
1562 kex->we_need = buffer_get_int(m);
1563 kex->kex[KEX_DH_GRP1_SHA1] = kexdh_server;
1564 kex->kex[KEX_DH_GRP14_SHA1] = kexdh_server;
1565 kex->kex[KEX_DH_GEX_SHA1] = kexgex_server;
1566 kex->server = 1;
1567 kex->hostkey_type = buffer_get_int(m);
1568 kex->kex_type = buffer_get_int(m);
1569 blob = buffer_get_string(m, &bloblen);
1570 buffer_init(&kex->my);
1571 buffer_append(&kex->my, blob, bloblen);
1572 xfree(blob);
--- 177 unchanged lines hidden (view full) ---
1750 monitor_socketpair(pair);
1751
1752 mon->m_recvfd = pair[0];
1753 mon->m_sendfd = pair[1];
1754}
1755
1756#ifdef GSSAPI
1757int
1758mm_answer_gss_setup_ctx(int sock, Buffer *m)
1759{
1760 gss_OID_desc goid;
1761 OM_uint32 major;
1762 u_int len;
1763
1764 goid.elements = buffer_get_string(m, &len);
1765 goid.length = len;
1766
1767 major = ssh_gssapi_server_ctx(&gsscontext, &goid);
1768
1769 xfree(goid.elements);
1770
1771 buffer_clear(m);
1772 buffer_put_int(m, major);
1773
1774 mm_request_send(sock,MONITOR_ANS_GSSSETUP, m);
1775
1776 /* Now we have a context, enable the step */
1777 monitor_permit(mon_dispatch, MONITOR_REQ_GSSSTEP, 1);
1778
1779 return (0);
1780}
1781
1782int
1783mm_answer_gss_accept_ctx(int sock, Buffer *m)
1784{
1785 gss_buffer_desc in;
1786 gss_buffer_desc out = GSS_C_EMPTY_BUFFER;
1787 OM_uint32 major,minor;
1788 OM_uint32 flags = 0; /* GSI needs this */
1789 u_int len;
1790
1791 in.value = buffer_get_string(m, &len);
1792 in.length = len;
1793 major = ssh_gssapi_accept_ctx(gsscontext, &in, &out, &flags);
1794 xfree(in.value);
1795
1796 buffer_clear(m);
1797 buffer_put_int(m, major);
1798 buffer_put_string(m, out.value, out.length);
1799 buffer_put_int(m, flags);
1800 mm_request_send(sock, MONITOR_ANS_GSSSTEP, m);
1801
1802 gss_release_buffer(&minor, &out);
1803
1804 if (major==GSS_S_COMPLETE) {
1805 monitor_permit(mon_dispatch, MONITOR_REQ_GSSSTEP, 0);
1806 monitor_permit(mon_dispatch, MONITOR_REQ_GSSUSEROK, 1);
1807 monitor_permit(mon_dispatch, MONITOR_REQ_GSSCHECKMIC, 1);
1808 }
1809 return (0);
1810}
1811
1812int
1813mm_answer_gss_checkmic(int sock, Buffer *m)
1814{
1815 gss_buffer_desc gssbuf, mic;
1816 OM_uint32 ret;
1817 u_int len;
1818
1819 gssbuf.value = buffer_get_string(m, &len);
1820 gssbuf.length = len;
1821 mic.value = buffer_get_string(m, &len);
1822 mic.length = len;
1823
1824 ret = ssh_gssapi_checkmic(gsscontext, &gssbuf, &mic);
1825
1826 xfree(gssbuf.value);
1827 xfree(mic.value);
1828
1829 buffer_clear(m);
1830 buffer_put_int(m, ret);
1831
1832 mm_request_send(sock, MONITOR_ANS_GSSCHECKMIC, m);
1833
1834 if (!GSS_ERROR(ret))
1835 monitor_permit(mon_dispatch, MONITOR_REQ_GSSUSEROK, 1);
1836
1837 return (0);
1838}
1839
1840int
1841mm_answer_gss_userok(int sock, Buffer *m)
1842{
1843 int authenticated;
1844
1845 authenticated = authctxt->valid && ssh_gssapi_userok(authctxt->user);
1846
1847 buffer_clear(m);
1848 buffer_put_int(m, authenticated);
1849
1850 debug3("%s: sending result %d", __func__, authenticated);
1851 mm_request_send(sock, MONITOR_ANS_GSSUSEROK, m);
1852
1853 auth_method="gssapi-with-mic";
1854
1855 /* Monitor loop will terminate if authenticated */
1856 return (authenticated);
1857}
1858#endif /* GSSAPI */
2 * Copyright 2002 Niels Provos <provos@citi.umich.edu>
3 * Copyright 2002 Markus Friedl <markus@openbsd.org>
4 * All rights reserved.
5 *
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions
8 * are met:
--- 11 unchanged lines hidden (view full) ---
20 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
21 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
22 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
23 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
24 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
25 */
26
27#include "includes.h"
28RCSID("$OpenBSD: monitor.c,v 1.61 2004/07/17 05:31:41 dtucker Exp $");
29RCSID("$FreeBSD: head/crypto/openssh/monitor.c 137019 2004-10-28 16:11:31Z des $");
30
31#include <openssl/dh.h>
32
33#ifdef SKEY
34#ifdef OPIE
35#include <opie.h>
36#define skey opie
37#define skeychallenge(k, u, c) opiechallenge((k), (u), (c))
--- 29 unchanged lines hidden (view full) ---
67#include "monitor_wrap.h"
68#include "monitor_fdpass.h"
69#include "xmalloc.h"
70#include "misc.h"
71#include "buffer.h"
72#include "bufaux.h"
73#include "compat.h"
74#include "ssh2.h"
75
76#ifdef GSSAPI
77#include "ssh-gss.h"
78static Gssctxt *gsscontext = NULL;
79#endif
80
81/* Imports */
82extern ServerOptions options;
83extern u_int utmp_len;
84extern Newkeys *current_keys[];
85extern z_stream incoming_stream;
86extern z_stream outgoing_stream;
87extern u_char session_id[];
88extern Buffer input, output;
89extern Buffer auth_debug;
90extern int auth_debug_init;
91extern Buffer loginmsg;
92
93/* State exported from the child */
94
95struct {
96 z_stream incoming;
97 z_stream outgoing;
98 u_char *keyin;
99 u_int keyinlen;
--- 255 unchanged lines hidden (view full) ---
355
356static void
357monitor_set_child_handler(pid_t pid)
358{
359 monitor_child_pid = pid;
360}
361
362static void
363monitor_child_handler(int sig)
364{
365 kill(monitor_child_pid, sig);
366}
367
368void
369monitor_child_postauth(struct monitor *pmonitor)
370{
371 monitor_set_child_handler(pmonitor->m_pid);
372 signal(SIGHUP, &monitor_child_handler);
373 signal(SIGTERM, &monitor_child_handler);
--- 98 unchanged lines hidden (view full) ---
472 key_blob = NULL;
473 key_bloblen = 0;
474 key_blobtype = MM_NOKEY;
475 hostbased_cuser = NULL;
476 hostbased_chost = NULL;
477}
478
479int
480mm_answer_moduli(int sock, Buffer *m)
481{
482 DH *dh;
483 int min, want, max;
484
485 min = buffer_get_int(m);
486 want = buffer_get_int(m);
487 max = buffer_get_int(m);
488
--- 13 unchanged lines hidden (view full) ---
502 } else {
503 /* Send first bignum */
504 buffer_put_char(m, 1);
505 buffer_put_bignum2(m, dh->p);
506 buffer_put_bignum2(m, dh->g);
507
508 DH_free(dh);
509 }
510 mm_request_send(sock, MONITOR_ANS_MODULI, m);
511 return (0);
512}
513
514int
515mm_answer_sign(int sock, Buffer *m)
516{
517 Key *key;
518 u_char *p;
519 u_char *signature;
520 u_int siglen, datlen;
521 int keyid;
522
523 debug3("%s", __func__);
--- 19 unchanged lines hidden (view full) ---
543 debug3("%s: signature %p(%u)", __func__, signature, siglen);
544
545 buffer_clear(m);
546 buffer_put_string(m, signature, siglen);
547
548 xfree(p);
549 xfree(signature);
550
551 mm_request_send(sock, MONITOR_ANS_SIGN, m);
552
553 /* Turn on permissions for getpwnam */
554 monitor_permit(mon_dispatch, MONITOR_REQ_PWNAM, 1);
555
556 return (0);
557}
558
559/* Retrieves the password entry and also checks if the user is permitted */
560
561int
562mm_answer_pwnamallow(int sock, Buffer *m)
563{
564 char *username;
565 struct passwd *pwent;
566 int allowed = 0;
567
568 debug3("%s", __func__);
569
570 if (authctxt->attempt++ != 0)
571 fatal("%s: multiple attempts for getpwnam", __func__);
572
573 username = buffer_get_string(m, NULL);
574
575 pwent = getpwnamallow(username);
576
577 authctxt->user = xstrdup(username);
578 setproctitle("%s [priv]", pwent ? username : "unknown");
579 xfree(username);
580
581 buffer_clear(m);
582
583 if (pwent == NULL) {
584 buffer_put_char(m, 0);
585 authctxt->pw = fakepw();
586 goto out;
587 }
--- 10 unchanged lines hidden (view full) ---
598#ifdef HAVE_PW_CLASS_IN_PASSWD
599 buffer_put_cstring(m, pwent->pw_class);
600#endif
601 buffer_put_cstring(m, pwent->pw_dir);
602 buffer_put_cstring(m, pwent->pw_shell);
603
604 out:
605 debug3("%s: sending MONITOR_ANS_PWNAM: %d", __func__, allowed);
606 mm_request_send(sock, MONITOR_ANS_PWNAM, m);
607
608 /* For SSHv1 allow authentication now */
609 if (!compat20)
610 monitor_permit_authentications(1);
611 else {
612 /* Allow service/style information on the auth context */
613 monitor_permit(mon_dispatch, MONITOR_REQ_AUTHSERV, 1);
614 monitor_permit(mon_dispatch, MONITOR_REQ_AUTH2_READ_BANNER, 1);
615 }
616
617#ifdef USE_PAM
618 if (options.use_pam)
619 monitor_permit(mon_dispatch, MONITOR_REQ_PAM_START, 1);
620#endif
621
622 return (0);
623}
624
625int mm_answer_auth2_read_banner(int sock, Buffer *m)
626{
627 char *banner;
628
629 buffer_clear(m);
630 banner = auth2_read_banner();
631 buffer_put_cstring(m, banner != NULL ? banner : "");
632 mm_request_send(sock, MONITOR_ANS_AUTH2_READ_BANNER, m);
633
634 if (banner != NULL)
635 xfree(banner);
636
637 return (0);
638}
639
640int
641mm_answer_authserv(int sock, Buffer *m)
642{
643 monitor_permit_authentications(1);
644
645 authctxt->service = buffer_get_string(m, NULL);
646 authctxt->style = buffer_get_string(m, NULL);
647 debug3("%s: service=%s, style=%s",
648 __func__, authctxt->service, authctxt->style);
649
650 if (strlen(authctxt->style) == 0) {
651 xfree(authctxt->style);
652 authctxt->style = NULL;
653 }
654
655 return (0);
656}
657
658int
659mm_answer_authpassword(int sock, Buffer *m)
660{
661 static int call_count;
662 char *passwd;
663 int authenticated;
664 u_int plen;
665
666 passwd = buffer_get_string(m, &plen);
667 /* Only authenticate if the context is valid */
668 authenticated = options.password_authentication &&
669 auth_password(authctxt, passwd);
670 memset(passwd, 0, strlen(passwd));
671 xfree(passwd);
672
673 buffer_clear(m);
674 buffer_put_int(m, authenticated);
675
676 debug3("%s: sending result %d", __func__, authenticated);
677 mm_request_send(sock, MONITOR_ANS_AUTHPASSWORD, m);
678
679 call_count++;
680 if (plen == 0 && call_count == 1)
681 auth_method = "none";
682 else
683 auth_method = "password";
684
685 /* Causes monitor loop to terminate if authenticated */
686 return (authenticated);
687}
688
689#ifdef BSD_AUTH
690int
691mm_answer_bsdauthquery(int sock, Buffer *m)
692{
693 char *name, *infotxt;
694 u_int numprompts;
695 u_int *echo_on;
696 char **prompts;
697 u_int success;
698
699 success = bsdauth_query(authctxt, &name, &infotxt, &numprompts,
700 &prompts, &echo_on) < 0 ? 0 : 1;
701
702 buffer_clear(m);
703 buffer_put_int(m, success);
704 if (success)
705 buffer_put_cstring(m, prompts[0]);
706
707 debug3("%s: sending challenge success: %u", __func__, success);
708 mm_request_send(sock, MONITOR_ANS_BSDAUTHQUERY, m);
709
710 if (success) {
711 xfree(name);
712 xfree(infotxt);
713 xfree(prompts);
714 xfree(echo_on);
715 }
716
717 return (0);
718}
719
720int
721mm_answer_bsdauthrespond(int sock, Buffer *m)
722{
723 char *response;
724 int authok;
725
726 if (authctxt->as == 0)
727 fatal("%s: no bsd auth session", __func__);
728
729 response = buffer_get_string(m, NULL);
730 authok = options.challenge_response_authentication &&
731 auth_userresponse(authctxt->as, response, 0);
732 authctxt->as = NULL;
733 debug3("%s: <%s> = <%d>", __func__, response, authok);
734 xfree(response);
735
736 buffer_clear(m);
737 buffer_put_int(m, authok);
738
739 debug3("%s: sending authenticated: %d", __func__, authok);
740 mm_request_send(sock, MONITOR_ANS_BSDAUTHRESPOND, m);
741
742 auth_method = "bsdauth";
743
744 return (authok != 0);
745}
746#endif
747
748#ifdef SKEY
749int
750mm_answer_skeyquery(int sock, Buffer *m)
751{
752 struct skey skey;
753 char challenge[1024];
754 u_int success;
755
756 success = _compat_skeychallenge(&skey, authctxt->user, challenge,
757 sizeof(challenge)) < 0 ? 0 : 1;
758
759 buffer_clear(m);
760 buffer_put_int(m, success);
761 if (success)
762 buffer_put_cstring(m, challenge);
763
764 debug3("%s: sending challenge success: %u", __func__, success);
765 mm_request_send(sock, MONITOR_ANS_SKEYQUERY, m);
766
767 return (0);
768}
769
770int
771mm_answer_skeyrespond(int sock, Buffer *m)
772{
773 char *response;
774 int authok;
775
776 response = buffer_get_string(m, NULL);
777
778 authok = (options.challenge_response_authentication &&
779 authctxt->valid &&
780 skey_haskey(authctxt->pw->pw_name) == 0 &&
781 skey_passcheck(authctxt->pw->pw_name, response) != -1);
782
783 xfree(response);
784
785 buffer_clear(m);
786 buffer_put_int(m, authok);
787
788 debug3("%s: sending authenticated: %d", __func__, authok);
789 mm_request_send(sock, MONITOR_ANS_SKEYRESPOND, m);
790
791 auth_method = "skey";
792
793 return (authok != 0);
794}
795#endif
796
797#ifdef USE_PAM
798int
799mm_answer_pam_start(int sock, Buffer *m)
800{
801 if (!options.use_pam)
802 fatal("UsePAM not set, but ended up in %s anyway", __func__);
803
804 start_pam(authctxt);
805
806 monitor_permit(mon_dispatch, MONITOR_REQ_PAM_ACCOUNT, 1);
807
808 return (0);
809}
810
811int
812mm_answer_pam_account(int sock, Buffer *m)
813{
814 u_int ret;
815
816 if (!options.use_pam)
817 fatal("UsePAM not set, but ended up in %s anyway", __func__);
818
819 ret = do_pam_account();
820
821 buffer_put_int(m, ret);
822
823 mm_request_send(sock, MONITOR_ANS_PAM_ACCOUNT, m);
824
825 return (ret);
826}
827
828static void *sshpam_ctxt, *sshpam_authok;
829extern KbdintDevice sshpam_device;
830
831int
832mm_answer_pam_init_ctx(int sock, Buffer *m)
833{
834
835 debug3("%s", __func__);
836 authctxt->user = buffer_get_string(m, NULL);
837 sshpam_ctxt = (sshpam_device.init_ctx)(authctxt);
838 sshpam_authok = NULL;
839 buffer_clear(m);
840 if (sshpam_ctxt != NULL) {
841 monitor_permit(mon_dispatch, MONITOR_REQ_PAM_FREE_CTX, 1);
842 buffer_put_int(m, 1);
843 } else {
844 buffer_put_int(m, 0);
845 }
846 mm_request_send(sock, MONITOR_ANS_PAM_INIT_CTX, m);
847 return (0);
848}
849
850int
851mm_answer_pam_query(int sock, Buffer *m)
852{
853 char *name, *info, **prompts;
854 u_int num, *echo_on;
855 int i, ret;
856
857 debug3("%s", __func__);
858 sshpam_authok = NULL;
859 ret = (sshpam_device.query)(sshpam_ctxt, &name, &info, &num, &prompts, &echo_on);
--- 12 unchanged lines hidden (view full) ---
872 buffer_put_cstring(m, prompts[i]);
873 xfree(prompts[i]);
874 buffer_put_int(m, echo_on[i]);
875 }
876 if (prompts != NULL)
877 xfree(prompts);
878 if (echo_on != NULL)
879 xfree(echo_on);
880 mm_request_send(sock, MONITOR_ANS_PAM_QUERY, m);
881 return (0);
882}
883
884int
885mm_answer_pam_respond(int sock, Buffer *m)
886{
887 char **resp;
888 u_int num;
889 int i, ret;
890
891 debug3("%s", __func__);
892 sshpam_authok = NULL;
893 num = buffer_get_int(m);
--- 5 unchanged lines hidden (view full) ---
899 for (i = 0; i < num; ++i)
900 xfree(resp[i]);
901 xfree(resp);
902 } else {
903 ret = (sshpam_device.respond)(sshpam_ctxt, num, NULL);
904 }
905 buffer_clear(m);
906 buffer_put_int(m, ret);
907 mm_request_send(sock, MONITOR_ANS_PAM_RESPOND, m);
908 auth_method = "keyboard-interactive/pam";
909 if (ret == 0)
910 sshpam_authok = sshpam_ctxt;
911 return (0);
912}
913
914int
915mm_answer_pam_free_ctx(int sock, Buffer *m)
916{
917
918 debug3("%s", __func__);
919 (sshpam_device.free_ctx)(sshpam_ctxt);
920 buffer_clear(m);
921 mm_request_send(sock, MONITOR_ANS_PAM_FREE_CTX, m);
922 return (sshpam_authok == sshpam_ctxt);
923}
924#endif
925
926static void
927mm_append_debug(Buffer *m)
928{
929 if (auth_debug_init && buffer_len(&auth_debug)) {
930 debug3("%s: Appending debug messages for child", __func__);
931 buffer_append(m, buffer_ptr(&auth_debug),
932 buffer_len(&auth_debug));
933 buffer_clear(&auth_debug);
934 }
935}
936
937int
938mm_answer_keyallowed(int sock, Buffer *m)
939{
940 Key *key;
941 char *cuser, *chost;
942 u_char *blob;
943 u_int bloblen;
944 enum mm_keytype type = 0;
945 int allowed = 0;
946
--- 53 unchanged lines hidden (view full) ---
1000 __func__, key, allowed ? "allowed" : "disallowed");
1001
1002 buffer_clear(m);
1003 buffer_put_int(m, allowed);
1004 buffer_put_int(m, forced_command != NULL);
1005
1006 mm_append_debug(m);
1007
1008 mm_request_send(sock, MONITOR_ANS_KEYALLOWED, m);
1009
1010 if (type == MM_RSAHOSTKEY)
1011 monitor_permit(mon_dispatch, MONITOR_REQ_RSACHALLENGE, allowed);
1012
1013 return (0);
1014}
1015
1016static int
--- 104 unchanged lines hidden (view full) ---
1121
1122 if (buffer_len(&b) != 0)
1123 fail++;
1124 buffer_free(&b);
1125 return (fail == 0);
1126}
1127
1128int
1129mm_answer_keyverify(int sock, Buffer *m)
1130{
1131 Key *key;
1132 u_char *signature, *data, *blob;
1133 u_int signaturelen, datalen, bloblen;
1134 int verified = 0;
1135 int valid_data = 0;
1136
1137 blob = buffer_get_string(m, &bloblen);
--- 33 unchanged lines hidden (view full) ---
1171 xfree(data);
1172
1173 auth_method = key_blobtype == MM_USERKEY ? "publickey" : "hostbased";
1174
1175 monitor_reset_key_state();
1176
1177 buffer_clear(m);
1178 buffer_put_int(m, verified);
1179 mm_request_send(sock, MONITOR_ANS_KEYVERIFY, m);
1180
1181 return (verified);
1182}
1183
1184static void
1185mm_record_login(Session *s, struct passwd *pw)
1186{
1187 socklen_t fromlen;
--- 25 unchanged lines hidden (view full) ---
1213 if (s->ttyfd != -1) {
1214 debug3("%s: tty %s ptyfd %d", __func__, s->tty, s->ptyfd);
1215 session_pty_cleanup2(s);
1216 }
1217 s->used = 0;
1218}
1219
1220int
1221mm_answer_pty(int sock, Buffer *m)
1222{
1223 extern struct monitor *pmonitor;
1224 Session *s;
1225 int res, fd0;
1226
1227 debug3("%s entering", __func__);
1228
1229 buffer_clear(m);
--- 5 unchanged lines hidden (view full) ---
1235 s->pid = pmonitor->m_pid;
1236 res = pty_allocate(&s->ptyfd, &s->ttyfd, s->tty, sizeof(s->tty));
1237 if (res == 0)
1238 goto error;
1239 pty_setowner(authctxt->pw, s->tty);
1240
1241 buffer_put_int(m, 1);
1242 buffer_put_cstring(m, s->tty);
1243
1244 /* We need to trick ttyslot */
1245 if (dup2(s->ttyfd, 0) == -1)
1246 fatal("%s: dup2", __func__);
1247
1248 mm_record_login(s, authctxt->pw);
1249
1250 /* Now we can close the file descriptor again */
1251 close(0);
1252
1253 /* send messages generated by record_login */
1254 buffer_put_string(m, buffer_ptr(&loginmsg), buffer_len(&loginmsg));
1255 buffer_clear(&loginmsg);
1256
1257 mm_request_send(sock, MONITOR_ANS_PTY, m);
1258
1259 mm_send_fd(sock, s->ptyfd);
1260 mm_send_fd(sock, s->ttyfd);
1261
1262 /* make sure nothing uses fd 0 */
1263 if ((fd0 = open(_PATH_DEVNULL, O_RDONLY)) < 0)
1264 fatal("%s: open(/dev/null): %s", __func__, strerror(errno));
1265 if (fd0 != 0)
1266 error("%s: fd0 %d != 0", __func__, fd0);
1267
1268 /* slave is not needed */
1269 close(s->ttyfd);
--- 4 unchanged lines hidden (view full) ---
1274 debug3("%s: tty %s ptyfd %d", __func__, s->tty, s->ttyfd);
1275
1276 return (0);
1277
1278 error:
1279 if (s != NULL)
1280 mm_session_close(s);
1281 buffer_put_int(m, 0);
1282 mm_request_send(sock, MONITOR_ANS_PTY, m);
1283 return (0);
1284}
1285
1286int
1287mm_answer_pty_cleanup(int sock, Buffer *m)
1288{
1289 Session *s;
1290 char *tty;
1291
1292 debug3("%s entering", __func__);
1293
1294 tty = buffer_get_string(m, NULL);
1295 if ((s = session_by_tty(tty)) != NULL)
1296 mm_session_close(s);
1297 buffer_clear(m);
1298 xfree(tty);
1299 return (0);
1300}
1301
1302int
1303mm_answer_sesskey(int sock, Buffer *m)
1304{
1305 BIGNUM *p;
1306 int rsafail;
1307
1308 /* Turn off permissions */
1309 monitor_permit(mon_dispatch, MONITOR_REQ_SESSKEY, 1);
1310
1311 if ((p = BN_new()) == NULL)
--- 4 unchanged lines hidden (view full) ---
1316 rsafail = ssh1_session_key(p);
1317
1318 buffer_clear(m);
1319 buffer_put_int(m, rsafail);
1320 buffer_put_bignum2(m, p);
1321
1322 BN_clear_free(p);
1323
1324 mm_request_send(sock, MONITOR_ANS_SESSKEY, m);
1325
1326 /* Turn on permissions for sessid passing */
1327 monitor_permit(mon_dispatch, MONITOR_REQ_SESSID, 1);
1328
1329 return (0);
1330}
1331
1332int
1333mm_answer_sessid(int sock, Buffer *m)
1334{
1335 int i;
1336
1337 debug3("%s entering", __func__);
1338
1339 if (buffer_len(m) != 16)
1340 fatal("%s: bad ssh1 session id", __func__);
1341 for (i = 0; i < 16; i++)
1342 session_id[i] = buffer_get_char(m);
1343
1344 /* Turn on permissions for getpwnam */
1345 monitor_permit(mon_dispatch, MONITOR_REQ_PWNAM, 1);
1346
1347 return (0);
1348}
1349
1350int
1351mm_answer_rsa_keyallowed(int sock, Buffer *m)
1352{
1353 BIGNUM *client_n;
1354 Key *key = NULL;
1355 u_char *blob = NULL;
1356 u_int blen = 0;
1357 int allowed = 0;
1358
1359 debug3("%s entering", __func__);
--- 23 unchanged lines hidden (view full) ---
1383 key_bloblen = blen;
1384 key_blobtype = MM_RSAUSERKEY;
1385 }
1386 if (key != NULL)
1387 key_free(key);
1388
1389 mm_append_debug(m);
1390
1391 mm_request_send(sock, MONITOR_ANS_RSAKEYALLOWED, m);
1392
1393 monitor_permit(mon_dispatch, MONITOR_REQ_RSACHALLENGE, allowed);
1394 monitor_permit(mon_dispatch, MONITOR_REQ_RSARESPONSE, 0);
1395 return (0);
1396}
1397
1398int
1399mm_answer_rsa_challenge(int sock, Buffer *m)
1400{
1401 Key *key = NULL;
1402 u_char *blob;
1403 u_int blen;
1404
1405 debug3("%s entering", __func__);
1406
1407 if (!authctxt->valid)
--- 9 unchanged lines hidden (view full) ---
1417 if (ssh1_challenge)
1418 BN_clear_free(ssh1_challenge);
1419 ssh1_challenge = auth_rsa_generate_challenge(key);
1420
1421 buffer_clear(m);
1422 buffer_put_bignum2(m, ssh1_challenge);
1423
1424 debug3("%s sending reply", __func__);
1425 mm_request_send(sock, MONITOR_ANS_RSACHALLENGE, m);
1426
1427 monitor_permit(mon_dispatch, MONITOR_REQ_RSARESPONSE, 1);
1428
1429 xfree(blob);
1430 key_free(key);
1431 return (0);
1432}
1433
1434int
1435mm_answer_rsa_response(int sock, Buffer *m)
1436{
1437 Key *key = NULL;
1438 u_char *blob, *response;
1439 u_int blen, len;
1440 int success;
1441
1442 debug3("%s entering", __func__);
1443
--- 22 unchanged lines hidden (view full) ---
1466
1467 /* reset state */
1468 BN_clear_free(ssh1_challenge);
1469 ssh1_challenge = NULL;
1470 monitor_reset_key_state();
1471
1472 buffer_clear(m);
1473 buffer_put_int(m, success);
1474 mm_request_send(sock, MONITOR_ANS_RSARESPONSE, m);
1475
1476 return (success);
1477}
1478
1479int
1480mm_answer_term(int sock, Buffer *req)
1481{
1482 extern struct monitor *pmonitor;
1483 int res, status;
1484
1485 debug3("%s: tearing down sessions", __func__);
1486
1487 /* The child is terminating */
1488 session_destroy_all(&mm_session_close);
1489
1490 while (waitpid(pmonitor->m_pid, &status, 0) == -1)
1491 if (errno != EINTR)
1492 exit(1);
1493
1494 res = WIFEXITED(status) ? WEXITSTATUS(status) : 1;
1495
1496 /* Terminate process */
1497 exit(res);
1498}
1499
1500void
1501monitor_apply_keystate(struct monitor *pmonitor)
1502{
1503 if (compat20) {
1504 set_newkeys(MODE_IN);
1505 set_newkeys(MODE_OUT);
--- 50 unchanged lines hidden (view full) ---
1556 memset(kex, 0, sizeof(*kex));
1557 kex->session_id = buffer_get_string(m, &kex->session_id_len);
1558 if ((session_id2 == NULL) ||
1559 (kex->session_id_len != session_id2_len) ||
1560 (memcmp(kex->session_id, session_id2, session_id2_len) != 0))
1561 fatal("mm_get_get: internal error: bad session id");
1562 kex->we_need = buffer_get_int(m);
1563 kex->kex[KEX_DH_GRP1_SHA1] = kexdh_server;
1564 kex->kex[KEX_DH_GRP14_SHA1] = kexdh_server;
1565 kex->kex[KEX_DH_GEX_SHA1] = kexgex_server;
1566 kex->server = 1;
1567 kex->hostkey_type = buffer_get_int(m);
1568 kex->kex_type = buffer_get_int(m);
1569 blob = buffer_get_string(m, &bloblen);
1570 buffer_init(&kex->my);
1571 buffer_append(&kex->my, blob, bloblen);
1572 xfree(blob);
--- 177 unchanged lines hidden (view full) ---
1750 monitor_socketpair(pair);
1751
1752 mon->m_recvfd = pair[0];
1753 mon->m_sendfd = pair[1];
1754}
1755
1756#ifdef GSSAPI
1757int
1758mm_answer_gss_setup_ctx(int sock, Buffer *m)
1759{
1760 gss_OID_desc goid;
1761 OM_uint32 major;
1762 u_int len;
1763
1764 goid.elements = buffer_get_string(m, &len);
1765 goid.length = len;
1766
1767 major = ssh_gssapi_server_ctx(&gsscontext, &goid);
1768
1769 xfree(goid.elements);
1770
1771 buffer_clear(m);
1772 buffer_put_int(m, major);
1773
1774 mm_request_send(sock,MONITOR_ANS_GSSSETUP, m);
1775
1776 /* Now we have a context, enable the step */
1777 monitor_permit(mon_dispatch, MONITOR_REQ_GSSSTEP, 1);
1778
1779 return (0);
1780}
1781
1782int
1783mm_answer_gss_accept_ctx(int sock, Buffer *m)
1784{
1785 gss_buffer_desc in;
1786 gss_buffer_desc out = GSS_C_EMPTY_BUFFER;
1787 OM_uint32 major,minor;
1788 OM_uint32 flags = 0; /* GSI needs this */
1789 u_int len;
1790
1791 in.value = buffer_get_string(m, &len);
1792 in.length = len;
1793 major = ssh_gssapi_accept_ctx(gsscontext, &in, &out, &flags);
1794 xfree(in.value);
1795
1796 buffer_clear(m);
1797 buffer_put_int(m, major);
1798 buffer_put_string(m, out.value, out.length);
1799 buffer_put_int(m, flags);
1800 mm_request_send(sock, MONITOR_ANS_GSSSTEP, m);
1801
1802 gss_release_buffer(&minor, &out);
1803
1804 if (major==GSS_S_COMPLETE) {
1805 monitor_permit(mon_dispatch, MONITOR_REQ_GSSSTEP, 0);
1806 monitor_permit(mon_dispatch, MONITOR_REQ_GSSUSEROK, 1);
1807 monitor_permit(mon_dispatch, MONITOR_REQ_GSSCHECKMIC, 1);
1808 }
1809 return (0);
1810}
1811
1812int
1813mm_answer_gss_checkmic(int sock, Buffer *m)
1814{
1815 gss_buffer_desc gssbuf, mic;
1816 OM_uint32 ret;
1817 u_int len;
1818
1819 gssbuf.value = buffer_get_string(m, &len);
1820 gssbuf.length = len;
1821 mic.value = buffer_get_string(m, &len);
1822 mic.length = len;
1823
1824 ret = ssh_gssapi_checkmic(gsscontext, &gssbuf, &mic);
1825
1826 xfree(gssbuf.value);
1827 xfree(mic.value);
1828
1829 buffer_clear(m);
1830 buffer_put_int(m, ret);
1831
1832 mm_request_send(sock, MONITOR_ANS_GSSCHECKMIC, m);
1833
1834 if (!GSS_ERROR(ret))
1835 monitor_permit(mon_dispatch, MONITOR_REQ_GSSUSEROK, 1);
1836
1837 return (0);
1838}
1839
1840int
1841mm_answer_gss_userok(int sock, Buffer *m)
1842{
1843 int authenticated;
1844
1845 authenticated = authctxt->valid && ssh_gssapi_userok(authctxt->user);
1846
1847 buffer_clear(m);
1848 buffer_put_int(m, authenticated);
1849
1850 debug3("%s: sending result %d", __func__, authenticated);
1851 mm_request_send(sock, MONITOR_ANS_GSSUSEROK, m);
1852
1853 auth_method="gssapi-with-mic";
1854
1855 /* Monitor loop will terminate if authenticated */
1856 return (authenticated);
1857}
1858#endif /* GSSAPI */