1 /* 2 * Copyright 2002 Niels Provos <provos@citi.umich.edu> 3 * Copyright 2002 Markus Friedl <markus@openbsd.org> 4 * All rights reserved. 5 * 6 * Redistribution and use in source and binary forms, with or without 7 * modification, are permitted provided that the following conditions 8 * are met: 9 * 1. Redistributions of source code must retain the above copyright 10 * notice, this list of conditions and the following disclaimer. 11 * 2. Redistributions in binary form must reproduce the above copyright 12 * notice, this list of conditions and the following disclaimer in the 13 * documentation and/or other materials provided with the distribution. 14 * 15 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 16 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 17 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 18 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 19 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 20 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 21 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 22 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 23 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 24 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 25 */ 26 27 #include "includes.h" 28 RCSID("$OpenBSD: monitor_wrap.c,v 1.31 2003/08/28 12:54:34 markus Exp $"); 29 30 #include <openssl/bn.h> 31 #include <openssl/dh.h> 32 33 #include "ssh.h" 34 #include "dh.h" 35 #include "kex.h" 36 #include "auth.h" 37 #include "auth-options.h" 38 #include "buffer.h" 39 #include "bufaux.h" 40 #include "packet.h" 41 #include "mac.h" 42 #include "log.h" 43 #include "zlib.h" 44 #include "monitor.h" 45 #include "monitor_wrap.h" 46 #include "xmalloc.h" 47 #include "atomicio.h" 48 #include "monitor_fdpass.h" 49 #include "getput.h" 50 51 #include "auth.h" 52 #include "channels.h" 53 #include "session.h" 54 55 #ifdef GSSAPI 56 #include "ssh-gss.h" 57 #endif 58 59 /* Imports */ 60 extern int compat20; 61 extern Newkeys *newkeys[]; 62 extern z_stream incoming_stream; 63 extern z_stream outgoing_stream; 64 extern struct monitor *pmonitor; 65 extern Buffer input, output; 66 67 void 68 mm_request_send(int socket, enum monitor_reqtype type, Buffer *m) 69 { 70 u_int mlen = buffer_len(m); 71 u_char buf[5]; 72 73 debug3("%s entering: type %d", __func__, type); 74 75 PUT_32BIT(buf, mlen + 1); 76 buf[4] = (u_char) type; /* 1st byte of payload is mesg-type */ 77 if (atomicio(vwrite, socket, buf, sizeof(buf)) != sizeof(buf)) 78 fatal("%s: write", __func__); 79 if (atomicio(vwrite, socket, buffer_ptr(m), mlen) != mlen) 80 fatal("%s: write", __func__); 81 } 82 83 void 84 mm_request_receive(int socket, Buffer *m) 85 { 86 u_char buf[4]; 87 u_int msg_len; 88 ssize_t res; 89 90 debug3("%s entering", __func__); 91 92 res = atomicio(read, socket, buf, sizeof(buf)); 93 if (res != sizeof(buf)) { 94 if (res == 0) 95 fatal_cleanup(); 96 fatal("%s: read: %ld", __func__, (long)res); 97 } 98 msg_len = GET_32BIT(buf); 99 if (msg_len > 256 * 1024) 100 fatal("%s: read: bad msg_len %d", __func__, msg_len); 101 buffer_clear(m); 102 buffer_append_space(m, msg_len); 103 res = atomicio(read, socket, buffer_ptr(m), msg_len); 104 if (res != msg_len) 105 fatal("%s: read: %ld != msg_len", __func__, (long)res); 106 } 107 108 void 109 mm_request_receive_expect(int socket, enum monitor_reqtype type, Buffer *m) 110 { 111 u_char rtype; 112 113 debug3("%s entering: type %d", __func__, type); 114 115 mm_request_receive(socket, m); 116 rtype = buffer_get_char(m); 117 if (rtype != type) 118 fatal("%s: read: rtype %d != type %d", __func__, 119 rtype, type); 120 } 121 122 DH * 123 mm_choose_dh(int min, int nbits, int max) 124 { 125 BIGNUM *p, *g; 126 int success = 0; 127 Buffer m; 128 129 buffer_init(&m); 130 buffer_put_int(&m, min); 131 buffer_put_int(&m, nbits); 132 buffer_put_int(&m, max); 133 134 mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_MODULI, &m); 135 136 debug3("%s: waiting for MONITOR_ANS_MODULI", __func__); 137 mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_MODULI, &m); 138 139 success = buffer_get_char(&m); 140 if (success == 0) 141 fatal("%s: MONITOR_ANS_MODULI failed", __func__); 142 143 if ((p = BN_new()) == NULL) 144 fatal("%s: BN_new failed", __func__); 145 if ((g = BN_new()) == NULL) 146 fatal("%s: BN_new failed", __func__); 147 buffer_get_bignum2(&m, p); 148 buffer_get_bignum2(&m, g); 149 150 debug3("%s: remaining %d", __func__, buffer_len(&m)); 151 buffer_free(&m); 152 153 return (dh_new_group(g, p)); 154 } 155 156 int 157 mm_key_sign(Key *key, u_char **sigp, u_int *lenp, u_char *data, u_int datalen) 158 { 159 Kex *kex = *pmonitor->m_pkex; 160 Buffer m; 161 162 debug3("%s entering", __func__); 163 164 buffer_init(&m); 165 buffer_put_int(&m, kex->host_key_index(key)); 166 buffer_put_string(&m, data, datalen); 167 168 mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_SIGN, &m); 169 170 debug3("%s: waiting for MONITOR_ANS_SIGN", __func__); 171 mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_SIGN, &m); 172 *sigp = buffer_get_string(&m, lenp); 173 buffer_free(&m); 174 175 return (0); 176 } 177 178 struct passwd * 179 mm_getpwnamallow(const char *login) 180 { 181 Buffer m; 182 struct passwd *pw; 183 u_int pwlen; 184 185 debug3("%s entering", __func__); 186 187 buffer_init(&m); 188 buffer_put_cstring(&m, login); 189 190 mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_PWNAM, &m); 191 192 debug3("%s: waiting for MONITOR_ANS_PWNAM", __func__); 193 mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_PWNAM, &m); 194 195 if (buffer_get_char(&m) == 0) { 196 buffer_free(&m); 197 return (NULL); 198 } 199 pw = buffer_get_string(&m, &pwlen); 200 if (pwlen != sizeof(struct passwd)) 201 fatal("%s: struct passwd size mismatch", __func__); 202 pw->pw_name = buffer_get_string(&m, NULL); 203 pw->pw_passwd = buffer_get_string(&m, NULL); 204 pw->pw_gecos = buffer_get_string(&m, NULL); 205 pw->pw_class = buffer_get_string(&m, NULL); 206 pw->pw_dir = buffer_get_string(&m, NULL); 207 pw->pw_shell = buffer_get_string(&m, NULL); 208 buffer_free(&m); 209 210 return (pw); 211 } 212 213 char *mm_auth2_read_banner(void) 214 { 215 Buffer m; 216 char *banner; 217 218 debug3("%s entering", __func__); 219 220 buffer_init(&m); 221 mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUTH2_READ_BANNER, &m); 222 buffer_clear(&m); 223 224 mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_AUTH2_READ_BANNER, &m); 225 banner = buffer_get_string(&m, NULL); 226 buffer_free(&m); 227 228 return (banner); 229 } 230 231 /* Inform the privileged process about service and style */ 232 233 void 234 mm_inform_authserv(char *service, char *style) 235 { 236 Buffer m; 237 238 debug3("%s entering", __func__); 239 240 buffer_init(&m); 241 buffer_put_cstring(&m, service); 242 buffer_put_cstring(&m, style ? style : ""); 243 244 mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUTHSERV, &m); 245 246 buffer_free(&m); 247 } 248 249 /* Do the password authentication */ 250 int 251 mm_auth_password(Authctxt *authctxt, char *password) 252 { 253 Buffer m; 254 int authenticated = 0; 255 256 debug3("%s entering", __func__); 257 258 buffer_init(&m); 259 buffer_put_cstring(&m, password); 260 mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUTHPASSWORD, &m); 261 262 debug3("%s: waiting for MONITOR_ANS_AUTHPASSWORD", __func__); 263 mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_AUTHPASSWORD, &m); 264 265 authenticated = buffer_get_int(&m); 266 267 buffer_free(&m); 268 269 debug3("%s: user %sauthenticated", 270 __func__, authenticated ? "" : "not "); 271 return (authenticated); 272 } 273 274 int 275 mm_user_key_allowed(struct passwd *pw, Key *key) 276 { 277 return (mm_key_allowed(MM_USERKEY, NULL, NULL, key)); 278 } 279 280 int 281 mm_hostbased_key_allowed(struct passwd *pw, char *user, char *host, 282 Key *key) 283 { 284 return (mm_key_allowed(MM_HOSTKEY, user, host, key)); 285 } 286 287 int 288 mm_auth_rhosts_rsa_key_allowed(struct passwd *pw, char *user, 289 char *host, Key *key) 290 { 291 int ret; 292 293 key->type = KEY_RSA; /* XXX hack for key_to_blob */ 294 ret = mm_key_allowed(MM_RSAHOSTKEY, user, host, key); 295 key->type = KEY_RSA1; 296 return (ret); 297 } 298 299 static void 300 mm_send_debug(Buffer *m) 301 { 302 char *msg; 303 304 while (buffer_len(m)) { 305 msg = buffer_get_string(m, NULL); 306 debug3("%s: Sending debug: %s", __func__, msg); 307 packet_send_debug("%s", msg); 308 xfree(msg); 309 } 310 } 311 312 int 313 mm_key_allowed(enum mm_keytype type, char *user, char *host, Key *key) 314 { 315 Buffer m; 316 u_char *blob; 317 u_int len; 318 int allowed = 0, have_forced = 0; 319 320 debug3("%s entering", __func__); 321 322 /* Convert the key to a blob and the pass it over */ 323 if (!key_to_blob(key, &blob, &len)) 324 return (0); 325 326 buffer_init(&m); 327 buffer_put_int(&m, type); 328 buffer_put_cstring(&m, user ? user : ""); 329 buffer_put_cstring(&m, host ? host : ""); 330 buffer_put_string(&m, blob, len); 331 xfree(blob); 332 333 mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_KEYALLOWED, &m); 334 335 debug3("%s: waiting for MONITOR_ANS_KEYALLOWED", __func__); 336 mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_KEYALLOWED, &m); 337 338 allowed = buffer_get_int(&m); 339 340 /* fake forced command */ 341 auth_clear_options(); 342 have_forced = buffer_get_int(&m); 343 forced_command = have_forced ? xstrdup("true") : NULL; 344 345 /* Send potential debug messages */ 346 mm_send_debug(&m); 347 348 buffer_free(&m); 349 350 return (allowed); 351 } 352 353 /* 354 * This key verify needs to send the key type along, because the 355 * privileged parent makes the decision if the key is allowed 356 * for authentication. 357 */ 358 359 int 360 mm_key_verify(Key *key, u_char *sig, u_int siglen, u_char *data, u_int datalen) 361 { 362 Buffer m; 363 u_char *blob; 364 u_int len; 365 int verified = 0; 366 367 debug3("%s entering", __func__); 368 369 /* Convert the key to a blob and the pass it over */ 370 if (!key_to_blob(key, &blob, &len)) 371 return (0); 372 373 buffer_init(&m); 374 buffer_put_string(&m, blob, len); 375 buffer_put_string(&m, sig, siglen); 376 buffer_put_string(&m, data, datalen); 377 xfree(blob); 378 379 mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_KEYVERIFY, &m); 380 381 debug3("%s: waiting for MONITOR_ANS_KEYVERIFY", __func__); 382 mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_KEYVERIFY, &m); 383 384 verified = buffer_get_int(&m); 385 386 buffer_free(&m); 387 388 return (verified); 389 } 390 391 /* Export key state after authentication */ 392 Newkeys * 393 mm_newkeys_from_blob(u_char *blob, int blen) 394 { 395 Buffer b; 396 u_int len; 397 Newkeys *newkey = NULL; 398 Enc *enc; 399 Mac *mac; 400 Comp *comp; 401 402 debug3("%s: %p(%d)", __func__, blob, blen); 403 #ifdef DEBUG_PK 404 dump_base64(stderr, blob, blen); 405 #endif 406 buffer_init(&b); 407 buffer_append(&b, blob, blen); 408 409 newkey = xmalloc(sizeof(*newkey)); 410 enc = &newkey->enc; 411 mac = &newkey->mac; 412 comp = &newkey->comp; 413 414 /* Enc structure */ 415 enc->name = buffer_get_string(&b, NULL); 416 buffer_get(&b, &enc->cipher, sizeof(enc->cipher)); 417 enc->enabled = buffer_get_int(&b); 418 enc->block_size = buffer_get_int(&b); 419 enc->key = buffer_get_string(&b, &enc->key_len); 420 enc->iv = buffer_get_string(&b, &len); 421 if (len != enc->block_size) 422 fatal("%s: bad ivlen: expected %u != %u", __func__, 423 enc->block_size, len); 424 425 if (enc->name == NULL || cipher_by_name(enc->name) != enc->cipher) 426 fatal("%s: bad cipher name %s or pointer %p", __func__, 427 enc->name, enc->cipher); 428 429 /* Mac structure */ 430 mac->name = buffer_get_string(&b, NULL); 431 if (mac->name == NULL || mac_init(mac, mac->name) == -1) 432 fatal("%s: can not init mac %s", __func__, mac->name); 433 mac->enabled = buffer_get_int(&b); 434 mac->key = buffer_get_string(&b, &len); 435 if (len > mac->key_len) 436 fatal("%s: bad mac key length: %u > %d", __func__, len, 437 mac->key_len); 438 mac->key_len = len; 439 440 /* Comp structure */ 441 comp->type = buffer_get_int(&b); 442 comp->enabled = buffer_get_int(&b); 443 comp->name = buffer_get_string(&b, NULL); 444 445 len = buffer_len(&b); 446 if (len != 0) 447 error("newkeys_from_blob: remaining bytes in blob %u", len); 448 buffer_free(&b); 449 return (newkey); 450 } 451 452 int 453 mm_newkeys_to_blob(int mode, u_char **blobp, u_int *lenp) 454 { 455 Buffer b; 456 int len; 457 Enc *enc; 458 Mac *mac; 459 Comp *comp; 460 Newkeys *newkey = newkeys[mode]; 461 462 debug3("%s: converting %p", __func__, newkey); 463 464 if (newkey == NULL) { 465 error("%s: newkey == NULL", __func__); 466 return 0; 467 } 468 enc = &newkey->enc; 469 mac = &newkey->mac; 470 comp = &newkey->comp; 471 472 buffer_init(&b); 473 /* Enc structure */ 474 buffer_put_cstring(&b, enc->name); 475 /* The cipher struct is constant and shared, you export pointer */ 476 buffer_append(&b, &enc->cipher, sizeof(enc->cipher)); 477 buffer_put_int(&b, enc->enabled); 478 buffer_put_int(&b, enc->block_size); 479 buffer_put_string(&b, enc->key, enc->key_len); 480 packet_get_keyiv(mode, enc->iv, enc->block_size); 481 buffer_put_string(&b, enc->iv, enc->block_size); 482 483 /* Mac structure */ 484 buffer_put_cstring(&b, mac->name); 485 buffer_put_int(&b, mac->enabled); 486 buffer_put_string(&b, mac->key, mac->key_len); 487 488 /* Comp structure */ 489 buffer_put_int(&b, comp->type); 490 buffer_put_int(&b, comp->enabled); 491 buffer_put_cstring(&b, comp->name); 492 493 len = buffer_len(&b); 494 if (lenp != NULL) 495 *lenp = len; 496 if (blobp != NULL) { 497 *blobp = xmalloc(len); 498 memcpy(*blobp, buffer_ptr(&b), len); 499 } 500 memset(buffer_ptr(&b), 0, len); 501 buffer_free(&b); 502 return len; 503 } 504 505 static void 506 mm_send_kex(Buffer *m, Kex *kex) 507 { 508 buffer_put_string(m, kex->session_id, kex->session_id_len); 509 buffer_put_int(m, kex->we_need); 510 buffer_put_int(m, kex->hostkey_type); 511 buffer_put_int(m, kex->kex_type); 512 buffer_put_string(m, buffer_ptr(&kex->my), buffer_len(&kex->my)); 513 buffer_put_string(m, buffer_ptr(&kex->peer), buffer_len(&kex->peer)); 514 buffer_put_int(m, kex->flags); 515 buffer_put_cstring(m, kex->client_version_string); 516 buffer_put_cstring(m, kex->server_version_string); 517 } 518 519 void 520 mm_send_keystate(struct monitor *pmonitor) 521 { 522 Buffer m; 523 u_char *blob, *p; 524 u_int bloblen, plen; 525 u_int32_t seqnr, packets; 526 u_int64_t blocks; 527 528 buffer_init(&m); 529 530 if (!compat20) { 531 u_char iv[24]; 532 u_char *key; 533 u_int ivlen, keylen; 534 535 buffer_put_int(&m, packet_get_protocol_flags()); 536 537 buffer_put_int(&m, packet_get_ssh1_cipher()); 538 539 debug3("%s: Sending ssh1 KEY+IV", __func__); 540 keylen = packet_get_encryption_key(NULL); 541 key = xmalloc(keylen+1); /* add 1 if keylen == 0 */ 542 keylen = packet_get_encryption_key(key); 543 buffer_put_string(&m, key, keylen); 544 memset(key, 0, keylen); 545 xfree(key); 546 547 ivlen = packet_get_keyiv_len(MODE_OUT); 548 packet_get_keyiv(MODE_OUT, iv, ivlen); 549 buffer_put_string(&m, iv, ivlen); 550 ivlen = packet_get_keyiv_len(MODE_OUT); 551 packet_get_keyiv(MODE_IN, iv, ivlen); 552 buffer_put_string(&m, iv, ivlen); 553 goto skip; 554 } else { 555 /* Kex for rekeying */ 556 mm_send_kex(&m, *pmonitor->m_pkex); 557 } 558 559 debug3("%s: Sending new keys: %p %p", 560 __func__, newkeys[MODE_OUT], newkeys[MODE_IN]); 561 562 /* Keys from Kex */ 563 if (!mm_newkeys_to_blob(MODE_OUT, &blob, &bloblen)) 564 fatal("%s: conversion of newkeys failed", __func__); 565 566 buffer_put_string(&m, blob, bloblen); 567 xfree(blob); 568 569 if (!mm_newkeys_to_blob(MODE_IN, &blob, &bloblen)) 570 fatal("%s: conversion of newkeys failed", __func__); 571 572 buffer_put_string(&m, blob, bloblen); 573 xfree(blob); 574 575 packet_get_state(MODE_OUT, &seqnr, &blocks, &packets); 576 buffer_put_int(&m, seqnr); 577 buffer_put_int64(&m, blocks); 578 buffer_put_int(&m, packets); 579 packet_get_state(MODE_IN, &seqnr, &blocks, &packets); 580 buffer_put_int(&m, seqnr); 581 buffer_put_int64(&m, blocks); 582 buffer_put_int(&m, packets); 583 584 debug3("%s: New keys have been sent", __func__); 585 skip: 586 /* More key context */ 587 plen = packet_get_keycontext(MODE_OUT, NULL); 588 p = xmalloc(plen+1); 589 packet_get_keycontext(MODE_OUT, p); 590 buffer_put_string(&m, p, plen); 591 xfree(p); 592 593 plen = packet_get_keycontext(MODE_IN, NULL); 594 p = xmalloc(plen+1); 595 packet_get_keycontext(MODE_IN, p); 596 buffer_put_string(&m, p, plen); 597 xfree(p); 598 599 /* Compression state */ 600 debug3("%s: Sending compression state", __func__); 601 buffer_put_string(&m, &outgoing_stream, sizeof(outgoing_stream)); 602 buffer_put_string(&m, &incoming_stream, sizeof(incoming_stream)); 603 604 /* Network I/O buffers */ 605 buffer_put_string(&m, buffer_ptr(&input), buffer_len(&input)); 606 buffer_put_string(&m, buffer_ptr(&output), buffer_len(&output)); 607 608 mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_KEYEXPORT, &m); 609 debug3("%s: Finished sending state", __func__); 610 611 buffer_free(&m); 612 } 613 614 int 615 mm_pty_allocate(int *ptyfd, int *ttyfd, char *namebuf, int namebuflen) 616 { 617 Buffer m; 618 char *p; 619 int success = 0; 620 621 buffer_init(&m); 622 mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_PTY, &m); 623 624 debug3("%s: waiting for MONITOR_ANS_PTY", __func__); 625 mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_PTY, &m); 626 627 success = buffer_get_int(&m); 628 if (success == 0) { 629 debug3("%s: pty alloc failed", __func__); 630 buffer_free(&m); 631 return (0); 632 } 633 p = buffer_get_string(&m, NULL); 634 buffer_free(&m); 635 636 strlcpy(namebuf, p, namebuflen); /* Possible truncation */ 637 xfree(p); 638 639 *ptyfd = mm_receive_fd(pmonitor->m_recvfd); 640 *ttyfd = mm_receive_fd(pmonitor->m_recvfd); 641 642 /* Success */ 643 return (1); 644 } 645 646 void 647 mm_session_pty_cleanup2(void *session) 648 { 649 Session *s = session; 650 Buffer m; 651 652 if (s->ttyfd == -1) 653 return; 654 buffer_init(&m); 655 buffer_put_cstring(&m, s->tty); 656 mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_PTYCLEANUP, &m); 657 buffer_free(&m); 658 659 /* closed dup'ed master */ 660 if (close(s->ptymaster) < 0) 661 error("close(s->ptymaster): %s", strerror(errno)); 662 663 /* unlink pty from session */ 664 s->ttyfd = -1; 665 } 666 667 /* Request process termination */ 668 669 void 670 mm_terminate(void) 671 { 672 Buffer m; 673 674 buffer_init(&m); 675 mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_TERM, &m); 676 buffer_free(&m); 677 } 678 679 int 680 mm_ssh1_session_key(BIGNUM *num) 681 { 682 int rsafail; 683 Buffer m; 684 685 buffer_init(&m); 686 buffer_put_bignum2(&m, num); 687 mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_SESSKEY, &m); 688 689 mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_SESSKEY, &m); 690 691 rsafail = buffer_get_int(&m); 692 buffer_get_bignum2(&m, num); 693 694 buffer_free(&m); 695 696 return (rsafail); 697 } 698 699 static void 700 mm_chall_setup(char **name, char **infotxt, u_int *numprompts, 701 char ***prompts, u_int **echo_on) 702 { 703 *name = xstrdup(""); 704 *infotxt = xstrdup(""); 705 *numprompts = 1; 706 *prompts = xmalloc(*numprompts * sizeof(char *)); 707 *echo_on = xmalloc(*numprompts * sizeof(u_int)); 708 (*echo_on)[0] = 0; 709 } 710 711 int 712 mm_bsdauth_query(void *ctx, char **name, char **infotxt, 713 u_int *numprompts, char ***prompts, u_int **echo_on) 714 { 715 Buffer m; 716 u_int success; 717 char *challenge; 718 719 debug3("%s: entering", __func__); 720 721 buffer_init(&m); 722 mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_BSDAUTHQUERY, &m); 723 724 mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_BSDAUTHQUERY, 725 &m); 726 success = buffer_get_int(&m); 727 if (success == 0) { 728 debug3("%s: no challenge", __func__); 729 buffer_free(&m); 730 return (-1); 731 } 732 733 /* Get the challenge, and format the response */ 734 challenge = buffer_get_string(&m, NULL); 735 buffer_free(&m); 736 737 mm_chall_setup(name, infotxt, numprompts, prompts, echo_on); 738 (*prompts)[0] = challenge; 739 740 debug3("%s: received challenge: %s", __func__, challenge); 741 742 return (0); 743 } 744 745 int 746 mm_bsdauth_respond(void *ctx, u_int numresponses, char **responses) 747 { 748 Buffer m; 749 int authok; 750 751 debug3("%s: entering", __func__); 752 if (numresponses != 1) 753 return (-1); 754 755 buffer_init(&m); 756 buffer_put_cstring(&m, responses[0]); 757 mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_BSDAUTHRESPOND, &m); 758 759 mm_request_receive_expect(pmonitor->m_recvfd, 760 MONITOR_ANS_BSDAUTHRESPOND, &m); 761 762 authok = buffer_get_int(&m); 763 buffer_free(&m); 764 765 return ((authok == 0) ? -1 : 0); 766 } 767 768 int 769 mm_skey_query(void *ctx, char **name, char **infotxt, 770 u_int *numprompts, char ***prompts, u_int **echo_on) 771 { 772 Buffer m; 773 int len; 774 u_int success; 775 char *p, *challenge; 776 777 debug3("%s: entering", __func__); 778 779 buffer_init(&m); 780 mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_SKEYQUERY, &m); 781 782 mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_SKEYQUERY, 783 &m); 784 success = buffer_get_int(&m); 785 if (success == 0) { 786 debug3("%s: no challenge", __func__); 787 buffer_free(&m); 788 return (-1); 789 } 790 791 /* Get the challenge, and format the response */ 792 challenge = buffer_get_string(&m, NULL); 793 buffer_free(&m); 794 795 debug3("%s: received challenge: %s", __func__, challenge); 796 797 mm_chall_setup(name, infotxt, numprompts, prompts, echo_on); 798 799 len = strlen(challenge) + strlen(SKEY_PROMPT) + 1; 800 p = xmalloc(len); 801 strlcpy(p, challenge, len); 802 strlcat(p, SKEY_PROMPT, len); 803 (*prompts)[0] = p; 804 xfree(challenge); 805 806 return (0); 807 } 808 809 int 810 mm_skey_respond(void *ctx, u_int numresponses, char **responses) 811 { 812 Buffer m; 813 int authok; 814 815 debug3("%s: entering", __func__); 816 if (numresponses != 1) 817 return (-1); 818 819 buffer_init(&m); 820 buffer_put_cstring(&m, responses[0]); 821 mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_SKEYRESPOND, &m); 822 823 mm_request_receive_expect(pmonitor->m_recvfd, 824 MONITOR_ANS_SKEYRESPOND, &m); 825 826 authok = buffer_get_int(&m); 827 buffer_free(&m); 828 829 return ((authok == 0) ? -1 : 0); 830 } 831 832 void 833 mm_ssh1_session_id(u_char session_id[16]) 834 { 835 Buffer m; 836 int i; 837 838 debug3("%s entering", __func__); 839 840 buffer_init(&m); 841 for (i = 0; i < 16; i++) 842 buffer_put_char(&m, session_id[i]); 843 844 mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_SESSID, &m); 845 buffer_free(&m); 846 } 847 848 int 849 mm_auth_rsa_key_allowed(struct passwd *pw, BIGNUM *client_n, Key **rkey) 850 { 851 Buffer m; 852 Key *key; 853 u_char *blob; 854 u_int blen; 855 int allowed = 0, have_forced = 0; 856 857 debug3("%s entering", __func__); 858 859 buffer_init(&m); 860 buffer_put_bignum2(&m, client_n); 861 862 mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_RSAKEYALLOWED, &m); 863 mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_RSAKEYALLOWED, &m); 864 865 allowed = buffer_get_int(&m); 866 867 /* fake forced command */ 868 auth_clear_options(); 869 have_forced = buffer_get_int(&m); 870 forced_command = have_forced ? xstrdup("true") : NULL; 871 872 if (allowed && rkey != NULL) { 873 blob = buffer_get_string(&m, &blen); 874 if ((key = key_from_blob(blob, blen)) == NULL) 875 fatal("%s: key_from_blob failed", __func__); 876 *rkey = key; 877 xfree(blob); 878 } 879 mm_send_debug(&m); 880 buffer_free(&m); 881 882 return (allowed); 883 } 884 885 BIGNUM * 886 mm_auth_rsa_generate_challenge(Key *key) 887 { 888 Buffer m; 889 BIGNUM *challenge; 890 u_char *blob; 891 u_int blen; 892 893 debug3("%s entering", __func__); 894 895 if ((challenge = BN_new()) == NULL) 896 fatal("%s: BN_new failed", __func__); 897 898 key->type = KEY_RSA; /* XXX cheat for key_to_blob */ 899 if (key_to_blob(key, &blob, &blen) == 0) 900 fatal("%s: key_to_blob failed", __func__); 901 key->type = KEY_RSA1; 902 903 buffer_init(&m); 904 buffer_put_string(&m, blob, blen); 905 xfree(blob); 906 907 mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_RSACHALLENGE, &m); 908 mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_RSACHALLENGE, &m); 909 910 buffer_get_bignum2(&m, challenge); 911 buffer_free(&m); 912 913 return (challenge); 914 } 915 916 int 917 mm_auth_rsa_verify_response(Key *key, BIGNUM *p, u_char response[16]) 918 { 919 Buffer m; 920 u_char *blob; 921 u_int blen; 922 int success = 0; 923 924 debug3("%s entering", __func__); 925 926 key->type = KEY_RSA; /* XXX cheat for key_to_blob */ 927 if (key_to_blob(key, &blob, &blen) == 0) 928 fatal("%s: key_to_blob failed", __func__); 929 key->type = KEY_RSA1; 930 931 buffer_init(&m); 932 buffer_put_string(&m, blob, blen); 933 buffer_put_string(&m, response, 16); 934 xfree(blob); 935 936 mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_RSARESPONSE, &m); 937 mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_RSARESPONSE, &m); 938 939 success = buffer_get_int(&m); 940 buffer_free(&m); 941 942 return (success); 943 } 944 945 #ifdef GSSAPI 946 OM_uint32 947 mm_ssh_gssapi_server_ctx(Gssctxt **ctx, gss_OID oid) 948 { 949 Buffer m; 950 OM_uint32 major; 951 952 /* Client doesn't get to see the context */ 953 *ctx = NULL; 954 955 buffer_init(&m); 956 buffer_put_string(&m, oid->elements, oid->length); 957 958 mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_GSSSETUP, &m); 959 mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_GSSSETUP, &m); 960 961 major = buffer_get_int(&m); 962 963 buffer_free(&m); 964 return (major); 965 } 966 967 OM_uint32 968 mm_ssh_gssapi_accept_ctx(Gssctxt *ctx, gss_buffer_desc *in, 969 gss_buffer_desc *out, OM_uint32 *flags) 970 { 971 Buffer m; 972 OM_uint32 major; 973 u_int len; 974 975 buffer_init(&m); 976 buffer_put_string(&m, in->value, in->length); 977 978 mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_GSSSTEP, &m); 979 mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_GSSSTEP, &m); 980 981 major = buffer_get_int(&m); 982 out->value = buffer_get_string(&m, &len); 983 out->length = len; 984 if (flags) 985 *flags = buffer_get_int(&m); 986 987 buffer_free(&m); 988 989 return (major); 990 } 991 992 int 993 mm_ssh_gssapi_userok(char *user) 994 { 995 Buffer m; 996 int authenticated = 0; 997 998 buffer_init(&m); 999 1000 mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_GSSUSEROK, &m); 1001 mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_GSSUSEROK, 1002 &m); 1003 1004 authenticated = buffer_get_int(&m); 1005 1006 buffer_free(&m); 1007 debug3("%s: user %sauthenticated",__func__, authenticated ? "" : "not "); 1008 return (authenticated); 1009 } 1010 #endif /* GSSAPI */ 1011