Commit c7d39ac8 authored by markus@openbsd.org's avatar markus@openbsd.org Committed by Damien Miller

upstream: sshd: switch authentication to sshbuf API; ok djm@

OpenBSD-Commit-ID: 880aa06bce4b140781e836bb56bec34873290641
parent c3cb7790
/* $OpenBSD: auth-bsdauth.c,v 1.14 2015/10/20 23:24:25 mmcc Exp $ */
/* $OpenBSD: auth-bsdauth.c,v 1.15 2018/07/09 21:35:50 markus Exp $ */
/*
* Copyright (c) 2001 Markus Friedl. All rights reserved.
*
......@@ -33,11 +33,11 @@
#ifdef BSD_AUTH
#include "xmalloc.h"
#include "key.h"
#include "sshkey.h"
#include "sshbuf.h"
#include "hostfile.h"
#include "auth.h"
#include "log.h"
#include "buffer.h"
#ifdef GSSAPI
#include "ssh-gss.h"
#endif
......
/* $OpenBSD: auth-krb5.c,v 1.22 2016/05/04 14:22:33 markus Exp $ */
/* $OpenBSD: auth-krb5.c,v 1.23 2018/07/09 21:35:50 markus Exp $ */
/*
* Kerberos v5 authentication and ticket-passing routines.
*
......@@ -38,11 +38,11 @@
#include "ssh.h"
#include "packet.h"
#include "log.h"
#include "buffer.h"
#include "sshbuf.h"
#include "sshkey.h"
#include "misc.h"
#include "servconf.h"
#include "uidswap.h"
#include "key.h"
#include "hostfile.h"
#include "auth.h"
......
/* $OpenBSD: auth-rhosts.c,v 1.48 2016/08/13 17:47:41 markus Exp $ */
/* $OpenBSD: auth-rhosts.c,v 1.49 2018/07/09 21:35:50 markus Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
......@@ -34,8 +34,8 @@
#include "pathnames.h"
#include "log.h"
#include "misc.h"
#include "buffer.h" /* XXX */
#include "key.h" /* XXX */
#include "sshbuf.h"
#include "sshkey.h"
#include "servconf.h"
#include "canohost.h"
#include "sshkey.h"
......
/* $OpenBSD: auth.c,v 1.130 2018/06/06 18:23:32 djm Exp $ */
/* $OpenBSD: auth.c,v 1.131 2018/07/09 21:35:50 markus Exp $ */
/*
* Copyright (c) 2000 Markus Friedl. All rights reserved.
*
......@@ -55,10 +55,10 @@
#include "match.h"
#include "groupaccess.h"
#include "log.h"
#include "buffer.h"
#include "sshbuf.h"
#include "misc.h"
#include "servconf.h"
#include "key.h"
#include "sshkey.h"
#include "hostfile.h"
#include "auth.h"
#include "auth-options.h"
......@@ -84,8 +84,7 @@ extern struct passwd *privsep_pw;
extern struct sshauthopt *auth_opts;
/* Debugging messages */
Buffer auth_debug;
int auth_debug_init;
static struct sshbuf *auth_debug;
/*
* Check if the user is allowed to log in via ssh. If user is listed
......@@ -281,7 +280,7 @@ format_method_key(Authctxt *authctxt)
if (key == NULL)
return NULL;
if (key_is_cert(key)) {
if (sshkey_is_cert(key)) {
fp = sshkey_fingerprint(key->cert->signature_key,
options.fingerprint_hash, SSH_FP_DEFAULT);
xasprintf(&ret, "%s ID %s (serial %llu) CA %s %s%s%s",
......@@ -672,26 +671,32 @@ auth_debug_add(const char *fmt,...)
{
char buf[1024];
va_list args;
int r;
if (!auth_debug_init)
if (auth_debug == NULL)
return;
va_start(args, fmt);
vsnprintf(buf, sizeof(buf), fmt, args);
va_end(args);
buffer_put_cstring(&auth_debug, buf);
if ((r = sshbuf_put_cstring(auth_debug, buf)) != 0)
fatal("%s: sshbuf_put_cstring: %s", __func__, ssh_err(r));
}
void
auth_debug_send(void)
{
struct ssh *ssh = active_state; /* XXX */
char *msg;
int r;
if (!auth_debug_init)
if (auth_debug == NULL)
return;
while (buffer_len(&auth_debug)) {
msg = buffer_get_string(&auth_debug, NULL);
packet_send_debug("%s", msg);
while (sshbuf_len(auth_debug) != 0) {
if ((r = sshbuf_get_cstring(auth_debug, &msg, NULL)) != 0)
fatal("%s: sshbuf_get_cstring: %s",
__func__, ssh_err(r));
ssh_packet_send_debug(ssh, "%s", msg);
free(msg);
}
}
......@@ -699,12 +704,10 @@ auth_debug_send(void)
void
auth_debug_reset(void)
{
if (auth_debug_init)
buffer_clear(&auth_debug);
else {
buffer_init(&auth_debug);
auth_debug_init = 1;
}
if (auth_debug != NULL)
sshbuf_reset(auth_debug);
else if ((auth_debug = sshbuf_new()) == NULL)
fatal("%s: sshbuf_new failed", __func__);
}
struct passwd *
......
/* $OpenBSD: auth2-chall.c,v 1.48 2017/05/30 14:29:59 markus Exp $ */
/* $OpenBSD: auth2-chall.c,v 1.49 2018/07/09 21:35:50 markus Exp $ */
/*
* Copyright (c) 2001 Markus Friedl. All rights reserved.
* Copyright (c) 2001 Per Allansson. All rights reserved.
......@@ -34,12 +34,13 @@
#include "xmalloc.h"
#include "ssh2.h"
#include "key.h"
#include "sshkey.h"
#include "hostfile.h"
#include "auth.h"
#include "buffer.h"
#include "sshbuf.h"
#include "packet.h"
#include "dispatch.h"
#include "ssherr.h"
#include "log.h"
#include "misc.h"
#include "servconf.h"
......@@ -48,7 +49,7 @@
extern ServerOptions options;
static int auth2_challenge_start(struct ssh *);
static int send_userauth_info_request(Authctxt *);
static int send_userauth_info_request(struct ssh *);
static int input_userauth_info_response(int, u_int32_t, struct ssh *);
#ifdef BSD_AUTH
......@@ -105,8 +106,8 @@ static KbdintAuthctxt *
kbdint_alloc(const char *devs)
{
KbdintAuthctxt *kbdintctxt;
Buffer b;
int i;
struct sshbuf *b;
int i, r;
#ifdef USE_PAM
if (!options.use_pam)
......@@ -115,16 +116,17 @@ kbdint_alloc(const char *devs)
kbdintctxt = xcalloc(1, sizeof(KbdintAuthctxt));
if (strcmp(devs, "") == 0) {
buffer_init(&b);
if ((b = sshbuf_new()) == NULL)
fatal("%s: sshbuf_new failed", __func__);
for (i = 0; devices[i]; i++) {
if (buffer_len(&b) > 0)
buffer_append(&b, ",", 1);
buffer_append(&b, devices[i]->name,
strlen(devices[i]->name));
if ((r = sshbuf_putf(b, "%s%s",
sshbuf_len(b) ? "," : "", devices[i]->name)) != 0)
fatal("%s: buffer error: %s",
__func__, ssh_err(r));
}
if ((kbdintctxt->devices = sshbuf_dup_string(&b)) == NULL)
if ((kbdintctxt->devices = sshbuf_dup_string(b)) == NULL)
fatal("%s: sshbuf_dup_string failed", __func__);
buffer_free(&b);
sshbuf_free(b);
} else {
kbdintctxt->devices = xstrdup(devs);
}
......@@ -243,7 +245,7 @@ auth2_challenge_start(struct ssh *ssh)
auth2_challenge_stop(ssh);
return 0;
}
if (send_userauth_info_request(authctxt) == 0) {
if (send_userauth_info_request(ssh) == 0) {
auth2_challenge_stop(ssh);
return 0;
}
......@@ -255,28 +257,32 @@ auth2_challenge_start(struct ssh *ssh)
}
static int
send_userauth_info_request(Authctxt *authctxt)
send_userauth_info_request(struct ssh *ssh)
{
Authctxt *authctxt = ssh->authctxt;
KbdintAuthctxt *kbdintctxt;
char *name, *instr, **prompts;
u_int i, *echo_on;
u_int r, i, *echo_on;
kbdintctxt = authctxt->kbdintctxt;
if (kbdintctxt->device->query(kbdintctxt->ctxt,
&name, &instr, &kbdintctxt->nreq, &prompts, &echo_on))
return 0;
packet_start(SSH2_MSG_USERAUTH_INFO_REQUEST);
packet_put_cstring(name);
packet_put_cstring(instr);
packet_put_cstring(""); /* language not used */
packet_put_int(kbdintctxt->nreq);
if ((r = sshpkt_start(ssh, SSH2_MSG_USERAUTH_INFO_REQUEST)) != 0 ||
(r = sshpkt_put_cstring(ssh, name)) != 0 ||
(r = sshpkt_put_cstring(ssh, instr)) != 0 ||
(r = sshpkt_put_cstring(ssh, "")) != 0 || /* language not used */
(r = sshpkt_put_u32(ssh, kbdintctxt->nreq)) != 0)
fatal("%s: %s", __func__, ssh_err(r));
for (i = 0; i < kbdintctxt->nreq; i++) {
packet_put_cstring(prompts[i]);
packet_put_char(echo_on[i]);
if ((r = sshpkt_put_cstring(ssh, prompts[i])) != 0 ||
(r = sshpkt_put_u8(ssh, echo_on[i])) != 0)
fatal("%s: %s", __func__, ssh_err(r));
}
packet_send();
packet_write_wait();
if ((r = sshpkt_send(ssh)) != 0)
fatal("%s: %s", __func__, ssh_err(r));
ssh_packet_write_wait(ssh);
for (i = 0; i < kbdintctxt->nreq; i++)
free(prompts[i]);
......@@ -293,6 +299,7 @@ input_userauth_info_response(int type, u_int32_t seq, struct ssh *ssh)
Authctxt *authctxt = ssh->authctxt;
KbdintAuthctxt *kbdintctxt;
int authenticated = 0, res;
int r;
u_int i, nresp;
const char *devicename = NULL;
char **response = NULL;
......@@ -306,7 +313,8 @@ input_userauth_info_response(int type, u_int32_t seq, struct ssh *ssh)
fatal("input_userauth_info_response: no device");
authctxt->postponed = 0; /* reset */
nresp = packet_get_int();
if ((r = sshpkt_get_u32(ssh, &nresp)) != 0)
fatal("%s: %s", __func__, ssh_err(r));
if (nresp != kbdintctxt->nreq)
fatal("input_userauth_info_response: wrong number of replies");
if (nresp > 100)
......@@ -314,9 +322,12 @@ input_userauth_info_response(int type, u_int32_t seq, struct ssh *ssh)
if (nresp > 0) {
response = xcalloc(nresp, sizeof(char *));
for (i = 0; i < nresp; i++)
response[i] = packet_get_string(NULL);
if ((r = sshpkt_get_cstring(ssh, &response[i],
NULL)) != 0)
fatal("%s: %s", __func__, ssh_err(r));
}
packet_check_eom();
if ((r = sshpkt_get_end(ssh)) != 0)
fatal("%s: %s", __func__, ssh_err(r));
res = kbdintctxt->device->respond(kbdintctxt->ctxt, nresp, response);
......@@ -333,7 +344,7 @@ input_userauth_info_response(int type, u_int32_t seq, struct ssh *ssh)
break;
case 1:
/* Authentication needs further interaction */
if (send_userauth_info_request(authctxt) == 1)
if (send_userauth_info_request(ssh) == 1)
authctxt->postponed = 1;
break;
default:
......
/* $OpenBSD: auth2-hostbased.c,v 1.34 2018/07/03 11:39:54 djm Exp $ */
/* $OpenBSD: auth2-hostbased.c,v 1.35 2018/07/09 21:35:50 markus Exp $ */
/*
* Copyright (c) 2000 Markus Friedl. All rights reserved.
*
......@@ -34,7 +34,7 @@
#include "xmalloc.h"
#include "ssh2.h"
#include "packet.h"
#include "buffer.h"
#include "sshbuf.h"
#include "log.h"
#include "misc.h"
#include "servconf.h"
......
/* $OpenBSD: auth2-kbdint.c,v 1.8 2017/05/30 14:29:59 markus Exp $ */
/* $OpenBSD: auth2-kbdint.c,v 1.9 2018/07/09 21:35:50 markus Exp $ */
/*
* Copyright (c) 2000 Markus Friedl. All rights reserved.
*
......@@ -31,13 +31,12 @@
#include "xmalloc.h"
#include "packet.h"
#include "key.h"
#include "hostfile.h"
#include "auth.h"
#include "log.h"
#include "buffer.h"
#include "misc.h"
#include "servconf.h"
#include "ssherr.h"
/* import */
extern ServerOptions options;
......@@ -45,12 +44,13 @@ extern ServerOptions options;
static int
userauth_kbdint(struct ssh *ssh)
{
int authenticated = 0;
int r, authenticated = 0;
char *lang, *devs;
lang = packet_get_string(NULL);
devs = packet_get_string(NULL);
packet_check_eom();
if ((r = sshpkt_get_cstring(ssh, &lang, NULL)) != 0 ||
(r = sshpkt_get_cstring(ssh, &devs, NULL)) != 0 ||
(r = sshpkt_get_end(ssh)) != 0)
fatal("%s: %s", __func__, ssh_err(r));
debug("keyboard-interactive devs %s", devs);
......
/* $OpenBSD: auth2-none.c,v 1.21 2018/03/03 03:15:51 djm Exp $ */
/* $OpenBSD: auth2-none.c,v 1.22 2018/07/09 21:35:50 markus Exp $ */
/*
* Copyright (c) 2000 Markus Friedl. All rights reserved.
*
......@@ -42,7 +42,6 @@
#include "auth.h"
#include "packet.h"
#include "log.h"
#include "buffer.h"
#include "misc.h"
#include "servconf.h"
#include "compat.h"
......
/* $OpenBSD: auth2-passwd.c,v 1.15 2018/03/03 03:15:51 djm Exp $ */
/* $OpenBSD: auth2-passwd.c,v 1.16 2018/07/09 21:35:50 markus Exp $ */
/*
* Copyright (c) 2000 Markus Friedl. All rights reserved.
*
......@@ -36,7 +36,6 @@
#include "sshkey.h"
#include "hostfile.h"
#include "auth.h"
#include "buffer.h"
#ifdef GSSAPI
#include "ssh-gss.h"
#endif
......
/* $OpenBSD: auth2-pubkey.c,v 1.80 2018/07/03 11:39:54 djm Exp $ */
/* $OpenBSD: auth2-pubkey.c,v 1.81 2018/07/09 21:35:50 markus Exp $ */
/*
* Copyright (c) 2000 Markus Friedl. All rights reserved.
*
......@@ -46,7 +46,7 @@
#include "ssh.h"
#include "ssh2.h"
#include "packet.h"
#include "buffer.h"
#include "sshbuf.h"
#include "log.h"
#include "misc.h"
#include "servconf.h"
......
/* $OpenBSD: auth2.c,v 1.147 2018/05/11 03:22:55 dtucker Exp $ */
/* $OpenBSD: auth2.c,v 1.148 2018/07/09 21:35:50 markus Exp $ */
/*
* Copyright (c) 2000 Markus Friedl. All rights reserved.
*
......@@ -41,7 +41,7 @@
#include "ssh2.h"
#include "packet.h"
#include "log.h"
#include "buffer.h"
#include "sshbuf.h"
#include "misc.h"
#include "servconf.h"
#include "compat.h"
......@@ -451,11 +451,12 @@ auth2_method_allowed(Authctxt *authctxt, const char *method,
static char *
authmethods_get(Authctxt *authctxt)
{
Buffer b;
struct sshbuf *b;
char *list;
u_int i;
int i, r;
buffer_init(&b);
if ((b = sshbuf_new()) == NULL)
fatal("%s: sshbuf_new failed", __func__);
for (i = 0; authmethods[i] != NULL; i++) {
if (strcmp(authmethods[i]->name, "none") == 0)
continue;
......@@ -465,14 +466,13 @@ authmethods_get(Authctxt *authctxt)
if (!auth2_method_allowed(authctxt, authmethods[i]->name,
NULL))
continue;
if (buffer_len(&b) > 0)
buffer_append(&b, ",", 1);
buffer_append(&b, authmethods[i]->name,
strlen(authmethods[i]->name));
if ((r = sshbuf_putf(b, "%s%s", sshbuf_len(b) ? "," : "",
authmethods[i]->name)) != 0)
fatal("%s: buffer error: %s", __func__, ssh_err(r));
}
if ((list = sshbuf_dup_string(&b)) == NULL)
if ((list = sshbuf_dup_string(b)) == NULL)
fatal("%s: sshbuf_dup_string failed", __func__);
buffer_free(&b);
sshbuf_free(b);
return list;
}
......
/* $OpenBSD: monitor.c,v 1.181 2018/07/09 21:26:02 markus Exp $ */
/* $OpenBSD: monitor.c,v 1.182 2018/07/09 21:35:50 markus Exp $ */
/*
* Copyright 2002 Niels Provos <provos@citi.umich.edu>
* Copyright 2002 Markus Friedl <markus@openbsd.org>
......@@ -113,8 +113,6 @@ static Gssctxt *gsscontext = NULL;
extern ServerOptions options;
extern u_int utmp_len;
extern u_char session_id[];
extern Buffer auth_debug;
extern int auth_debug_init;
extern struct sshbuf *loginmsg;
extern struct sshauthopt *auth_opts; /* XXX move to permanent ssh->authctxt? */
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment