Commit eb272ea4 authored by markus@openbsd.org's avatar markus@openbsd.org Committed by Damien Miller

upstream commit

switch auth2 to ssh_dispatch API; ok djm@

Upstream-ID: a752ca19e2782900dd83060b5c6344008106215f
parent 5a146bbd
/* $OpenBSD: auth.h,v 1.90 2017/05/30 08:52:19 markus Exp $ */
/* $OpenBSD: auth.h,v 1.91 2017/05/30 14:29:59 markus Exp $ */
/*
* Copyright (c) 2000 Markus Friedl. All rights reserved.
......@@ -91,7 +91,7 @@ struct Authctxt {
struct Authmethod {
char *name;
int (*userauth)(Authctxt *authctxt);
int (*userauth)(struct ssh *);
int *enabled;
};
......@@ -155,7 +155,7 @@ void auth_info(Authctxt *authctxt, const char *, ...)
__attribute__((__nonnull__ (2)));
void auth_log(Authctxt *, int, int, const char *, const char *);
void auth_maxtries_exceeded(Authctxt *) __attribute__((noreturn));
void userauth_finish(Authctxt *, int, const char *, const char *);
void userauth_finish(struct ssh *, int, const char *, const char *);
int auth_root_allowed(const char *);
void userauth_send_banner(const char *);
......@@ -168,8 +168,8 @@ int auth2_method_allowed(Authctxt *, const char *, const char *);
void privsep_challenge_enable(void);
int auth2_challenge(Authctxt *, char *);
void auth2_challenge_stop(Authctxt *);
int auth2_challenge(struct ssh *, char *);
void auth2_challenge_stop(struct ssh *);
int bsdauth_query(void *, char **, char **, u_int *, char ***, u_int **);
int bsdauth_respond(void *, u_int, char **);
int skey_query(void *, char **, char **, u_int *, char ***, u_int **);
......
/* $OpenBSD: auth2-chall.c,v 1.47 2017/05/30 14:23:52 markus Exp $ */
/* $OpenBSD: auth2-chall.c,v 1.48 2017/05/30 14:29:59 markus Exp $ */
/*
* Copyright (c) 2001 Markus Friedl. All rights reserved.
* Copyright (c) 2001 Per Allansson. All rights reserved.
......@@ -47,7 +47,7 @@
/* import */
extern ServerOptions options;
static int auth2_challenge_start(Authctxt *);
static int auth2_challenge_start(struct ssh *);
static int send_userauth_info_request(Authctxt *);
static int input_userauth_info_response(int, u_int32_t, struct ssh *);
......@@ -195,8 +195,9 @@ kbdint_next_device(Authctxt *authctxt, KbdintAuthctxt *kbdintctxt)
* wait for the response.
*/
int
auth2_challenge(Authctxt *authctxt, char *devs)
auth2_challenge(struct ssh *ssh, char *devs)
{
Authctxt *authctxt = ssh->authctxt;
debug("auth2_challenge: user=%s devs=%s",
authctxt->user ? authctxt->user : "<nouser>",
devs ? devs : "<no devs>");
......@@ -205,15 +206,16 @@ auth2_challenge(Authctxt *authctxt, char *devs)
return 0;
if (authctxt->kbdintctxt == NULL)
authctxt->kbdintctxt = kbdint_alloc(devs);
return auth2_challenge_start(authctxt);
return auth2_challenge_start(ssh);
}
/* unregister kbd-int callbacks and context */
void
auth2_challenge_stop(Authctxt *authctxt)
auth2_challenge_stop(struct ssh *ssh)
{
Authctxt *authctxt = ssh->authctxt;
/* unregister callback */
dispatch_set(SSH2_MSG_USERAUTH_INFO_RESPONSE, NULL);
ssh_dispatch_set(ssh, SSH2_MSG_USERAUTH_INFO_RESPONSE, NULL);
if (authctxt->kbdintctxt != NULL) {
kbdint_free(authctxt->kbdintctxt);
authctxt->kbdintctxt = NULL;
......@@ -222,29 +224,30 @@ auth2_challenge_stop(Authctxt *authctxt)
/* side effect: sets authctxt->postponed if a reply was sent*/
static int
auth2_challenge_start(Authctxt *authctxt)
auth2_challenge_start(struct ssh *ssh)
{
Authctxt *authctxt = ssh->authctxt;
KbdintAuthctxt *kbdintctxt = authctxt->kbdintctxt;
debug2("auth2_challenge_start: devices %s",
kbdintctxt->devices ? kbdintctxt->devices : "<empty>");
if (kbdint_next_device(authctxt, kbdintctxt) == 0) {
auth2_challenge_stop(authctxt);
auth2_challenge_stop(ssh);
return 0;
}
debug("auth2_challenge_start: trying authentication method '%s'",
kbdintctxt->device->name);
if ((kbdintctxt->ctxt = kbdintctxt->device->init_ctx(authctxt)) == NULL) {
auth2_challenge_stop(authctxt);
auth2_challenge_stop(ssh);
return 0;
}
if (send_userauth_info_request(authctxt) == 0) {
auth2_challenge_stop(authctxt);
auth2_challenge_stop(ssh);
return 0;
}
dispatch_set(SSH2_MSG_USERAUTH_INFO_RESPONSE,
ssh_dispatch_set(ssh, SSH2_MSG_USERAUTH_INFO_RESPONSE,
&input_userauth_info_response);
authctxt->postponed = 1;
......@@ -340,14 +343,14 @@ input_userauth_info_response(int type, u_int32_t seq, struct ssh *ssh)
devicename = kbdintctxt->device->name;
if (!authctxt->postponed) {
if (authenticated) {
auth2_challenge_stop(authctxt);
auth2_challenge_stop(ssh);
} else {
/* start next device */
/* may set authctxt->postponed */
auth2_challenge_start(authctxt);
auth2_challenge_start(ssh);
}
}
userauth_finish(authctxt, authenticated, "keyboard-interactive",
userauth_finish(ssh, authenticated, "keyboard-interactive",
devicename);
return 0;
}
......
/* $OpenBSD: auth2-gss.c,v 1.24 2017/05/30 14:23:52 markus Exp $ */
/* $OpenBSD: auth2-gss.c,v 1.25 2017/05/30 14:29:59 markus Exp $ */
/*
* Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.
......@@ -58,8 +58,9 @@ static int input_gssapi_errtok(int, u_int32_t, struct ssh *);
* how to check local user kuserok and the like)
*/
static int
userauth_gssapi(Authctxt *authctxt)
userauth_gssapi(struct ssh *ssh)
{
Authctxt *authctxt = ssh->authctxt;
gss_OID_desc goid = {0, NULL};
Gssctxt *ctxt = NULL;
int mechs;
......@@ -119,8 +120,8 @@ userauth_gssapi(Authctxt *authctxt)
packet_send();
free(doid);
dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_TOKEN, &input_gssapi_token);
dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_ERRTOK, &input_gssapi_errtok);
ssh_dispatch_set(ssh, SSH2_MSG_USERAUTH_GSSAPI_TOKEN, &input_gssapi_token);
ssh_dispatch_set(ssh, SSH2_MSG_USERAUTH_GSSAPI_ERRTOK, &input_gssapi_errtok);
authctxt->postponed = 1;
return (0);
......@@ -157,8 +158,8 @@ input_gssapi_token(int type, u_int32_t plen, struct ssh *ssh)
packet_send();
}
authctxt->postponed = 0;
dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_TOKEN, NULL);
userauth_finish(authctxt, 0, "gssapi-with-mic", NULL);
ssh_dispatch_set(ssh, SSH2_MSG_USERAUTH_GSSAPI_TOKEN, NULL);
userauth_finish(ssh, 0, "gssapi-with-mic", NULL);
} else {
if (send_tok.length != 0) {
packet_start(SSH2_MSG_USERAUTH_GSSAPI_TOKEN);
......@@ -166,12 +167,12 @@ input_gssapi_token(int type, u_int32_t plen, struct ssh *ssh)
packet_send();
}
if (maj_status == GSS_S_COMPLETE) {
dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_TOKEN, NULL);
ssh_dispatch_set(ssh, SSH2_MSG_USERAUTH_GSSAPI_TOKEN, NULL);
if (flags & GSS_C_INTEG_FLAG)
dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_MIC,
ssh_dispatch_set(ssh, SSH2_MSG_USERAUTH_GSSAPI_MIC,
&input_gssapi_mic);
else
dispatch_set(
ssh_dispatch_set(ssh,
SSH2_MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE,
&input_gssapi_exchange_complete);
}
......@@ -207,8 +208,8 @@ input_gssapi_errtok(int type, u_int32_t plen, struct ssh *ssh)
free(recv_tok.value);
/* We can't return anything to the client, even if we wanted to */
dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_TOKEN, NULL);
dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_ERRTOK, NULL);
ssh_dispatch_set(ssh, SSH2_MSG_USERAUTH_GSSAPI_TOKEN, NULL);
ssh_dispatch_set(ssh, SSH2_MSG_USERAUTH_GSSAPI_ERRTOK, NULL);
/* The client will have already moved on to the next auth */
......@@ -241,11 +242,11 @@ input_gssapi_exchange_complete(int type, u_int32_t plen, struct ssh *ssh)
authenticated = PRIVSEP(ssh_gssapi_userok(authctxt->user));
authctxt->postponed = 0;
dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_TOKEN, NULL);
dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_ERRTOK, NULL);
dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_MIC, NULL);
dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE, NULL);
userauth_finish(authctxt, authenticated, "gssapi-with-mic", NULL);
ssh_dispatch_set(ssh, SSH2_MSG_USERAUTH_GSSAPI_TOKEN, NULL);
ssh_dispatch_set(ssh, SSH2_MSG_USERAUTH_GSSAPI_ERRTOK, NULL);
ssh_dispatch_set(ssh, SSH2_MSG_USERAUTH_GSSAPI_MIC, NULL);
ssh_dispatch_set(ssh, SSH2_MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE, NULL);
userauth_finish(ssh, authenticated, "gssapi-with-mic", NULL);
return 0;
}
......@@ -282,11 +283,11 @@ input_gssapi_mic(int type, u_int32_t plen, struct ssh *ssh)
free(mic.value);
authctxt->postponed = 0;
dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_TOKEN, NULL);
dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_ERRTOK, NULL);
dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_MIC, NULL);
dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE, NULL);
userauth_finish(authctxt, authenticated, "gssapi-with-mic", NULL);
ssh_dispatch_set(ssh, SSH2_MSG_USERAUTH_GSSAPI_TOKEN, NULL);
ssh_dispatch_set(ssh, SSH2_MSG_USERAUTH_GSSAPI_ERRTOK, NULL);
ssh_dispatch_set(ssh, SSH2_MSG_USERAUTH_GSSAPI_MIC, NULL);
ssh_dispatch_set(ssh, SSH2_MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE, NULL);
userauth_finish(ssh, authenticated, "gssapi-with-mic", NULL);
return 0;
}
......
/* $OpenBSD: auth2-hostbased.c,v 1.29 2017/05/30 14:25:42 markus Exp $ */
/* $OpenBSD: auth2-hostbased.c,v 1.30 2017/05/30 14:29:59 markus Exp $ */
/*
* Copyright (c) 2000 Markus Friedl. All rights reserved.
*
......@@ -57,9 +57,9 @@ extern u_char *session_id2;
extern u_int session_id2_len;
static int
userauth_hostbased(Authctxt *authctxt)
userauth_hostbased(struct ssh *ssh)
{
struct ssh *ssh = active_state; /* XXX */
Authctxt *authctxt = ssh->authctxt;
struct sshbuf *b;
struct sshkey *key = NULL;
char *pkalg, *cuser, *chost, *service;
......
/* $OpenBSD: auth2-kbdint.c,v 1.7 2014/07/15 15:54:14 millert Exp $ */
/* $OpenBSD: auth2-kbdint.c,v 1.8 2017/05/30 14:29:59 markus Exp $ */
/*
* Copyright (c) 2000 Markus Friedl. All rights reserved.
*
......@@ -43,7 +43,7 @@
extern ServerOptions options;
static int
userauth_kbdint(Authctxt *authctxt)
userauth_kbdint(struct ssh *ssh)
{
int authenticated = 0;
char *lang, *devs;
......@@ -55,7 +55,7 @@ userauth_kbdint(Authctxt *authctxt)
debug("keyboard-interactive devs %s", devs);
if (options.challenge_response_authentication)
authenticated = auth2_challenge(authctxt, devs);
authenticated = auth2_challenge(ssh, devs);
free(devs);
free(lang);
......
/* $OpenBSD: auth2-none.c,v 1.19 2017/05/30 14:27:22 markus Exp $ */
/* $OpenBSD: auth2-none.c,v 1.20 2017/05/30 14:29:59 markus Exp $ */
/*
* Copyright (c) 2000 Markus Friedl. All rights reserved.
*
......@@ -60,9 +60,8 @@ extern ServerOptions options;
static int none_enabled = 1;
static int
userauth_none(Authctxt *authctxt)
userauth_none(struct ssh *ssh)
{
struct ssh *ssh = active_state; /* XXX */
int r;
none_enabled = 0;
......
/* $OpenBSD: auth2-passwd.c,v 1.13 2017/05/30 14:26:49 markus Exp $ */
/* $OpenBSD: auth2-passwd.c,v 1.14 2017/05/30 14:29:59 markus Exp $ */
/*
* Copyright (c) 2000 Markus Friedl. All rights reserved.
*
......@@ -48,9 +48,8 @@
extern ServerOptions options;
static int
userauth_passwd(Authctxt *authctxt)
userauth_passwd(struct ssh *ssh)
{
struct ssh *ssh = active_state; /* XXX */
char *password;
int authenticated = 0, r;
u_char change;
......
/* $OpenBSD: auth2-pubkey.c,v 1.64 2017/05/30 14:10:53 markus Exp $ */
/* $OpenBSD: auth2-pubkey.c,v 1.65 2017/05/30 14:29:59 markus Exp $ */
/*
* Copyright (c) 2000 Markus Friedl. All rights reserved.
*
......@@ -75,9 +75,9 @@ extern u_char *session_id2;
extern u_int session_id2_len;
static int
userauth_pubkey(Authctxt *authctxt)
userauth_pubkey(struct ssh *ssh)
{
struct ssh *ssh = active_state; /* XXX */
Authctxt *authctxt = ssh->authctxt;
struct sshbuf *b;
struct sshkey *key = NULL;
char *pkalg, *userstyle = NULL, *fp = NULL;
......
/* $OpenBSD: auth2.c,v 1.139 2017/05/30 14:23:52 markus Exp $ */
/* $OpenBSD: auth2.c,v 1.140 2017/05/30 14:29:59 markus Exp $ */
/*
* Copyright (c) 2000 Markus Friedl. All rights reserved.
*
......@@ -170,9 +170,9 @@ do_authentication2(Authctxt *authctxt)
{
struct ssh *ssh = active_state; /* XXX */
ssh->authctxt = authctxt; /* XXX move to caller */
dispatch_init(&dispatch_protocol_error);
dispatch_set(SSH2_MSG_SERVICE_REQUEST, &input_service_request);
dispatch_run(DISPATCH_BLOCK, &authctxt->success, ssh);
ssh_dispatch_init(ssh, &dispatch_protocol_error);
ssh_dispatch_set(ssh, SSH2_MSG_SERVICE_REQUEST, &input_service_request);
ssh_dispatch_run(ssh, DISPATCH_BLOCK, &authctxt->success, ssh);
ssh->authctxt = NULL;
}
......@@ -193,7 +193,7 @@ input_service_request(int type, u_int32_t seq, struct ssh *ssh)
if (!authctxt->success) {
acceptit = 1;
/* now we can handle user-auth requests */
dispatch_set(SSH2_MSG_USERAUTH_REQUEST, &input_userauth_request);
ssh_dispatch_set(ssh, SSH2_MSG_USERAUTH_REQUEST, &input_userauth_request);
}
}
/* XXX all other service requests are denied */
......@@ -269,12 +269,12 @@ input_userauth_request(int type, u_int32_t seq, struct ssh *ssh)
authctxt->user, authctxt->service, user, service);
}
/* reset state */
auth2_challenge_stop(authctxt);
auth2_challenge_stop(ssh);
#ifdef GSSAPI
/* XXX move to auth2_gssapi_stop() */
dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_TOKEN, NULL);
dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE, NULL);
ssh_dispatch_set(ssh, SSH2_MSG_USERAUTH_GSSAPI_TOKEN, NULL);
ssh_dispatch_set(ssh, SSH2_MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE, NULL);
#endif
authctxt->postponed = 0;
......@@ -284,9 +284,9 @@ input_userauth_request(int type, u_int32_t seq, struct ssh *ssh)
m = authmethod_lookup(authctxt, method);
if (m != NULL && authctxt->failures < options.max_authtries) {
debug2("input_userauth_request: try method %s", method);
authenticated = m->userauth(authctxt);
authenticated = m->userauth(ssh);
}
userauth_finish(authctxt, authenticated, method, NULL);
userauth_finish(ssh, authenticated, method, NULL);
free(service);
free(user);
......@@ -295,10 +295,10 @@ input_userauth_request(int type, u_int32_t seq, struct ssh *ssh)
}
void
userauth_finish(Authctxt *authctxt, int authenticated, const char *method,
userauth_finish(struct ssh *ssh, int authenticated, const char *method,
const char *submethod)
{
struct ssh *ssh = active_state; /* XXX */
Authctxt *authctxt = ssh->authctxt;
char *methods;
int partial = 0;
......@@ -354,7 +354,7 @@ userauth_finish(Authctxt *authctxt, int authenticated, const char *method,
if (authenticated == 1) {
/* turn off userauth */
dispatch_set(SSH2_MSG_USERAUTH_REQUEST, &dispatch_protocol_ignore);
ssh_dispatch_set(ssh, SSH2_MSG_USERAUTH_REQUEST, &dispatch_protocol_ignore);
packet_start(SSH2_MSG_USERAUTH_SUCCESS);
packet_send();
packet_write_wait();
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment