1 /* $OpenBSD: monitor_wrap.c,v 1.136 2024/06/19 23:24:47 djm Exp $ */
2 /*
3 * Copyright 2002 Niels Provos <provos@citi.umich.edu>
4 * Copyright 2002 Markus Friedl <markus@openbsd.org>
5 * All rights reserved.
6 *
7 * Redistribution and use in source and binary forms, with or without
8 * modification, are permitted provided that the following conditions
9 * are met:
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
12 * 2. Redistributions in binary form must reproduce the above copyright
13 * notice, this list of conditions and the following disclaimer in the
14 * documentation and/or other materials provided with the distribution.
15 *
16 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
17 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
18 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
19 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
20 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
21 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
22 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
23 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
24 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
25 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
26 */
27
28 #include "includes.h"
29
30 #include <sys/types.h>
31 #include <sys/uio.h>
32 #include <sys/wait.h>
33
34 #include <errno.h>
35 #include <pwd.h>
36 #include <signal.h>
37 #include <stdarg.h>
38 #include <stdio.h>
39 #include <string.h>
40 #include <unistd.h>
41
42 #ifdef WITH_OPENSSL
43 #include <openssl/bn.h>
44 #include <openssl/dh.h>
45 #include <openssl/evp.h>
46 #endif
47
48 #include "openbsd-compat/sys-queue.h"
49 #include "xmalloc.h"
50 #include "ssh.h"
51 #ifdef WITH_OPENSSL
52 #include "dh.h"
53 #endif
54 #include "sshbuf.h"
55 #include "sshkey.h"
56 #include "cipher.h"
57 #include "kex.h"
58 #include "hostfile.h"
59 #include "auth.h"
60 #include "auth-options.h"
61 #include "packet.h"
62 #include "mac.h"
63 #include "log.h"
64 #include "auth-pam.h"
65 #include "monitor.h"
66 #ifdef GSSAPI
67 #include "ssh-gss.h"
68 #endif
69 #include "atomicio.h"
70 #include "monitor_fdpass.h"
71 #include "misc.h"
72
73 #include "channels.h"
74 #include "session.h"
75 #include "servconf.h"
76 #include "monitor_wrap.h"
77 #include "srclimit.h"
78
79 #include "ssherr.h"
80
81 /* Imports */
82 extern struct monitor *pmonitor;
83 extern struct sshbuf *loginmsg;
84 extern ServerOptions options;
85
86 void
mm_log_handler(LogLevel level,int forced,const char * msg,void * ctx)87 mm_log_handler(LogLevel level, int forced, const char *msg, void *ctx)
88 {
89 struct sshbuf *log_msg;
90 struct monitor *mon = (struct monitor *)ctx;
91 int r;
92 size_t len;
93
94 if (mon->m_log_sendfd == -1)
95 fatal_f("no log channel");
96
97 if ((log_msg = sshbuf_new()) == NULL)
98 fatal_f("sshbuf_new failed");
99
100 if ((r = sshbuf_put_u32(log_msg, 0)) != 0 || /* length; filled below */
101 (r = sshbuf_put_u32(log_msg, level)) != 0 ||
102 (r = sshbuf_put_u32(log_msg, forced)) != 0 ||
103 (r = sshbuf_put_cstring(log_msg, msg)) != 0)
104 fatal_fr(r, "assemble");
105 if ((len = sshbuf_len(log_msg)) < 4 || len > 0xffffffff)
106 fatal_f("bad length %zu", len);
107 POKE_U32(sshbuf_mutable_ptr(log_msg), len - 4);
108 if (atomicio(vwrite, mon->m_log_sendfd,
109 sshbuf_mutable_ptr(log_msg), len) != len)
110 fatal_f("write: %s", strerror(errno));
111 sshbuf_free(log_msg);
112 }
113
114 int
mm_is_monitor(void)115 mm_is_monitor(void)
116 {
117 /*
118 * m_pid is only set in the privileged part, and
119 * points to the unprivileged child.
120 */
121 return (pmonitor && pmonitor->m_pid > 0);
122 }
123
124 static void
mm_reap(void)125 mm_reap(void)
126 {
127 int status = -1;
128
129 if (!mm_is_monitor())
130 return;
131 while (waitpid(pmonitor->m_pid, &status, 0) == -1) {
132 if (errno == EINTR)
133 continue;
134 pmonitor->m_pid = -1;
135 fatal_f("waitpid: %s", strerror(errno));
136 }
137 if (WIFEXITED(status)) {
138 if (WEXITSTATUS(status) != 0) {
139 debug_f("preauth child exited with status %d",
140 WEXITSTATUS(status));
141 cleanup_exit(255);
142 }
143 } else if (WIFSIGNALED(status)) {
144 error_f("preauth child terminated by signal %d",
145 WTERMSIG(status));
146 cleanup_exit(signal_is_crash(WTERMSIG(status)) ?
147 EXIT_CHILD_CRASH : 255);
148 } else {
149 error_f("preauth child terminated abnormally (status=0x%x)",
150 status);
151 cleanup_exit(EXIT_CHILD_CRASH);
152 }
153 }
154
155 void
mm_request_send(int sock,enum monitor_reqtype type,struct sshbuf * m)156 mm_request_send(int sock, enum monitor_reqtype type, struct sshbuf *m)
157 {
158 size_t mlen = sshbuf_len(m);
159 u_char buf[5];
160
161 debug3_f("entering, type %d", type);
162
163 if (mlen >= 0xffffffff)
164 fatal_f("bad length %zu", mlen);
165 POKE_U32(buf, mlen + 1);
166 buf[4] = (u_char) type; /* 1st byte of payload is mesg-type */
167 if (atomicio(vwrite, sock, buf, sizeof(buf)) != sizeof(buf) ||
168 atomicio(vwrite, sock, sshbuf_mutable_ptr(m), mlen) != mlen) {
169 if (errno == EPIPE) {
170 debug3_f("monitor fd closed");
171 mm_reap();
172 cleanup_exit(255);
173 }
174 fatal_f("write: %s", strerror(errno));
175 }
176 }
177
178 void
mm_request_receive(int sock,struct sshbuf * m)179 mm_request_receive(int sock, struct sshbuf *m)
180 {
181 u_char buf[4], *p = NULL;
182 u_int msg_len;
183 int oerrno, r;
184
185 debug3_f("entering");
186
187 if (atomicio(read, sock, buf, sizeof(buf)) != sizeof(buf)) {
188 if (errno == EPIPE) {
189 debug3_f("monitor fd closed");
190 mm_reap();
191 cleanup_exit(255);
192 }
193 fatal_f("read: %s", strerror(errno));
194 }
195 msg_len = PEEK_U32(buf);
196 if (msg_len > 256 * 1024)
197 fatal_f("read: bad msg_len %d", msg_len);
198 sshbuf_reset(m);
199 if ((r = sshbuf_reserve(m, msg_len, &p)) != 0)
200 fatal_fr(r, "reserve");
201 if (atomicio(read, sock, p, msg_len) != msg_len) {
202 oerrno = errno;
203 error_f("read: %s", strerror(errno));
204 if (oerrno == EPIPE)
205 mm_reap();
206 cleanup_exit(255);
207 }
208 }
209
210 void
mm_request_receive_expect(int sock,enum monitor_reqtype type,struct sshbuf * m)211 mm_request_receive_expect(int sock, enum monitor_reqtype type, struct sshbuf *m)
212 {
213 u_char rtype;
214 int r;
215
216 debug3_f("entering, type %d", type);
217
218 mm_request_receive(sock, m);
219 if ((r = sshbuf_get_u8(m, &rtype)) != 0)
220 fatal_fr(r, "parse");
221 if (rtype != type)
222 fatal_f("read: rtype %d != type %d", rtype, type);
223 }
224
225 #ifdef WITH_OPENSSL
226 DH *
mm_choose_dh(int min,int nbits,int max)227 mm_choose_dh(int min, int nbits, int max)
228 {
229 BIGNUM *p, *g;
230 int r;
231 u_char success = 0;
232 struct sshbuf *m;
233
234 if ((m = sshbuf_new()) == NULL)
235 fatal_f("sshbuf_new failed");
236 if ((r = sshbuf_put_u32(m, min)) != 0 ||
237 (r = sshbuf_put_u32(m, nbits)) != 0 ||
238 (r = sshbuf_put_u32(m, max)) != 0)
239 fatal_fr(r, "assemble");
240
241 mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_MODULI, m);
242
243 debug3_f("waiting for MONITOR_ANS_MODULI");
244 mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_MODULI, m);
245
246 if ((r = sshbuf_get_u8(m, &success)) != 0)
247 fatal_fr(r, "parse success");
248 if (success == 0)
249 fatal_f("MONITOR_ANS_MODULI failed");
250
251 if ((r = sshbuf_get_bignum2(m, &p)) != 0 ||
252 (r = sshbuf_get_bignum2(m, &g)) != 0)
253 fatal_fr(r, "parse group");
254
255 debug3_f("remaining %zu", sshbuf_len(m));
256 sshbuf_free(m);
257
258 return (dh_new_group(g, p));
259 }
260 #endif
261
262 int
mm_sshkey_sign(struct ssh * ssh,struct sshkey * key,u_char ** sigp,size_t * lenp,const u_char * data,size_t datalen,const char * hostkey_alg,const char * sk_provider,const char * sk_pin,u_int compat)263 mm_sshkey_sign(struct ssh *ssh, struct sshkey *key, u_char **sigp, size_t *lenp,
264 const u_char *data, size_t datalen, const char *hostkey_alg,
265 const char *sk_provider, const char *sk_pin, u_int compat)
266 {
267 struct kex *kex = *pmonitor->m_pkex;
268 struct sshbuf *m;
269 u_int ndx = kex->host_key_index(key, 0, ssh);
270 int r;
271
272 debug3_f("entering");
273 if ((m = sshbuf_new()) == NULL)
274 fatal_f("sshbuf_new failed");
275 if ((r = sshbuf_put_u32(m, ndx)) != 0 ||
276 (r = sshbuf_put_string(m, data, datalen)) != 0 ||
277 (r = sshbuf_put_cstring(m, hostkey_alg)) != 0 ||
278 (r = sshbuf_put_u32(m, compat)) != 0)
279 fatal_fr(r, "assemble");
280
281 mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_SIGN, m);
282
283 debug3_f("waiting for MONITOR_ANS_SIGN");
284 mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_SIGN, m);
285 if ((r = sshbuf_get_string(m, sigp, lenp)) != 0)
286 fatal_fr(r, "parse");
287 sshbuf_free(m);
288
289 return (0);
290 }
291
292 void
mm_decode_activate_server_options(struct ssh * ssh,struct sshbuf * m)293 mm_decode_activate_server_options(struct ssh *ssh, struct sshbuf *m)
294 {
295 const u_char *p;
296 size_t len;
297 u_int i;
298 ServerOptions *newopts;
299 int r;
300
301 if ((r = sshbuf_get_string_direct(m, &p, &len)) != 0)
302 fatal_fr(r, "parse opts");
303 if (len != sizeof(*newopts))
304 fatal_f("option block size mismatch");
305 newopts = xcalloc(sizeof(*newopts), 1);
306 memcpy(newopts, p, sizeof(*newopts));
307
308 #define M_CP_STROPT(x) do { \
309 if (newopts->x != NULL && \
310 (r = sshbuf_get_cstring(m, &newopts->x, NULL)) != 0) \
311 fatal_fr(r, "parse %s", #x); \
312 } while (0)
313 #define M_CP_STRARRAYOPT(x, nx) do { \
314 newopts->x = newopts->nx == 0 ? \
315 NULL : xcalloc(newopts->nx, sizeof(*newopts->x)); \
316 for (i = 0; i < newopts->nx; i++) { \
317 if ((r = sshbuf_get_cstring(m, \
318 &newopts->x[i], NULL)) != 0) \
319 fatal_fr(r, "parse %s", #x); \
320 } \
321 } while (0)
322 /* See comment in servconf.h */
323 COPY_MATCH_STRING_OPTS();
324 #undef M_CP_STROPT
325 #undef M_CP_STRARRAYOPT
326
327 copy_set_server_options(&options, newopts, 1);
328 log_change_level(options.log_level);
329 log_verbose_reset();
330 for (i = 0; i < options.num_log_verbose; i++)
331 log_verbose_add(options.log_verbose[i]);
332 free(newopts);
333 }
334
335 #define GETPW(b, id) \
336 do { \
337 if ((r = sshbuf_get_string_direct(b, &p, &len)) != 0) \
338 fatal_fr(r, "parse pw %s", #id); \
339 if (len != sizeof(pw->id)) \
340 fatal_fr(r, "bad length for %s", #id); \
341 memcpy(&pw->id, p, len); \
342 } while (0)
343
344 struct passwd *
mm_getpwnamallow(struct ssh * ssh,const char * username)345 mm_getpwnamallow(struct ssh *ssh, const char *username)
346 {
347 struct sshbuf *m;
348 struct passwd *pw;
349 size_t len;
350 int r;
351 u_char ok;
352 const u_char *p;
353
354 debug3_f("entering");
355
356 if ((m = sshbuf_new()) == NULL)
357 fatal_f("sshbuf_new failed");
358 if ((r = sshbuf_put_cstring(m, username)) != 0)
359 fatal_fr(r, "assemble");
360
361 mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_PWNAM, m);
362
363 debug3_f("waiting for MONITOR_ANS_PWNAM");
364 mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_PWNAM, m);
365
366 if ((r = sshbuf_get_u8(m, &ok)) != 0)
367 fatal_fr(r, "parse success");
368 if (ok == 0) {
369 pw = NULL;
370 goto out;
371 }
372
373 /* XXX don't like passing struct passwd like this */
374 pw = xcalloc(sizeof(*pw), 1);
375 GETPW(m, pw_uid);
376 GETPW(m, pw_gid);
377 #ifdef HAVE_STRUCT_PASSWD_PW_CHANGE
378 GETPW(m, pw_change);
379 #endif
380 #ifdef HAVE_STRUCT_PASSWD_PW_EXPIRE
381 GETPW(m, pw_expire);
382 #endif
383 if ((r = sshbuf_get_cstring(m, &pw->pw_name, NULL)) != 0 ||
384 (r = sshbuf_get_cstring(m, &pw->pw_passwd, NULL)) != 0 ||
385 #ifdef HAVE_STRUCT_PASSWD_PW_GECOS
386 (r = sshbuf_get_cstring(m, &pw->pw_gecos, NULL)) != 0 ||
387 #endif
388 #ifdef HAVE_STRUCT_PASSWD_PW_CLASS
389 (r = sshbuf_get_cstring(m, &pw->pw_class, NULL)) != 0 ||
390 #endif
391 (r = sshbuf_get_cstring(m, &pw->pw_dir, NULL)) != 0 ||
392 (r = sshbuf_get_cstring(m, &pw->pw_shell, NULL)) != 0)
393 fatal_fr(r, "parse pw");
394
395 out:
396 /* copy options block as a Match directive may have changed some */
397 mm_decode_activate_server_options(ssh, m);
398 server_process_permitopen(ssh);
399 server_process_channel_timeouts(ssh);
400 kex_set_server_sig_algs(ssh, options.pubkey_accepted_algos);
401 sshbuf_free(m);
402
403 return (pw);
404 }
405
406 char *
mm_auth2_read_banner(void)407 mm_auth2_read_banner(void)
408 {
409 struct sshbuf *m;
410 char *banner;
411 int r;
412
413 debug3_f("entering");
414
415 if ((m = sshbuf_new()) == NULL)
416 fatal_f("sshbuf_new failed");
417 mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUTH2_READ_BANNER, m);
418 sshbuf_reset(m);
419
420 mm_request_receive_expect(pmonitor->m_recvfd,
421 MONITOR_ANS_AUTH2_READ_BANNER, m);
422 if ((r = sshbuf_get_cstring(m, &banner, NULL)) != 0)
423 fatal_fr(r, "parse");
424 sshbuf_free(m);
425
426 /* treat empty banner as missing banner */
427 if (strlen(banner) == 0) {
428 free(banner);
429 banner = NULL;
430 }
431 return (banner);
432 }
433
434 /* Inform the privileged process about service and style */
435
436 void
mm_inform_authserv(char * service,char * style)437 mm_inform_authserv(char *service, char *style)
438 {
439 struct sshbuf *m;
440 int r;
441
442 debug3_f("entering");
443
444 if ((m = sshbuf_new()) == NULL)
445 fatal_f("sshbuf_new failed");
446 if ((r = sshbuf_put_cstring(m, service)) != 0 ||
447 (r = sshbuf_put_cstring(m, style ? style : "")) != 0)
448 fatal_fr(r, "assemble");
449
450 mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUTHSERV, m);
451
452 sshbuf_free(m);
453 }
454
455 /* Do the password authentication */
456 int
mm_auth_password(struct ssh * ssh,char * password)457 mm_auth_password(struct ssh *ssh, char *password)
458 {
459 struct sshbuf *m;
460 int r, authenticated = 0;
461 #ifdef USE_PAM
462 u_int maxtries = 0;
463 #endif
464
465 debug3_f("entering");
466
467 if ((m = sshbuf_new()) == NULL)
468 fatal_f("sshbuf_new failed");
469 if ((r = sshbuf_put_cstring(m, password)) != 0)
470 fatal_fr(r, "assemble");
471 mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUTHPASSWORD, m);
472
473 debug3_f("waiting for MONITOR_ANS_AUTHPASSWORD");
474 mm_request_receive_expect(pmonitor->m_recvfd,
475 MONITOR_ANS_AUTHPASSWORD, m);
476
477 if ((r = sshbuf_get_u32(m, &authenticated)) != 0)
478 fatal_fr(r, "parse");
479 #ifdef USE_PAM
480 if ((r = sshbuf_get_u32(m, &maxtries)) != 0)
481 fatal_fr(r, "parse PAM");
482 if (maxtries > INT_MAX)
483 fatal_fr(r, "bad maxtries");
484 sshpam_set_maxtries_reached(maxtries);
485 #endif
486
487 sshbuf_free(m);
488
489 debug3_f("user %sauthenticated", authenticated ? "" : "not ");
490 return (authenticated);
491 }
492
493 int
mm_user_key_allowed(struct ssh * ssh,struct passwd * pw,struct sshkey * key,int pubkey_auth_attempt,struct sshauthopt ** authoptp)494 mm_user_key_allowed(struct ssh *ssh, struct passwd *pw, struct sshkey *key,
495 int pubkey_auth_attempt, struct sshauthopt **authoptp)
496 {
497 return (mm_key_allowed(MM_USERKEY, NULL, NULL, key,
498 pubkey_auth_attempt, authoptp));
499 }
500
501 int
mm_hostbased_key_allowed(struct ssh * ssh,struct passwd * pw,const char * user,const char * host,struct sshkey * key)502 mm_hostbased_key_allowed(struct ssh *ssh, struct passwd *pw,
503 const char *user, const char *host, struct sshkey *key)
504 {
505 return (mm_key_allowed(MM_HOSTKEY, user, host, key, 0, NULL));
506 }
507
508 int
mm_key_allowed(enum mm_keytype type,const char * user,const char * host,struct sshkey * key,int pubkey_auth_attempt,struct sshauthopt ** authoptp)509 mm_key_allowed(enum mm_keytype type, const char *user, const char *host,
510 struct sshkey *key, int pubkey_auth_attempt, struct sshauthopt **authoptp)
511 {
512 struct sshbuf *m;
513 int r, allowed = 0;
514 struct sshauthopt *opts = NULL;
515
516 debug3_f("entering");
517
518 if (authoptp != NULL)
519 *authoptp = NULL;
520
521 if ((m = sshbuf_new()) == NULL)
522 fatal_f("sshbuf_new failed");
523 if ((r = sshbuf_put_u32(m, type)) != 0 ||
524 (r = sshbuf_put_cstring(m, user ? user : "")) != 0 ||
525 (r = sshbuf_put_cstring(m, host ? host : "")) != 0 ||
526 (r = sshkey_puts(key, m)) != 0 ||
527 (r = sshbuf_put_u32(m, pubkey_auth_attempt)) != 0)
528 fatal_fr(r, "assemble");
529
530 mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_KEYALLOWED, m);
531
532 debug3_f("waiting for MONITOR_ANS_KEYALLOWED");
533 mm_request_receive_expect(pmonitor->m_recvfd,
534 MONITOR_ANS_KEYALLOWED, m);
535
536 if ((r = sshbuf_get_u32(m, &allowed)) != 0)
537 fatal_fr(r, "parse");
538 if (allowed && type == MM_USERKEY &&
539 (r = sshauthopt_deserialise(m, &opts)) != 0)
540 fatal_fr(r, "sshauthopt_deserialise");
541 sshbuf_free(m);
542
543 if (authoptp != NULL) {
544 *authoptp = opts;
545 opts = NULL;
546 }
547 sshauthopt_free(opts);
548
549 return allowed;
550 }
551
552 /*
553 * This key verify needs to send the key type along, because the
554 * privileged parent makes the decision if the key is allowed
555 * for authentication.
556 */
557
558 int
mm_sshkey_verify(const struct sshkey * key,const u_char * sig,size_t siglen,const u_char * data,size_t datalen,const char * sigalg,u_int compat,struct sshkey_sig_details ** sig_detailsp)559 mm_sshkey_verify(const struct sshkey *key, const u_char *sig, size_t siglen,
560 const u_char *data, size_t datalen, const char *sigalg, u_int compat,
561 struct sshkey_sig_details **sig_detailsp)
562 {
563 struct sshbuf *m;
564 u_int encoded_ret = 0;
565 int r;
566 u_char sig_details_present, flags;
567 u_int counter;
568
569 debug3_f("entering");
570
571 if (sig_detailsp != NULL)
572 *sig_detailsp = NULL;
573 if ((m = sshbuf_new()) == NULL)
574 fatal_f("sshbuf_new failed");
575 if ((r = sshkey_puts(key, m)) != 0 ||
576 (r = sshbuf_put_string(m, sig, siglen)) != 0 ||
577 (r = sshbuf_put_string(m, data, datalen)) != 0 ||
578 (r = sshbuf_put_cstring(m, sigalg == NULL ? "" : sigalg)) != 0)
579 fatal_fr(r, "assemble");
580
581 mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_KEYVERIFY, m);
582
583 debug3_f("waiting for MONITOR_ANS_KEYVERIFY");
584 mm_request_receive_expect(pmonitor->m_recvfd,
585 MONITOR_ANS_KEYVERIFY, m);
586
587 if ((r = sshbuf_get_u32(m, &encoded_ret)) != 0 ||
588 (r = sshbuf_get_u8(m, &sig_details_present)) != 0)
589 fatal_fr(r, "parse");
590 if (sig_details_present && encoded_ret == 0) {
591 if ((r = sshbuf_get_u32(m, &counter)) != 0 ||
592 (r = sshbuf_get_u8(m, &flags)) != 0)
593 fatal_fr(r, "parse sig_details");
594 if (sig_detailsp != NULL) {
595 *sig_detailsp = xcalloc(1, sizeof(**sig_detailsp));
596 (*sig_detailsp)->sk_counter = counter;
597 (*sig_detailsp)->sk_flags = flags;
598 }
599 }
600
601 sshbuf_free(m);
602
603 if (encoded_ret != 0)
604 return SSH_ERR_SIGNATURE_INVALID;
605 return 0;
606 }
607
608 void
mm_send_keystate(struct ssh * ssh,struct monitor * monitor)609 mm_send_keystate(struct ssh *ssh, struct monitor *monitor)
610 {
611 struct sshbuf *m;
612 int r;
613
614 if ((m = sshbuf_new()) == NULL)
615 fatal_f("sshbuf_new failed");
616 if ((r = ssh_packet_get_state(ssh, m)) != 0)
617 fatal_fr(r, "ssh_packet_get_state");
618 mm_request_send(monitor->m_recvfd, MONITOR_REQ_KEYEXPORT, m);
619 debug3_f("Finished sending state");
620 sshbuf_free(m);
621 }
622
623 int
mm_pty_allocate(int * ptyfd,int * ttyfd,char * namebuf,size_t namebuflen)624 mm_pty_allocate(int *ptyfd, int *ttyfd, char *namebuf, size_t namebuflen)
625 {
626 struct sshbuf *m;
627 char *p, *msg;
628 int success = 0, tmp1 = -1, tmp2 = -1, r;
629
630 /* Kludge: ensure there are fds free to receive the pty/tty */
631 if ((tmp1 = dup(pmonitor->m_recvfd)) == -1 ||
632 (tmp2 = dup(pmonitor->m_recvfd)) == -1) {
633 error_f("cannot allocate fds for pty");
634 if (tmp1 >= 0)
635 close(tmp1);
636 return 0;
637 }
638 close(tmp1);
639 close(tmp2);
640
641 if ((m = sshbuf_new()) == NULL)
642 fatal_f("sshbuf_new failed");
643 mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_PTY, m);
644
645 debug3_f("waiting for MONITOR_ANS_PTY");
646 mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_PTY, m);
647
648 if ((r = sshbuf_get_u32(m, &success)) != 0)
649 fatal_fr(r, "parse success");
650 if (success == 0) {
651 debug3_f("pty alloc failed");
652 sshbuf_free(m);
653 return (0);
654 }
655 if ((r = sshbuf_get_cstring(m, &p, NULL)) != 0 ||
656 (r = sshbuf_get_cstring(m, &msg, NULL)) != 0)
657 fatal_fr(r, "parse");
658 sshbuf_free(m);
659
660 strlcpy(namebuf, p, namebuflen); /* Possible truncation */
661 free(p);
662
663 if ((r = sshbuf_put(loginmsg, msg, strlen(msg))) != 0)
664 fatal_fr(r, "put loginmsg");
665 free(msg);
666
667 if ((*ptyfd = mm_receive_fd(pmonitor->m_recvfd)) == -1 ||
668 (*ttyfd = mm_receive_fd(pmonitor->m_recvfd)) == -1)
669 fatal_f("receive fds failed");
670
671 /* Success */
672 return (1);
673 }
674
675 void
mm_session_pty_cleanup2(Session * s)676 mm_session_pty_cleanup2(Session *s)
677 {
678 struct sshbuf *m;
679 int r;
680
681 if (s->ttyfd == -1)
682 return;
683 if ((m = sshbuf_new()) == NULL)
684 fatal_f("sshbuf_new failed");
685 if ((r = sshbuf_put_cstring(m, s->tty)) != 0)
686 fatal_fr(r, "assmble");
687 mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_PTYCLEANUP, m);
688 sshbuf_free(m);
689
690 /* closed dup'ed master */
691 if (s->ptymaster != -1 && close(s->ptymaster) == -1)
692 error("close(s->ptymaster/%d): %s",
693 s->ptymaster, strerror(errno));
694
695 /* unlink pty from session */
696 s->ttyfd = -1;
697 }
698
699 #ifdef USE_PAM
700 void
mm_start_pam(struct ssh * ssh)701 mm_start_pam(struct ssh *ssh)
702 {
703 struct sshbuf *m;
704
705 debug3("%s entering", __func__);
706 if (!options.use_pam)
707 fatal("UsePAM=no, but ended up in %s anyway", __func__);
708 if ((m = sshbuf_new()) == NULL)
709 fatal("%s: sshbuf_new failed", __func__);
710 mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_PAM_START, m);
711
712 sshbuf_free(m);
713 }
714
715 u_int
mm_do_pam_account(void)716 mm_do_pam_account(void)
717 {
718 struct sshbuf *m;
719 u_int ret;
720 char *msg;
721 size_t msglen;
722 int r;
723
724 debug3("%s entering", __func__);
725 if (!options.use_pam)
726 fatal("UsePAM=no, but ended up in %s anyway", __func__);
727
728 if ((m = sshbuf_new()) == NULL)
729 fatal("%s: sshbuf_new failed", __func__);
730 mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_PAM_ACCOUNT, m);
731
732 mm_request_receive_expect(pmonitor->m_recvfd,
733 MONITOR_ANS_PAM_ACCOUNT, m);
734 if ((r = sshbuf_get_u32(m, &ret)) != 0 ||
735 (r = sshbuf_get_cstring(m, &msg, &msglen)) != 0 ||
736 (r = sshbuf_put(loginmsg, msg, msglen)) != 0)
737 fatal("%s: buffer error: %s", __func__, ssh_err(r));
738
739 free(msg);
740 sshbuf_free(m);
741
742 debug3("%s returning %d", __func__, ret);
743
744 return (ret);
745 }
746
747 void *
mm_sshpam_init_ctx(Authctxt * authctxt)748 mm_sshpam_init_ctx(Authctxt *authctxt)
749 {
750 struct sshbuf *m;
751 int r, success;
752
753 debug3("%s", __func__);
754 if ((m = sshbuf_new()) == NULL)
755 fatal("%s: sshbuf_new failed", __func__);
756 mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_PAM_INIT_CTX, m);
757 debug3("%s: waiting for MONITOR_ANS_PAM_INIT_CTX", __func__);
758 mm_request_receive_expect(pmonitor->m_recvfd,
759 MONITOR_ANS_PAM_INIT_CTX, m);
760 if ((r = sshbuf_get_u32(m, &success)) != 0)
761 fatal("%s: buffer error: %s", __func__, ssh_err(r));
762 if (success == 0) {
763 debug3("%s: pam_init_ctx failed", __func__);
764 sshbuf_free(m);
765 return (NULL);
766 }
767 sshbuf_free(m);
768 return (authctxt);
769 }
770
771 int
mm_sshpam_query(void * ctx,char ** name,char ** info,u_int * num,char *** prompts,u_int ** echo_on)772 mm_sshpam_query(void *ctx, char **name, char **info,
773 u_int *num, char ***prompts, u_int **echo_on)
774 {
775 struct sshbuf *m;
776 u_int i, n;
777 int r, ret;
778
779 debug3("%s", __func__);
780 if ((m = sshbuf_new()) == NULL)
781 fatal("%s: sshbuf_new failed", __func__);
782 mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_PAM_QUERY, m);
783 debug3("%s: waiting for MONITOR_ANS_PAM_QUERY", __func__);
784 mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_PAM_QUERY, m);
785 if ((r = sshbuf_get_u32(m, &ret)) != 0 ||
786 (r = sshbuf_get_cstring(m, name, NULL)) != 0 ||
787 (r = sshbuf_get_cstring(m, info, NULL)) != 0 ||
788 (r = sshbuf_get_u32(m, &n)) != 0 ||
789 (r = sshbuf_get_u32(m, num)) != 0)
790 fatal("%s: buffer error: %s", __func__, ssh_err(r));
791 debug3("%s: pam_query returned %d", __func__, ret);
792 sshpam_set_maxtries_reached(n);
793 if (*num > PAM_MAX_NUM_MSG)
794 fatal("%s: received %u PAM messages, expected <= %u",
795 __func__, *num, PAM_MAX_NUM_MSG);
796 *prompts = xcalloc((*num + 1), sizeof(char *));
797 *echo_on = xcalloc((*num + 1), sizeof(u_int));
798 for (i = 0; i < *num; ++i) {
799 if ((r = sshbuf_get_cstring(m, &((*prompts)[i]), NULL)) != 0 ||
800 (r = sshbuf_get_u32(m, &((*echo_on)[i]))) != 0)
801 fatal("%s: buffer error: %s", __func__, ssh_err(r));
802 }
803 sshbuf_free(m);
804 return (ret);
805 }
806
807 int
mm_sshpam_respond(void * ctx,u_int num,char ** resp)808 mm_sshpam_respond(void *ctx, u_int num, char **resp)
809 {
810 struct sshbuf *m;
811 u_int n, i;
812 int r, ret;
813
814 debug3("%s", __func__);
815 if ((m = sshbuf_new()) == NULL)
816 fatal("%s: sshbuf_new failed", __func__);
817 if ((r = sshbuf_put_u32(m, num)) != 0)
818 fatal("%s: buffer error: %s", __func__, ssh_err(r));
819 for (i = 0; i < num; ++i) {
820 if ((r = sshbuf_put_cstring(m, resp[i])) != 0)
821 fatal("%s: buffer error: %s", __func__, ssh_err(r));
822 }
823 mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_PAM_RESPOND, m);
824 debug3("%s: waiting for MONITOR_ANS_PAM_RESPOND", __func__);
825 mm_request_receive_expect(pmonitor->m_recvfd,
826 MONITOR_ANS_PAM_RESPOND, m);
827 if ((r = sshbuf_get_u32(m, &n)) != 0)
828 fatal("%s: buffer error: %s", __func__, ssh_err(r));
829 ret = (int)n; /* XXX */
830 debug3("%s: pam_respond returned %d", __func__, ret);
831 sshbuf_free(m);
832 return (ret);
833 }
834
835 void
mm_sshpam_free_ctx(void * ctxtp)836 mm_sshpam_free_ctx(void *ctxtp)
837 {
838 struct sshbuf *m;
839
840 debug3("%s", __func__);
841 if ((m = sshbuf_new()) == NULL)
842 fatal("%s: sshbuf_new failed", __func__);
843 mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_PAM_FREE_CTX, m);
844 debug3("%s: waiting for MONITOR_ANS_PAM_FREE_CTX", __func__);
845 mm_request_receive_expect(pmonitor->m_recvfd,
846 MONITOR_ANS_PAM_FREE_CTX, m);
847 sshbuf_free(m);
848 }
849 #endif /* USE_PAM */
850
851 /* Request process termination */
852
853 void
mm_terminate(void)854 mm_terminate(void)
855 {
856 struct sshbuf *m;
857
858 if ((m = sshbuf_new()) == NULL)
859 fatal_f("sshbuf_new failed");
860 mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_TERM, m);
861 sshbuf_free(m);
862 }
863
864 static void
mm_chall_setup(char ** name,char ** infotxt,u_int * numprompts,char *** prompts,u_int ** echo_on)865 mm_chall_setup(char **name, char **infotxt, u_int *numprompts,
866 char ***prompts, u_int **echo_on)
867 {
868 *name = xstrdup("");
869 *infotxt = xstrdup("");
870 *numprompts = 1;
871 *prompts = xcalloc(*numprompts, sizeof(char *));
872 *echo_on = xcalloc(*numprompts, sizeof(u_int));
873 (*echo_on)[0] = 0;
874 }
875
876 int
mm_bsdauth_query(void * ctx,char ** name,char ** infotxt,u_int * numprompts,char *** prompts,u_int ** echo_on)877 mm_bsdauth_query(void *ctx, char **name, char **infotxt,
878 u_int *numprompts, char ***prompts, u_int **echo_on)
879 {
880 struct sshbuf *m;
881 u_int success;
882 char *challenge;
883 int r;
884
885 debug3_f("entering");
886
887 if ((m = sshbuf_new()) == NULL)
888 fatal_f("sshbuf_new failed");
889 mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_BSDAUTHQUERY, m);
890
891 mm_request_receive_expect(pmonitor->m_recvfd,
892 MONITOR_ANS_BSDAUTHQUERY, m);
893 if ((r = sshbuf_get_u32(m, &success)) != 0)
894 fatal_fr(r, "parse success");
895 if (success == 0) {
896 debug3_f("no challenge");
897 sshbuf_free(m);
898 return (-1);
899 }
900
901 /* Get the challenge, and format the response */
902 if ((r = sshbuf_get_cstring(m, &challenge, NULL)) != 0)
903 fatal_fr(r, "parse challenge");
904 sshbuf_free(m);
905
906 mm_chall_setup(name, infotxt, numprompts, prompts, echo_on);
907 (*prompts)[0] = challenge;
908
909 debug3_f("received challenge: %s", challenge);
910
911 return (0);
912 }
913
914 int
mm_bsdauth_respond(void * ctx,u_int numresponses,char ** responses)915 mm_bsdauth_respond(void *ctx, u_int numresponses, char **responses)
916 {
917 struct sshbuf *m;
918 int r, authok;
919
920 debug3_f("entering");
921 if (numresponses != 1)
922 return (-1);
923
924 if ((m = sshbuf_new()) == NULL)
925 fatal_f("sshbuf_new failed");
926 if ((r = sshbuf_put_cstring(m, responses[0])) != 0)
927 fatal_fr(r, "assemble");
928 mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_BSDAUTHRESPOND, m);
929
930 mm_request_receive_expect(pmonitor->m_recvfd,
931 MONITOR_ANS_BSDAUTHRESPOND, m);
932
933 if ((r = sshbuf_get_u32(m, &authok)) != 0)
934 fatal_fr(r, "parse");
935 sshbuf_free(m);
936
937 return ((authok == 0) ? -1 : 0);
938 }
939
940 #ifdef SSH_AUDIT_EVENTS
941 void
mm_audit_event(struct ssh * ssh,ssh_audit_event_t event)942 mm_audit_event(struct ssh *ssh, ssh_audit_event_t event)
943 {
944 struct sshbuf *m;
945 int r;
946
947 debug3("%s entering", __func__);
948
949 if ((m = sshbuf_new()) == NULL)
950 fatal("%s: sshbuf_new failed", __func__);
951 if ((r = sshbuf_put_u32(m, event)) != 0)
952 fatal("%s: buffer error: %s", __func__, ssh_err(r));
953
954 mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUDIT_EVENT, m);
955 sshbuf_free(m);
956 }
957
958 void
mm_audit_run_command(const char * command)959 mm_audit_run_command(const char *command)
960 {
961 struct sshbuf *m;
962 int r;
963
964 debug3("%s entering command %s", __func__, command);
965
966 if ((m = sshbuf_new()) == NULL)
967 fatal("%s: sshbuf_new failed", __func__);
968 if ((r = sshbuf_put_cstring(m, command)) != 0)
969 fatal("%s: buffer error: %s", __func__, ssh_err(r));
970
971 mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUDIT_COMMAND, m);
972 sshbuf_free(m);
973 }
974 #endif /* SSH_AUDIT_EVENTS */
975
976 #ifdef GSSAPI
977 OM_uint32
mm_ssh_gssapi_server_ctx(Gssctxt ** ctx,gss_OID goid)978 mm_ssh_gssapi_server_ctx(Gssctxt **ctx, gss_OID goid)
979 {
980 struct sshbuf *m;
981 OM_uint32 major;
982 int r;
983
984 /* Client doesn't get to see the context */
985 *ctx = NULL;
986
987 if ((m = sshbuf_new()) == NULL)
988 fatal_f("sshbuf_new failed");
989 if ((r = sshbuf_put_string(m, goid->elements, goid->length)) != 0)
990 fatal_fr(r, "assemble");
991
992 mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_GSSSETUP, m);
993 mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_GSSSETUP, m);
994
995 if ((r = sshbuf_get_u32(m, &major)) != 0)
996 fatal_fr(r, "parse");
997
998 sshbuf_free(m);
999 return (major);
1000 }
1001
1002 OM_uint32
mm_ssh_gssapi_accept_ctx(Gssctxt * ctx,gss_buffer_desc * in,gss_buffer_desc * out,OM_uint32 * flagsp)1003 mm_ssh_gssapi_accept_ctx(Gssctxt *ctx, gss_buffer_desc *in,
1004 gss_buffer_desc *out, OM_uint32 *flagsp)
1005 {
1006 struct sshbuf *m;
1007 OM_uint32 major;
1008 u_int flags;
1009 int r;
1010
1011 if ((m = sshbuf_new()) == NULL)
1012 fatal_f("sshbuf_new failed");
1013 if ((r = sshbuf_put_string(m, in->value, in->length)) != 0)
1014 fatal_fr(r, "assemble");
1015
1016 mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_GSSSTEP, m);
1017 mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_GSSSTEP, m);
1018
1019 if ((r = sshbuf_get_u32(m, &major)) != 0 ||
1020 (r = ssh_gssapi_get_buffer_desc(m, out)) != 0)
1021 fatal_fr(r, "parse");
1022 if (flagsp != NULL) {
1023 if ((r = sshbuf_get_u32(m, &flags)) != 0)
1024 fatal_fr(r, "parse flags");
1025 *flagsp = flags;
1026 }
1027
1028 sshbuf_free(m);
1029
1030 return (major);
1031 }
1032
1033 OM_uint32
mm_ssh_gssapi_checkmic(Gssctxt * ctx,gss_buffer_t gssbuf,gss_buffer_t gssmic)1034 mm_ssh_gssapi_checkmic(Gssctxt *ctx, gss_buffer_t gssbuf, gss_buffer_t gssmic)
1035 {
1036 struct sshbuf *m;
1037 OM_uint32 major;
1038 int r;
1039
1040 if ((m = sshbuf_new()) == NULL)
1041 fatal_f("sshbuf_new failed");
1042 if ((r = sshbuf_put_string(m, gssbuf->value, gssbuf->length)) != 0 ||
1043 (r = sshbuf_put_string(m, gssmic->value, gssmic->length)) != 0)
1044 fatal_fr(r, "assemble");
1045
1046 mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_GSSCHECKMIC, m);
1047 mm_request_receive_expect(pmonitor->m_recvfd,
1048 MONITOR_ANS_GSSCHECKMIC, m);
1049
1050 if ((r = sshbuf_get_u32(m, &major)) != 0)
1051 fatal_fr(r, "parse");
1052 sshbuf_free(m);
1053 return(major);
1054 }
1055
1056 int
mm_ssh_gssapi_userok(char * user)1057 mm_ssh_gssapi_userok(char *user)
1058 {
1059 struct sshbuf *m;
1060 int r, authenticated = 0;
1061
1062 if ((m = sshbuf_new()) == NULL)
1063 fatal_f("sshbuf_new failed");
1064
1065 mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_GSSUSEROK, m);
1066 mm_request_receive_expect(pmonitor->m_recvfd,
1067 MONITOR_ANS_GSSUSEROK, m);
1068
1069 if ((r = sshbuf_get_u32(m, &authenticated)) != 0)
1070 fatal_fr(r, "parse");
1071
1072 sshbuf_free(m);
1073 debug3_f("user %sauthenticated", authenticated ? "" : "not ");
1074 return (authenticated);
1075 }
1076 #endif /* GSSAPI */
1077
1078 /*
1079 * Inform channels layer of permitopen options for a single forwarding
1080 * direction (local/remote).
1081 */
1082 static void
server_process_permitopen_list(struct ssh * ssh,int listen,char ** opens,u_int num_opens)1083 server_process_permitopen_list(struct ssh *ssh, int listen,
1084 char **opens, u_int num_opens)
1085 {
1086 u_int i;
1087 int port;
1088 char *host, *arg, *oarg;
1089 int where = listen ? FORWARD_REMOTE : FORWARD_LOCAL;
1090 const char *what = listen ? "permitlisten" : "permitopen";
1091
1092 channel_clear_permission(ssh, FORWARD_ADM, where);
1093 if (num_opens == 0)
1094 return; /* permit any */
1095
1096 /* handle keywords: "any" / "none" */
1097 if (num_opens == 1 && strcmp(opens[0], "any") == 0)
1098 return;
1099 if (num_opens == 1 && strcmp(opens[0], "none") == 0) {
1100 channel_disable_admin(ssh, where);
1101 return;
1102 }
1103 /* Otherwise treat it as a list of permitted host:port */
1104 for (i = 0; i < num_opens; i++) {
1105 oarg = arg = xstrdup(opens[i]);
1106 host = hpdelim(&arg);
1107 if (host == NULL)
1108 fatal_f("missing host in %s", what);
1109 host = cleanhostname(host);
1110 if (arg == NULL || ((port = permitopen_port(arg)) < 0))
1111 fatal_f("bad port number in %s", what);
1112 /* Send it to channels layer */
1113 channel_add_permission(ssh, FORWARD_ADM,
1114 where, host, port);
1115 free(oarg);
1116 }
1117 }
1118
1119 /*
1120 * Inform channels layer of permitopen options from configuration.
1121 */
1122 void
server_process_permitopen(struct ssh * ssh)1123 server_process_permitopen(struct ssh *ssh)
1124 {
1125 server_process_permitopen_list(ssh, 0,
1126 options.permitted_opens, options.num_permitted_opens);
1127 server_process_permitopen_list(ssh, 1,
1128 options.permitted_listens, options.num_permitted_listens);
1129 }
1130
1131 void
server_process_channel_timeouts(struct ssh * ssh)1132 server_process_channel_timeouts(struct ssh *ssh)
1133 {
1134 u_int i, secs;
1135 char *type;
1136
1137 debug3_f("setting %u timeouts", options.num_channel_timeouts);
1138 channel_clear_timeouts(ssh);
1139 for (i = 0; i < options.num_channel_timeouts; i++) {
1140 if (parse_pattern_interval(options.channel_timeouts[i],
1141 &type, &secs) != 0) {
1142 fatal_f("internal error: bad timeout %s",
1143 options.channel_timeouts[i]);
1144 }
1145 channel_add_timeout(ssh, type, secs);
1146 free(type);
1147 }
1148 }
1149
1150 struct connection_info *
server_get_connection_info(struct ssh * ssh,int populate,int use_dns)1151 server_get_connection_info(struct ssh *ssh, int populate, int use_dns)
1152 {
1153 static struct connection_info ci;
1154
1155 if (ssh == NULL || !populate)
1156 return &ci;
1157 ci.host = use_dns ? ssh_remote_hostname(ssh) : ssh_remote_ipaddr(ssh);
1158 ci.address = ssh_remote_ipaddr(ssh);
1159 ci.laddress = ssh_local_ipaddr(ssh);
1160 ci.lport = ssh_local_port(ssh);
1161 ci.rdomain = ssh_packet_rdomain_in(ssh);
1162 return &ci;
1163 }
1164
1165