1 /* $OpenBSD: monitor_wrap.c,v 1.63 2008/07/10 18:08:11 markus Exp $ */ 2 /* 3 * Copyright 2002 Niels Provos <provos@citi.umich.edu> 4 * Copyright 2002 Markus Friedl <markus@openbsd.org> 5 * All rights reserved. 6 * 7 * Redistribution and use in source and binary forms, with or without 8 * modification, are permitted provided that the following conditions 9 * are met: 10 * 1. Redistributions of source code must retain the above copyright 11 * notice, this list of conditions and the following disclaimer. 12 * 2. Redistributions in binary form must reproduce the above copyright 13 * notice, this list of conditions and the following disclaimer in the 14 * documentation and/or other materials provided with the distribution. 15 * 16 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 17 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 18 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 19 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 20 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 21 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 22 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 23 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 24 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 25 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 26 */ 27 28 #include "includes.h" 29 30 #include <sys/types.h> 31 #include <sys/uio.h> 32 33 #include <errno.h> 34 #include <pwd.h> 35 #include <signal.h> 36 #include <stdarg.h> 37 #include <stdio.h> 38 #include <string.h> 39 #include <unistd.h> 40 41 #include <openssl/bn.h> 42 #include <openssl/dh.h> 43 44 #include "openbsd-compat/sys-queue.h" 45 #include "xmalloc.h" 46 #include "ssh.h" 47 #include "dh.h" 48 #include "buffer.h" 49 #include "key.h" 50 #include "cipher.h" 51 #include "kex.h" 52 #include "hostfile.h" 53 #include "auth.h" 54 #include "auth-options.h" 55 #include "packet.h" 56 #include "mac.h" 57 #include "log.h" 58 #ifdef TARGET_OS_MAC /* XXX Broken krb5 headers on Mac */ 59 #undef TARGET_OS_MAC 60 #include "zlib.h" 61 #define TARGET_OS_MAC 1 62 #else 63 #include "zlib.h" 64 #endif 65 #include "monitor.h" 66 #ifdef GSSAPI 67 #include "ssh-gss.h" 68 #endif 69 #include "monitor_wrap.h" 70 #include "atomicio.h" 71 #include "monitor_fdpass.h" 72 #include "misc.h" 73 #include "servconf.h" 74 75 #include "channels.h" 76 #include "session.h" 77 #include "servconf.h" 78 79 /* Imports */ 80 extern int compat20; 81 extern Newkeys *newkeys[]; 82 extern z_stream incoming_stream; 83 extern z_stream outgoing_stream; 84 extern struct monitor *pmonitor; 85 extern Buffer input, output; 86 extern Buffer loginmsg; 87 extern ServerOptions options; 88 89 int 90 mm_is_monitor(void) 91 { 92 /* 93 * m_pid is only set in the privileged part, and 94 * points to the unprivileged child. 95 */ 96 return (pmonitor && pmonitor->m_pid > 0); 97 } 98 99 void 100 mm_request_send(int sock, enum monitor_reqtype type, Buffer *m) 101 { 102 u_int mlen = buffer_len(m); 103 u_char buf[5]; 104 105 debug3("%s entering: type %d", __func__, type); 106 107 put_u32(buf, mlen + 1); 108 buf[4] = (u_char) type; /* 1st byte of payload is mesg-type */ 109 if (atomicio(vwrite, sock, buf, sizeof(buf)) != sizeof(buf)) 110 fatal("%s: write: %s", __func__, strerror(errno)); 111 if (atomicio(vwrite, sock, buffer_ptr(m), mlen) != mlen) 112 fatal("%s: write: %s", __func__, strerror(errno)); 113 } 114 115 void 116 mm_request_receive(int sock, Buffer *m) 117 { 118 u_char buf[4]; 119 u_int msg_len; 120 121 debug3("%s entering", __func__); 122 123 if (atomicio(read, sock, buf, sizeof(buf)) != sizeof(buf)) { 124 if (errno == EPIPE) 125 cleanup_exit(255); 126 fatal("%s: read: %s", __func__, strerror(errno)); 127 } 128 msg_len = get_u32(buf); 129 if (msg_len > 256 * 1024) 130 fatal("%s: read: bad msg_len %d", __func__, msg_len); 131 buffer_clear(m); 132 buffer_append_space(m, msg_len); 133 if (atomicio(read, sock, buffer_ptr(m), msg_len) != msg_len) 134 fatal("%s: read: %s", __func__, strerror(errno)); 135 } 136 137 void 138 mm_request_receive_expect(int sock, enum monitor_reqtype type, Buffer *m) 139 { 140 u_char rtype; 141 142 debug3("%s entering: type %d", __func__, type); 143 144 mm_request_receive(sock, m); 145 rtype = buffer_get_char(m); 146 if (rtype != type) 147 fatal("%s: read: rtype %d != type %d", __func__, 148 rtype, type); 149 } 150 151 DH * 152 mm_choose_dh(int min, int nbits, int max) 153 { 154 BIGNUM *p, *g; 155 int success = 0; 156 Buffer m; 157 158 buffer_init(&m); 159 buffer_put_int(&m, min); 160 buffer_put_int(&m, nbits); 161 buffer_put_int(&m, max); 162 163 mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_MODULI, &m); 164 165 debug3("%s: waiting for MONITOR_ANS_MODULI", __func__); 166 mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_MODULI, &m); 167 168 success = buffer_get_char(&m); 169 if (success == 0) 170 fatal("%s: MONITOR_ANS_MODULI failed", __func__); 171 172 if ((p = BN_new()) == NULL) 173 fatal("%s: BN_new failed", __func__); 174 if ((g = BN_new()) == NULL) 175 fatal("%s: BN_new failed", __func__); 176 buffer_get_bignum2(&m, p); 177 buffer_get_bignum2(&m, g); 178 179 debug3("%s: remaining %d", __func__, buffer_len(&m)); 180 buffer_free(&m); 181 182 return (dh_new_group(g, p)); 183 } 184 185 int 186 mm_key_sign(Key *key, u_char **sigp, u_int *lenp, u_char *data, u_int datalen) 187 { 188 Kex *kex = *pmonitor->m_pkex; 189 Buffer m; 190 191 debug3("%s entering", __func__); 192 193 buffer_init(&m); 194 buffer_put_int(&m, kex->host_key_index(key)); 195 buffer_put_string(&m, data, datalen); 196 197 mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_SIGN, &m); 198 199 debug3("%s: waiting for MONITOR_ANS_SIGN", __func__); 200 mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_SIGN, &m); 201 *sigp = buffer_get_string(&m, lenp); 202 buffer_free(&m); 203 204 return (0); 205 } 206 207 struct passwd * 208 mm_getpwnamallow(const char *username) 209 { 210 Buffer m; 211 struct passwd *pw; 212 u_int len; 213 ServerOptions *newopts; 214 215 debug3("%s entering", __func__); 216 217 buffer_init(&m); 218 buffer_put_cstring(&m, username); 219 220 mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_PWNAM, &m); 221 222 debug3("%s: waiting for MONITOR_ANS_PWNAM", __func__); 223 mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_PWNAM, &m); 224 225 if (buffer_get_char(&m) == 0) { 226 pw = NULL; 227 goto out; 228 } 229 pw = buffer_get_string(&m, &len); 230 if (len != sizeof(struct passwd)) 231 fatal("%s: struct passwd size mismatch", __func__); 232 pw->pw_name = buffer_get_string(&m, NULL); 233 pw->pw_passwd = buffer_get_string(&m, NULL); 234 pw->pw_gecos = buffer_get_string(&m, NULL); 235 #ifdef HAVE_PW_CLASS_IN_PASSWD 236 pw->pw_class = buffer_get_string(&m, NULL); 237 #endif 238 pw->pw_dir = buffer_get_string(&m, NULL); 239 pw->pw_shell = buffer_get_string(&m, NULL); 240 241 out: 242 /* copy options block as a Match directive may have changed some */ 243 newopts = buffer_get_string(&m, &len); 244 if (len != sizeof(*newopts)) 245 fatal("%s: option block size mismatch", __func__); 246 if (newopts->banner != NULL) 247 newopts->banner = buffer_get_string(&m, NULL); 248 copy_set_server_options(&options, newopts, 1); 249 xfree(newopts); 250 251 buffer_free(&m); 252 253 return (pw); 254 } 255 256 char * 257 mm_auth2_read_banner(void) 258 { 259 Buffer m; 260 char *banner; 261 262 debug3("%s entering", __func__); 263 264 buffer_init(&m); 265 mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUTH2_READ_BANNER, &m); 266 buffer_clear(&m); 267 268 mm_request_receive_expect(pmonitor->m_recvfd, 269 MONITOR_ANS_AUTH2_READ_BANNER, &m); 270 banner = buffer_get_string(&m, NULL); 271 buffer_free(&m); 272 273 /* treat empty banner as missing banner */ 274 if (strlen(banner) == 0) { 275 xfree(banner); 276 banner = NULL; 277 } 278 return (banner); 279 } 280 281 /* Inform the privileged process about service and style */ 282 283 void 284 mm_inform_authserv(char *service, char *style) 285 { 286 Buffer m; 287 288 debug3("%s entering", __func__); 289 290 buffer_init(&m); 291 buffer_put_cstring(&m, service); 292 buffer_put_cstring(&m, style ? style : ""); 293 294 mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUTHSERV, &m); 295 296 buffer_free(&m); 297 } 298 299 /* Do the password authentication */ 300 int 301 mm_auth_password(Authctxt *authctxt, char *password) 302 { 303 Buffer m; 304 int authenticated = 0; 305 306 debug3("%s entering", __func__); 307 308 buffer_init(&m); 309 buffer_put_cstring(&m, password); 310 mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUTHPASSWORD, &m); 311 312 debug3("%s: waiting for MONITOR_ANS_AUTHPASSWORD", __func__); 313 mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_AUTHPASSWORD, &m); 314 315 authenticated = buffer_get_int(&m); 316 317 buffer_free(&m); 318 319 debug3("%s: user %sauthenticated", 320 __func__, authenticated ? "" : "not "); 321 return (authenticated); 322 } 323 324 int 325 mm_user_key_allowed(struct passwd *pw, Key *key) 326 { 327 return (mm_key_allowed(MM_USERKEY, NULL, NULL, key)); 328 } 329 330 int 331 mm_hostbased_key_allowed(struct passwd *pw, char *user, char *host, 332 Key *key) 333 { 334 return (mm_key_allowed(MM_HOSTKEY, user, host, key)); 335 } 336 337 int 338 mm_auth_rhosts_rsa_key_allowed(struct passwd *pw, char *user, 339 char *host, Key *key) 340 { 341 int ret; 342 343 key->type = KEY_RSA; /* XXX hack for key_to_blob */ 344 ret = mm_key_allowed(MM_RSAHOSTKEY, user, host, key); 345 key->type = KEY_RSA1; 346 return (ret); 347 } 348 349 static void 350 mm_send_debug(Buffer *m) 351 { 352 char *msg; 353 354 while (buffer_len(m)) { 355 msg = buffer_get_string(m, NULL); 356 debug3("%s: Sending debug: %s", __func__, msg); 357 packet_send_debug("%s", msg); 358 xfree(msg); 359 } 360 } 361 362 int 363 mm_key_allowed(enum mm_keytype type, char *user, char *host, Key *key) 364 { 365 Buffer m; 366 u_char *blob; 367 u_int len; 368 int allowed = 0, have_forced = 0; 369 370 debug3("%s entering", __func__); 371 372 /* Convert the key to a blob and the pass it over */ 373 if (!key_to_blob(key, &blob, &len)) 374 return (0); 375 376 buffer_init(&m); 377 buffer_put_int(&m, type); 378 buffer_put_cstring(&m, user ? user : ""); 379 buffer_put_cstring(&m, host ? host : ""); 380 buffer_put_string(&m, blob, len); 381 xfree(blob); 382 383 mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_KEYALLOWED, &m); 384 385 debug3("%s: waiting for MONITOR_ANS_KEYALLOWED", __func__); 386 mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_KEYALLOWED, &m); 387 388 allowed = buffer_get_int(&m); 389 390 /* fake forced command */ 391 auth_clear_options(); 392 have_forced = buffer_get_int(&m); 393 forced_command = have_forced ? xstrdup("true") : NULL; 394 395 /* Send potential debug messages */ 396 mm_send_debug(&m); 397 398 buffer_free(&m); 399 400 return (allowed); 401 } 402 403 /* 404 * This key verify needs to send the key type along, because the 405 * privileged parent makes the decision if the key is allowed 406 * for authentication. 407 */ 408 409 int 410 mm_key_verify(Key *key, u_char *sig, u_int siglen, u_char *data, u_int datalen) 411 { 412 Buffer m; 413 u_char *blob; 414 u_int len; 415 int verified = 0; 416 417 debug3("%s entering", __func__); 418 419 /* Convert the key to a blob and the pass it over */ 420 if (!key_to_blob(key, &blob, &len)) 421 return (0); 422 423 buffer_init(&m); 424 buffer_put_string(&m, blob, len); 425 buffer_put_string(&m, sig, siglen); 426 buffer_put_string(&m, data, datalen); 427 xfree(blob); 428 429 mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_KEYVERIFY, &m); 430 431 debug3("%s: waiting for MONITOR_ANS_KEYVERIFY", __func__); 432 mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_KEYVERIFY, &m); 433 434 verified = buffer_get_int(&m); 435 436 buffer_free(&m); 437 438 return (verified); 439 } 440 441 /* Export key state after authentication */ 442 Newkeys * 443 mm_newkeys_from_blob(u_char *blob, int blen) 444 { 445 Buffer b; 446 u_int len; 447 Newkeys *newkey = NULL; 448 Enc *enc; 449 Mac *mac; 450 Comp *comp; 451 452 debug3("%s: %p(%d)", __func__, blob, blen); 453 #ifdef DEBUG_PK 454 dump_base64(stderr, blob, blen); 455 #endif 456 buffer_init(&b); 457 buffer_append(&b, blob, blen); 458 459 newkey = xmalloc(sizeof(*newkey)); 460 enc = &newkey->enc; 461 mac = &newkey->mac; 462 comp = &newkey->comp; 463 464 /* Enc structure */ 465 enc->name = buffer_get_string(&b, NULL); 466 buffer_get(&b, &enc->cipher, sizeof(enc->cipher)); 467 enc->enabled = buffer_get_int(&b); 468 enc->block_size = buffer_get_int(&b); 469 enc->key = buffer_get_string(&b, &enc->key_len); 470 enc->iv = buffer_get_string(&b, &len); 471 if (len != enc->block_size) 472 fatal("%s: bad ivlen: expected %u != %u", __func__, 473 enc->block_size, len); 474 475 if (enc->name == NULL || cipher_by_name(enc->name) != enc->cipher) 476 fatal("%s: bad cipher name %s or pointer %p", __func__, 477 enc->name, enc->cipher); 478 479 /* Mac structure */ 480 mac->name = buffer_get_string(&b, NULL); 481 if (mac->name == NULL || mac_setup(mac, mac->name) == -1) 482 fatal("%s: can not setup mac %s", __func__, mac->name); 483 mac->enabled = buffer_get_int(&b); 484 mac->key = buffer_get_string(&b, &len); 485 if (len > mac->key_len) 486 fatal("%s: bad mac key length: %u > %d", __func__, len, 487 mac->key_len); 488 mac->key_len = len; 489 490 /* Comp structure */ 491 comp->type = buffer_get_int(&b); 492 comp->enabled = buffer_get_int(&b); 493 comp->name = buffer_get_string(&b, NULL); 494 495 len = buffer_len(&b); 496 if (len != 0) 497 error("newkeys_from_blob: remaining bytes in blob %u", len); 498 buffer_free(&b); 499 return (newkey); 500 } 501 502 int 503 mm_newkeys_to_blob(int mode, u_char **blobp, u_int *lenp) 504 { 505 Buffer b; 506 int len; 507 Enc *enc; 508 Mac *mac; 509 Comp *comp; 510 Newkeys *newkey = newkeys[mode]; 511 512 debug3("%s: converting %p", __func__, newkey); 513 514 if (newkey == NULL) { 515 error("%s: newkey == NULL", __func__); 516 return 0; 517 } 518 enc = &newkey->enc; 519 mac = &newkey->mac; 520 comp = &newkey->comp; 521 522 buffer_init(&b); 523 /* Enc structure */ 524 buffer_put_cstring(&b, enc->name); 525 /* The cipher struct is constant and shared, you export pointer */ 526 buffer_append(&b, &enc->cipher, sizeof(enc->cipher)); 527 buffer_put_int(&b, enc->enabled); 528 buffer_put_int(&b, enc->block_size); 529 buffer_put_string(&b, enc->key, enc->key_len); 530 packet_get_keyiv(mode, enc->iv, enc->block_size); 531 buffer_put_string(&b, enc->iv, enc->block_size); 532 533 /* Mac structure */ 534 buffer_put_cstring(&b, mac->name); 535 buffer_put_int(&b, mac->enabled); 536 buffer_put_string(&b, mac->key, mac->key_len); 537 538 /* Comp structure */ 539 buffer_put_int(&b, comp->type); 540 buffer_put_int(&b, comp->enabled); 541 buffer_put_cstring(&b, comp->name); 542 543 len = buffer_len(&b); 544 if (lenp != NULL) 545 *lenp = len; 546 if (blobp != NULL) { 547 *blobp = xmalloc(len); 548 memcpy(*blobp, buffer_ptr(&b), len); 549 } 550 memset(buffer_ptr(&b), 0, len); 551 buffer_free(&b); 552 return len; 553 } 554 555 static void 556 mm_send_kex(Buffer *m, Kex *kex) 557 { 558 buffer_put_string(m, kex->session_id, kex->session_id_len); 559 buffer_put_int(m, kex->we_need); 560 buffer_put_int(m, kex->hostkey_type); 561 buffer_put_int(m, kex->kex_type); 562 buffer_put_string(m, buffer_ptr(&kex->my), buffer_len(&kex->my)); 563 buffer_put_string(m, buffer_ptr(&kex->peer), buffer_len(&kex->peer)); 564 buffer_put_int(m, kex->flags); 565 buffer_put_cstring(m, kex->client_version_string); 566 buffer_put_cstring(m, kex->server_version_string); 567 } 568 569 void 570 mm_send_keystate(struct monitor *monitor) 571 { 572 Buffer m; 573 u_char *blob, *p; 574 u_int bloblen, plen; 575 u_int32_t seqnr, packets; 576 u_int64_t blocks, bytes; 577 578 buffer_init(&m); 579 580 if (!compat20) { 581 u_char iv[24]; 582 u_char *key; 583 u_int ivlen, keylen; 584 585 buffer_put_int(&m, packet_get_protocol_flags()); 586 587 buffer_put_int(&m, packet_get_ssh1_cipher()); 588 589 debug3("%s: Sending ssh1 KEY+IV", __func__); 590 keylen = packet_get_encryption_key(NULL); 591 key = xmalloc(keylen+1); /* add 1 if keylen == 0 */ 592 keylen = packet_get_encryption_key(key); 593 buffer_put_string(&m, key, keylen); 594 memset(key, 0, keylen); 595 xfree(key); 596 597 ivlen = packet_get_keyiv_len(MODE_OUT); 598 packet_get_keyiv(MODE_OUT, iv, ivlen); 599 buffer_put_string(&m, iv, ivlen); 600 ivlen = packet_get_keyiv_len(MODE_OUT); 601 packet_get_keyiv(MODE_IN, iv, ivlen); 602 buffer_put_string(&m, iv, ivlen); 603 goto skip; 604 } else { 605 /* Kex for rekeying */ 606 mm_send_kex(&m, *monitor->m_pkex); 607 } 608 609 debug3("%s: Sending new keys: %p %p", 610 __func__, newkeys[MODE_OUT], newkeys[MODE_IN]); 611 612 /* Keys from Kex */ 613 if (!mm_newkeys_to_blob(MODE_OUT, &blob, &bloblen)) 614 fatal("%s: conversion of newkeys failed", __func__); 615 616 buffer_put_string(&m, blob, bloblen); 617 xfree(blob); 618 619 if (!mm_newkeys_to_blob(MODE_IN, &blob, &bloblen)) 620 fatal("%s: conversion of newkeys failed", __func__); 621 622 buffer_put_string(&m, blob, bloblen); 623 xfree(blob); 624 625 packet_get_state(MODE_OUT, &seqnr, &blocks, &packets, &bytes); 626 buffer_put_int(&m, seqnr); 627 buffer_put_int64(&m, blocks); 628 buffer_put_int(&m, packets); 629 buffer_put_int64(&m, bytes); 630 packet_get_state(MODE_IN, &seqnr, &blocks, &packets, &bytes); 631 buffer_put_int(&m, seqnr); 632 buffer_put_int64(&m, blocks); 633 buffer_put_int(&m, packets); 634 buffer_put_int64(&m, bytes); 635 636 debug3("%s: New keys have been sent", __func__); 637 skip: 638 /* More key context */ 639 plen = packet_get_keycontext(MODE_OUT, NULL); 640 p = xmalloc(plen+1); 641 packet_get_keycontext(MODE_OUT, p); 642 buffer_put_string(&m, p, plen); 643 xfree(p); 644 645 plen = packet_get_keycontext(MODE_IN, NULL); 646 p = xmalloc(plen+1); 647 packet_get_keycontext(MODE_IN, p); 648 buffer_put_string(&m, p, plen); 649 xfree(p); 650 651 /* Compression state */ 652 debug3("%s: Sending compression state", __func__); 653 buffer_put_string(&m, &outgoing_stream, sizeof(outgoing_stream)); 654 buffer_put_string(&m, &incoming_stream, sizeof(incoming_stream)); 655 656 /* Network I/O buffers */ 657 buffer_put_string(&m, buffer_ptr(&input), buffer_len(&input)); 658 buffer_put_string(&m, buffer_ptr(&output), buffer_len(&output)); 659 660 mm_request_send(monitor->m_recvfd, MONITOR_REQ_KEYEXPORT, &m); 661 debug3("%s: Finished sending state", __func__); 662 663 buffer_free(&m); 664 } 665 666 int 667 mm_pty_allocate(int *ptyfd, int *ttyfd, char *namebuf, size_t namebuflen) 668 { 669 Buffer m; 670 char *p, *msg; 671 int success = 0, tmp1 = -1, tmp2 = -1; 672 673 /* Kludge: ensure there are fds free to receive the pty/tty */ 674 if ((tmp1 = dup(pmonitor->m_recvfd)) == -1 || 675 (tmp2 = dup(pmonitor->m_recvfd)) == -1) { 676 error("%s: cannot allocate fds for pty", __func__); 677 if (tmp1 > 0) 678 close(tmp1); 679 if (tmp2 > 0) 680 close(tmp2); 681 return 0; 682 } 683 close(tmp1); 684 close(tmp2); 685 686 buffer_init(&m); 687 mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_PTY, &m); 688 689 debug3("%s: waiting for MONITOR_ANS_PTY", __func__); 690 mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_PTY, &m); 691 692 success = buffer_get_int(&m); 693 if (success == 0) { 694 debug3("%s: pty alloc failed", __func__); 695 buffer_free(&m); 696 return (0); 697 } 698 p = buffer_get_string(&m, NULL); 699 msg = buffer_get_string(&m, NULL); 700 buffer_free(&m); 701 702 strlcpy(namebuf, p, namebuflen); /* Possible truncation */ 703 xfree(p); 704 705 buffer_append(&loginmsg, msg, strlen(msg)); 706 xfree(msg); 707 708 if ((*ptyfd = mm_receive_fd(pmonitor->m_recvfd)) == -1 || 709 (*ttyfd = mm_receive_fd(pmonitor->m_recvfd)) == -1) 710 fatal("%s: receive fds failed", __func__); 711 712 /* Success */ 713 return (1); 714 } 715 716 void 717 mm_session_pty_cleanup2(Session *s) 718 { 719 Buffer m; 720 721 if (s->ttyfd == -1) 722 return; 723 buffer_init(&m); 724 buffer_put_cstring(&m, s->tty); 725 mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_PTYCLEANUP, &m); 726 buffer_free(&m); 727 728 /* closed dup'ed master */ 729 if (s->ptymaster != -1 && close(s->ptymaster) < 0) 730 error("close(s->ptymaster/%d): %s", 731 s->ptymaster, strerror(errno)); 732 733 /* unlink pty from session */ 734 s->ttyfd = -1; 735 } 736 737 #ifdef USE_PAM 738 void 739 mm_start_pam(Authctxt *authctxt) 740 { 741 Buffer m; 742 743 debug3("%s entering", __func__); 744 if (!options.use_pam) 745 fatal("UsePAM=no, but ended up in %s anyway", __func__); 746 747 buffer_init(&m); 748 mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_PAM_START, &m); 749 750 buffer_free(&m); 751 } 752 753 u_int 754 mm_do_pam_account(void) 755 { 756 Buffer m; 757 u_int ret; 758 char *msg; 759 760 debug3("%s entering", __func__); 761 if (!options.use_pam) 762 fatal("UsePAM=no, but ended up in %s anyway", __func__); 763 764 buffer_init(&m); 765 mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_PAM_ACCOUNT, &m); 766 767 mm_request_receive_expect(pmonitor->m_recvfd, 768 MONITOR_ANS_PAM_ACCOUNT, &m); 769 ret = buffer_get_int(&m); 770 msg = buffer_get_string(&m, NULL); 771 buffer_append(&loginmsg, msg, strlen(msg)); 772 xfree(msg); 773 774 buffer_free(&m); 775 776 debug3("%s returning %d", __func__, ret); 777 778 return (ret); 779 } 780 781 void * 782 mm_sshpam_init_ctx(Authctxt *authctxt) 783 { 784 Buffer m; 785 int success; 786 787 debug3("%s", __func__); 788 buffer_init(&m); 789 buffer_put_cstring(&m, authctxt->user); 790 mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_PAM_INIT_CTX, &m); 791 debug3("%s: waiting for MONITOR_ANS_PAM_INIT_CTX", __func__); 792 mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_PAM_INIT_CTX, &m); 793 success = buffer_get_int(&m); 794 if (success == 0) { 795 debug3("%s: pam_init_ctx failed", __func__); 796 buffer_free(&m); 797 return (NULL); 798 } 799 buffer_free(&m); 800 return (authctxt); 801 } 802 803 int 804 mm_sshpam_query(void *ctx, char **name, char **info, 805 u_int *num, char ***prompts, u_int **echo_on) 806 { 807 Buffer m; 808 u_int i; 809 int ret; 810 811 debug3("%s", __func__); 812 buffer_init(&m); 813 mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_PAM_QUERY, &m); 814 debug3("%s: waiting for MONITOR_ANS_PAM_QUERY", __func__); 815 mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_PAM_QUERY, &m); 816 ret = buffer_get_int(&m); 817 debug3("%s: pam_query returned %d", __func__, ret); 818 *name = buffer_get_string(&m, NULL); 819 *info = buffer_get_string(&m, NULL); 820 *num = buffer_get_int(&m); 821 if (*num > PAM_MAX_NUM_MSG) 822 fatal("%s: recieved %u PAM messages, expected <= %u", 823 __func__, *num, PAM_MAX_NUM_MSG); 824 *prompts = xcalloc((*num + 1), sizeof(char *)); 825 *echo_on = xcalloc((*num + 1), sizeof(u_int)); 826 for (i = 0; i < *num; ++i) { 827 (*prompts)[i] = buffer_get_string(&m, NULL); 828 (*echo_on)[i] = buffer_get_int(&m); 829 } 830 buffer_free(&m); 831 return (ret); 832 } 833 834 int 835 mm_sshpam_respond(void *ctx, u_int num, char **resp) 836 { 837 Buffer m; 838 u_int i; 839 int ret; 840 841 debug3("%s", __func__); 842 buffer_init(&m); 843 buffer_put_int(&m, num); 844 for (i = 0; i < num; ++i) 845 buffer_put_cstring(&m, resp[i]); 846 mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_PAM_RESPOND, &m); 847 debug3("%s: waiting for MONITOR_ANS_PAM_RESPOND", __func__); 848 mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_PAM_RESPOND, &m); 849 ret = buffer_get_int(&m); 850 debug3("%s: pam_respond returned %d", __func__, ret); 851 buffer_free(&m); 852 return (ret); 853 } 854 855 void 856 mm_sshpam_free_ctx(void *ctxtp) 857 { 858 Buffer m; 859 860 debug3("%s", __func__); 861 buffer_init(&m); 862 mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_PAM_FREE_CTX, &m); 863 debug3("%s: waiting for MONITOR_ANS_PAM_FREE_CTX", __func__); 864 mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_PAM_FREE_CTX, &m); 865 buffer_free(&m); 866 } 867 #endif /* USE_PAM */ 868 869 /* Request process termination */ 870 871 void 872 mm_terminate(void) 873 { 874 Buffer m; 875 876 buffer_init(&m); 877 mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_TERM, &m); 878 buffer_free(&m); 879 } 880 881 int 882 mm_ssh1_session_key(BIGNUM *num) 883 { 884 int rsafail; 885 Buffer m; 886 887 buffer_init(&m); 888 buffer_put_bignum2(&m, num); 889 mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_SESSKEY, &m); 890 891 mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_SESSKEY, &m); 892 893 rsafail = buffer_get_int(&m); 894 buffer_get_bignum2(&m, num); 895 896 buffer_free(&m); 897 898 return (rsafail); 899 } 900 901 static void 902 mm_chall_setup(char **name, char **infotxt, u_int *numprompts, 903 char ***prompts, u_int **echo_on) 904 { 905 *name = xstrdup(""); 906 *infotxt = xstrdup(""); 907 *numprompts = 1; 908 *prompts = xcalloc(*numprompts, sizeof(char *)); 909 *echo_on = xcalloc(*numprompts, sizeof(u_int)); 910 (*echo_on)[0] = 0; 911 } 912 913 int 914 mm_bsdauth_query(void *ctx, char **name, char **infotxt, 915 u_int *numprompts, char ***prompts, u_int **echo_on) 916 { 917 Buffer m; 918 u_int success; 919 char *challenge; 920 921 debug3("%s: entering", __func__); 922 923 buffer_init(&m); 924 mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_BSDAUTHQUERY, &m); 925 926 mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_BSDAUTHQUERY, 927 &m); 928 success = buffer_get_int(&m); 929 if (success == 0) { 930 debug3("%s: no challenge", __func__); 931 buffer_free(&m); 932 return (-1); 933 } 934 935 /* Get the challenge, and format the response */ 936 challenge = buffer_get_string(&m, NULL); 937 buffer_free(&m); 938 939 mm_chall_setup(name, infotxt, numprompts, prompts, echo_on); 940 (*prompts)[0] = challenge; 941 942 debug3("%s: received challenge: %s", __func__, challenge); 943 944 return (0); 945 } 946 947 int 948 mm_bsdauth_respond(void *ctx, u_int numresponses, char **responses) 949 { 950 Buffer m; 951 int authok; 952 953 debug3("%s: entering", __func__); 954 if (numresponses != 1) 955 return (-1); 956 957 buffer_init(&m); 958 buffer_put_cstring(&m, responses[0]); 959 mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_BSDAUTHRESPOND, &m); 960 961 mm_request_receive_expect(pmonitor->m_recvfd, 962 MONITOR_ANS_BSDAUTHRESPOND, &m); 963 964 authok = buffer_get_int(&m); 965 buffer_free(&m); 966 967 return ((authok == 0) ? -1 : 0); 968 } 969 970 #ifdef SKEY 971 int 972 mm_skey_query(void *ctx, char **name, char **infotxt, 973 u_int *numprompts, char ***prompts, u_int **echo_on) 974 { 975 Buffer m; 976 u_int success; 977 char *challenge; 978 979 debug3("%s: entering", __func__); 980 981 buffer_init(&m); 982 mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_SKEYQUERY, &m); 983 984 mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_SKEYQUERY, 985 &m); 986 success = buffer_get_int(&m); 987 if (success == 0) { 988 debug3("%s: no challenge", __func__); 989 buffer_free(&m); 990 return (-1); 991 } 992 993 /* Get the challenge, and format the response */ 994 challenge = buffer_get_string(&m, NULL); 995 buffer_free(&m); 996 997 debug3("%s: received challenge: %s", __func__, challenge); 998 999 mm_chall_setup(name, infotxt, numprompts, prompts, echo_on); 1000 1001 xasprintf(*prompts, "%s%s", challenge, SKEY_PROMPT); 1002 xfree(challenge); 1003 1004 return (0); 1005 } 1006 1007 int 1008 mm_skey_respond(void *ctx, u_int numresponses, char **responses) 1009 { 1010 Buffer m; 1011 int authok; 1012 1013 debug3("%s: entering", __func__); 1014 if (numresponses != 1) 1015 return (-1); 1016 1017 buffer_init(&m); 1018 buffer_put_cstring(&m, responses[0]); 1019 mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_SKEYRESPOND, &m); 1020 1021 mm_request_receive_expect(pmonitor->m_recvfd, 1022 MONITOR_ANS_SKEYRESPOND, &m); 1023 1024 authok = buffer_get_int(&m); 1025 buffer_free(&m); 1026 1027 return ((authok == 0) ? -1 : 0); 1028 } 1029 #endif /* SKEY */ 1030 1031 void 1032 mm_ssh1_session_id(u_char session_id[16]) 1033 { 1034 Buffer m; 1035 int i; 1036 1037 debug3("%s entering", __func__); 1038 1039 buffer_init(&m); 1040 for (i = 0; i < 16; i++) 1041 buffer_put_char(&m, session_id[i]); 1042 1043 mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_SESSID, &m); 1044 buffer_free(&m); 1045 } 1046 1047 int 1048 mm_auth_rsa_key_allowed(struct passwd *pw, BIGNUM *client_n, Key **rkey) 1049 { 1050 Buffer m; 1051 Key *key; 1052 u_char *blob; 1053 u_int blen; 1054 int allowed = 0, have_forced = 0; 1055 1056 debug3("%s entering", __func__); 1057 1058 buffer_init(&m); 1059 buffer_put_bignum2(&m, client_n); 1060 1061 mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_RSAKEYALLOWED, &m); 1062 mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_RSAKEYALLOWED, &m); 1063 1064 allowed = buffer_get_int(&m); 1065 1066 /* fake forced command */ 1067 auth_clear_options(); 1068 have_forced = buffer_get_int(&m); 1069 forced_command = have_forced ? xstrdup("true") : NULL; 1070 1071 if (allowed && rkey != NULL) { 1072 blob = buffer_get_string(&m, &blen); 1073 if ((key = key_from_blob(blob, blen)) == NULL) 1074 fatal("%s: key_from_blob failed", __func__); 1075 *rkey = key; 1076 xfree(blob); 1077 } 1078 mm_send_debug(&m); 1079 buffer_free(&m); 1080 1081 return (allowed); 1082 } 1083 1084 BIGNUM * 1085 mm_auth_rsa_generate_challenge(Key *key) 1086 { 1087 Buffer m; 1088 BIGNUM *challenge; 1089 u_char *blob; 1090 u_int blen; 1091 1092 debug3("%s entering", __func__); 1093 1094 if ((challenge = BN_new()) == NULL) 1095 fatal("%s: BN_new failed", __func__); 1096 1097 key->type = KEY_RSA; /* XXX cheat for key_to_blob */ 1098 if (key_to_blob(key, &blob, &blen) == 0) 1099 fatal("%s: key_to_blob failed", __func__); 1100 key->type = KEY_RSA1; 1101 1102 buffer_init(&m); 1103 buffer_put_string(&m, blob, blen); 1104 xfree(blob); 1105 1106 mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_RSACHALLENGE, &m); 1107 mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_RSACHALLENGE, &m); 1108 1109 buffer_get_bignum2(&m, challenge); 1110 buffer_free(&m); 1111 1112 return (challenge); 1113 } 1114 1115 int 1116 mm_auth_rsa_verify_response(Key *key, BIGNUM *p, u_char response[16]) 1117 { 1118 Buffer m; 1119 u_char *blob; 1120 u_int blen; 1121 int success = 0; 1122 1123 debug3("%s entering", __func__); 1124 1125 key->type = KEY_RSA; /* XXX cheat for key_to_blob */ 1126 if (key_to_blob(key, &blob, &blen) == 0) 1127 fatal("%s: key_to_blob failed", __func__); 1128 key->type = KEY_RSA1; 1129 1130 buffer_init(&m); 1131 buffer_put_string(&m, blob, blen); 1132 buffer_put_string(&m, response, 16); 1133 xfree(blob); 1134 1135 mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_RSARESPONSE, &m); 1136 mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_RSARESPONSE, &m); 1137 1138 success = buffer_get_int(&m); 1139 buffer_free(&m); 1140 1141 return (success); 1142 } 1143 1144 #ifdef SSH_AUDIT_EVENTS 1145 void 1146 mm_audit_event(ssh_audit_event_t event) 1147 { 1148 Buffer m; 1149 1150 debug3("%s entering", __func__); 1151 1152 buffer_init(&m); 1153 buffer_put_int(&m, event); 1154 1155 mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUDIT_EVENT, &m); 1156 buffer_free(&m); 1157 } 1158 1159 void 1160 mm_audit_run_command(const char *command) 1161 { 1162 Buffer m; 1163 1164 debug3("%s entering command %s", __func__, command); 1165 1166 buffer_init(&m); 1167 buffer_put_cstring(&m, command); 1168 1169 mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUDIT_COMMAND, &m); 1170 buffer_free(&m); 1171 } 1172 #endif /* SSH_AUDIT_EVENTS */ 1173 1174 #ifdef GSSAPI 1175 OM_uint32 1176 mm_ssh_gssapi_server_ctx(Gssctxt **ctx, gss_OID goid) 1177 { 1178 Buffer m; 1179 OM_uint32 major; 1180 1181 /* Client doesn't get to see the context */ 1182 *ctx = NULL; 1183 1184 buffer_init(&m); 1185 buffer_put_string(&m, goid->elements, goid->length); 1186 1187 mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_GSSSETUP, &m); 1188 mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_GSSSETUP, &m); 1189 1190 major = buffer_get_int(&m); 1191 1192 buffer_free(&m); 1193 return (major); 1194 } 1195 1196 OM_uint32 1197 mm_ssh_gssapi_accept_ctx(Gssctxt *ctx, gss_buffer_desc *in, 1198 gss_buffer_desc *out, OM_uint32 *flags) 1199 { 1200 Buffer m; 1201 OM_uint32 major; 1202 u_int len; 1203 1204 buffer_init(&m); 1205 buffer_put_string(&m, in->value, in->length); 1206 1207 mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_GSSSTEP, &m); 1208 mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_GSSSTEP, &m); 1209 1210 major = buffer_get_int(&m); 1211 out->value = buffer_get_string(&m, &len); 1212 out->length = len; 1213 if (flags) 1214 *flags = buffer_get_int(&m); 1215 1216 buffer_free(&m); 1217 1218 return (major); 1219 } 1220 1221 OM_uint32 1222 mm_ssh_gssapi_checkmic(Gssctxt *ctx, gss_buffer_t gssbuf, gss_buffer_t gssmic) 1223 { 1224 Buffer m; 1225 OM_uint32 major; 1226 1227 buffer_init(&m); 1228 buffer_put_string(&m, gssbuf->value, gssbuf->length); 1229 buffer_put_string(&m, gssmic->value, gssmic->length); 1230 1231 mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_GSSCHECKMIC, &m); 1232 mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_GSSCHECKMIC, 1233 &m); 1234 1235 major = buffer_get_int(&m); 1236 buffer_free(&m); 1237 return(major); 1238 } 1239 1240 int 1241 mm_ssh_gssapi_userok(char *user) 1242 { 1243 Buffer m; 1244 int authenticated = 0; 1245 1246 buffer_init(&m); 1247 1248 mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_GSSUSEROK, &m); 1249 mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_GSSUSEROK, 1250 &m); 1251 1252 authenticated = buffer_get_int(&m); 1253 1254 buffer_free(&m); 1255 debug3("%s: user %sauthenticated",__func__, authenticated ? "" : "not "); 1256 return (authenticated); 1257 } 1258 #endif /* GSSAPI */ 1259