diff options
Diffstat (limited to 'monitor.c')
| -rw-r--r-- | monitor.c | 45 |
1 files changed, 30 insertions, 15 deletions
diff --git a/monitor.c b/monitor.c index ac7dd309974c9..cb57bd066e65d 100644 --- a/monitor.c +++ b/monitor.c @@ -1,4 +1,4 @@ -/* $OpenBSD: monitor.c,v 1.157 2016/02/15 23:32:37 djm Exp $ */ +/* $OpenBSD: monitor.c,v 1.161 2016/07/22 03:39:13 djm Exp $ */ /* * Copyright 2002 Niels Provos <provos@citi.umich.edu> * Copyright 2002 Markus Friedl <markus@openbsd.org> @@ -34,6 +34,7 @@ #include <errno.h> #include <fcntl.h> +#include <limits.h> #ifdef HAVE_PATHS_H #include <paths.h> #endif @@ -74,6 +75,7 @@ #include "cipher.h" #include "kex.h" #include "dh.h" +#include "auth-pam.h" #ifdef TARGET_OS_MAC /* XXX Broken krb5 headers on Mac */ #undef TARGET_OS_MAC #include "zlib.h" @@ -688,7 +690,8 @@ mm_answer_sign(int sock, Buffer *m) u_char *p = NULL, *signature = NULL; char *alg = NULL; size_t datlen, siglen, alglen; - int r, keyid, is_proof = 0; + int r, is_proof = 0; + u_int keyid; const char proof_req[] = "hostkeys-prove-00@openssh.com"; debug3("%s", __func__); @@ -697,6 +700,8 @@ mm_answer_sign(int sock, Buffer *m) (r = sshbuf_get_string(m, &p, &datlen)) != 0 || (r = sshbuf_get_cstring(m, &alg, &alglen)) != 0) fatal("%s: buffer error: %s", __func__, ssh_err(r)); + if (keyid > INT_MAX) + fatal("%s: invalid key ID", __func__); /* * Supported KEX types use SHA1 (20 bytes), SHA256 (32 bytes), @@ -916,6 +921,9 @@ mm_answer_authpassword(int sock, Buffer *m) buffer_clear(m); buffer_put_int(m, authenticated); +#ifdef USE_PAM + buffer_put_int(m, sshpam_get_maxtries_reached()); +#endif debug3("%s: sending result %d", __func__, authenticated); mm_request_send(sock, MONITOR_ANS_AUTHPASSWORD, m); @@ -1115,6 +1123,7 @@ mm_answer_pam_query(int sock, Buffer *m) free(name); buffer_put_cstring(m, info); free(info); + buffer_put_int(m, sshpam_get_maxtries_reached()); buffer_put_int(m, num); for (i = 0; i < num; ++i) { buffer_put_cstring(m, prompts[i]); @@ -1249,6 +1258,10 @@ mm_answer_keyallowed(int sock, Buffer *m) break; } } + + debug3("%s: key %p is %s", + __func__, key, allowed ? "allowed" : "not allowed"); + if (key != NULL) key_free(key); @@ -1270,9 +1283,6 @@ mm_answer_keyallowed(int sock, Buffer *m) free(chost); } - debug3("%s: key %p is %s", - __func__, key, allowed ? "allowed" : "not allowed"); - buffer_clear(m); buffer_put_int(m, allowed); buffer_put_int(m, forced_command != NULL); @@ -1289,7 +1299,8 @@ static int monitor_valid_userblob(u_char *data, u_int datalen) { Buffer b; - char *p, *userstyle; + u_char *p; + char *userstyle, *cp; u_int len; int fail = 0; @@ -1314,26 +1325,26 @@ monitor_valid_userblob(u_char *data, u_int datalen) } if (buffer_get_char(&b) != SSH2_MSG_USERAUTH_REQUEST) fail++; - p = buffer_get_cstring(&b, NULL); + cp = buffer_get_cstring(&b, NULL); xasprintf(&userstyle, "%s%s%s", authctxt->user, authctxt->style ? ":" : "", authctxt->style ? authctxt->style : ""); - if (strcmp(userstyle, p) != 0) { - logit("wrong user name passed to monitor: expected %s != %.100s", - userstyle, p); + if (strcmp(userstyle, cp) != 0) { + logit("wrong user name passed to monitor: " + "expected %s != %.100s", userstyle, cp); fail++; } free(userstyle); - free(p); + free(cp); buffer_skip_string(&b); if (datafellows & SSH_BUG_PKAUTH) { if (!buffer_get_char(&b)) fail++; } else { - p = buffer_get_cstring(&b, NULL); - if (strcmp("publickey", p) != 0) + cp = buffer_get_cstring(&b, NULL); + if (strcmp("publickey", cp) != 0) fail++; - free(p); + free(cp); if (!buffer_get_char(&b)) fail++; buffer_skip_string(&b); @@ -1469,6 +1480,7 @@ mm_answer_keyverify(int sock, Buffer *m) static void mm_record_login(Session *s, struct passwd *pw) { + struct ssh *ssh = active_state; /* XXX */ socklen_t fromlen; struct sockaddr_storage from; @@ -1490,7 +1502,7 @@ mm_record_login(Session *s, struct passwd *pw) } /* Record that there was a login on that tty from the remote host. */ record_login(s->pid, s->tty, pw->pw_name, pw->pw_uid, - get_remote_name_or_ip(utmp_len, options.use_dns), + session_get_remote_name_or_ip(ssh, utmp_len, options.use_dns), (struct sockaddr *)&from, fromlen); } @@ -1854,6 +1866,9 @@ monitor_apply_keystate(struct monitor *pmonitor) #ifdef WITH_OPENSSL kex->kex[KEX_DH_GRP1_SHA1] = kexdh_server; kex->kex[KEX_DH_GRP14_SHA1] = kexdh_server; + kex->kex[KEX_DH_GRP14_SHA256] = kexdh_server; + kex->kex[KEX_DH_GRP16_SHA512] = kexdh_server; + kex->kex[KEX_DH_GRP18_SHA512] = kexdh_server; kex->kex[KEX_DH_GEX_SHA1] = kexgex_server; kex->kex[KEX_DH_GEX_SHA256] = kexgex_server; # ifdef OPENSSL_HAS_ECC |