summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authordjm@openbsd.org <djm@openbsd.org>2019-01-19 21:42:30 +0000
committerDamien Miller <djm@mindrot.org>2019-01-20 09:45:18 +1100
commit6350e0316981489d4205952d6904d6fedba5bfe0 (patch)
tree8d8d2211d84e43d795ddc6582c23d9c6466ed1d0
parenta5e2ad88acff2b7d131ee6d5dc5d339b0f8c6a6d (diff)
upstream: convert sshd.c to new packet API
with & ok markus@ OpenBSD-Commit-ID: ea569d3eaf9b5cf1bad52779fbfa5fa0b28af891
-rw-r--r--sshd.c69
1 files changed, 39 insertions, 30 deletions
diff --git a/sshd.c b/sshd.c
index c2cd5b06..9dbb09c6 100644
--- a/sshd.c
+++ b/sshd.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sshd.c,v 1.524 2019/01/19 21:38:24 djm Exp $ */
+/* $OpenBSD: sshd.c,v 1.525 2019/01/19 21:42:30 djm Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -123,7 +123,6 @@
#include "version.h"
#include "ssherr.h"
-#include "opacket.h" /* XXX */
extern struct ssh *active_state; /* XXX move decl to this file */
/* Re-exec fds */
@@ -244,7 +243,7 @@ struct passwd *privsep_pw = NULL;
/* Prototypes for various functions defined later in this file. */
void destroy_sensitive_data(void);
void demote_sensitive_data(void);
-static void do_ssh2_kex(void);
+static void do_ssh2_kex(struct ssh *);
/*
* Close all listening sockets
@@ -458,8 +457,9 @@ privsep_preauth_child(void)
}
static int
-privsep_preauth(Authctxt *authctxt)
+privsep_preauth(struct ssh *ssh)
{
+ Authctxt *authctxt = (Authctxt *)ssh->authctxt;
int status, r;
pid_t pid;
struct ssh_sandbox *box = NULL;
@@ -467,7 +467,7 @@ privsep_preauth(Authctxt *authctxt)
/* Set up unprivileged child process to deal with network data */
pmonitor = monitor_init();
/* Store a pointer to the kex for later rekeying */
- pmonitor->m_pkex = &active_state->kex;
+ pmonitor->m_pkex = &ssh->kex;
if (use_privsep == PRIVSEP_ON)
box = ssh_sandbox_init(pmonitor);
@@ -527,7 +527,7 @@ privsep_preauth(Authctxt *authctxt)
}
static void
-privsep_postauth(Authctxt *authctxt)
+privsep_postauth(struct ssh *ssh, Authctxt *authctxt)
{
#ifdef DISABLE_FD_PASSING
if (1) {
@@ -576,7 +576,7 @@ privsep_postauth(Authctxt *authctxt)
* Tell the packet layer that authentication was successful, since
* this information is not part of the key state.
*/
- packet_set_authenticated();
+ ssh_packet_set_authenticated(ssh);
}
static void
@@ -759,21 +759,29 @@ notify_hostkeys(struct ssh *ssh)
sshkey_ssh_name(key), fp);
free(fp);
if (nkeys == 0) {
- packet_start(SSH2_MSG_GLOBAL_REQUEST);
- packet_put_cstring("hostkeys-00@openssh.com");
- packet_put_char(0); /* want-reply */
+ /*
+ * Start building the request when we find the
+ * first usable key.
+ */
+ if ((r = sshpkt_start(ssh, SSH2_MSG_GLOBAL_REQUEST)) != 0 ||
+ (r = sshpkt_put_cstring(ssh, "hostkeys-00@openssh.com")) != 0 ||
+ (r = sshpkt_put_u8(ssh, 0)) != 0) /* want reply */
+ sshpkt_fatal(ssh, r, "%s: start request", __func__);
}
+ /* Append the key to the request */
sshbuf_reset(buf);
if ((r = sshkey_putb(key, buf)) != 0)
fatal("%s: couldn't put hostkey %d: %s",
__func__, i, ssh_err(r));
- packet_put_string(sshbuf_ptr(buf), sshbuf_len(buf));
+ if ((r = sshpkt_put_stringb(ssh, buf)) != 0)
+ sshpkt_fatal(ssh, r, "%s: append key", __func__);
nkeys++;
}
debug3("%s: sent %u hostkeys", __func__, nkeys);
if (nkeys == 0)
fatal("%s: no hostkeys", __func__);
- packet_send();
+ if ((r = sshpkt_send(ssh)) != 0)
+ sshpkt_fatal(ssh, r, "%s: send", __func__);
sshbuf_free(buf);
}
@@ -1951,9 +1959,10 @@ main(int ac, char **av)
* Register our connection. This turns encryption off because we do
* not have a key.
*/
- packet_set_connection(sock_in, sock_out);
- packet_set_server();
- ssh = active_state; /* XXX */
+ if ((ssh = ssh_packet_set_connection(NULL, sock_in, sock_out)) == NULL)
+ fatal("Unable to create connection");
+ ssh_packet_set_server(ssh);
+ active_state = ssh; /* XXX needed elsewhere */
check_ip_options(ssh);
@@ -1963,7 +1972,7 @@ main(int ac, char **av)
process_permitopen(ssh, &options);
/* Set SO_KEEPALIVE if requested. */
- if (options.tcp_keep_alive && packet_connection_is_on_socket() &&
+ if (options.tcp_keep_alive && ssh_packet_connection_is_on_socket(ssh) &&
setsockopt(sock_in, SOL_SOCKET, SO_KEEPALIVE, &on, sizeof(on)) < 0)
error("setsockopt SO_KEEPALIVE: %.100s", strerror(errno));
@@ -2012,10 +2021,11 @@ main(int ac, char **av)
if (kex_exchange_identification(ssh, -1, options.version_addendum) != 0)
cleanup_exit(255); /* error already logged */
- packet_set_nonblocking();
+ ssh_packet_set_nonblocking(ssh);
/* allocate authentication context */
authctxt = xcalloc(1, sizeof(*authctxt));
+ ssh->authctxt = authctxt;
authctxt->loginmsg = loginmsg;
@@ -2032,7 +2042,7 @@ main(int ac, char **av)
auth_debug_reset();
if (use_privsep) {
- if (privsep_preauth(authctxt) == 1)
+ if (privsep_preauth(ssh) == 1)
goto authenticated;
} else if (have_agent) {
if ((r = ssh_get_authentication_socket(&auth_sock)) != 0) {
@@ -2043,8 +2053,7 @@ main(int ac, char **av)
/* perform the key exchange */
/* authenticate user and start session */
- do_ssh2_kex();
- ssh->authctxt = authctxt;
+ do_ssh2_kex(ssh);
do_authentication2(ssh);
/*
@@ -2053,7 +2062,7 @@ main(int ac, char **av)
*/
if (use_privsep) {
mm_send_keystate(pmonitor);
- packet_clear_keys();
+ ssh_packet_clear_keys(ssh);
exit(0);
}
@@ -2093,11 +2102,11 @@ main(int ac, char **av)
* file descriptor passing.
*/
if (use_privsep) {
- privsep_postauth(authctxt);
+ privsep_postauth(ssh, authctxt);
/* the monitor process [priv] will not return */
}
- packet_set_timeout(options.client_alive_interval,
+ ssh_packet_set_timeout(ssh, options.client_alive_interval,
options.client_alive_count_max);
/* Try to send all our hostkeys to the client */
@@ -2107,7 +2116,7 @@ main(int ac, char **av)
do_authenticated(ssh, authctxt);
/* The connection has been terminated. */
- packet_get_bytes(&ibytes, &obytes);
+ ssh_packet_get_bytes(ssh, &ibytes, &obytes);
verbose("Transferred: sent %llu, received %llu bytes",
(unsigned long long)obytes, (unsigned long long)ibytes);
@@ -2122,7 +2131,7 @@ main(int ac, char **av)
PRIVSEP(audit_event(SSH_CONNECTION_CLOSE));
#endif
- packet_close();
+ ssh_packet_close(ssh);
if (use_privsep)
mm_terminate();
@@ -2156,7 +2165,7 @@ sshd_hostkey_sign(struct sshkey *privkey, struct sshkey *pubkey,
/* SSH2 key exchange */
static void
-do_ssh2_kex(void)
+do_ssh2_kex(struct ssh *ssh)
{
char *myproposal[PROPOSAL_MAX] = { KEX_SERVER };
struct kex *kex;
@@ -2177,16 +2186,16 @@ do_ssh2_kex(void)
}
if (options.rekey_limit || options.rekey_interval)
- packet_set_rekey_limits(options.rekey_limit,
+ ssh_packet_set_rekey_limits(ssh, options.rekey_limit,
options.rekey_interval);
myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = compat_pkalg_proposal(
list_hostkey_types());
/* start key exchange */
- if ((r = kex_setup(active_state, myproposal)) != 0)
+ if ((r = kex_setup(ssh, myproposal)) != 0)
fatal("kex_setup: %s", ssh_err(r));
- kex = active_state->kex;
+ kex = ssh->kex;
#ifdef WITH_OPENSSL
kex->kex[KEX_DH_GRP1_SHA1] = kexdh_server;
kex->kex[KEX_DH_GRP14_SHA1] = kexdh_server;
@@ -2205,7 +2214,7 @@ do_ssh2_kex(void)
kex->host_key_index=&get_hostkey_index;
kex->sign = sshd_hostkey_sign;
- ssh_dispatch_run_fatal(active_state, DISPATCH_BLOCK, &kex->done);
+ ssh_dispatch_run_fatal(ssh, DISPATCH_BLOCK, &kex->done);
session_id2 = kex->session_id;
session_id2_len = kex->session_id_len;