diff options
Diffstat (limited to 'crypto/openssh/auth2-hostbased.c')
-rw-r--r-- | crypto/openssh/auth2-hostbased.c | 71 |
1 files changed, 35 insertions, 36 deletions
diff --git a/crypto/openssh/auth2-hostbased.c b/crypto/openssh/auth2-hostbased.c index 764ceff74ee6..3a29126c37a6 100644 --- a/crypto/openssh/auth2-hostbased.c +++ b/crypto/openssh/auth2-hostbased.c @@ -1,4 +1,4 @@ -/* $OpenBSD: auth2-hostbased.c,v 1.38 2018/09/20 03:28:06 djm Exp $ */ +/* $OpenBSD: auth2-hostbased.c,v 1.47 2021/07/23 03:37:52 djm Exp $ */ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. * @@ -27,6 +27,7 @@ #include <sys/types.h> +#include <stdlib.h> #include <pwd.h> #include <string.h> #include <stdarg.h> @@ -34,6 +35,7 @@ #include "xmalloc.h" #include "ssh2.h" #include "packet.h" +#include "kex.h" #include "sshbuf.h" #include "log.h" #include "misc.h" @@ -53,8 +55,6 @@ /* import */ extern ServerOptions options; -extern u_char *session_id2; -extern u_int session_id2_len; static int userauth_hostbased(struct ssh *ssh) @@ -73,9 +73,9 @@ userauth_hostbased(struct ssh *ssh) (r = sshpkt_get_cstring(ssh, &chost, NULL)) != 0 || (r = sshpkt_get_cstring(ssh, &cuser, NULL)) != 0 || (r = sshpkt_get_string(ssh, &sig, &slen)) != 0) - fatal("%s: packet parsing: %s", __func__, ssh_err(r)); + fatal_fr(r, "parse packet"); - debug("%s: cuser %s chost %s pkalg %s slen %zu", __func__, + debug_f("cuser %s chost %s pkalg %s slen %zu", cuser, chost, pkalg, slen); #ifdef DEBUG_PK debug("signature:"); @@ -84,21 +84,21 @@ userauth_hostbased(struct ssh *ssh) pktype = sshkey_type_from_name(pkalg); if (pktype == KEY_UNSPEC) { /* this is perfectly legal */ - logit("%s: unsupported public key algorithm: %s", - __func__, pkalg); + logit_f("unsupported public key algorithm: %s", + pkalg); goto done; } if ((r = sshkey_from_blob(pkblob, blen, &key)) != 0) { - error("%s: key_from_blob: %s", __func__, ssh_err(r)); + error_fr(r, "key_from_blob"); goto done; } if (key == NULL) { - error("%s: cannot decode key: %s", __func__, pkalg); + error_f("cannot decode key: %s", pkalg); goto done; } if (key->type != pktype) { - error("%s: type mismatch for decoded key " - "(received %d, expected %d)", __func__, key->type, pktype); + error_f("type mismatch for decoded key " + "(received %d, expected %d)", key->type, pktype); goto done; } if (sshkey_type_plain(key->type) == KEY_RSA && @@ -107,28 +107,28 @@ userauth_hostbased(struct ssh *ssh) "signature format"); goto done; } - if (match_pattern_list(pkalg, options.hostbased_key_types, 0) != 1) { - logit("%s: key type %s not in HostbasedAcceptedKeyTypes", - __func__, sshkey_type(key)); + if (match_pattern_list(pkalg, options.hostbased_accepted_algos, 0) != 1) { + logit_f("key type %s not in HostbasedAcceptedAlgorithms", + sshkey_type(key)); goto done; } if ((r = sshkey_check_cert_sigtype(key, options.ca_sign_algorithms)) != 0) { - logit("%s: certificate signature algorithm %s: %s", __func__, + logit_fr(r, "certificate signature algorithm %s", (key->cert == NULL || key->cert->signature_type == NULL) ? - "(null)" : key->cert->signature_type, ssh_err(r)); + "(null)" : key->cert->signature_type); goto done; } if (!authctxt->valid || authctxt->user == NULL) { - debug2("%s: disabled because of invalid user", __func__); + debug2_f("disabled because of invalid user"); goto done; } if ((b = sshbuf_new()) == NULL) - fatal("%s: sshbuf_new failed", __func__); + fatal_f("sshbuf_new failed"); /* reconstruct packet */ - if ((r = sshbuf_put_string(b, session_id2, session_id2_len)) != 0 || + if ((r = sshbuf_put_stringb(b, ssh->kex->session_id)) != 0 || (r = sshbuf_put_u8(b, SSH2_MSG_USERAUTH_REQUEST)) != 0 || (r = sshbuf_put_cstring(b, authctxt->user)) != 0 || (r = sshbuf_put_cstring(b, authctxt->service)) != 0 || @@ -137,7 +137,7 @@ userauth_hostbased(struct ssh *ssh) (r = sshbuf_put_string(b, pkblob, blen)) != 0 || (r = sshbuf_put_cstring(b, chost)) != 0 || (r = sshbuf_put_cstring(b, cuser)) != 0) - fatal("%s: buffer error: %s", __func__, ssh_err(r)); + fatal_fr(r, "reconstruct packet"); #ifdef DEBUG_PK sshbuf_dump(b, stderr); #endif @@ -147,15 +147,16 @@ userauth_hostbased(struct ssh *ssh) /* test for allowed key and correct signature */ authenticated = 0; - if (PRIVSEP(hostbased_key_allowed(authctxt->pw, cuser, chost, key)) && + if (PRIVSEP(hostbased_key_allowed(ssh, authctxt->pw, cuser, + chost, key)) && PRIVSEP(sshkey_verify(key, sig, slen, - sshbuf_ptr(b), sshbuf_len(b), pkalg, ssh->compat)) == 0) + sshbuf_ptr(b), sshbuf_len(b), pkalg, ssh->compat, NULL)) == 0) authenticated = 1; auth2_record_key(authctxt, authenticated, key); sshbuf_free(b); done: - debug2("%s: authenticated %d", __func__, authenticated); + debug2_f("authenticated %d", authenticated); sshkey_free(key); free(pkalg); free(pkblob); @@ -167,10 +168,9 @@ done: /* return 1 if given hostkey is allowed */ int -hostbased_key_allowed(struct passwd *pw, const char *cuser, char *chost, - struct sshkey *key) +hostbased_key_allowed(struct ssh *ssh, struct passwd *pw, + const char *cuser, char *chost, struct sshkey *key) { - struct ssh *ssh = active_state; /* XXX */ const char *resolvedname, *ipaddr, *lookup, *reason; HostStatus host_status; int len; @@ -182,7 +182,7 @@ hostbased_key_allowed(struct passwd *pw, const char *cuser, char *chost, resolvedname = auth_get_canonical_hostname(ssh, options.use_dns); ipaddr = ssh_remote_ipaddr(ssh); - debug2("%s: chost %s resolvedname %s ipaddr %s", __func__, + debug2_f("chost %s resolvedname %s ipaddr %s", chost, resolvedname, ipaddr); if (((len = strlen(chost)) > 0) && chost[len - 1] == '.') { @@ -192,9 +192,8 @@ hostbased_key_allowed(struct passwd *pw, const char *cuser, char *chost, if (options.hostbased_uses_name_from_packet_only) { if (auth_rhosts2(pw, cuser, chost, chost) == 0) { - debug2("%s: auth_rhosts2 refused " - "user \"%.100s\" host \"%.100s\" (from packet)", - __func__, cuser, chost); + debug2_f("auth_rhosts2 refused user \"%.100s\" " + "host \"%.100s\" (from packet)", cuser, chost); return 0; } lookup = chost; @@ -204,17 +203,17 @@ hostbased_key_allowed(struct passwd *pw, const char *cuser, char *chost, "client sends %s, but we resolve %s to %s", chost, ipaddr, resolvedname); if (auth_rhosts2(pw, cuser, resolvedname, ipaddr) == 0) { - debug2("%s: auth_rhosts2 refused " + debug2_f("auth_rhosts2 refused " "user \"%.100s\" host \"%.100s\" addr \"%.100s\"", - __func__, cuser, resolvedname, ipaddr); + cuser, resolvedname, ipaddr); return 0; } lookup = resolvedname; } - debug2("%s: access allowed by auth_rhosts2", __func__); + debug2_f("access allowed by auth_rhosts2"); if (sshkey_is_cert(key) && - sshkey_cert_check_authority(key, 1, 0, lookup, &reason)) { + sshkey_cert_check_authority_now(key, 1, 0, 0, lookup, &reason)) { error("%s", reason); auth_debug_add("%s", reason); return 0; @@ -236,7 +235,7 @@ hostbased_key_allowed(struct passwd *pw, const char *cuser, char *chost, if (sshkey_is_cert(key)) { if ((fp = sshkey_fingerprint(key->cert->signature_key, options.fingerprint_hash, SSH_FP_DEFAULT)) == NULL) - fatal("%s: sshkey_fingerprint fail", __func__); + fatal_f("sshkey_fingerprint fail"); verbose("Accepted certificate ID \"%s\" signed by " "%s CA %s from %s@%s", key->cert->key_id, sshkey_type(key->cert->signature_key), fp, @@ -244,7 +243,7 @@ hostbased_key_allowed(struct passwd *pw, const char *cuser, char *chost, } else { if ((fp = sshkey_fingerprint(key, options.fingerprint_hash, SSH_FP_DEFAULT)) == NULL) - fatal("%s: sshkey_fingerprint fail", __func__); + fatal_f("sshkey_fingerprint fail"); verbose("Accepted %s public key %s from %s@%s", sshkey_type(key), fp, cuser, lookup); } |