diff --git a/sshd.c b/sshd.c index c2cd5b068..9dbb09c6d 100644 --- a/sshd.c +++ b/sshd.c @@ -1,4 +1,4 @@ -/* $OpenBSD: sshd.c,v 1.524 2019/01/19 21:38:24 djm Exp $ */ +/* $OpenBSD: sshd.c,v 1.525 2019/01/19 21:42:30 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -123,7 +123,6 @@ #include "version.h" #include "ssherr.h" -#include "opacket.h" /* XXX */ extern struct ssh *active_state; /* XXX move decl to this file */ /* Re-exec fds */ @@ -244,7 +243,7 @@ struct passwd *privsep_pw = NULL; /* Prototypes for various functions defined later in this file. */ void destroy_sensitive_data(void); void demote_sensitive_data(void); -static void do_ssh2_kex(void); +static void do_ssh2_kex(struct ssh *); /* * Close all listening sockets @@ -458,8 +457,9 @@ privsep_preauth_child(void) } static int -privsep_preauth(Authctxt *authctxt) +privsep_preauth(struct ssh *ssh) { + Authctxt *authctxt = (Authctxt *)ssh->authctxt; int status, r; pid_t pid; struct ssh_sandbox *box = NULL; @@ -467,7 +467,7 @@ privsep_preauth(Authctxt *authctxt) /* Set up unprivileged child process to deal with network data */ pmonitor = monitor_init(); /* Store a pointer to the kex for later rekeying */ - pmonitor->m_pkex = &active_state->kex; + pmonitor->m_pkex = &ssh->kex; if (use_privsep == PRIVSEP_ON) box = ssh_sandbox_init(pmonitor); @@ -527,7 +527,7 @@ privsep_preauth(Authctxt *authctxt) } static void -privsep_postauth(Authctxt *authctxt) +privsep_postauth(struct ssh *ssh, Authctxt *authctxt) { #ifdef DISABLE_FD_PASSING if (1) { @@ -576,7 +576,7 @@ privsep_postauth(Authctxt *authctxt) * Tell the packet layer that authentication was successful, since * this information is not part of the key state. */ - packet_set_authenticated(); + ssh_packet_set_authenticated(ssh); } static void @@ -759,21 +759,29 @@ notify_hostkeys(struct ssh *ssh) sshkey_ssh_name(key), fp); free(fp); if (nkeys == 0) { - packet_start(SSH2_MSG_GLOBAL_REQUEST); - packet_put_cstring("hostkeys-00@openssh.com"); - packet_put_char(0); /* want-reply */ + /* + * Start building the request when we find the + * first usable key. + */ + if ((r = sshpkt_start(ssh, SSH2_MSG_GLOBAL_REQUEST)) != 0 || + (r = sshpkt_put_cstring(ssh, "hostkeys-00@openssh.com")) != 0 || + (r = sshpkt_put_u8(ssh, 0)) != 0) /* want reply */ + sshpkt_fatal(ssh, r, "%s: start request", __func__); } + /* Append the key to the request */ sshbuf_reset(buf); if ((r = sshkey_putb(key, buf)) != 0) fatal("%s: couldn't put hostkey %d: %s", __func__, i, ssh_err(r)); - packet_put_string(sshbuf_ptr(buf), sshbuf_len(buf)); + if ((r = sshpkt_put_stringb(ssh, buf)) != 0) + sshpkt_fatal(ssh, r, "%s: append key", __func__); nkeys++; } debug3("%s: sent %u hostkeys", __func__, nkeys); if (nkeys == 0) fatal("%s: no hostkeys", __func__); - packet_send(); + if ((r = sshpkt_send(ssh)) != 0) + sshpkt_fatal(ssh, r, "%s: send", __func__); sshbuf_free(buf); } @@ -1951,9 +1959,10 @@ main(int ac, char **av) * Register our connection. This turns encryption off because we do * not have a key. */ - packet_set_connection(sock_in, sock_out); - packet_set_server(); - ssh = active_state; /* XXX */ + if ((ssh = ssh_packet_set_connection(NULL, sock_in, sock_out)) == NULL) + fatal("Unable to create connection"); + ssh_packet_set_server(ssh); + active_state = ssh; /* XXX needed elsewhere */ check_ip_options(ssh); @@ -1963,7 +1972,7 @@ main(int ac, char **av) process_permitopen(ssh, &options); /* Set SO_KEEPALIVE if requested. */ - if (options.tcp_keep_alive && packet_connection_is_on_socket() && + if (options.tcp_keep_alive && ssh_packet_connection_is_on_socket(ssh) && setsockopt(sock_in, SOL_SOCKET, SO_KEEPALIVE, &on, sizeof(on)) < 0) error("setsockopt SO_KEEPALIVE: %.100s", strerror(errno)); @@ -2012,10 +2021,11 @@ main(int ac, char **av) if (kex_exchange_identification(ssh, -1, options.version_addendum) != 0) cleanup_exit(255); /* error already logged */ - packet_set_nonblocking(); + ssh_packet_set_nonblocking(ssh); /* allocate authentication context */ authctxt = xcalloc(1, sizeof(*authctxt)); + ssh->authctxt = authctxt; authctxt->loginmsg = loginmsg; @@ -2032,7 +2042,7 @@ main(int ac, char **av) auth_debug_reset(); if (use_privsep) { - if (privsep_preauth(authctxt) == 1) + if (privsep_preauth(ssh) == 1) goto authenticated; } else if (have_agent) { if ((r = ssh_get_authentication_socket(&auth_sock)) != 0) { @@ -2043,8 +2053,7 @@ main(int ac, char **av) /* perform the key exchange */ /* authenticate user and start session */ - do_ssh2_kex(); - ssh->authctxt = authctxt; + do_ssh2_kex(ssh); do_authentication2(ssh); /* @@ -2053,7 +2062,7 @@ main(int ac, char **av) */ if (use_privsep) { mm_send_keystate(pmonitor); - packet_clear_keys(); + ssh_packet_clear_keys(ssh); exit(0); } @@ -2093,11 +2102,11 @@ main(int ac, char **av) * file descriptor passing. */ if (use_privsep) { - privsep_postauth(authctxt); + privsep_postauth(ssh, authctxt); /* the monitor process [priv] will not return */ } - packet_set_timeout(options.client_alive_interval, + ssh_packet_set_timeout(ssh, options.client_alive_interval, options.client_alive_count_max); /* Try to send all our hostkeys to the client */ @@ -2107,7 +2116,7 @@ main(int ac, char **av) do_authenticated(ssh, authctxt); /* The connection has been terminated. */ - packet_get_bytes(&ibytes, &obytes); + ssh_packet_get_bytes(ssh, &ibytes, &obytes); verbose("Transferred: sent %llu, received %llu bytes", (unsigned long long)obytes, (unsigned long long)ibytes); @@ -2122,7 +2131,7 @@ main(int ac, char **av) PRIVSEP(audit_event(SSH_CONNECTION_CLOSE)); #endif - packet_close(); + ssh_packet_close(ssh); if (use_privsep) mm_terminate(); @@ -2156,7 +2165,7 @@ sshd_hostkey_sign(struct sshkey *privkey, struct sshkey *pubkey, /* SSH2 key exchange */ static void -do_ssh2_kex(void) +do_ssh2_kex(struct ssh *ssh) { char *myproposal[PROPOSAL_MAX] = { KEX_SERVER }; struct kex *kex; @@ -2177,16 +2186,16 @@ do_ssh2_kex(void) } if (options.rekey_limit || options.rekey_interval) - packet_set_rekey_limits(options.rekey_limit, + ssh_packet_set_rekey_limits(ssh, options.rekey_limit, options.rekey_interval); myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = compat_pkalg_proposal( list_hostkey_types()); /* start key exchange */ - if ((r = kex_setup(active_state, myproposal)) != 0) + if ((r = kex_setup(ssh, myproposal)) != 0) fatal("kex_setup: %s", ssh_err(r)); - kex = active_state->kex; + kex = ssh->kex; #ifdef WITH_OPENSSL kex->kex[KEX_DH_GRP1_SHA1] = kexdh_server; kex->kex[KEX_DH_GRP14_SHA1] = kexdh_server; @@ -2205,7 +2214,7 @@ do_ssh2_kex(void) kex->host_key_index=&get_hostkey_index; kex->sign = sshd_hostkey_sign; - ssh_dispatch_run_fatal(active_state, DISPATCH_BLOCK, &kex->done); + ssh_dispatch_run_fatal(ssh, DISPATCH_BLOCK, &kex->done); session_id2 = kex->session_id; session_id2_len = kex->session_id_len;