upstream: convert monitor.c to new packet API

with & ok markus@ OpenBSD-Commit-ID: 61ecd154bd9804461a0cf5f495a29d919e0014d5
2025-07-31 01:35:11 +02:00 · 2019-01-19 21:43:07 +00:00 · 2019-01-19 21:43:07 +00:00 · ec00f918b8
commit ec00f918b8
parent 6350e03169
5 changed files with 94 additions and 105 deletions
--- a/monitor.c
+++ b/monitor.c
@ -1,4 +1,4 @@
-/* $OpenBSD: monitor.c,v 1.190 2019/01/19 21:41:18 djm Exp $ */
+/* $OpenBSD: monitor.c,v 1.191 2019/01/19 21:43:07 djm Exp $ */
 /*
 * Copyright 2002 Niels Provos <provos@citi.umich.edu>
 * Copyright 2002 Markus Friedl <markus@openbsd.org>
@ -96,9 +96,6 @@
 #include "match.h"
 #include "ssherr.h"
 #include "opacket.h" /* XXX */
 extern struct ssh *active_state; /* XXX */
 #ifdef GSSAPI
 static Gssctxt *gsscontext = NULL;
 #endif
@ -115,48 +112,48 @@ static struct sshbuf *child_state;
 /* Functions on the monitor that answer unprivileged requests */
-int mm_answer_moduli(int, struct sshbuf *);
+int mm_answer_moduli(struct ssh *, int, struct sshbuf *);
-int mm_answer_sign(int, struct sshbuf *);
+int mm_answer_sign(struct ssh *, int, struct sshbuf *);
-int mm_answer_pwnamallow(int, struct sshbuf *);
+int mm_answer_pwnamallow(struct ssh *, int, struct sshbuf *);
-int mm_answer_auth2_read_banner(int, struct sshbuf *);
+int mm_answer_auth2_read_banner(struct ssh *, int, struct sshbuf *);
-int mm_answer_authserv(int, struct sshbuf *);
+int mm_answer_authserv(struct ssh *, int, struct sshbuf *);
-int mm_answer_authpassword(int, struct sshbuf *);
+int mm_answer_authpassword(struct ssh *, int, struct sshbuf *);
-int mm_answer_bsdauthquery(int, struct sshbuf *);
+int mm_answer_bsdauthquery(struct ssh *, int, struct sshbuf *);
-int mm_answer_bsdauthrespond(int, struct sshbuf *);
+int mm_answer_bsdauthrespond(struct ssh *, int, struct sshbuf *);
-int mm_answer_keyallowed(int, struct sshbuf *);
+int mm_answer_skeyquery(struct ssh *, int, struct sshbuf *);
-int mm_answer_keyverify(int, struct sshbuf *);
+int mm_answer_skeyrespond(struct ssh *, int, struct sshbuf *);
-int mm_answer_pty(int, struct sshbuf *);
+int mm_answer_keyallowed(struct ssh *, int, struct sshbuf *);
-int mm_answer_pty_cleanup(int, struct sshbuf *);
+int mm_answer_keyverify(struct ssh *, int, struct sshbuf *);
-int mm_answer_term(int, struct sshbuf *);
+int mm_answer_pty(struct ssh *, int, struct sshbuf *);
-int mm_answer_rsa_keyallowed(int, struct sshbuf *);
+int mm_answer_pty_cleanup(struct ssh *, int, struct sshbuf *);
-int mm_answer_rsa_challenge(int, struct sshbuf *);
+int mm_answer_term(struct ssh *, int, struct sshbuf *);
-int mm_answer_rsa_response(int, struct sshbuf *);
+int mm_answer_rsa_keyallowed(struct ssh *, int, struct sshbuf *);
-int mm_answer_sesskey(int, struct sshbuf *);
+int mm_answer_rsa_challenge(struct ssh *, int, struct sshbuf *);
-int mm_answer_sessid(int, struct sshbuf *);
+int mm_answer_rsa_response(struct ssh *, int, struct sshbuf *);
 int mm_answer_sesskey(struct ssh *, int, struct sshbuf *);
 int mm_answer_sessid(struct ssh *, int, struct sshbuf *);
 #ifdef USE_PAM
-int mm_answer_pam_start(int, struct sshbuf *);
+int mm_answer_pam_start(struct ssh *, int, struct sshbuf *);
-int mm_answer_pam_account(int, struct sshbuf *);
+int mm_answer_pam_account(struct ssh *, int, struct sshbuf *);
-int mm_answer_pam_init_ctx(int, struct sshbuf *);
+int mm_answer_pam_init_ctx(struct ssh *, int, struct sshbuf *);
-int mm_answer_pam_query(int, struct sshbuf *);
+int mm_answer_pam_query(struct ssh *, int, struct sshbuf *);
-int mm_answer_pam_respond(int, struct sshbuf *);
+int mm_answer_pam_respond(struct ssh *, int, struct sshbuf *);
-int mm_answer_pam_free_ctx(int, struct sshbuf *);
+int mm_answer_pam_free_ctx(struct ssh *, int, struct sshbuf *);
 #endif
 #ifdef GSSAPI
-int mm_answer_gss_setup_ctx(int, struct sshbuf *);
+int mm_answer_gss_setup_ctx(struct ssh *, int, struct sshbuf *);
-int mm_answer_gss_accept_ctx(int, struct sshbuf *);
+int mm_answer_gss_accept_ctx(struct ssh *, int, struct sshbuf *);
-int mm_answer_gss_userok(int, struct sshbuf *);
+int mm_answer_gss_userok(struct ssh *, int, struct sshbuf *);
-int mm_answer_gss_checkmic(int, struct sshbuf *);
+int mm_answer_gss_checkmic(struct ssh *, int, struct sshbuf *);
 #endif
 #ifdef SSH_AUDIT_EVENTS
-int mm_answer_audit_event(int, struct sshbuf *);
+int mm_answer_audit_event(struct ssh *, int, struct sshbuf *);
-int mm_answer_audit_command(int, struct sshbuf *);
+int mm_answer_audit_command(struct ssh *, int, struct sshbuf *);
 #endif
 static int monitor_read_log(struct monitor *);
 static Authctxt *authctxt;
 /* local state for key verify */
@ -175,7 +172,7 @@ static pid_t monitor_child_pid;
 struct mon_table {
 	enum monitor_reqtype type;
 	int flags;
-	int (*f)(int, struct sshbuf *);
+	int (*f)(struct ssh *, int, struct sshbuf *);
 };
 #define MON_ISAUTH	0x0004	/* Required for Authentication */
@ -187,6 +184,10 @@ struct mon_table {
 #define MON_PERMIT	0x1000	/* Request is permitted */
 static int monitor_read(struct ssh *, struct monitor *, struct mon_table *,
    struct mon_table **);
 static int monitor_read_log(struct monitor *);
 struct mon_table mon_dispatch_proto20[] = {
 #ifdef WITH_OPENSSL
    {MONITOR_REQ_MODULI, MON_ONCE, mm_answer_moduli},
@ -268,9 +269,8 @@ monitor_permit_authentications(int permit)
 }
 void
-monitor_child_preauth(Authctxt *_authctxt, struct monitor *pmonitor)
+monitor_child_preauth(struct ssh *ssh, struct monitor *pmonitor)
 {
 	struct ssh *ssh = active_state;	/* XXX */
 	struct mon_table *ent;
 	int authenticated = 0, partial = 0;
@ -282,7 +282,7 @@ monitor_child_preauth(Authctxt *_authctxt, struct monitor *pmonitor)
 		close(pmonitor->m_log_sendfd);
 	pmonitor->m_log_sendfd = pmonitor->m_recvfd = -1;
-	authctxt = _authctxt;
+	authctxt = (Authctxt *)ssh->authctxt;
 	memset(authctxt, 0, sizeof(*authctxt));
 	ssh->authctxt = authctxt;
@ -300,7 +300,8 @@ monitor_child_preauth(Authctxt *_authctxt, struct monitor *pmonitor)
 		auth_submethod = NULL;
 		auth2_authctxt_reset_info(authctxt);
-		authenticated = (monitor_read(pmonitor, mon_dispatch, &ent) == 1);
+		authenticated = (monitor_read(ssh, pmonitor,
 		    mon_dispatch, &ent) == 1);
 		/* Special handling for multiple required authentications */
 		if (options.num_auth_methods != 0) {
@ -332,7 +333,7 @@ monitor_child_preauth(Authctxt *_authctxt, struct monitor *pmonitor)
 				mm_request_receive_expect(pmonitor->m_sendfd,
 				    MONITOR_REQ_PAM_ACCOUNT, m);
 				authenticated = mm_answer_pam_account(
-				    pmonitor->m_sendfd, m);
+				    ssh, pmonitor->m_sendfd, m);
 				sshbuf_free(m);
 			}
 #endif
@ -385,7 +386,7 @@ monitor_child_handler(int sig)
 }
 void
-monitor_child_postauth(struct monitor *pmonitor)
+monitor_child_postauth(struct ssh *ssh, struct monitor *pmonitor)
 {
 	close(pmonitor->m_recvfd);
 	pmonitor->m_recvfd = -1;
@ -411,7 +412,7 @@ monitor_child_postauth(struct monitor *pmonitor)
 	}
 	for (;;)
-		monitor_read(pmonitor, mon_dispatch, NULL);
+		monitor_read(ssh, pmonitor, mon_dispatch, NULL);
 }
 static int
@ -466,8 +467,8 @@ monitor_read_log(struct monitor *pmonitor)
 	return 0;
 }
-int
+static int
-monitor_read(struct monitor *pmonitor, struct mon_table *ent,
+monitor_read(struct ssh *ssh, struct monitor *pmonitor, struct mon_table *ent,
    struct mon_table **pent)
 {
 	struct sshbuf *m;
@ -517,7 +518,7 @@ monitor_read(struct monitor *pmonitor, struct mon_table *ent,
 		if (!(ent->flags & MON_PERMIT))
 			fatal("%s: unpermitted request %d", __func__,
 			    type);
-		ret = (*ent->f)(pmonitor->m_sendfd, m);
+		ret = (*ent->f)(ssh, pmonitor->m_sendfd, m);
 		sshbuf_free(m);
 		/* The child may use this request only once, disable it */
@ -568,7 +569,7 @@ monitor_reset_key_state(void)
 #ifdef WITH_OPENSSL
 int
-mm_answer_moduli(int sock, struct sshbuf *m)
+mm_answer_moduli(struct ssh *ssh, int sock, struct sshbuf *m)
 {
 	DH *dh;
 	const BIGNUM *dh_p, *dh_g;
@ -610,9 +611,8 @@ mm_answer_moduli(int sock, struct sshbuf *m)
 #endif
 int
-mm_answer_sign(int sock, struct sshbuf *m)
+mm_answer_sign(struct ssh *ssh, int sock, struct sshbuf *m)
 {
 	struct ssh *ssh = active_state; 	/* XXX */
 	extern int auth_sock;			/* XXX move to state struct? */
 	struct sshkey *key;
 	struct sshbuf *sigbuf = NULL;
@ -713,9 +713,8 @@ mm_answer_sign(int sock, struct sshbuf *m)
 /* Retrieves the password entry and also checks if the user is permitted */
 int
-mm_answer_pwnamallow(int sock, struct sshbuf *m)
+mm_answer_pwnamallow(struct ssh *ssh, int sock, struct sshbuf *m)
 {
 	struct ssh *ssh = active_state;	/* XXX */
 	char *username;
 	struct passwd *pwent;
 	int r, allowed = 0;
@ -813,7 +812,7 @@ mm_answer_pwnamallow(int sock, struct sshbuf *m)
 	return (0);
 }
-int mm_answer_auth2_read_banner(int sock, struct sshbuf *m)
+int mm_answer_auth2_read_banner(struct ssh *ssh, int sock, struct sshbuf *m)
 {
 	char *banner;
 	int r;
@ -829,7 +828,7 @@ int mm_answer_auth2_read_banner(int sock, struct sshbuf *m)
 }
 int
-mm_answer_authserv(int sock, struct sshbuf *m)
+mm_answer_authserv(struct ssh *ssh, int sock, struct sshbuf *m)
 {
 	int r;
@ -879,9 +878,8 @@ key_base_type_match(const char *method, const struct sshkey *key,
 }
 int
-mm_answer_authpassword(int sock, struct sshbuf *m)
+mm_answer_authpassword(struct ssh *ssh, int sock, struct sshbuf *m)
 {
 	struct ssh *ssh = active_state;	/* XXX */
 	static int call_count;
 	char *passwd;
 	int r, authenticated;
@ -920,7 +918,7 @@ mm_answer_authpassword(int sock, struct sshbuf *m)
 #ifdef BSD_AUTH
 int
-mm_answer_bsdauthquery(int sock, struct sshbuf *m)
+mm_answer_bsdauthquery(struct ssh *ssh, int sock, struct sshbuf *m)
 {
 	char *name, *infotxt;
 	u_int numprompts, *echo_on, success;
@ -954,7 +952,7 @@ mm_answer_bsdauthquery(int sock, struct sshbuf *m)
 }
 int
-mm_answer_bsdauthrespond(int sock, struct sshbuf *m)
+mm_answer_bsdauthrespond(struct ssh *ssh, int sock, struct sshbuf *m)
 {
 	char *response;
 	int r, authok;
@ -988,7 +986,7 @@ mm_answer_bsdauthrespond(int sock, struct sshbuf *m)
 #ifdef USE_PAM
 int
-mm_answer_pam_start(int sock, struct sshbuf *m)
+mm_answer_pam_start(struct ssh *ssh, int sock, struct sshbuf *m)
 {
 	if (!options.use_pam)
 		fatal("UsePAM not set, but ended up in %s anyway", __func__);
@ -1003,7 +1001,7 @@ mm_answer_pam_start(int sock, struct sshbuf *m)
 }
 int
-mm_answer_pam_account(int sock, struct sshbuf *m)
+mm_answer_pam_account(struct ssh *ssh, int sock, struct sshbuf *m)
 {
 	u_int ret;
 	int r;
@ -1026,7 +1024,7 @@ static void *sshpam_ctxt, *sshpam_authok;
 extern KbdintDevice sshpam_device;
 int
-mm_answer_pam_init_ctx(int sock, struct sshbuf *m)
+mm_answer_pam_init_ctx(struct ssh *ssh, int sock, struct sshbuf *m)
 {
 	u_int ok = 0;
 	int r;
@ -1051,7 +1049,7 @@ mm_answer_pam_init_ctx(int sock, struct sshbuf *m)
 }
 int
-mm_answer_pam_query(int sock, struct sshbuf *m)
+mm_answer_pam_query(struct ssh *ssh, int sock, struct sshbuf *m)
 {
 	char *name = NULL, *info = NULL, **prompts = NULL;
 	u_int i, num = 0, *echo_on = 0;
@ -1092,7 +1090,7 @@ mm_answer_pam_query(int sock, struct sshbuf *m)
 }
 int
-mm_answer_pam_respond(int sock, struct sshbuf *m)
+mm_answer_pam_respond(struct ssh *ssh, int sock, struct sshbuf *m)
 {
 	char **resp;
 	u_int i, num;
@ -1130,7 +1128,7 @@ mm_answer_pam_respond(int sock, struct sshbuf *m)
 }
 int
-mm_answer_pam_free_ctx(int sock, struct sshbuf *m)
+mm_answer_pam_free_ctx(struct ssh *ssh, int sock, struct sshbuf *m)
 {
 	int r = sshpam_authok != NULL && sshpam_authok == sshpam_ctxt;
@ -1150,9 +1148,8 @@ mm_answer_pam_free_ctx(int sock, struct sshbuf *m)
 #endif
 int
-mm_answer_keyallowed(int sock, struct sshbuf *m)
+mm_answer_keyallowed(struct ssh *ssh, int sock, struct sshbuf *m)
 {
 	struct ssh *ssh = active_state;	/* XXX */
 	struct sshkey *key = NULL;
 	char *cuser, *chost;
 	u_int pubkey_auth_attempt;
@ -1387,9 +1384,8 @@ monitor_valid_hostbasedblob(u_char *data, u_int datalen, char *cuser,
 }
 int
-mm_answer_keyverify(int sock, struct sshbuf *m)
+mm_answer_keyverify(struct ssh *ssh, int sock, struct sshbuf *m)
 {
 	struct ssh *ssh = active_state;	/* XXX */
 	struct sshkey *key;
 	u_char *signature, *data, *blob;
 	char *sigalg;
@ -1434,7 +1430,7 @@ mm_answer_keyverify(int sock, struct sshbuf *m)
 		fatal("%s: bad signature data blob", __func__);
 	ret = sshkey_verify(key, signature, signaturelen, data, datalen,
-	    sigalg, active_state->compat);
+	    sigalg, ssh->compat);
 	debug3("%s: %s %p signature %s", __func__, auth_method, key,
 	    (ret == 0) ? "verified" : "unverified");
 	auth2_record_key(authctxt, ret == 0, key);
@ -1461,9 +1457,8 @@ mm_answer_keyverify(int sock, struct sshbuf *m)
 }
 static void
-mm_record_login(Session *s, struct passwd *pw)
+mm_record_login(struct ssh *ssh, Session *s, struct passwd *pw)
 {
 	struct ssh *ssh = active_state;	/* XXX */
 	socklen_t fromlen;
 	struct sockaddr_storage from;
@ -1473,8 +1468,8 @@ mm_record_login(Session *s, struct passwd *pw)
 	 */
 	memset(&from, 0, sizeof(from));
 	fromlen = sizeof(from);
-	if (packet_connection_is_on_socket()) {
+	if (ssh_packet_connection_is_on_socket(ssh)) {
-		if (getpeername(packet_get_connection_in(),
+		if (getpeername(ssh_packet_get_connection_in(ssh),
 		    (struct sockaddr *)&from, &fromlen) < 0) {
 			debug("getpeername: %.100s", strerror(errno));
 			cleanup_exit(255);
@ -1498,7 +1493,7 @@ mm_session_close(Session *s)
 }
 int
-mm_answer_pty(int sock, struct sshbuf *m)
+mm_answer_pty(struct ssh *ssh, int sock, struct sshbuf *m)
 {
 	extern struct monitor *pmonitor;
 	Session *s;
@ -1526,7 +1521,7 @@ mm_answer_pty(int sock, struct sshbuf *m)
 	if (dup2(s->ttyfd, 0) == -1)
 		fatal("%s: dup2", __func__);
-	mm_record_login(s, authctxt->pw);
+	mm_record_login(ssh, s, authctxt->pw);
 	/* Now we can close the file descriptor again */
 	close(0);
@ -1568,7 +1563,7 @@ mm_answer_pty(int sock, struct sshbuf *m)
 }
 int
-mm_answer_pty_cleanup(int sock, struct sshbuf *m)
+mm_answer_pty_cleanup(struct ssh *ssh, int sock, struct sshbuf *m)
 {
 	Session *s;
 	char *tty;
@ -1586,9 +1581,8 @@ mm_answer_pty_cleanup(int sock, struct sshbuf *m)
 }
 int
-mm_answer_term(int sock, struct sshbuf *req)
+mm_answer_term(struct ssh *ssh, int sock, struct sshbuf *req)
 {
 	struct ssh *ssh = active_state;	/* XXX */
 	extern struct monitor *pmonitor;
 	int res, status;
@ -1615,7 +1609,7 @@ mm_answer_term(int sock, struct sshbuf *req)
 #ifdef SSH_AUDIT_EVENTS
 /* Report that an audit event occurred */
 int
-mm_answer_audit_event(int socket, struct sshbuf *m)
+mm_answer_audit_event(struct ssh *ssh, int socket, struct sshbuf *m)
 {
 	u_int n;
 	ssh_audit_event_t event;
@ -1644,7 +1638,7 @@ mm_answer_audit_event(int socket, struct sshbuf *m)
 }
 int
-mm_answer_audit_command(int socket, struct sshbuf *m)
+mm_answer_audit_command(struct ssh *ssh, int socket, struct sshbuf *m)
 {
 	char *cmd;
 	int r;
@ -1660,10 +1654,8 @@ mm_answer_audit_command(int socket, struct sshbuf *m)
 #endif /* SSH_AUDIT_EVENTS */
 void
-monitor_clear_keystate(struct monitor *pmonitor)
+monitor_clear_keystate(struct ssh *ssh, struct monitor *pmonitor)
 {
 	struct ssh *ssh = active_state;	/* XXX */
 	ssh_clear_newkeys(ssh, MODE_IN);
 	ssh_clear_newkeys(ssh, MODE_OUT);
 	sshbuf_free(child_state);
@ -1671,9 +1663,8 @@ monitor_clear_keystate(struct monitor *pmonitor)
 }
 void
-monitor_apply_keystate(struct monitor *pmonitor)
+monitor_apply_keystate(struct ssh *ssh, struct monitor *pmonitor)
 {
 	struct ssh *ssh = active_state;	/* XXX */
 	struct kex *kex;
 	int r;
@ -1780,7 +1771,7 @@ monitor_reinit(struct monitor *mon)
 #ifdef GSSAPI
 int
-mm_answer_gss_setup_ctx(int sock, struct sshbuf *m)
+mm_answer_gss_setup_ctx(struct ssh *ssh, int sock, struct sshbuf *m)
 {
 	gss_OID_desc goid;
 	OM_uint32 major;
@ -1813,7 +1804,7 @@ mm_answer_gss_setup_ctx(int sock, struct sshbuf *m)
 }
 int
-mm_answer_gss_accept_ctx(int sock, struct sshbuf *m)
+mm_answer_gss_accept_ctx(struct ssh *ssh, int sock, struct sshbuf *m)
 {
 	gss_buffer_desc in;
 	gss_buffer_desc out = GSS_C_EMPTY_BUFFER;
@ -1847,7 +1838,7 @@ mm_answer_gss_accept_ctx(int sock, struct sshbuf *m)
 }
 int
-mm_answer_gss_checkmic(int sock, struct sshbuf *m)
+mm_answer_gss_checkmic(struct ssh *ssh, int sock, struct sshbuf *m)
 {
 	gss_buffer_desc gssbuf, mic;
 	OM_uint32 ret;
@ -1878,7 +1869,7 @@ mm_answer_gss_checkmic(int sock, struct sshbuf *m)
 }
 int
-mm_answer_gss_userok(int sock, struct sshbuf *m)
+mm_answer_gss_userok(struct ssh *ssh, int sock, struct sshbuf *m)
 {
 	int r, authenticated;
 	const char *displayname;
--- a/monitor.h
+++ b/monitor.h
@ -1,4 +1,4 @@
-/* $OpenBSD: monitor.h,v 1.21 2018/07/09 21:53:45 markus Exp $ */
+/* $OpenBSD: monitor.h,v 1.22 2019/01/19 21:43:07 djm Exp $ */
 /*
 * Copyright 2002 Niels Provos <provos@citi.umich.edu>
@ -65,6 +65,8 @@ enum monitor_reqtype {
 };
 struct ssh;
 struct monitor {
 	int			 m_recvfd;
 	int			 m_sendfd;
@ -78,11 +80,11 @@ struct monitor *monitor_init(void);
 void monitor_reinit(struct monitor *);
 struct Authctxt;
-void monitor_child_preauth(struct Authctxt *, struct monitor *);
+void monitor_child_preauth(struct ssh *, struct monitor *);
-void monitor_child_postauth(struct monitor *);
+void monitor_child_postauth(struct ssh *, struct monitor *);
-struct mon_table;
+void monitor_clear_keystate(struct ssh *, struct monitor *);
-int monitor_read(struct monitor*, struct mon_table *, struct mon_table **);
+void monitor_apply_keystate(struct ssh *, struct monitor *);
 /* Prototypes for request sending and receiving */
 void mm_request_send(int, enum monitor_reqtype, struct sshbuf *);
--- a/monitor_wrap.c
+++ b/monitor_wrap.c
@ -1,4 +1,4 @@
-/* $OpenBSD: monitor_wrap.c,v 1.109 2019/01/19 21:41:18 djm Exp $ */
+/* $OpenBSD: monitor_wrap.c,v 1.110 2019/01/19 21:43:07 djm Exp $ */
 /*
 * Copyright 2002 Niels Provos <provos@citi.umich.edu>
 * Copyright 2002 Markus Friedl <markus@openbsd.org>
@ -76,7 +76,6 @@
 #include "ssherr.h"
 #include "opacket.h" /* XXX */
 extern struct ssh *active_state; /* XXX */
 /* Imports */
--- a/monitor_wrap.h
+++ b/monitor_wrap.h
@ -1,4 +1,4 @@
-/* $OpenBSD: monitor_wrap.h,v 1.39 2019/01/19 21:41:18 djm Exp $ */
+/* $OpenBSD: monitor_wrap.h,v 1.40 2019/01/19 21:43:07 djm Exp $ */
 /*
 * Copyright 2002 Niels Provos <provos@citi.umich.edu>
@ -89,8 +89,6 @@ void mm_session_pty_cleanup2(struct Session *);
 struct newkeys *mm_newkeys_from_blob(u_char *, int);
 int mm_newkeys_to_blob(int, u_char **, u_int *);
 void monitor_clear_keystate(struct monitor *);
 void monitor_apply_keystate(struct monitor *);
 void mm_get_keystate(struct monitor *);
 void mm_send_keystate(struct monitor*);
--- a/sshd.c
+++ b/sshd.c
@ -1,4 +1,4 @@
-/* $OpenBSD: sshd.c,v 1.525 2019/01/19 21:42:30 djm Exp $ */
+/* $OpenBSD: sshd.c,v 1.526 2019/01/19 21:43:07 djm Exp $ */
 /*
 * Author: Tatu Ylonen <ylo@cs.hut.fi>
 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@ -459,7 +459,6 @@ privsep_preauth_child(void)
 static int
 privsep_preauth(struct ssh *ssh)
 {
 	Authctxt *authctxt = (Authctxt *)ssh->authctxt;
 	int status, r;
 	pid_t pid;
 	struct ssh_sandbox *box = NULL;
@ -488,7 +487,7 @@ privsep_preauth(struct ssh *ssh)
 		}
 		if (box != NULL)
 			ssh_sandbox_parent_preauth(box, pid);
-		monitor_child_preauth(authctxt, pmonitor);
+		monitor_child_preauth(ssh, pmonitor);
 		/* Wait for the child's exit status */
 		while (waitpid(pid, &status, 0) < 0) {
@ -548,8 +547,8 @@ privsep_postauth(struct ssh *ssh, Authctxt *authctxt)
 	else if (pmonitor->m_pid != 0) {
 		verbose("User child is on pid %ld", (long)pmonitor->m_pid);
 		sshbuf_reset(loginmsg);
-		monitor_clear_keystate(pmonitor);
+		monitor_clear_keystate(ssh, pmonitor);
-		monitor_child_postauth(pmonitor);
+		monitor_child_postauth(ssh, pmonitor);
 		/* NEVERREACHED */
 		exit(0);
@ -570,7 +569,7 @@ privsep_postauth(struct ssh *ssh, Authctxt *authctxt)
 skip:
 	/* It is safe now to apply the key state */
-	monitor_apply_keystate(pmonitor);
+	monitor_apply_keystate(ssh, pmonitor);
 	/*
 	 * Tell the packet layer that authentication was successful, since