-rw-r--r--deleted_files/usr/src/cmd/ssh/include/monitor.h (renamed from usr/src/cmd/ssh/include/monitor.h)0
-rw-r--r--deleted_files/usr/src/cmd/ssh/include/monitor_fdpass.h (renamed from usr/src/cmd/ssh/include/monitor_fdpass.h)0
-rw-r--r--deleted_files/usr/src/cmd/ssh/include/monitor_mm.h (renamed from usr/src/cmd/ssh/include/monitor_mm.h)0
-rw-r--r--deleted_files/usr/src/cmd/ssh/include/monitor_wrap.h (renamed from usr/src/cmd/ssh/include/monitor_wrap.h)0
-rw-r--r--deleted_files/usr/src/cmd/ssh/libssh/common/monitor_fdpass.c (renamed from usr/src/cmd/ssh/libssh/common/monitor_fdpass.c)0
-rw-r--r--deleted_files/usr/src/cmd/ssh/libssh/common/monitor_wrap.c (renamed from usr/src/cmd/ssh/libssh/common/monitor_wrap.c)0
-rw-r--r--deleted_files/usr/src/cmd/ssh/sshd/monitor.c (renamed from usr/src/cmd/ssh/sshd/monitor.c)0
-rw-r--r--deleted_files/usr/src/cmd/ssh/sshd/monitor_mm.c (renamed from usr/src/cmd/ssh/sshd/monitor_mm.c)0
-rw-r--r--usr/src/cmd/ssh/README.altprivsep4
-rw-r--r--usr/src/cmd/ssh/include/g11n.h4
-rw-r--r--usr/src/cmd/ssh/include/packet.h39
-rw-r--r--usr/src/cmd/ssh/include/readconf.h2
-rw-r--r--usr/src/cmd/ssh/libssh/Makefile.com2
-rw-r--r--usr/src/cmd/ssh/libssh/common/g11n.c64
-rw-r--r--usr/src/cmd/ssh/libssh/common/kex.c20
-rw-r--r--usr/src/cmd/ssh/libssh/common/kexdh.c1
-rw-r--r--usr/src/cmd/ssh/libssh/common/kexdhc.c1
-rw-r--r--usr/src/cmd/ssh/libssh/common/kexdhs.c3
-rw-r--r--usr/src/cmd/ssh/libssh/common/kexgex.c1
-rw-r--r--usr/src/cmd/ssh/libssh/common/kexgexc.c1
-rw-r--r--usr/src/cmd/ssh/libssh/common/kexgexs.c5
-rw-r--r--usr/src/cmd/ssh/libssh/common/kexgsss.c6
-rw-r--r--usr/src/cmd/ssh/libssh/common/llib-lssh4
-rw-r--r--usr/src/cmd/ssh/libssh/common/packet.c341
-rw-r--r--usr/src/cmd/ssh/libssh/common/readconf.c56
-rw-r--r--usr/src/cmd/ssh/libssh/common/ssh-gss.c19
-rw-r--r--usr/src/cmd/ssh/libssh/common/xlist.c113
-rw-r--r--usr/src/cmd/ssh/ssh/clientloop.c5
-rw-r--r--usr/src/cmd/ssh/ssh/gss-clnt.c26
-rw-r--r--usr/src/cmd/ssh/ssh/sshconnect2.c3
-rw-r--r--usr/src/cmd/ssh/sshd/Makefile2
-rw-r--r--usr/src/cmd/ssh/sshd/altprivsep.c10
-rw-r--r--usr/src/cmd/ssh/sshd/auth-bsdauth.c1
-rw-r--r--usr/src/cmd/ssh/sshd/auth-options.c7
-rw-r--r--usr/src/cmd/ssh/sshd/auth-pam.c8
-rw-r--r--usr/src/cmd/ssh/sshd/auth-rh-rsa.c4
-rw-r--r--usr/src/cmd/ssh/sshd/auth-rhosts.c4
-rw-r--r--usr/src/cmd/ssh/sshd/auth-rsa.c7
-rw-r--r--usr/src/cmd/ssh/sshd/auth-skey.c1
-rw-r--r--usr/src/cmd/ssh/sshd/auth1.c36
-rw-r--r--usr/src/cmd/ssh/sshd/auth2-gss.c16
-rw-r--r--usr/src/cmd/ssh/sshd/auth2-hostbased.c6
-rw-r--r--usr/src/cmd/ssh/sshd/auth2-none.c7
-rw-r--r--usr/src/cmd/ssh/sshd/auth2-pam.c8
-rw-r--r--usr/src/cmd/ssh/sshd/auth2-passwd.c6
-rw-r--r--usr/src/cmd/ssh/sshd/auth2-pubkey.c12
-rw-r--r--usr/src/cmd/ssh/sshd/auth2.c17
-rw-r--r--usr/src/cmd/ssh/sshd/gss-serv.c3
-rw-r--r--usr/src/cmd/ssh/sshd/servconf.c27
-rw-r--r--usr/src/cmd/ssh/sshd/serverloop.c9
-rw-r--r--usr/src/cmd/ssh/sshd/session.c15
-rw-r--r--usr/src/cmd/ssh/sshd/sshd.c284
52 files changed, 515 insertions, 695 deletions
diff --git a/usr/src/cmd/ssh/include/monitor.h b/deleted_files/usr/src/cmd/ssh/include/monitor.h
index ea223d8a66..ea223d8a66 100644
--- a/usr/src/cmd/ssh/include/monitor.h
+++ b/deleted_files/usr/src/cmd/ssh/include/monitor.h
diff --git a/usr/src/cmd/ssh/include/monitor_fdpass.h b/deleted_files/usr/src/cmd/ssh/include/monitor_fdpass.h
index d43c0e4fbb..d43c0e4fbb 100644
--- a/usr/src/cmd/ssh/include/monitor_fdpass.h
+++ b/deleted_files/usr/src/cmd/ssh/include/monitor_fdpass.h
diff --git a/usr/src/cmd/ssh/include/monitor_mm.h b/deleted_files/usr/src/cmd/ssh/include/monitor_mm.h
index 37b53c7355..37b53c7355 100644
--- a/usr/src/cmd/ssh/include/monitor_mm.h
+++ b/deleted_files/usr/src/cmd/ssh/include/monitor_mm.h
diff --git a/usr/src/cmd/ssh/include/monitor_wrap.h b/deleted_files/usr/src/cmd/ssh/include/monitor_wrap.h
index 49a215af53..49a215af53 100644
--- a/usr/src/cmd/ssh/include/monitor_wrap.h
+++ b/deleted_files/usr/src/cmd/ssh/include/monitor_wrap.h
diff --git a/usr/src/cmd/ssh/libssh/common/monitor_fdpass.c b/deleted_files/usr/src/cmd/ssh/libssh/common/monitor_fdpass.c
index 305e45e4cc..305e45e4cc 100644
--- a/usr/src/cmd/ssh/libssh/common/monitor_fdpass.c
+++ b/deleted_files/usr/src/cmd/ssh/libssh/common/monitor_fdpass.c
diff --git a/usr/src/cmd/ssh/libssh/common/monitor_wrap.c b/deleted_files/usr/src/cmd/ssh/libssh/common/monitor_wrap.c
index 4882c3d967..4882c3d967 100644
--- a/usr/src/cmd/ssh/libssh/common/monitor_wrap.c
+++ b/deleted_files/usr/src/cmd/ssh/libssh/common/monitor_wrap.c
diff --git a/usr/src/cmd/ssh/sshd/monitor.c b/deleted_files/usr/src/cmd/ssh/sshd/monitor.c
index c14973160b..c14973160b 100644
--- a/usr/src/cmd/ssh/sshd/monitor.c
+++ b/deleted_files/usr/src/cmd/ssh/sshd/monitor.c
diff --git a/usr/src/cmd/ssh/sshd/monitor_mm.c b/deleted_files/usr/src/cmd/ssh/sshd/monitor_mm.c
index 04a82d28f8..04a82d28f8 100644
--- a/usr/src/cmd/ssh/sshd/monitor_mm.c
+++ b/deleted_files/usr/src/cmd/ssh/sshd/monitor_mm.c
diff --git a/usr/src/cmd/ssh/README.altprivsep b/usr/src/cmd/ssh/README.altprivsep
index 610a610fa4..73cdeaf80f 100644
--- a/usr/src/cmd/ssh/README.altprivsep
+++ b/usr/src/cmd/ssh/README.altprivsep
@@ -1,4 +1,4 @@
- Copyright 2006 Sun Microsystems, Inc. All rights reserved.
+ Copyright 2007 Sun Microsystems, Inc. All rights reserved.
Use is subject to license terms.
#ident "%Z%%M% %I% %E% SMI"
@@ -612,7 +612,7 @@ A. References
Note that for SSHv1 no on-the-wire messages are processed by the
monitor after authentication. In fact, the monitor thinks it's
- running SSHv2, even if the on-the-wire protocol is v2.
+ running SSHv2, even if the on-the-wire protocol is v1.
A. References
diff --git a/usr/src/cmd/ssh/include/g11n.h b/usr/src/cmd/ssh/include/g11n.h
index 0db14a6b27..9fff281c7b 100644
--- a/usr/src/cmd/ssh/include/g11n.h
+++ b/usr/src/cmd/ssh/include/g11n.h
@@ -18,7 +18,7 @@
*
* CDDL HEADER END
*
- * Copyright 2006 Sun Microsystems, Inc. All rights reserved.
+ * Copyright 2007 Sun Microsystems, Inc. All rights reserved.
* Use is subject to license terms.
*/
@@ -72,6 +72,8 @@ char **g11n_langtag_set_locale_set_intersect(char *langtag_set,
char *g11n_srvr_locale_negotiate(char *clnt_langtags, char **srvr_locales);
+/* auxiliary functions */
+void g11n_freelist(char **list);
/*
* Functions for validating ASCII and UTF-8 strings
diff --git a/usr/src/cmd/ssh/include/packet.h b/usr/src/cmd/ssh/include/packet.h
index 2ad7a7f94d..8a71eb2864 100644
--- a/usr/src/cmd/ssh/include/packet.h
+++ b/usr/src/cmd/ssh/include/packet.h
@@ -1,15 +1,3 @@
-/* $OpenBSD: packet.h,v 1.35 2002/06/19 18:01:00 markus Exp $ */
-
-#ifndef _PACKET_H
-#define _PACKET_H
-
-#pragma ident "%Z%%M% %I% %E% SMI"
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -23,11 +11,24 @@ extern "C" {
* called by a name other than "ssh" or "Secure Shell".
*/
/*
- * Copyright 2004 Sun Microsystems, Inc. All rights reserved.
+ * Copyright 2007 Sun Microsystems, Inc. All rights reserved.
* Use is subject to license terms.
*/
+#ifndef _PACKET_H
+#define _PACKET_H
+
+/* $OpenBSD: packet.h,v 1.35 2002/06/19 18:01:00 markus Exp $ */
+
+#pragma ident "%Z%%M% %I% %E% SMI"
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+
#include <openssl/bn.h>
+#include "kex.h"
#ifdef ALTPRIVSEP
/* Monitor-side functions */
@@ -89,14 +90,7 @@ void packet_disconnect(const char *fmt,...) __attribute__((format(printf, 1,
void packet_send_debug(const char *fmt,...) __attribute__((format(printf, 1, 2)));
void set_newkeys(int mode);
-int packet_get_keyiv_len(int);
-void packet_get_keyiv(int, u_char *, u_int);
-int packet_get_keycontext(int, u_char *);
-void packet_set_keycontext(int, u_char *);
-u_int32_t packet_get_seqnr(int);
-void packet_set_seqnr(int, u_int32_t);
-int packet_get_ssh1_cipher(void);
-void packet_set_iv(int, u_char *);
+void free_keys(Newkeys *keys);
void packet_write_poll(void);
void packet_write_wait(void);
@@ -127,6 +121,9 @@ do { \
} \
} while (0)
+int packet_need_rekeying(void);
+void packet_set_rekey_limit(u_int32_t);
+
#ifdef __cplusplus
}
#endif
diff --git a/usr/src/cmd/ssh/include/readconf.h b/usr/src/cmd/ssh/include/readconf.h
index 3d1fe7b211..d4829960d8 100644
--- a/usr/src/cmd/ssh/include/readconf.h
+++ b/usr/src/cmd/ssh/include/readconf.h
@@ -150,6 +150,8 @@ typedef struct {
int num_remote_forwards;
Forward remote_forwards[SSH_MAX_FORWARDS_PER_DIRECTION];
int clear_forwardings;
+
+ int64_t rekey_limit;
int no_host_authentication_for_localhost;
int server_alive_interval;
int server_alive_count_max;
diff --git a/usr/src/cmd/ssh/libssh/Makefile.com b/usr/src/cmd/ssh/libssh/Makefile.com
index ed02ab1de2..c691c21225 100644
--- a/usr/src/cmd/ssh/libssh/Makefile.com
+++ b/usr/src/cmd/ssh/libssh/Makefile.com
@@ -80,8 +80,6 @@ OBJECTS = \
uuencode.o \
xlist.o \
xmalloc.o \
- monitor_wrap.o \
- monitor_fdpass.o \
readconf.o \
sftp-common.o \
proxy-io.o
diff --git a/usr/src/cmd/ssh/libssh/common/g11n.c b/usr/src/cmd/ssh/libssh/common/g11n.c
index 95b61bef62..6a985db7f3 100644
--- a/usr/src/cmd/ssh/libssh/common/g11n.c
+++ b/usr/src/cmd/ssh/libssh/common/g11n.c
@@ -18,7 +18,7 @@
*
* CDDL HEADER END
*
- * Copyright 2006 Sun Microsystems, Inc. All rights reserved.
+ * Copyright 2007 Sun Microsystems, Inc. All rights reserved.
* Use is subject to license terms.
*/
@@ -57,6 +57,10 @@ static char *g11n_locale2langtag(char *locale);
uint_t g11n_validate_ascii(const char *str, uint_t len, uchar_t **error_str);
uint_t g11n_validate_utf8(const uchar_t *str, uint_t len, uchar_t **error_str);
+/*
+ * Convert locale string name into a language tag. The caller is responsible for
+ * freeing the memory allocated for the result.
+ */
static char *
g11n_locale2langtag(char *locale)
{
@@ -67,7 +71,7 @@ g11n_locale2langtag(char *locale)
return (NULL);
if (strcmp(locale, "POSIX") == 0 || strcmp(locale, "C") == 0)
- return ("i-default");
+ return (xstrdup("i-default"));
/* punt for language codes which are not exactly 2 letters */
if (strlen(locale) < 2 ||
@@ -270,8 +274,10 @@ g11n_getlocales()
list[n_elems++] = xstrdup(locale);
}
- if (n_elems == 0)
+ if (n_elems == 0) {
+ xfree(list);
return (NULL);
+ }
list[n_elems] = NULL;
(void) pclose(locale_out);
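Review bot: The new early-return branch for `n_elems == 0` frees `list` but still returns before `(void) pclose(locale_out);`, which this hunk shows only on the non-empty path, so the pipe stream appears to stay open whenever no locales are read. Moving the `pclose` call above the `if (n_elems == 0)` check, or adding `(void) pclose(locale_out);` inside the new braces, would close it on both paths. The rest of g11n_getlocales() is outside this hunk, so confirm that no earlier close exists.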
@@ -300,7 +306,7 @@ char *
g11n_locales2langs(char **locale_set)
{
char **p, **r, **q;
- char *langtag;
+ char *langtag, *langs;
int locales, skip;
for (locales = 0, p = locale_set; p && *p; p++)
@@ -321,10 +327,15 @@ g11n_locales2langs(char **locale_set)
}
if (!skip)
*(q++) = langtag;
+ else
+ xfree(langtag);
*q = NULL;
}
- return (xjoin(r, ','));
+ langs = xjoin(r, ',');
+ g11n_freelist(r);
+
+ return (langs);
}
static int
@@ -343,12 +354,12 @@ g11n_langtag_match(char *langtag1, char *langtag2)
char c1, c2;
len1 = (strchr(langtag1, '-')) ?
- (strchr(langtag1, '-') - langtag1)
- : strlen(langtag1);
+ (strchr(langtag1, '-') - langtag1)
+ : strlen(langtag1);
len2 = (strchr(langtag2, '-')) ?
- (strchr(langtag2, '-') - langtag2)
- : strlen(langtag2);
+ (strchr(langtag2, '-') - langtag2)
+ : strlen(langtag2);
/* no match */
if (len1 != len2 || strncmp(langtag1, langtag2, len1) != 0)
@@ -628,17 +639,25 @@ g11n_langtag_set_locale_set_intersect(char *langtag_set, char **locale_set)
char *
g11n_srvr_locale_negotiate(char *clnt_langtags, char **srvr_locales)
{
- char **results, *result = NULL;
+ char **results, **locales, *result = NULL;
+
+ if (srvr_locales == NULL)
+ locales = g11n_getlocales();
+ else
+ locales = srvr_locales;
if ((results = g11n_langtag_set_locale_set_intersect(clnt_langtags,
- srvr_locales ? srvr_locales : g11n_getlocales())) == NULL)
- return (NULL);
+ locales)) == NULL)
+ goto err;
if (*results != NULL)
result = xstrdup(*results);
xfree_split_list(results);
+err:
+ if (locales != srvr_locales)
+ g11n_freelist(locales);
return (result);
}
@@ -801,8 +820,8 @@ g11n_convert_from_ascii(const char *str, int *err_ptr, uchar_t **error_str)
* same, and there are aliases of codesets to boot...
*/
if (strcmp("646", nl_langinfo(CODESET)) == 0 ||
- strcmp("ASCII", nl_langinfo(CODESET)) == 0 ||
- strcmp("US-ASCII", nl_langinfo(CODESET)) == 0) {
+ strcmp("ASCII", nl_langinfo(CODESET)) == 0 ||
+ strcmp("US-ASCII", nl_langinfo(CODESET)) == 0) {
initialized = 1;
do_convert = 0;
} else {
@@ -1035,3 +1054,20 @@ do_iconv(iconv_t cd, uint_t *mul_ptr, const void *buf, uint_t len,
return (converted);
}
+
+/*
+ * Free all strings in the list and then free the list itself. We know that the
+ * list ends with a NULL pointer.
+ */
+void
+g11n_freelist(char **list)
+{
+ int i = 0;
+
+ while (list[i] != NULL) {
+ xfree(list[i]);
+ i++;
+ }
+
+ xfree(list);
+}
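Review bot: `g11n_freelist()` reads `list[i]` without checking `list` itself, yet it is now exported through g11n.h and `g11n_getlocales()` can return NULL (see its `n_elems == 0` branch). g11n_srvr_locale_negotiate() avoids passing NULL only because of its `locales != srvr_locales` comparison. A guard such as `if (list == NULL) return;` at the top would make the helper safe for later callers, and the header comment could state that NULL is accepted.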
diff --git a/usr/src/cmd/ssh/libssh/common/kex.c b/usr/src/cmd/ssh/libssh/common/kex.c
index 0e3b8d9365..d535254210 100644
--- a/usr/src/cmd/ssh/libssh/common/kex.c
+++ b/usr/src/cmd/ssh/libssh/common/kex.c
@@ -21,7 +21,7 @@
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*
- * Copyright 2004 Sun Microsystems, Inc. All rights reserved.
+ * Copyright 2007 Sun Microsystems, Inc. All rights reserved.
* Use is subject to license terms.
*/
@@ -47,7 +47,6 @@ RCSID("$OpenBSD: kex.c,v 1.51 2002/06/24 14:55:38 markus Exp $");
#include "mac.h"
#include "match.h"
#include "dispatch.h"
-#include "monitor.h"
#include "g11n.h"
#ifdef GSSAPI
@@ -56,10 +55,6 @@ RCSID("$OpenBSD: kex.c,v 1.51 2002/06/24 14:55:38 markus Exp $");
#define KEX_COOKIE_LEN 16
-/* Use privilege separation for sshd */
-int use_privsep;
-struct monitor *pmonitor;
-
char *session_lang = NULL;
@@ -182,11 +177,8 @@ skip_newkeys:
buffer_clear(&kex->peer);
/* buffer_clear(&kex->my); */
kex->flags &= ~KEX_INIT_SENT;
-#if 0
- /* Must have this name for use in sshd (audit_save_kex())... */
xfree(kex->name);
kex->name = NULL;
-#endif
}
void
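Review bot: Enabling the previously `#if 0`'d `xfree(kex->name); kex->name = NULL;` drops the guard that the removed comment described, namely that sshd's audit_save_kex() needed the name to stay valid. Nothing in this hunk shows that consumer being removed or changed, so any remaining reader of `kex->name` after key exchange would now see NULL. Confirm that all such readers are gone, and replace the deleted comment with one that states the new lifetime, e.g. `/* kex->name is only valid while the exchange is in progress */`. The enclosing function starts outside the hunk.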
@@ -543,6 +535,7 @@ kex_choose_conf(Kex *kex)
g11n_setlocale(LC_ALL, locale);
debug("Negotiated main locale: %s", locale);
packet_send_debug("Negotiated main locale: %s", locale);
+ xfree(locale);
}
if (plangs != p_langs_s2c &&
p_langs_s2c && *p_langs_s2c) {
@@ -550,14 +543,11 @@ kex_choose_conf(Kex *kex)
if (locale) {
g11n_setlocale(LC_MESSAGES, locale);
debug("Negotiated messages locale: %s", locale);
- packet_send_debug("Negotiated messages locale: %s", locale);
+ packet_send_debug("Negotiated "
+ "messages locale: %s", locale);
+ xfree(locale);
}
}
- /*
- * Should we free locale? Or does setlocale
- * retain a reference?
- */
- /*xfree(locale);*/
}
}
else {
diff --git a/usr/src/cmd/ssh/libssh/common/kexdh.c b/usr/src/cmd/ssh/libssh/common/kexdh.c
index 7af19994fb..b15ecd2c5b 100644
--- a/usr/src/cmd/ssh/libssh/common/kexdh.c
+++ b/usr/src/cmd/ssh/libssh/common/kexdh.c
@@ -39,7 +39,6 @@ RCSID("$OpenBSD: kexdh.c,v 1.18 2002/03/18 17:50:31 provos Exp $");
#include "packet.h"
#include "dh.h"
#include "ssh2.h"
-#include "monitor_wrap.h"
u_char *
kex_dh_hash(
diff --git a/usr/src/cmd/ssh/libssh/common/kexdhc.c b/usr/src/cmd/ssh/libssh/common/kexdhc.c
index 6e7e7d7dc5..1c75f8449f 100644
--- a/usr/src/cmd/ssh/libssh/common/kexdhc.c
+++ b/usr/src/cmd/ssh/libssh/common/kexdhc.c
@@ -39,7 +39,6 @@ RCSID("$OpenBSD: kexdh.c,v 1.18 2002/03/18 17:50:31 provos Exp $");
#include "packet.h"
#include "dh.h"
#include "ssh2.h"
-#include "monitor_wrap.h"
void
kexdh_client(Kex *kex)
diff --git a/usr/src/cmd/ssh/libssh/common/kexdhs.c b/usr/src/cmd/ssh/libssh/common/kexdhs.c
index 1fc9f4c2ee..5e14b1333f 100644
--- a/usr/src/cmd/ssh/libssh/common/kexdhs.c
+++ b/usr/src/cmd/ssh/libssh/common/kexdhs.c
@@ -39,7 +39,6 @@ RCSID("$OpenBSD: kexdh.c,v 1.18 2002/03/18 17:50:31 provos Exp $");
#include "packet.h"
#include "dh.h"
#include "ssh2.h"
-#include "monitor_wrap.h"
void
kexdh_server(Kex *kex)
@@ -123,7 +122,7 @@ kexdh_server(Kex *kex)
/* sign H */
/* XXX hashlen depends on KEX */
- PRIVSEP(key_sign(server_host_key, &signature, &slen, hash, 20));
+ key_sign(server_host_key, &signature, &slen, hash, 20);
/* destroy_sensitive_data(); */
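Review bot: The return value of `key_sign(server_host_key, &signature, &slen, hash, 20);` is discarded, so a failed signing operation would go unnoticed and `signature`/`slen` would be used as they are by the code after the hunk. If key_sign() reports failure through its return value (its prototype is not visible here), check it, for example `if (key_sign(server_host_key, &signature, &slen, hash, 20) != 0) fatal("kexdh_server: key_sign failed");`. The same unchecked call is added in kexgexs.c in the `@@ -168,7 +167,7 @@` hunk. kexdh_server() begins and ends outside this hunk.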
diff --git a/usr/src/cmd/ssh/libssh/common/kexgex.c b/usr/src/cmd/ssh/libssh/common/kexgex.c
index 3553bb130f..3652e1c020 100644
--- a/usr/src/cmd/ssh/libssh/common/kexgex.c
+++ b/usr/src/cmd/ssh/libssh/common/kexgex.c
@@ -40,7 +40,6 @@ RCSID("$OpenBSD: kexgex.c,v 1.22 2002/03/24 17:27:03 stevesk Exp $");
#include "dh.h"
#include "ssh2.h"
#include "compat.h"
-#include "monitor_wrap.h"
u_char *
kexgex_hash(
diff --git a/usr/src/cmd/ssh/libssh/common/kexgexc.c b/usr/src/cmd/ssh/libssh/common/kexgexc.c
index 5f6ac3d283..5fddebaed9 100644
--- a/usr/src/cmd/ssh/libssh/common/kexgexc.c
+++ b/usr/src/cmd/ssh/libssh/common/kexgexc.c
@@ -40,7 +40,6 @@ RCSID("$OpenBSD: kexgex.c,v 1.22 2002/03/24 17:27:03 stevesk Exp $");
#include "dh.h"
#include "ssh2.h"
#include "compat.h"
-#include "monitor_wrap.h"
void
kexgex_client(Kex *kex)
diff --git a/usr/src/cmd/ssh/libssh/common/kexgexs.c b/usr/src/cmd/ssh/libssh/common/kexgexs.c
index 60608d2a65..b0bd4e3272 100644
--- a/usr/src/cmd/ssh/libssh/common/kexgexs.c
+++ b/usr/src/cmd/ssh/libssh/common/kexgexs.c
@@ -40,7 +40,6 @@ RCSID("$OpenBSD: kexgex.c,v 1.22 2002/03/24 17:27:03 stevesk Exp $");
#include "dh.h"
#include "ssh2.h"
#include "compat.h"
-#include "monitor_wrap.h"
void
kexgex_server(Kex *kex)
@@ -85,7 +84,7 @@ kexgex_server(Kex *kex)
min, nbits, max);
/* Contact privileged parent */
- dh = PRIVSEP(choose_dh(min, nbits, max));
+ dh = choose_dh(min, nbits, max);
if (dh == NULL)
packet_disconnect("Protocol error: no matching DH grp found");
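Review bot: The context comment `/* Contact privileged parent */` above `dh = choose_dh(min, nbits, max);` is stale now that the PRIVSEP() wrapper is gone and the call runs in the current process. It should be removed or reworded, e.g. `/* Pick a DH group matching the requested size range */`. kexgex_server() continues outside the hunk.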
@@ -168,7 +167,7 @@ kexgex_server(Kex *kex)
/* sign H */
/* XXX hashlen depends on KEX */
- PRIVSEP(key_sign(server_host_key, &signature, &slen, hash, 20));
+ key_sign(server_host_key, &signature, &slen, hash, 20);
/* destroy_sensitive_data(); */
diff --git a/usr/src/cmd/ssh/libssh/common/kexgsss.c b/usr/src/cmd/ssh/libssh/common/kexgsss.c
index e6a6d67e61..61f3fb70f1 100644
--- a/usr/src/cmd/ssh/libssh/common/kexgsss.c
+++ b/usr/src/cmd/ssh/libssh/common/kexgsss.c
@@ -22,7 +22,7 @@
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/
/*
- * Copyright 2006 Sun Microsystems, Inc. All rights reserved.
+ * Copyright 2007 Sun Microsystems, Inc. All rights reserved.
* Use is subject to license terms.
*/
@@ -45,7 +45,6 @@
#include "dh.h"
#include "ssh2.h"
#include "ssh-gss.h"
-#include "monitor_wrap.h"
#include "auth.h"
Gssctxt *xxx_gssctxt;
@@ -127,8 +126,7 @@ kexgss_server(Kex *kex)
type);
}
- maj_status=PRIVSEP(ssh_gssapi_accept_ctx(ctxt,&recv_tok,
- &send_tok));
+ maj_status = ssh_gssapi_accept_ctx(ctxt,&recv_tok, &send_tok);
xfree(recv_tok.value); /* We allocated this, not gss */
diff --git a/usr/src/cmd/ssh/libssh/common/llib-lssh b/usr/src/cmd/ssh/libssh/common/llib-lssh
index f827580891..ed817d9385 100644
--- a/usr/src/cmd/ssh/libssh/common/llib-lssh
+++ b/usr/src/cmd/ssh/libssh/common/llib-lssh
@@ -84,10 +84,6 @@
#include <match.h>
#include <misc.h>
#include <mktemp.h>
-#include <monitor_fdpass.h>
-#include <monitor.h>
-#include <monitor_mm.h>
-#include <monitor_wrap.h>
#include <mpaux.h>
#include <msg.h>
#include <myproposal.h>
diff --git a/usr/src/cmd/ssh/libssh/common/packet.c b/usr/src/cmd/ssh/libssh/common/packet.c
index 10fbdd0895..985666a576 100644
--- a/usr/src/cmd/ssh/libssh/common/packet.c
+++ b/usr/src/cmd/ssh/libssh/common/packet.c
@@ -36,30 +36,29 @@
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/
/*
- * Copyright 2006 Sun Microsystems, Inc. All rights reserved.
+ * Copyright 2007 Sun Microsystems, Inc. All rights reserved.
* Use is subject to license terms.
*/
-#include "includes.h"
-RCSID("$OpenBSD: packet.c,v 1.97 2002/07/04 08:12:15 deraadt Exp $");
+/* $OpenBSD: packet.c,v 1.148 2007/06/07 19:37:34 pvalchev Exp $ */
#pragma ident "%Z%%M% %I% %E% SMI"
+#include "includes.h"
+
+#include "sys-queue.h"
#include "xmalloc.h"
#include "buffer.h"
#include "packet.h"
#include "bufaux.h"
#include "crc32.h"
#include "getput.h"
-
#include "compress.h"
#include "deattack.h"
#include "channels.h"
-
#include "compat.h"
#include "ssh1.h"
#include "ssh2.h"
-
#include "cipher.h"
#include "kex.h"
#include "mac.h"
@@ -127,8 +126,14 @@ static int interactive_mode = 0;
/* Session key information for Encryption and MAC */
Newkeys *newkeys[MODE_MAX];
-static u_int32_t read_seqnr = 0;
-static u_int32_t send_seqnr = 0;
+static struct packet_state {
+ u_int32_t seqnr;
+ u_int32_t packets;
+ u_int64_t blocks;
+} p_read, p_send;
+
+static u_int64_t max_blocks_in, max_blocks_out;
+static u_int32_t rekey_limit;
/* Session key for protocol v1 */
static u_char ssh1_key[SSH_SESSION_KEY_LENGTH];
@@ -137,6 +142,13 @@ static u_int ssh1_keylen;
/* roundup current message to extra_pad bytes */
static u_char extra_pad = 0;
+struct packet {
+ TAILQ_ENTRY(packet) next;
+ u_char type;
+ Buffer payload;
+};
+TAILQ_HEAD(, packet) outgoing;
+
/*
* Sets the descriptors used for communication. Disables encryption until
* packet_set_encryption_key is called.
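Review bot: `TAILQ_HEAD(, packet) outgoing;` is defined without `static`, so libssh gains a global symbol named `outgoing`, while the other state added to this file (`p_read`, `p_send`, `max_blocks_in`, `rekey_limit`) is file-local. Unless another translation unit needs it, declare it as `static TAILQ_HEAD(, packet) outgoing;`. A short comment on `struct packet` saying that it holds packets deferred while a key exchange is in progress would also help readers.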
@@ -159,6 +171,7 @@ packet_set_connection(int fd_in, int fd_out)
buffer_init(&output);
buffer_init(&outgoing_packet);
buffer_init(&incoming_packet);
+ TAILQ_INIT(&outgoing);
} else {
buffer_clear(&input);
buffer_clear(&output);
@@ -202,99 +215,6 @@ packet_connection_is_on_socket(void)
return 1;
}
-/*
- * Exports an IV from the CipherContext required to export the key
- * state back from the unprivileged child to the privileged parent
- * process.
- */
-
-void
-packet_get_keyiv(int mode, u_char *iv, u_int len)
-{
- CipherContext *cc;
-
- if (mode == MODE_OUT)
- cc = &send_context;
- else
- cc = &receive_context;
-
- cipher_get_keyiv(cc, iv, len);
-}
-
-int
-packet_get_keycontext(int mode, u_char *dat)
-{
- CipherContext *cc;
-
- if (mode == MODE_OUT)
- cc = &send_context;
- else
- cc = &receive_context;
-
- return (cipher_get_keycontext(cc, dat));
-}
-
-void
-packet_set_keycontext(int mode, u_char *dat)
-{
- CipherContext *cc;
-
- if (mode == MODE_OUT)
- cc = &send_context;
- else
- cc = &receive_context;
-
- cipher_set_keycontext(cc, dat);
-}
-
-int
-packet_get_keyiv_len(int mode)
-{
- CipherContext *cc;
-
- if (mode == MODE_OUT)
- cc = &send_context;
- else
- cc = &receive_context;
-
- return (cipher_get_keyiv_len(cc));
-}
-void
-packet_set_iv(int mode, u_char *dat)
-{
- CipherContext *cc;
-
- if (mode == MODE_OUT)
- cc = &send_context;
- else
- cc = &receive_context;
-
- cipher_set_keyiv(cc, dat);
-}
-int
-packet_get_ssh1_cipher()
-{
- return (cipher_get_number(receive_context.cipher));
-}
-
-
-u_int32_t
-packet_get_seqnr(int mode)
-{
- return (mode == MODE_IN ? read_seqnr : send_seqnr);
-}
-
-void
-packet_set_seqnr(int mode, u_int32_t seqnr)
-{
- if (mode == MODE_IN)
- read_seqnr = seqnr;
- else if (mode == MODE_OUT)
- send_seqnr = seqnr;
- else
- fatal("packet_set_seqnr: bad mode %d", mode);
-}
-
/* returns 1 if connection is via ipv4 */
int
@@ -478,21 +398,25 @@ packet_put_char(int value)
buffer_append(&outgoing_packet, &ch, 1);
}
+
void
packet_put_int(u_int value)
{
buffer_put_int(&outgoing_packet, value);
}
+
void
packet_put_string(const void *buf, u_int len)
{
buffer_put_string(&outgoing_packet, buf, len);
}
+
void
packet_put_cstring(const char *str)
{
buffer_put_cstring(&outgoing_packet, str);
}
+
void
packet_put_ascii_cstring(const char *str)
{
@@ -520,11 +444,13 @@ packet_put_raw(const void *buf, u_int len)
{
buffer_append(&outgoing_packet, buf, len);
}
+
void
packet_put_bignum(BIGNUM * value)
{
buffer_put_bignum(&outgoing_packet, value);
}
+
void
packet_put_bignum2(BIGNUM * value)
{
@@ -542,7 +468,7 @@ packet_send1(void)
u_char buf[8], *cp;
int i, padding, len;
u_int checksum;
- u_int32_t rand = 0;
+ u_int32_t rnd = 0;
/*
* If using packet compression, compress the payload of the outgoing
@@ -568,9 +494,9 @@ packet_send1(void)
cp = buffer_ptr(&outgoing_packet);
for (i = 0; i < padding; i++) {
if (i % 4 == 0)
- rand = arc4random();
- cp[7 - i] = rand & 0xff;
- rand >>= 8;
+ rnd = arc4random();
+ cp[7 - i] = rnd & 0xff;
+ rnd >>= 8;
}
}
buffer_consume(&outgoing_packet, 8 - padding);
@@ -614,31 +540,26 @@ set_newkeys(int mode)
Mac *mac;
Comp *comp;
CipherContext *cc;
- int encrypt;
+ u_int64_t *max_blocks;
+ int crypt_type;
- debug("newkeys: mode %d", mode);
+ debug2("set_newkeys: mode %d", mode);
if (mode == MODE_OUT) {
cc = &send_context;
- encrypt = CIPHER_ENCRYPT;
+ crypt_type = CIPHER_ENCRYPT;
+ p_send.packets = p_send.blocks = 0;
+ max_blocks = &max_blocks_out;
} else {
cc = &receive_context;
- encrypt = CIPHER_DECRYPT;
+ crypt_type = CIPHER_DECRYPT;
+ p_read.packets = p_read.blocks = 0;
+ max_blocks = &max_blocks_in;
}
if (newkeys[mode] != NULL) {
- debug("newkeys: rekeying");
+ debug("set_newkeys: rekeying");
cipher_cleanup(cc);
- enc = &newkeys[mode]->enc;
- mac = &newkeys[mode]->mac;
- comp = &newkeys[mode]->comp;
- memset(mac->key, 0, mac->key_len);
- xfree(enc->name);
- xfree(enc->iv);
- xfree(enc->key);
- xfree(mac->name);
- xfree(mac->key);
- xfree(comp->name);
- xfree(newkeys[mode]);
+ free_keys(newkeys[mode]);
}
newkeys[mode] = kex_get_newkeys(mode);
if (newkeys[mode] == NULL)
@@ -650,7 +571,7 @@ set_newkeys(int mode)
mac->enabled = 1;
DBG(debug("cipher_init_context: %d", mode));
cipher_init(cc, enc->cipher, enc->key, enc->key_len,
- enc->iv, enc->block_size, encrypt);
+ enc->iv, enc->block_size, crypt_type);
/* Deleting the keys does not gain extra security */
/* memset(enc->iv, 0, enc->block_size);
memset(enc->key, 0, enc->key_len); */
@@ -662,19 +583,74 @@ set_newkeys(int mode)
buffer_compress_init_recv();
comp->enabled = 1;
}
+
+ /*
+ * In accordance to the RFCs listed below we enforce the key
+ * re-exchange for:
+ *
+ * - every 1GB of transmitted data if the selected cipher block size
+ * is less than 16 bytes (3DES, Blowfish)
+ * - every 2^(2*B) cipher blocks transmitted (B is block size in bytes)
+ * if the cipher block size is greater than or equal to 16 bytes (AES)
+ * - and we never send more than 2^32 SSH packets using the same keys.
+ * The recommendation of 2^31 packets is not enforced here but in
+ * packet_need_rekeying(). There is also a hard check in
+ * packet_send2_wrapped() that we don't send more than 2^32 packets.
+ *
+ * Note that if the SSH_BUG_NOREKEY compatibility flag is set then no
+ * automatic rekeying is performed nor do we enforce the 3rd rule.
+ * This means that we can be always forced by the opposite side to never
+ * initiate automatic key re-exchange. This might change in the future.
+ *
+ * The RekeyLimit option keyword may only enforce more frequent key
+ * renegotiation, never less. For more information on key renegotiation,
+ * see:
+ *
+ * - RFC 4253 (SSH Transport Layer Protocol), section "9. Key
+ * Re-Exchange"
+ * - RFC 4344 (SSH Transport Layer Encryption Modes), sections "3.
+ * Rekeying" and "6.1 Rekeying Considerations"
+ */
+ if (enc->block_size >= 16)
+ *max_blocks = (u_int64_t)1 << (enc->block_size * 2);
+ else
+ *max_blocks = ((u_int64_t)1 << 30) / enc->block_size;
+
+ if (rekey_limit)
+ *max_blocks = MIN(*max_blocks, rekey_limit / enc->block_size);
+}
+
+void
+free_keys(Newkeys *keys)
+{
+ Enc *enc;
+ Mac *mac;
+ Comp *comp;
+
+ enc = &keys->enc;
+ mac = &keys->mac;
+ comp = &keys->comp;
+ memset(mac->key, 0, mac->key_len);
+ xfree(enc->name);
+ xfree(enc->iv);
+ xfree(enc->key);
+ xfree(mac->name);
+ xfree(mac->key);
+ xfree(comp->name);
+ xfree(keys);
}
/*
* Finalize packet in SSH2 format (compress, mac, encrypt, enqueue)
*/
static void
-packet_send2(void)
+packet_send2_wrapped(void)
{
u_char type, *cp, *macbuf = NULL;
u_char padlen, pad;
u_int packet_length = 0;
u_int i, len;
- u_int32_t rand = 0;
+ u_int32_t rnd = 0;
Enc *enc = NULL;
Mac *mac = NULL;
Comp *comp = NULL;
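Review bot: `free_keys()` clears only the MAC key (`memset(mac->key, 0, mac->key_len);`), while `enc->key` and `enc->iv` are passed to `xfree()` with their contents intact, so cipher key material from the previous keys stays in freed heap memory on every rekey. Since the helper is now the single place where old keys are released, add `memset(enc->key, 0, enc->key_len);` and `memset(enc->iv, 0, enc->block_size);` before the frees. A plain memset directly before a free can be removed by the optimizer, so a non-elidable clearing routine is preferable if the tree provides one. The function also needs a header comment stating that it takes ownership of `keys` and that `keys` must not be NULL.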
@@ -733,9 +709,9 @@ packet_send2(void)
/* random padding */
for (i = 0; i < padlen; i++) {
if (i % 4 == 0)
- rand = arc4random();
- cp[i] = rand & 0xff;
- rand >>= 8;
+ rnd = arc4random();
+ cp[i] = rnd & 0xff;
+ rnd >>= 8;
}
} else {
/* clear padding */
@@ -750,10 +726,10 @@ packet_send2(void)
/* compute MAC over seqnr and packet(length fields, payload, padding) */
if (mac && mac->enabled) {
- macbuf = mac_compute(mac, send_seqnr,
+ macbuf = mac_compute(mac, p_send.seqnr,
buffer_ptr(&outgoing_packet),
buffer_len(&outgoing_packet));
- DBG(debug("done calc MAC out #%d", send_seqnr));
+ DBG(debug("done calc MAC out #%d", p_send.seqnr));
}
/* encrypt packet and append to output buffer. */
cp = buffer_append_space(&output, buffer_len(&outgoing_packet));
@@ -767,8 +743,25 @@ packet_send2(void)
buffer_dump(&output);
#endif
/* increment sequence number for outgoing packets */
- if (++send_seqnr == 0)
+ if (++p_send.seqnr == 0)
log("outgoing seqnr wraps around");
+
+ /*
+ * RFC 4344: 3.1. First Rekeying Recommendation
+ *
+ * "Because of possible information leakage through the MAC tag after a
+ * key exchange, .... an SSH implementation SHOULD NOT send more than
+ * 2**32 packets before rekeying again."
+ *
+ * The code below is a hard check so that we are sure we don't go across
+ * the suggestion. However, since the largest cipher block size we have
+ * (AES) is 16 bytes we can't reach 2^32 SSH packets encrypted with the
+ * same key while performing periodic rekeying.
+ */
+ if (++p_send.packets == 0)
+ if (!(datafellows & SSH_BUG_NOREKEY))
+ fatal("too many packets encrypted with same key");
+ p_send.blocks += (packet_length + 4) / block_size;
buffer_clear(&outgoing_packet);
if (type == SSH2_MSG_NEWKEYS)
@@ -779,6 +772,51 @@ packet_send2(void)
set_newkeys(MODE_OUT);
}
+static void
+packet_send2(void)
+{
+ static int rekeying = 0;
+ struct packet *p;
+ u_char type, *cp;
+
+ cp = buffer_ptr(&outgoing_packet);
+ type = cp[5];
+
+ /* during rekeying we can only send key exchange messages */
+ if (rekeying) {
+ if (!((type >= SSH2_MSG_TRANSPORT_MIN) &&
+ (type <= SSH2_MSG_TRANSPORT_MAX))) {
+ debug("enqueue packet: %u", type);
+ p = xmalloc(sizeof(*p));
+ p->type = type;
+ memcpy(&p->payload, &outgoing_packet, sizeof(Buffer));
+ buffer_init(&outgoing_packet);
+ TAILQ_INSERT_TAIL(&outgoing, p, next);
+ return;
+ }
+ }
+
+ /* rekeying starts with sending KEXINIT */
+ if (type == SSH2_MSG_KEXINIT)
+ rekeying = 1;
+
+ packet_send2_wrapped();
+
+ /* after a NEWKEYS message we can send the complete queue */
+ if (type == SSH2_MSG_NEWKEYS) {
+ rekeying = 0;
+ while ((p = TAILQ_FIRST(&outgoing)) != NULL) {
+ type = p->type;
+ debug("dequeue packet: %u", type);
+ buffer_free(&outgoing_packet);
+ memcpy(&outgoing_packet, &p->payload, sizeof(Buffer));
+ TAILQ_REMOVE(&outgoing, p, next);
+ xfree(p);
+ packet_send2_wrapped();
+ }
+ }
+}
+
void
packet_send(void)
{
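Review bot: While `rekeying` is set, every non-transport packet is `xmalloc`'ed and appended to `outgoing` with no upper bound, and the flag is cleared only when this side sends SSH2_MSG_NEWKEYS, so if a key exchange stalls the queue grows for as long as callers keep producing packets. Whether callers throttle during a rekey is not visible here, so either document that assumption above packet_send2() or cap the queue and disconnect when the cap is exceeded. The `memcpy(&p->payload, &outgoing_packet, sizeof(Buffer))` followed by `buffer_init(&outgoing_packet)` is an ownership transfer by struct copy and deserves a one-line comment, e.g. `/* payload now owns the buffer storage; start a fresh outgoing_packet */`.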
@@ -1003,7 +1041,7 @@ packet_read_poll2(u_int32_t *seqnr_p)
buffer_dump(&incoming_packet);
packet_disconnect("Bad packet length %d.", packet_length);
}
- DBG(debug("input: packet len %d", packet_length+4));
+ DBG(debug("input: packet len %u", packet_length + 4));
buffer_consume(&input, block_size);
}
/* we have a partial packet of block_size bytes */
@@ -1031,19 +1069,25 @@ packet_read_poll2(u_int32_t *seqnr_p)
* increment sequence number for incoming packet
*/
if (mac && mac->enabled) {
- macbuf = mac_compute(mac, read_seqnr,
+ macbuf = mac_compute(mac, p_read.seqnr,
buffer_ptr(&incoming_packet),
buffer_len(&incoming_packet));
if (memcmp(macbuf, buffer_ptr(&input), mac->mac_len) != 0)
packet_disconnect("Corrupted MAC on input.");
- DBG(debug("MAC #%d ok", read_seqnr));
+ DBG(debug("MAC #%d ok", p_read.seqnr));
buffer_consume(&input, mac->mac_len);
}
if (seqnr_p != NULL)
- *seqnr_p = read_seqnr;
- if (++read_seqnr == 0)
+ *seqnr_p = p_read.seqnr;
+ if (++p_read.seqnr == 0)
log("incoming seqnr wraps around");
+ /* see above for the comment on "First Rekeying Recommendation" */
+ if (++p_read.packets == 0)
+ if (!(datafellows & SSH_BUG_NOREKEY))
+ fatal("too many packets with same key");
+ p_read.blocks += (packet_length + 4) / block_size;
+
/* get padlen */
cp = buffer_ptr(&incoming_packet);
padlen = cp[4];
@@ -1518,7 +1562,7 @@ packet_add_padding(u_char pad)
void
packet_send_ignore(int nbytes)
{
- u_int32_t rand = 0;
+ u_int32_t rnd = 0;
int i;
#ifdef ALTPRIVSEP
@@ -1531,12 +1575,31 @@ packet_send_ignore(int nbytes)
packet_put_int(nbytes);
for (i = 0; i < nbytes; i++) {
if (i % 4 == 0)
- rand = arc4random();
- packet_put_char(rand & 0xff);
- rand >>= 8;
+ rnd = arc4random();
+ packet_put_char((u_char)rnd & 0xff);
+ rnd >>= 8;
}
}
+#define MAX_PACKETS (1U<<31)
+int
+packet_need_rekeying(void)
+{
+ if (datafellows & SSH_BUG_NOREKEY)
+ return 0;
+ return
+ (p_send.packets > MAX_PACKETS) ||
+ (p_read.packets > MAX_PACKETS) ||
+ (max_blocks_out && (p_send.blocks > max_blocks_out)) ||
+ (max_blocks_in && (p_read.blocks > max_blocks_in));
+}
+
+void
+packet_set_rekey_limit(u_int32_t bytes)
+{
+ rekey_limit = bytes;
+}
+
#ifdef ALTPRIVSEP
void
packet_set_server(void)
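Review bot: `packet_need_rekeying()` and `packet_set_rekey_limit()` are added without any comment, and the relation between `rekey_limit` (a byte count) and the `max_blocks_in`/`max_blocks_out` values tested here is not visible in this hunk. A header comment such as `/* Non-zero once either direction has passed MAX_PACKETS packets or its block limit; always 0 for SSH_BUG_NOREKEY peers, which keep one key for the whole session. */` would make the policy explicit. For the setter, `/* Byte limit per key; presumably turned into max_blocks_* when new keys are installed - confirm. */` would tell callers when the value takes effect. A short comment on why `MAX_PACKETS` is `1U<<31` would help as well.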
diff --git a/usr/src/cmd/ssh/libssh/common/readconf.c b/usr/src/cmd/ssh/libssh/common/readconf.c
index 86caa54913..e08ff1e0b0 100644
--- a/usr/src/cmd/ssh/libssh/common/readconf.c
+++ b/usr/src/cmd/ssh/libssh/common/readconf.c
@@ -129,7 +129,8 @@ typedef enum {
oClearAllForwardings, oNoHostAuthenticationForLocalhost,
oFallBackToRsh, oUseRsh, oConnectTimeout, oHashKnownHosts,
oServerAliveInterval, oServerAliveCountMax, oDisableBanner,
- oIgnoreIfUnknown, oDeprecated
+ oIgnoreIfUnknown, oRekeyLimit,
+ oDeprecated
} OpCodes;
/* Textual representations of the tokens. */
@@ -215,6 +216,7 @@ static struct {
{ "smartcarddevice", oSmartcardDevice },
{ "clearallforwardings", oClearAllForwardings },
{ "nohostauthenticationforlocalhost", oNoHostAuthenticationForLocalhost },
+ { "rekeylimit", oRekeyLimit },
{ "connecttimeout", oConnectTimeout },
{ "serveraliveinterval", oServerAliveInterval },
{ "serveralivecountmax", oServerAliveCountMax },
@@ -318,7 +320,8 @@ process_config_line(Options *options, const char *host,
int *activep)
{
char *s, *string, **charptr, *endofnumber, *keyword, *arg, *arg2, fwdarg[256];
- int opcode, *intptr, value, i;
+ int opcode, *intptr, value, scale, i;
+ long long orig, val64;
StoredOption *so;
Forward fwd;
@@ -530,6 +533,44 @@ parse_flag:
intptr = &options->compression_level;
goto parse_int;
+ case oRekeyLimit:
+ arg = strdelim(&s);
+ if (!arg || *arg == '\0')
+ fatal("%.200s line %d: Missing argument.", filename, linenum);
+ if (arg[0] < '0' || arg[0] > '9')
+ fatal("%.200s line %d: Bad number.", filename, linenum);
+ orig = val64 = strtoll(arg, &endofnumber, 10);
+ if (arg == endofnumber)
+ fatal("%.200s line %d: Bad number.", filename, linenum);
+ switch (toupper(*endofnumber)) {
+ case '\0':
+ scale = 1;
+ break;
+ case 'K':
+ scale = 1<<10;
+ break;
+ case 'M':
+ scale = 1<<20;
+ break;
+ case 'G':
+ scale = 1<<30;
+ break;
+ default:
+ fatal("%.200s line %d: Invalid RekeyLimit suffix",
+ filename, linenum);
+ }
+ val64 *= scale;
+ /* detect integer wrap and too-large limits */
+ if ((val64 / scale) != orig || val64 > UINT_MAX)
+ fatal("%.200s line %d: RekeyLimit too large",
+ filename, linenum);
+ if (val64 < 16)
+ fatal("%.200s line %d: RekeyLimit too small",
+ filename, linenum);
+ if (*activep && options->rekey_limit == -1)
+ options->rekey_limit = (u_int32_t)val64;
+ break;
+
case oIdentityFile:
arg = strdelim(&s);
if (!arg || *arg == '\0')
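Review bot: The wrap check in the `oRekeyLimit` case runs after `val64 *= scale`, and overflow of a signed `long long` is undefined, so the `(val64 / scale) != orig` test cannot be relied on for very large inputs; comparing before the multiplication avoids that, e.g. `if (orig > UINT_MAX / scale) fatal("%.200s line %d: RekeyLimit too large", filename, linenum);`. The suffix test looks only at `*endofnumber`, so an argument such as `1Kx` (constructed example) is accepted with the trailing text ignored; after a K/M/G suffix, `endofnumber[1] != '\0'` should be rejected too, and `toupper()` should be given `(unsigned char)*endofnumber`. The declared type of `options->rekey_limit` is not visible here, but it is compared with `-1`, so if it is a signed `int` a value above `INT_MAX` stored through `(u_int32_t)val64` would read back negative, which is worth confirming against readconf.h. process_config_line's body starts and ends outside this hunk.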
@@ -938,7 +979,8 @@ initialize_options(Options * options)
options->preferred_authentications = NULL;
options->bind_address = NULL;
options->smartcard_device = NULL;
- options->no_host_authentication_for_localhost = - 1;
+ options->no_host_authentication_for_localhost = -1;
+ options->rekey_limit = -1;
options->fallback_to_rsh = -1;
options->use_rsh = -1;
options->server_alive_interval = -1;
@@ -1077,11 +1119,13 @@ fill_default_options(Options * options)
options->log_level = SYSLOG_LEVEL_INFO;
if (options->clear_forwardings == 1)
clear_forwardings(options);
- if (options->no_host_authentication_for_localhost == - 1)
+ if (options->no_host_authentication_for_localhost == -1)
options->no_host_authentication_for_localhost = 0;
- if (options->fallback_to_rsh == - 1)
+ if (options->rekey_limit == -1)
+ options->rekey_limit = 0;
+ if (options->fallback_to_rsh == -1)
options->fallback_to_rsh = 0;
- if (options->use_rsh == - 1)
+ if (options->use_rsh == -1)
options->use_rsh = 0;
if (options->server_alive_interval == -1)
options->server_alive_interval = 0;
diff --git a/usr/src/cmd/ssh/libssh/common/ssh-gss.c b/usr/src/cmd/ssh/libssh/common/ssh-gss.c
index 17af3f0c41..fcf8e11b51 100644
--- a/usr/src/cmd/ssh/libssh/common/ssh-gss.c
+++ b/usr/src/cmd/ssh/libssh/common/ssh-gss.c
@@ -21,7 +21,7 @@
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/
/*
- * Copyright 2006 Sun Microsystems, Inc. All rights reserved.
+ * Copyright 2007 Sun Microsystems, Inc. All rights reserved.
* Use is subject to license terms.
*/
@@ -44,7 +44,6 @@
#include "log.h"
#include "compat.h"
#include "xlist.h"
-#include "monitor_wrap.h"
#include <netdb.h>
@@ -523,13 +522,17 @@ void ssh_gssapi_set_oid(Gssctxt *ctx, gss_OID oid) {
/* All this effort to report an error ... */
void
-ssh_gssapi_error(Gssctxt *ctxt, const char *where) {
- if (where)
- debug("GSS-API error while %s: %s", where,
- ssh_gssapi_last_error(ctxt,NULL,NULL));
+ssh_gssapi_error(Gssctxt *ctxt, const char *where)
+{
+ char *errmsg = ssh_gssapi_last_error(ctxt, NULL, NULL);
+
+ if (where != NULL)
+ debug("GSS-API error while %s: %s", where, errmsg);
else
- debug("GSS-API error: %s",
- ssh_gssapi_last_error(ctxt,NULL,NULL));
+ debug("GSS-API error: %s", errmsg);
+
+ /* ssh_gssapi_last_error() can't return NULL */
+ xfree(errmsg);
}
char *
diff --git a/usr/src/cmd/ssh/libssh/common/xlist.c b/usr/src/cmd/ssh/libssh/common/xlist.c
index 45a5611510..c44e420eeb 100644
--- a/usr/src/cmd/ssh/libssh/common/xlist.c
+++ b/usr/src/cmd/ssh/libssh/common/xlist.c
@@ -1,7 +1,7 @@
- /*
- * Copyright 2003 Sun Microsystems, Inc. All rights reserved.
- * Use is subject to license terms.
- */
+/*
+ * Copyright 2007 Sun Microsystems, Inc. All rights reserved.
+ * Use is subject to license terms.
+ */
#pragma ident "%Z%%M% %I% %E% SMI"
@@ -13,66 +13,73 @@
char **
xsplit(char *list, char sep)
{
- char **a;
- char *p, *q;
- u_int n = 0;
+ char **a;
+ char *p, *q;
+ uint_t n = 0;
- for (n = 0, p = list ; p && *p ; ) {
- while (p && *p && *p == sep) p++;
- if (!*p) break;
- n++;
- p = strchr(p, sep);
- }
- a = (char **) xmalloc(sizeof(char *) * (n + 2));
- for (n = 0, p = list ; p && *p ; ) {
- while (*p == sep) p++;
- if (!*p) break;
- q = strchr(p, sep);
- if (!q)
- q = p + strlen(p);
- a[n] = (char *) xmalloc((q - p + 2));
- (void) strncpy(a[n], p, q - p);
- a[n][q - p] = '\0';
- n++;
- if (!*q) break;
- p = q+1;
- }
- a[n] = NULL;
- return a;
+ for (n = 0, p = list; p && *p; ) {
+ while (p && *p && *p == sep)
+ p++;
+ if (!*p)
+ break;
+ n++;
+ p = strchr(p, sep);
+ }
+ a = (char **)xmalloc(sizeof (char *) * (n + 2));
+ for (n = 0, p = list; p && *p; ) {
+ while (*p == sep)
+ p++;
+ if (!*p)
+ break;
+ q = strchr(p, sep);
+ if (!q)
+ q = p + strlen(p);
+ a[n] = (char *)xmalloc((q - p + 2));
+ (void) strncpy(a[n], p, q - p);
+ a[n][q - p] = '\0';
+ n++;
+ if (!*q)
+ break;
+ p = q + 1;
+ }
+ a[n] = NULL;
+ return (a);
}
void
xfree_split_list(char **list)
{
- char **p;
- for (p = list ; p && *p ; p++) {
- xfree(*p);
- }
- xfree(list);
+ char **p;
+ for (p = list; p && *p; p++) {
+ xfree(*p);
+ }
+ xfree(list);
}
char *
xjoin(char **alist, char sep)
{
- char **p;
- char *list;
- char sep_str[2];
- u_int n;
+ char **p;
+ char *list;
+ char sep_str[2];
+ uint_t n;
- for (n = 1, p = alist ; p && *p ; p++) {
- if (!*p || !**p) continue;
- n += strlen(*p) + 1;
- }
- list = (char *) xmalloc(n);
- *list = '\0';
+ for (n = 1, p = alist; p && *p; p++) {
+ if (!*p || !**p)
+ continue;
+ n += strlen(*p) + 1;
+ }
+ list = (char *)xmalloc(n);
+ *list = '\0';
- sep_str[0] = sep;
- sep_str[1] = '\0';
- for (p = alist ; p && *p ; p++) {
- if (!*p || !**p) continue;
- if (*list != '\0')
- (void) strlcat(list, sep_str, n);
- (void) strlcat(list, *p, n);
- }
- return list;
+ sep_str[0] = sep;
+ sep_str[1] = '\0';
+ for (p = alist; p && *p; p++) {
+ if (!*p || !**p)
+ continue;
+ if (*list != '\0')
+ (void) strlcat(list, sep_str, n);
+ (void) strlcat(list, *p, n);
+ }
+ return (list);
}
diff --git a/usr/src/cmd/ssh/ssh/clientloop.c b/usr/src/cmd/ssh/ssh/clientloop.c
index 6485414a57..5929b7b6e0 100644
--- a/usr/src/cmd/ssh/ssh/clientloop.c
+++ b/usr/src/cmd/ssh/ssh/clientloop.c
@@ -1176,9 +1176,8 @@ client_loop(int have_pty, int escape_char_arg, int ssh2_chan_id)
/* Do channel operations unless rekeying in progress. */
if (!rekeying) {
channel_after_select(readset, writeset);
-
- if (need_rekeying) {
- debug("user requests rekeying");
+ if (need_rekeying || packet_need_rekeying()) {
+ debug("need rekeying");
xxx_kex->done = 0;
kex_send_kexinit(xxx_kex);
need_rekeying = 0;
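Review bot: The debug message no longer says why a rekey starts: `debug("need rekeying")` covers both the user's request and the new `packet_need_rekeying()` limit. Keeping the two apart helps when diagnosing unexpected rekeys, e.g. `debug(need_rekeying ? "user requests rekeying" : "rekey limit reached");`. client_loop's body starts and ends outside this hunk.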
diff --git a/usr/src/cmd/ssh/ssh/gss-clnt.c b/usr/src/cmd/ssh/ssh/gss-clnt.c
index da65fe4666..3d536da7a6 100644
--- a/usr/src/cmd/ssh/ssh/gss-clnt.c
+++ b/usr/src/cmd/ssh/ssh/gss-clnt.c
@@ -21,7 +21,7 @@
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/
/*
- * Copyright 2004 Sun Microsystems, Inc. All rights reserved.
+ * Copyright 2007 Sun Microsystems, Inc. All rights reserved.
* Use is subject to license terms.
*/
@@ -43,7 +43,6 @@
#include "kex.h"
#include "log.h"
#include "compat.h"
-#include "monitor_wrap.h"
#include <netdb.h>
@@ -72,6 +71,7 @@ ssh_gssapi_client_mechs(const char *server_host, gss_OID_set *mechs)
gss_buffer_desc tok;
OM_uint32 maj, min;
int i;
+ char *errmsg;
if (!mechs)
return;
@@ -85,8 +85,9 @@ ssh_gssapi_client_mechs(const char *server_host, gss_OID_set *mechs)
maj = gss_create_empty_oid_set(&min, &supported);
if (GSS_ERROR(maj)) {
- debug("Failed to allocate resources (%s) for GSS-API",
- ssh_gssapi_last_error(NULL, &maj, &min));
+ errmsg = ssh_gssapi_last_error(NULL, &maj, &min);
+ debug("Failed to allocate resources (%s) for GSS-API", errmsg);
+ xfree(errmsg);
(void) gss_release_oid_set(&min, &indicated);
return;
}
@@ -94,9 +95,10 @@ ssh_gssapi_client_mechs(const char *server_host, gss_OID_set *mechs)
GSS_C_INITIATE, &creds, &acquired, NULL);
if (GSS_ERROR(maj)) {
+ errmsg = ssh_gssapi_last_error(NULL, &maj, &min);
debug("Failed to acquire GSS-API credentials for any "
- "mechanisms (%s)",
- ssh_gssapi_last_error(NULL, &maj, &min));
+ "mechanisms (%s)", errmsg);
+ xfree(errmsg);
(void) gss_release_oid_set(&min, &indicated);
(void) gss_release_oid_set(&min, &supported);
return;
@@ -125,18 +127,22 @@ ssh_gssapi_client_mechs(const char *server_host, gss_OID_set *mechs)
maj = ssh_gssapi_init_ctx(ctxt, server_host, 0,
NULL, &tok);
if (GSS_ERROR(maj)) {
+ errmsg = ssh_gssapi_last_error(ctxt, NULL, NULL);
debug("Skipping GSS-API mechanism %s (%s)",
- ssh_gssapi_oid_to_name(mech),
- ssh_gssapi_last_error(ctxt, NULL, NULL));
+ ssh_gssapi_oid_to_name(mech), errmsg);
+ xfree(errmsg);
continue;
}
(void) gss_release_buffer(&min, &tok);
maj = gss_add_oid_set_member(&min, mech, &supported);
- if (GSS_ERROR(maj))
+ if (GSS_ERROR(maj)) {
+ errmsg = ssh_gssapi_last_error(NULL, &maj, &min);
debug("Failed to allocate resources (%s) for GSS-API",
- ssh_gssapi_last_error(NULL, &maj, &min));
+ errmsg);
+ xfree(errmsg);
+ }
}
*mechs = supported;
diff --git a/usr/src/cmd/ssh/ssh/sshconnect2.c b/usr/src/cmd/ssh/ssh/sshconnect2.c
index 5b2901ee32..9b95a15f2c 100644
--- a/usr/src/cmd/ssh/ssh/sshconnect2.c
+++ b/usr/src/cmd/ssh/ssh/sshconnect2.c
@@ -137,6 +137,9 @@ ssh_kex2(char *host, struct sockaddr *hostaddr)
myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] =
options.hostkeyalgorithms;
+ if (options.rekey_limit)
+ packet_set_rekey_limit((u_int32_t)options.rekey_limit);
+
if (datafellows & SSH_BUG_LOCALES_NOT_LANGTAGS) {
char *locale = setlocale(LC_ALL, "");
diff --git a/usr/src/cmd/ssh/sshd/Makefile b/usr/src/cmd/ssh/sshd/Makefile
index 9999f6feff..51392676fb 100644
--- a/usr/src/cmd/ssh/sshd/Makefile
+++ b/usr/src/cmd/ssh/sshd/Makefile
@@ -60,8 +60,6 @@ OBJS = sshd.o \
gss-serv.o \
loginrec.o \
md5crypt.o \
- monitor.o \
- monitor_mm.o \
servconf.o \
serverloop.o \
session.o \
diff --git a/usr/src/cmd/ssh/sshd/altprivsep.c b/usr/src/cmd/ssh/sshd/altprivsep.c
index e3636efeb7..c2c0a17e8b 100644
--- a/usr/src/cmd/ssh/sshd/altprivsep.c
+++ b/usr/src/cmd/ssh/sshd/altprivsep.c
@@ -2,9 +2,8 @@
* CDDL HEADER START
*
* The contents of this file are subject to the terms of the
- * Common Development and Distribution License, Version 1.0 only
- * (the "License"). You may not use this file except in compliance
- * with the License.
+ * Common Development and Distribution License (the "License").
+ * You may not use this file except in compliance with the License.
*
* You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
* or http://www.opensolaris.org/os/licensing.
@@ -19,7 +18,7 @@
*
* CDDL HEADER END
*
- * Copyright 2005 Sun Microsystems, Inc. All rights reserved.
+ * Copyright 2007 Sun Microsystems, Inc. All rights reserved.
* Use is subject to license terms.
*/
@@ -235,7 +234,7 @@ altprivsep_start_monitor(Authctxt *authctxt)
if (fcntl(pipe_fd, F_SETFL, O_NONBLOCK) < 0)
error("fcntl O_NONBLOCK: %.100s", strerror(errno));
- /* signal readyness of monitor */
+ /* signal readiness of monitor */
(void) write(pipe_fd, &pid, sizeof (pid));
aps_started = 1;
@@ -583,6 +582,7 @@ aps_send_newkeys(void)
packet_put_cstring(comp->name);
packet_send();
+ free_keys(newkeys);
}
struct _aps_login_rec {
diff --git a/usr/src/cmd/ssh/sshd/auth-bsdauth.c b/usr/src/cmd/ssh/sshd/auth-bsdauth.c
index e6ea549620..090fa0ef39 100644
--- a/usr/src/cmd/ssh/sshd/auth-bsdauth.c
+++ b/usr/src/cmd/ssh/sshd/auth-bsdauth.c
@@ -30,7 +30,6 @@ RCSID("$OpenBSD: auth-bsdauth.c,v 1.5 2002/06/30 21:59:45 deraadt Exp $");
#include "xmalloc.h"
#include "auth.h"
#include "log.h"
-#include "monitor_wrap.h"
static void *
bsdauth_init_ctx(Authctxt *authctxt)
diff --git a/usr/src/cmd/ssh/sshd/auth-options.c b/usr/src/cmd/ssh/sshd/auth-options.c
index 37930663f6..b186cbe045 100644
--- a/usr/src/cmd/ssh/sshd/auth-options.c
+++ b/usr/src/cmd/ssh/sshd/auth-options.c
@@ -22,7 +22,6 @@ RCSID("$OpenBSD: auth-options.c,v 1.26 2002/07/30 17:03:55 markus Exp $");
#include "auth-options.h"
#include "servconf.h"
#include "misc.h"
-#include "monitor_wrap.h"
#include "auth.h"
/* Flags set authorized_keys flags */
@@ -282,8 +281,7 @@ next_option:
/* Process the next option. */
}
- if (!use_privsep)
- auth_debug_send();
+ auth_debug_send();
/* grant access */
return 1;
@@ -294,8 +292,7 @@ bad_option:
auth_debug_add("Bad options in %.100s file, line %lu: %.50s",
file, linenum, opts);
- if (!use_privsep)
- auth_debug_send();
+ auth_debug_send();
/* deny access */
return 0;
diff --git a/usr/src/cmd/ssh/sshd/auth-pam.c b/usr/src/cmd/ssh/sshd/auth-pam.c
index a666edfa87..6763035a72 100644
--- a/usr/src/cmd/ssh/sshd/auth-pam.c
+++ b/usr/src/cmd/ssh/sshd/auth-pam.c
@@ -39,14 +39,12 @@
#include "compat.h"
#include "misc.h"
#include "sshlogin.h"
-#include "monitor_wrap.h"
+#include "ssh-gss.h"
#include <security/pam_appl.h>
extern char *__progname;
-extern int use_privsep;
-
extern u_int utmp_len;
extern ServerOptions options;
@@ -58,8 +56,6 @@ RCSID("$Id: auth-pam.c,v 1.54 2002/07/28 20:24:08 stevesk Exp $");
#define NEW_AUTHTOK_MSG \
"Warning: Your password has expired, please change it now."
-#define NEW_AUTHTOK_MSG_PRIVSEP \
- "Your password has expired, the session cannot proceed."
/* PAM conversation for non-interactive userauth methods */
static int do_pam_conversation(int num_msg, const struct pam_message **msg,
@@ -282,7 +278,7 @@ finish_userauth_do_pam(Authctxt *authctxt)
if (strcmp(user, authctxt->user) != 0) {
log("PAM changed the SSH username");
pwfree(&authctxt->pw);
- authctxt->pw = PRIVSEP(getpwnamallow(user));
+ authctxt->pw = getpwnamallow(user);
authctxt->valid = (authctxt->pw != NULL);
xfree(authctxt->user);
authctxt->user = xstrdup(user);
diff --git a/usr/src/cmd/ssh/sshd/auth-rh-rsa.c b/usr/src/cmd/ssh/sshd/auth-rh-rsa.c
index c6c9060c06..ab10e1738a 100644
--- a/usr/src/cmd/ssh/sshd/auth-rh-rsa.c
+++ b/usr/src/cmd/ssh/sshd/auth-rh-rsa.c
@@ -27,8 +27,6 @@ RCSID("$OpenBSD: auth-rh-rsa.c,v 1.34 2002/03/25 09:25:06 markus Exp $");
#include "auth.h"
#include "canohost.h"
-#include "monitor_wrap.h"
-
/* import */
extern ServerOptions options;
@@ -68,7 +66,7 @@ auth_rhosts_rsa(struct passwd *pw, char *cuser, Key *client_host_key)
chost = (char *)get_canonical_hostname(options.verify_reverse_mapping);
debug("Rhosts RSA authentication: canonical host %.900s", chost);
- if (!PRIVSEP(auth_rhosts_rsa_key_allowed(pw, cuser, chost, client_host_key))) {
+ if (!auth_rhosts_rsa_key_allowed(pw, cuser, chost, client_host_key)) {
debug("Rhosts with RSA host authentication denied: unknown or invalid host key");
packet_send_debug("Your host key cannot be verified: unknown or invalid host key.");
return 0;
diff --git a/usr/src/cmd/ssh/sshd/auth-rhosts.c b/usr/src/cmd/ssh/sshd/auth-rhosts.c
index 0b0d44a56f..2326eef8ae 100644
--- a/usr/src/cmd/ssh/sshd/auth-rhosts.c
+++ b/usr/src/cmd/ssh/sshd/auth-rhosts.c
@@ -28,7 +28,6 @@ RCSID("$OpenBSD: auth-rhosts.c,v 1.28 2002/05/13 21:26:49 markus Exp $");
/* import */
extern ServerOptions options;
-extern int use_privsep;
/*
* This function processes an rhosts-style file (.rhosts, .shosts, or
@@ -295,7 +294,6 @@ auth_rhosts2(struct passwd *pw, const char *client_user, const char *hostname,
auth_debug_reset();
ret = auth_rhosts2_raw(pw, client_user, hostname, ipaddr);
- if (!use_privsep)
- auth_debug_send();
+ auth_debug_send();
return ret;
}
diff --git a/usr/src/cmd/ssh/sshd/auth-rsa.c b/usr/src/cmd/ssh/sshd/auth-rsa.c
index a4896f20e1..3e0e6ea50d 100644
--- a/usr/src/cmd/ssh/sshd/auth-rsa.c
+++ b/usr/src/cmd/ssh/sshd/auth-rsa.c
@@ -34,7 +34,6 @@ RCSID("$OpenBSD: auth-rsa.c,v 1.56 2002/06/10 16:53:06 stevesk Exp $");
#include "servconf.h"
#include "auth.h"
#include "hostfile.h"
-#include "monitor_wrap.h"
#include "ssh.h"
/* import */
@@ -124,7 +123,7 @@ auth_rsa_challenge_dialog(Key *key)
if ((encrypted_challenge = BN_new()) == NULL)
fatal("auth_rsa_challenge_dialog: BN_new() failed");
- challenge = PRIVSEP(auth_rsa_generate_challenge(key));
+ challenge = auth_rsa_generate_challenge(key);
/* Encrypt the challenge with the public key. */
rsa_public_encrypt(encrypted_challenge, challenge, key->rsa);
@@ -142,7 +141,7 @@ auth_rsa_challenge_dialog(Key *key)
response[i] = packet_get_char();
packet_check_eom();
- success = PRIVSEP(auth_rsa_verify_response(key, challenge, response));
+ success = auth_rsa_verify_response(key, challenge, response);
BN_clear_free(challenge);
return (success);
}
@@ -295,7 +294,7 @@ auth_rsa(struct passwd *pw, BIGNUM *client_n)
if (pw == NULL)
return 0;
- if (!PRIVSEP(auth_rsa_key_allowed(pw, client_n, &key))) {
+ if (!auth_rsa_key_allowed(pw, client_n, &key)) {
auth_clear_options();
return (0);
}
diff --git a/usr/src/cmd/ssh/sshd/auth-skey.c b/usr/src/cmd/ssh/sshd/auth-skey.c
index 67ed5a6434..436f66aed8 100644
--- a/usr/src/cmd/ssh/sshd/auth-skey.c
+++ b/usr/src/cmd/ssh/sshd/auth-skey.c
@@ -32,7 +32,6 @@ RCSID("$OpenBSD: auth-skey.c,v 1.20 2002/06/30 21:59:45 deraadt Exp $");
#include "xmalloc.h"
#include "auth.h"
-#include "monitor_wrap.h"
static void *
skey_init_ctx(Authctxt *authctxt)
diff --git a/usr/src/cmd/ssh/sshd/auth1.c b/usr/src/cmd/ssh/sshd/auth1.c
index a797962fc8..0eed0c90c8 100644
--- a/usr/src/cmd/ssh/sshd/auth1.c
+++ b/usr/src/cmd/ssh/sshd/auth1.c
@@ -9,7 +9,7 @@
* called by a name other than "ssh" or "Secure Shell".
*/
/*
- * Copyright 2004 Sun Microsystems, Inc. All rights reserved.
+ * Copyright 2007 Sun Microsystems, Inc. All rights reserved.
* Use is subject to license terms.
*/
@@ -31,7 +31,6 @@ RCSID("$OpenBSD: auth1.c,v 1.44 2002/09/26 11:38:43 markus Exp $");
#include "channels.h"
#include "session.h"
#include "uidswap.h"
-#include "monitor_wrap.h"
#ifdef HAVE_BSM
#include "bsmaudit.h"
@@ -95,7 +94,7 @@ do_authloop(Authctxt *authctxt)
#if defined(KRB4) || defined(KRB5)
(!options.kerberos_authentication || options.kerberos_or_local_passwd) &&
#endif
- PRIVSEP(auth_password(authctxt, ""))) {
+ auth_password(authctxt, "")) {
auth_log(authctxt, 1, "without authentication", "");
return;
}
@@ -137,8 +136,8 @@ do_authloop(Authctxt *authctxt)
if (tkt.length < MAX_KTXT_LEN)
memcpy(tkt.dat, kdata, tkt.length);
- if (PRIVSEP(auth_krb4(authctxt, &tkt,
- &client_user, &reply))) {
+ if (auth_krb4(authctxt, &tkt,
+ &client_user, &reply)) {
authenticated = 1;
snprintf(info, sizeof(info),
" tktuser %.100s",
@@ -158,8 +157,8 @@ do_authloop(Authctxt *authctxt)
tkt.length = dlen;
tkt.data = kdata;
- if (PRIVSEP(auth_krb5(authctxt, &tkt,
- &client_user, &reply))) {
+ if (auth_krb5(authctxt, &tkt,
+ &client_user, &reply)) {
authenticated = 1;
snprintf(info, sizeof(info),
" tktuser %.100s",
@@ -279,8 +278,7 @@ do_authloop(Authctxt *authctxt)
if (authctxt->init_failures <
options.max_init_auth_tries)
authenticated =
- PRIVSEP(auth_password(authctxt,
- password));
+ auth_password(authctxt, password);
memset(password, 0, strlen(password));
xfree(password);
@@ -351,16 +349,11 @@ do_authloop(Authctxt *authctxt)
}
#else
/* Special handling for root */
- if (!use_privsep &&
- authenticated && authctxt->pw->pw_uid == 0 &&
+ if (authenticated && authctxt->pw->pw_uid == 0 &&
!auth_root_allowed(get_authname(type)))
authenticated = 0;
#endif
#ifdef USE_PAM
- /* XXX PAM and PRIVSEP don't mix */
- if (use_privsep && authenticated)
- fatal("Privsep is not supported");
-
if (authenticated && type != SSH_CMSG_AUTH_PASSWORD)
authenticated = do_pam_non_initial_userauth(authctxt);
else if (authenticated && !AUTHPAM_DONE(authctxt))
@@ -440,28 +433,21 @@ do_authentication(void)
#endif /* HAVE_BSM */
/* Verify that the user is a valid user. */
- if ((authctxt->pw = PRIVSEP(getpwnamallow(user))) != NULL) {
+ if ((authctxt->pw = getpwnamallow(user)) != NULL) {
authctxt->valid = 1;
} else {
authctxt->valid = 0;
debug("do_authentication: illegal user %s", user);
}
- setproctitle("%s%s", authctxt->pw ? user : "unknown",
- use_privsep ? " [net]" : "");
-
-#if 0
-#ifdef USE_PAM
- PRIVSEP(start_pam(authctxt->pw == NULL ? "NOUSER" : user));
-#endif
-#endif
+ setproctitle("%s", authctxt->pw ? user : "unknown");
/*
* If we are not running as root, the user must have the same uid as
* the server. (Unless you are running Windows)
*/
#ifndef HAVE_CYGWIN
- if (!use_privsep && getuid() != 0 && authctxt->pw &&
+ if (getuid() != 0 && authctxt->pw &&
authctxt->pw->pw_uid != getuid())
packet_disconnect("Cannot change user when server not running as root.");
#endif
diff --git a/usr/src/cmd/ssh/sshd/auth2-gss.c b/usr/src/cmd/ssh/sshd/auth2-gss.c
index 8892f6f718..70560dad3a 100644
--- a/usr/src/cmd/ssh/sshd/auth2-gss.c
+++ b/usr/src/cmd/ssh/sshd/auth2-gss.c
@@ -41,7 +41,6 @@
#include "buffer.h"
#include "bufaux.h"
#include "packet.h"
-#include "monitor_wrap.h"
#include <gssapi/gssapi.h>
#include "ssh-gss.h"
@@ -202,15 +201,14 @@ input_gssapi_token(int type, u_int32_t plen, void *ctxt)
u_int len;
if (authctxt == NULL || authctxt->method == NULL ||
- (authctxt->method->method_data == NULL && !use_privsep))
+ (authctxt->method->method_data == NULL))
fatal("No authentication or GSSAPI context during gssapi-with-mic userauth");
gssctxt=authctxt->method->method_data;
recv_tok.value=packet_get_string(&len);
recv_tok.length=len; /* u_int vs. size_t */
- maj_status=PRIVSEP(ssh_gssapi_accept_ctx(gssctxt, &recv_tok,
- &send_tok));
+ maj_status = ssh_gssapi_accept_ctx(gssctxt, &recv_tok, &send_tok);
packet_check_eom();
if (GSS_ERROR(maj_status)) {
@@ -251,7 +249,7 @@ input_gssapi_errtok(int type, u_int32_t plen, void *ctxt)
gss_buffer_desc send_tok,recv_tok;
if (authctxt == NULL || authctxt->method == NULL ||
- (authctxt->method->method_data == NULL && !use_privsep))
+ (authctxt->method->method_data == NULL))
fatal("No authentication or GSSAPI context during gssapi-with-mic userauth");
gssctxt=authctxt->method->method_data;
@@ -259,7 +257,7 @@ input_gssapi_errtok(int type, u_int32_t plen, void *ctxt)
packet_check_eom();
/* Push the error token into GSSAPI to see what it says */
- (void) PRIVSEP(ssh_gssapi_accept_ctx(gssctxt, &recv_tok, &send_tok));
+ (void) ssh_gssapi_accept_ctx(gssctxt, &recv_tok, &send_tok);
debug("Client sent GSS-API error token during GSS userauth-- %s",
ssh_gssapi_last_error(gssctxt, NULL, NULL));
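Review bot: The string returned by `ssh_gssapi_last_error(gssctxt, NULL, NULL)` is still passed straight to `debug()` here and never freed, although this commit frees the same return value with `xfree()` in ssh_gssapi_error() and ssh_gssapi_client_mechs(). Going by the debug text, this path handles an error token sent by the client during userauth, so the leak recurs for each such token. The same three-step form would close it: `errmsg = ssh_gssapi_last_error(gssctxt, NULL, NULL);`, then the `debug()` call with `errmsg`, then `xfree(errmsg);`. input_gssapi_errtok's body starts and ends outside this hunk, so a `char *errmsg` declaration would be needed there as well.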
@@ -352,7 +350,7 @@ input_gssapi_exchange_complete(int type, u_int32_t plen, void *ctxt)
packet_check_eom();
if (authctxt == NULL || authctxt->method == NULL ||
- (authctxt->method->method_data == NULL && !use_privsep))
+ (authctxt->method->method_data == NULL))
fatal("No authentication or GSSAPI context");
gssctxt=authctxt->method->method_data;
@@ -380,7 +378,7 @@ input_gssapi_exchange_complete(int type, u_int32_t plen, void *ctxt)
* this will do for now.
*/
#if 0
- authctxt->method->authenticated = PRIVSEP(ssh_gssapi_userok(gssctxt, authctxt->user));
+ authctxt->method->authenticated = ssh_gssapi_userok(gssctxt, authctxt->user);
#endif
if (xxx_gssctxt != gssctxt)
@@ -425,7 +423,7 @@ userauth_gssapi_finish(Authctxt *authctxt, Gssctxt *gssctxt)
OM_uint32 major;
if (*authctxt->user != '\0' &&
- PRIVSEP(ssh_gssapi_userok(gssctxt, authctxt->user))) {
+ ssh_gssapi_userok(gssctxt, authctxt->user)) {
/*
* If the client princ did not map to the requested
diff --git a/usr/src/cmd/ssh/sshd/auth2-hostbased.c b/usr/src/cmd/ssh/sshd/auth2-hostbased.c
index f7bef1197b..c88e308100 100644
--- a/usr/src/cmd/ssh/sshd/auth2-hostbased.c
+++ b/usr/src/cmd/ssh/sshd/auth2-hostbased.c
@@ -47,7 +47,6 @@ RCSID("$OpenBSD: auth2-hostbased.c,v 1.2 2002/05/31 11:35:15 markus Exp $");
#include "key.h"
#include "canohost.h"
-#include "monitor_wrap.h"
#include "pathnames.h"
/* import */
@@ -119,9 +118,8 @@ userauth_hostbased(Authctxt *authctxt)
#endif
/* test for allowed key and correct signature */
authenticated = 0;
- if (PRIVSEP(hostbased_key_allowed(authctxt->pw, cuser, chost, key)) &&
- PRIVSEP(key_verify(key, sig, slen, buffer_ptr(&b),
- buffer_len(&b))) == 1)
+ if (hostbased_key_allowed(authctxt->pw, cuser, chost, key) &&
+ key_verify(key, sig, slen, buffer_ptr(&b), buffer_len(&b)) == 1)
authenticated = 1;
buffer_clear(&b);
diff --git a/usr/src/cmd/ssh/sshd/auth2-none.c b/usr/src/cmd/ssh/sshd/auth2-none.c
index 94dbf7d18a..8732cf168e 100644
--- a/usr/src/cmd/ssh/sshd/auth2-none.c
+++ b/usr/src/cmd/ssh/sshd/auth2-none.c
@@ -22,7 +22,7 @@
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/
/*
- * Copyright 2004 Sun Microsystems, Inc. All rights reserved.
+ * Copyright 2007 Sun Microsystems, Inc. All rights reserved.
* Use is subject to license terms.
*/
@@ -39,7 +39,6 @@ RCSID("$OpenBSD: auth2-none.c,v 1.4 2002/06/27 10:35:47 deraadt Exp $");
#include "atomicio.h"
#include "compat.h"
#include "ssh2.h"
-#include "monitor_wrap.h"
/* import */
extern ServerOptions options;
@@ -83,7 +82,7 @@ userauth_banner(void)
if (options.banner == NULL || (datafellows & SSH_BUG_BANNER))
return;
- if ((banner = PRIVSEP(auth2_read_banner())) == NULL)
+ if ((banner = auth2_read_banner()) == NULL)
goto done;
packet_start(SSH2_MSG_USERAUTH_BANNER);
@@ -110,7 +109,7 @@ userauth_none(Authctxt *authctxt)
if (check_nt_auth(1, authctxt->pw) == 0)
return(0);
#endif
- authctxt->method->authenticated = PRIVSEP(auth_password(authctxt, ""));
+ authctxt->method->authenticated = auth_password(authctxt, "");
}
Authmethod method_none = {
diff --git a/usr/src/cmd/ssh/sshd/auth2-pam.c b/usr/src/cmd/ssh/sshd/auth2-pam.c
index 0c866c9625..802378fded 100644
--- a/usr/src/cmd/ssh/sshd/auth2-pam.c
+++ b/usr/src/cmd/ssh/sshd/auth2-pam.c
@@ -23,7 +23,6 @@ RCSID("$Id: auth2-pam.c,v 1.14 2002/06/28 16:48:12 mouring Exp $");
#include "canohost.h"
#include "log.h"
#include "servconf.h"
-#include "monitor_wrap.h"
#include "misc.h"
#ifdef HAVE_BSM
@@ -251,6 +250,8 @@ do_pam_conv_kbd_int(int num_msg, struct pam_message **msg,
}
if (conv_ctxt->num_expected == 0 && text == NULL) {
+ xfree(conv_ctxt->prompts);
+ xfree(conv_ctxt->responses);
xfree(conv_ctxt);
return PAM_SUCCESS;
}
@@ -301,6 +302,8 @@ do_pam_conv_kbd_int(int num_msg, struct pam_message **msg,
if (conv_ctxt->abandoned) {
authctxt->unwind_dispatch_loop = 1;
+ xfree(conv_ctxt->prompts);
+ xfree(conv_ctxt->responses);
xfree(conv_ctxt);
debug("PAM conv function returns PAM_CONV_ERR");
return PAM_CONV_ERR;
@@ -308,12 +311,15 @@ do_pam_conv_kbd_int(int num_msg, struct pam_message **msg,
if (conv_ctxt->num_received == conv_ctxt->num_expected) {
*resp = conv_ctxt->responses;
+ xfree(conv_ctxt->prompts);
xfree(conv_ctxt);
debug("PAM conv function returns PAM_SUCCESS");
return PAM_SUCCESS;
}
debug("PAM conv function returns PAM_CONV_ERR");
+ xfree(conv_ctxt->prompts);
+ xfree(conv_ctxt->responses);
xfree(conv_ctxt);
return PAM_CONV_ERR;
}
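Review bot: On the failure paths the new `xfree(conv_ctxt->responses)` releases only the array, so any `resp` strings already stored in its entries are leaked, and those strings hold what the user typed at the prompts. This applies to the final `PAM_CONV_ERR` return here and to the `conv_ctxt->abandoned` path in the previous hunk. Each non-NULL entry should be cleared and freed before the array, along the lines of `memset(r->resp, 0, strlen(r->resp)); xfree(r->resp);` for each entry `r`, presumably a `struct pam_response` since the array is handed back through `*resp`. How many entries are populated is not visible in these hunks, and do_pam_conv_kbd_int's body starts outside them, so the loop bound needs checking against the allocation.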
diff --git a/usr/src/cmd/ssh/sshd/auth2-passwd.c b/usr/src/cmd/ssh/sshd/auth2-passwd.c
index 4c8ca86ff0..9a1837fb05 100644
--- a/usr/src/cmd/ssh/sshd/auth2-passwd.c
+++ b/usr/src/cmd/ssh/sshd/auth2-passwd.c
@@ -22,7 +22,7 @@
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/
/*
- * Copyright 2004 Sun Microsystems, Inc. All rights reserved.
+ * Copyright 2007 Sun Microsystems, Inc. All rights reserved.
* Use is subject to license terms.
*/
@@ -35,7 +35,6 @@ RCSID("$OpenBSD: auth2-passwd.c,v 1.2 2002/05/31 11:35:15 markus Exp $");
#include "packet.h"
#include "log.h"
#include "auth.h"
-#include "monitor_wrap.h"
#include "servconf.h"
/* import */
@@ -60,8 +59,9 @@ userauth_passwd(Authctxt *authctxt)
#ifdef HAVE_CYGWIN
check_nt_auth(1, authctxt->pw) &&
#endif
- PRIVSEP(auth_password(authctxt, password)) == 1)
+ auth_password(authctxt, password) == 1) {
authctxt->method->authenticated = 1;
+ }
memset(password, 0, len);
xfree(password);
}
diff --git a/usr/src/cmd/ssh/sshd/auth2-pubkey.c b/usr/src/cmd/ssh/sshd/auth2-pubkey.c
index 9b02597d65..a6544f4f54 100644
--- a/usr/src/cmd/ssh/sshd/auth2-pubkey.c
+++ b/usr/src/cmd/ssh/sshd/auth2-pubkey.c
@@ -22,7 +22,7 @@
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/
/*
- * Copyright 2004 Sun Microsystems, Inc. All rights reserved.
+ * Copyright 2007 Sun Microsystems, Inc. All rights reserved.
* Use is subject to license terms.
*/
@@ -45,7 +45,6 @@ RCSID("$OpenBSD: auth2-pubkey.c,v 1.2 2002/05/31 11:35:15 markus Exp $");
#include "uidswap.h"
#include "auth-options.h"
#include "canohost.h"
-#include "monitor_wrap.h"
#ifdef USE_PAM
#include <security/pam_appl.h>
@@ -155,10 +154,11 @@ userauth_pubkey(Authctxt *authctxt)
buffer_dump(&b);
#endif
/* test for correct signature */
- if (PRIVSEP(user_key_allowed(authctxt->pw, key)) &&
- PRIVSEP(key_verify(key, sig, slen, buffer_ptr(&b),
- buffer_len(&b))) == 1)
+ if (user_key_allowed(authctxt->pw, key) &&
+ key_verify(key, sig, slen, buffer_ptr(&b),
+ buffer_len(&b)) == 1) {
authenticated = 1;
+ }
authctxt->method->postponed = 0;
buffer_clear(&b);
xfree(sig);
@@ -174,7 +174,7 @@ userauth_pubkey(Authctxt *authctxt)
* if a user is not allowed to login. is this an
* issue? -markus
*/
- if (PRIVSEP(user_key_allowed(authctxt->pw, key))) {
+ if (user_key_allowed(authctxt->pw, key)) {
packet_start(SSH2_MSG_USERAUTH_PK_OK);
packet_put_string(pkalg, alen);
packet_put_string(pkblob, blen);
diff --git a/usr/src/cmd/ssh/sshd/auth2.c b/usr/src/cmd/ssh/sshd/auth2.c
index d220276339..eba64ed56d 100644
--- a/usr/src/cmd/ssh/sshd/auth2.c
+++ b/usr/src/cmd/ssh/sshd/auth2.c
@@ -22,7 +22,7 @@
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/
/*
- * Copyright 2004 Sun Microsystems, Inc. All rights reserved.
+ * Copyright 2007 Sun Microsystems, Inc. All rights reserved.
* Use is subject to license terms.
*/
@@ -42,7 +42,6 @@ RCSID("$OpenBSD: auth2.c,v 1.95 2002/08/22 21:33:58 markus Exp $");
#include "dispatch.h"
#include "sshlogin.h"
#include "pathnames.h"
-#include "monitor_wrap.h"
#ifdef HAVE_BSM
#include "bsmaudit.h"
@@ -120,8 +119,6 @@ do_authentication2(void)
options.kbd_interactive_authentication = 1;
if (options.pam_authentication_via_kbd_int)
options.kbd_interactive_authentication = 1;
- if (use_privsep)
- options.pam_authentication_via_kbd_int = 0;
dispatch_init(&dispatch_protocol_error);
dispatch_set(SSH2_MSG_SERVICE_REQUEST, &input_service_request);
@@ -193,7 +190,7 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt)
if (authctxt->attempt == 1) {
/* setup auth context */
- authctxt->pw = PRIVSEP(getpwnamallow(user));
+ authctxt->pw = getpwnamallow(user);
/* May want to abstract SSHv2 services someday */
if (authctxt->pw && strcmp(service, "ssh-connection")==0) {
/* enforced in userauth_finish() below */
@@ -202,14 +199,11 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt)
} else {
log("input_userauth_request: illegal user %s", user);
}
- setproctitle("%s%s", authctxt->pw ? user : "unknown",
- use_privsep ? " [net]" : "");
+ setproctitle("%s", authctxt->pw ? user : "unknown");
authctxt->user = xstrdup(user);
authctxt->service = xstrdup(service);
authctxt->style = style ? xstrdup(style) : NULL;
userauth_reset_methods();
- if (use_privsep)
- mm_inform_authserv(service, style);
} else {
char *abandoned;
@@ -293,8 +287,7 @@ userauth_finish(Authctxt *authctxt, char *method)
#ifndef USE_PAM
/* Special handling for root (done elsewhere for PAM) */
- if (!use_privsep &&
- authctxt->method->authenticated &&
+ if (authctxt->method->authenticated &&
authctxt->pw != NULL && authctxt->pw->pw_uid == 0 &&
!auth_root_allowed(method))
authctxt->method->authenticated = 0;
@@ -457,7 +450,7 @@ userauth_user_svc_change(Authctxt *authctxt, char *user, char *service)
xfree(authctxt->user);
authctxt->user = xstrdup(user);
pwfree(&authctxt->pw);
- authctxt->pw = PRIVSEP(getpwnamallow(user));
+ authctxt->pw = getpwnamallow(user);
authctxt->valid = (authctxt->pw != NULL);
/* Forget method state; abandon postponed userauths */
diff --git a/usr/src/cmd/ssh/sshd/gss-serv.c b/usr/src/cmd/ssh/sshd/gss-serv.c
index ad0d7c65f5..98b962b3d0 100644
--- a/usr/src/cmd/ssh/sshd/gss-serv.c
+++ b/usr/src/cmd/ssh/sshd/gss-serv.c
@@ -22,7 +22,7 @@
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/
/*
- * Copyright 2004 Sun Microsystems, Inc. All rights reserved.
+ * Copyright 2007 Sun Microsystems, Inc. All rights reserved.
* Use is subject to license terms.
*/
@@ -51,7 +51,6 @@
#include "servconf.h"
#include "uidswap.h"
#include "compat.h"
-#include "monitor_wrap.h"
#include <pwd.h>
#include "ssh-gss.h"
diff --git a/usr/src/cmd/ssh/sshd/servconf.c b/usr/src/cmd/ssh/sshd/servconf.c
index 863a75af74..6f2cdbdc84 100644
--- a/usr/src/cmd/ssh/sshd/servconf.c
+++ b/usr/src/cmd/ssh/sshd/servconf.c
@@ -56,8 +56,6 @@ static void add_one_listen_addr(ServerOptions *, char *, u_short);
/* AF_UNSPEC or AF_INET or AF_INET6 */
extern int IPv4or6;
-/* Use of privilege separation or not */
-extern int use_privsep;
/* Initializes the server options to their default values. */
@@ -149,9 +147,6 @@ initialize_server_options(ServerOptions *options)
options->max_init_auth_tries_log = -1;
options->lookup_client_hostnames = -1;
-
- /* Needs to be accessable in many places */
- use_privsep = -1;
}
#ifdef HAVE_DEFOPEN
@@ -380,21 +375,6 @@ fill_default_server_options(ServerOptions *options)
if (options->lookup_client_hostnames == -1)
options->lookup_client_hostnames = 1;
-
- /* XXX SUNWssh resync */
- /* Turn privilege separation OFF by default */
- if (use_privsep == -1)
- use_privsep = 0;
-
-#ifndef HAVE_MMAP
- if (use_privsep && options->compression == 1) {
- error("This platform does not support both privilege "
- "separation and compression");
- error("Compression disabled");
- options->compression = 0;
- }
-#endif
-
}
/* Keyword tokens. */
@@ -939,8 +919,11 @@ parse_flag:
goto parse_flag;
case sUsePrivilegeSeparation:
- intptr = &use_privsep;
- goto parse_flag;
+ log("%s line %d: ignoring UsePrivilegeSeparation option value."
+ " This option is always on.", filename, linenum);
+ while (arg)
+ arg = strdelim(&cp);
+ break;
case sAllowUsers:
while (((arg = strdelim(&cp)) != NULL) && *arg != '\0') {
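Review bot: The new `case sUsePrivilegeSeparation:` branch has no comment saying why the keyword is still parsed or what the `while (arg)` loop is for. From the hunk, the value is discarded and the loop consumes the remaining tokens on the line; presumably this keeps existing sshd_config files loading, though the rest of the parser is outside the hunk. I would add above the `log()` call: `/* Keyword still accepted so old config files parse; the value is ignored and the rest of the line is drained. */`. The log text "This option is always on" could also name the mechanism it refers to, since an administrator who wrote `no` otherwise cannot tell what is now enforced.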
diff --git a/usr/src/cmd/ssh/sshd/serverloop.c b/usr/src/cmd/ssh/sshd/serverloop.c
index a720fae405..e7e7711f81 100644
--- a/usr/src/cmd/ssh/sshd/serverloop.c
+++ b/usr/src/cmd/ssh/sshd/serverloop.c
@@ -953,8 +953,14 @@ server_loop2(Authctxt *authctxt)
collect_children();
- if (!rekeying)
+ if (!rekeying) {
channel_after_select(readset, writeset);
+ if (packet_need_rekeying()) {
+ debug("need rekeying");
+ xxx_kex->done = 0;
+ kex_send_kexinit(xxx_kex);
+ }
+ }
#ifdef ALTPRIVSEP
else
altprivsep_process_input(xxx_kex, readset);
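Review bot: The added rekey block writes `xxx_kex->done = 0` and calls `kex_send_kexinit(xxx_kex)` with no check that `xxx_kex` is set. The assignment of `rekeying` is outside the hunk; if it is false when `xxx_kex` is NULL, a connection that reaches the rekey threshold dereferences a NULL pointer in the network-facing loop. Either guard it, `if (xxx_kex != NULL && packet_need_rekeying()) {`, or add a comment stating why `xxx_kex` cannot be NULL in `server_loop2()`.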
@@ -991,7 +997,6 @@ server_input_channel_failure(int type, u_int32_t seq, void *ctxt)
client_alive_timeouts = 0;
}
-
static void
server_input_stdin_data(int type, u_int32_t seq, void *ctxt)
{
diff --git a/usr/src/cmd/ssh/sshd/session.c b/usr/src/cmd/ssh/sshd/session.c
index d85558a44e..04b1c1f7e0 100644
--- a/usr/src/cmd/ssh/sshd/session.c
+++ b/usr/src/cmd/ssh/sshd/session.c
@@ -71,7 +71,6 @@ RCSID("$OpenBSD: session.c,v 1.150 2002/09/16 19:55:33 stevesk Exp $");
#include "serverloop.h"
#include "canohost.h"
#include "session.h"
-#include "monitor_wrap.h"
#ifdef USE_PAM
#include <security/pam_appl.h>
@@ -786,11 +785,6 @@ do_login(Session *s, const char *command)
#ifdef ALTPRIVSEP
debug3("Recording SSHv2 channel login in utmpx/wtmpx");
altprivsep_record_login(pid, s->tty);
-#else /* ALTPRIVSEP*/
- if (!use_privsep) {
- debug3("Recording SSHv2 channel login in utmpx/wtmpx");
- record_login(pid, s->tty, NULL, pw->pw_name);
- }
#endif /* ALTPRIVSEP*/
if (check_quietlogin(s, command))
@@ -1776,7 +1770,7 @@ session_pty_req(Session *s)
/* Allocate a pty and open it. */
debug("Allocating pty.");
- if (!PRIVSEP(pty_allocate(&s->ptyfd, &s->ttyfd, s->tty, sizeof(s->tty)))) {
+ if (!pty_allocate(&s->ptyfd, &s->ttyfd, s->tty, sizeof(s->tty))) {
if (s->term)
xfree(s->term);
s->term = NULL;
@@ -1797,8 +1791,7 @@ session_pty_req(Session *s)
* time in case we call fatal() (e.g., the connection gets closed).
*/
fatal_add_cleanup(session_pty_cleanup, (void *)s);
- if (!use_privsep)
- pty_setowner(s->pw, s->tty);
+ pty_setowner(s->pw, s->tty);
/* Set window size from the packet. */
pty_change_window_size(s->ptyfd, s->row, s->col, s->xpixel, s->ypixel);
@@ -2164,8 +2157,6 @@ session_pty_cleanup2(void *session)
debug3("Recording SSHv2 channel login in utmpx/wtmpx");
#ifdef ALTPRIVSEP
altprivsep_record_logout(s->pid);
-#else /* ALTPRIVSEP */
- record_logout(s->pid, s->tty, NULL, s->pw->pw_name);
#endif /* ALTPRIVSEP */
}
@@ -2188,7 +2179,7 @@ session_pty_cleanup2(void *session)
void
session_pty_cleanup(void *session)
{
- PRIVSEP(session_pty_cleanup2(session));
+ session_pty_cleanup2(session);
}
/*
diff --git a/usr/src/cmd/ssh/sshd/sshd.c b/usr/src/cmd/ssh/sshd/sshd.c
index 03e81f71e9..199f12ec31 100644
--- a/usr/src/cmd/ssh/sshd/sshd.c
+++ b/usr/src/cmd/ssh/sshd/sshd.c
@@ -87,10 +87,6 @@ RCSID("$OpenBSD: sshd.c,v 1.260 2002/09/27 10:42:09 mickey Exp $");
#include "dispatch.h"
#include "channels.h"
#include "session.h"
-#include "monitor_mm.h"
-#include "monitor.h"
-#include "monitor_wrap.h"
-#include "monitor_fdpass.h"
#include "g11n.h"
#include "sshlogin.h"
#include "xlist.h"
@@ -234,10 +230,6 @@ u_int utmp_len = MAXHOSTNAMELEN;
static int *startup_pipes = NULL;
static int startup_pipe = -1; /* in child */
-/* variables used for privilege separation */
-extern struct monitor *pmonitor;
-extern int use_privsep;
-
#ifdef GSSAPI
static gss_OID_set mechs = GSS_C_NULL_OID_SET;
#endif /* GSSAPI */
@@ -697,155 +689,6 @@ demote_sensitive_data(void)
/* We do not clear ssh1_host key and cookie. XXX - Okay Niels? */
}
-static void
-privsep_preauth_child(void)
-{
- u_int32_t rnd[256];
- gid_t gidset[1];
- struct passwd *pw;
- int i;
-
- /* Enable challenge-response authentication for privilege separation */
- privsep_challenge_enable();
-
- for (i = 0; i < 256; i++)
- rnd[i] = arc4random();
- RAND_seed(rnd, sizeof(rnd));
-
- /* Demote the private keys to public keys. */
- demote_sensitive_data();
-
- if ((pw = getpwnam(SSH_PRIVSEP_USER)) == NULL)
- fatal("Privilege separation user %s does not exist",
- SSH_PRIVSEP_USER);
- (void) memset(pw->pw_passwd, 0, strlen(pw->pw_passwd));
- endpwent();
-
- /* Change our root directory */
- if (chroot(_PATH_PRIVSEP_CHROOT_DIR) == -1)
- fatal("chroot(\"%s\"): %s", _PATH_PRIVSEP_CHROOT_DIR,
- strerror(errno));
- if (chdir("/") == -1)
- fatal("chdir(\"/\"): %s", strerror(errno));
-
- /* Drop our privileges */
- debug3("privsep user:group %u:%u", (u_int)pw->pw_uid,
- (u_int)pw->pw_gid);
-#if 0
- /* XXX not ready, to heavy after chroot */
- do_setusercontext(pw);
-#else
- gidset[0] = pw->pw_gid;
- if (setgid(pw->pw_gid) < 0)
- fatal("setgid failed for %u", pw->pw_gid);
- if (setgroups(1, gidset) < 0)
- fatal("setgroups: %.100s", strerror(errno));
- permanently_set_uid(pw);
-#endif
-}
-
-static Authctxt *
-privsep_preauth(void)
-{
- Authctxt *authctxt = NULL;
- int status;
- pid_t pid;
-
- /* Set up unprivileged child process to deal with network data */
- pmonitor = monitor_init();
- /* Store a pointer to the kex for later rekeying */
- pmonitor->m_pkex = &xxx_kex;
-
- pid = fork();
- if (pid == -1) {
- fatal("fork of unprivileged child failed");
- } else if (pid != 0) {
- fatal_remove_cleanup((void (*) (void *)) packet_close, NULL);
-
- debug2("Network child is on pid %ld", (long)pid);
-
- (void) close(pmonitor->m_recvfd);
- authctxt = monitor_child_preauth(pmonitor);
- (void) close(pmonitor->m_sendfd);
-
- /* Sync memory */
- monitor_sync(pmonitor);
-
- /* Wait for the child's exit status */
- while (waitpid(pid, &status, 0) < 0)
- if (errno != EINTR)
- break;
-
- /* Reinstall, since the child has finished */
- fatal_add_cleanup((void (*) (void *)) packet_close, NULL);
-
- return (authctxt);
- } else {
- /* child */
-
- (void) close(pmonitor->m_sendfd);
-
- /* Demote the child */
- if (getuid() == 0 || geteuid() == 0)
- privsep_preauth_child();
- setproctitle("%s", "[net]");
- }
- return (NULL);
-}
-
-static void
-privsep_postauth(Authctxt *authctxt)
-{
- extern Authctxt *x_authctxt;
-
- /* XXX - Remote port forwarding */
- x_authctxt = authctxt;
-
-#ifdef DISABLE_FD_PASSING
- if (1) {
-#else
- if (authctxt->pw->pw_uid == 0 || options.use_login) {
-#endif
- /* File descriptor passing is broken or root login */
- monitor_apply_keystate(pmonitor);
- use_privsep = 0;
- return;
- }
-
- if (startup_pipe != -1) {
- (void) close(startup_pipe);
- startup_pipe = -1;
- }
-
- /* New socket pair */
- monitor_reinit(pmonitor);
-
- pmonitor->m_pid = fork();
- if (pmonitor->m_pid == -1)
- fatal("fork of unprivileged child failed");
- else if (pmonitor->m_pid != 0) {
- fatal_remove_cleanup((void (*) (void *)) packet_close, NULL);
-
- debug2("User child is on pid %ld", (long)pmonitor->m_pid);
- (void) close(pmonitor->m_recvfd);
- monitor_child_postauth(pmonitor);
-
- /* NEVERREACHED */
- exit(0);
- }
-
- (void) close(pmonitor->m_sendfd);
-
- /* Demote the private keys to public keys. */
- demote_sensitive_data();
-
- /* Drop privileges */
- do_setusercontext(authctxt->pw);
-
- /* It is safe now to apply the key state */
- monitor_apply_keystate(pmonitor);
-}
-
static char *
list_hostkey_types(void)
{
@@ -1240,28 +1083,6 @@ main(int ac, char **av)
}
}
- if (use_privsep) {
- struct stat st;
-
- if (getpwnam(SSH_PRIVSEP_USER) == NULL)
- fatal("Privilege separation user %s does not exist",
- SSH_PRIVSEP_USER);
- if ((stat(_PATH_PRIVSEP_CHROOT_DIR, &st) == -1) ||
- (S_ISDIR(st.st_mode) == 0))
- fatal("Missing privilege separation directory: %s",
- _PATH_PRIVSEP_CHROOT_DIR);
-
-#ifdef HAVE_CYGWIN
- if (check_ntsec(_PATH_PRIVSEP_CHROOT_DIR) &&
- (st.st_uid != getuid () ||
- (st.st_mode & (S_IWGRP|S_IWOTH)) != 0))
-#else
- if (st.st_uid != 0 || (st.st_mode & (S_IWGRP|S_IWOTH)) != 0)
-#endif
- fatal("Bad owner or mode for %s",
- _PATH_PRIVSEP_CHROOT_DIR);
- }
-
/* Configuration looks good, so exit if in test mode. */
if (test_flag)
exit(0);
@@ -1565,6 +1386,7 @@ main(int ac, char **av)
#ifdef HAVE_SOLARIS_CONTRACTS
contracts_post_fork_child();
#endif /* HAVE_SOLARIS_CONTRACTS */
+ xfree(fdset);
startup_pipe = startup_p[1];
close_startup_pipes();
close_listen_socks();
@@ -1714,10 +1536,6 @@ main(int ac, char **av)
packet_set_nonblocking();
- if (use_privsep)
- if ((authctxt = privsep_preauth()) != NULL)
- goto authenticated;
-
/* perform the key exchange */
/* authenticate user and start session */
if (compat20) {
@@ -1728,15 +1546,6 @@ main(int ac, char **av)
authctxt = do_authentication();
}
- /*
- * If we use privilege separation, the unprivileged child transfers
- * the current keystate and exits
- */
- if (use_privsep) {
- mm_send_keystate(pmonitor);
- exit(0);
- }
-
authenticated:
/* Authentication complete */
(void) alarm(0);
@@ -1746,17 +1555,6 @@ authenticated:
startup_pipe = -1;
}
- /*
- * In privilege separation, we fork another child and prepare
- * file descriptor passing.
- */
- if (use_privsep) {
- privsep_postauth(authctxt);
- /* the monitor process [priv] will not return */
- if (!compat20)
- destroy_sensitive_data();
- }
-
#ifdef ALTPRIVSEP
if ((aps_child = altprivsep_start_monitor(authctxt)) == -1)
fatal("Monitor could not be started.");
@@ -1781,7 +1579,7 @@ authenticated:
*
* NOTE: Order matters -- these fatal cleanups must come before
* the audit logout fatal cleanup as these functions are called
- * in in LIFO.
+ * in LIFO.
*
* NOTE: The monitor will packet_close(), which will close
* "newsock," so we dup() it.
@@ -1893,70 +1691,6 @@ authenticated:
/* NOTREACHED */
}
-
-#else /* ALTPRIVSEP */
-
- if (compat20) {
- debug3("Recording SSHv2 session login in wtmpx");
- record_login(getpid(), NULL, "sshd", authctxt->user);
- }
-
-#ifdef HAVE_BSM
- fatal_remove_cleanup(
- (void (*)(void *))audit_failed_login_cleanup,
- (void *)authctxt);
-
- /* Initialize the group list, audit sometimes needs it. */
- if (initgroups(authctxt->pw->pw_name, authctxt->pw->pw_gid) < 0) {
- perror("initgroups");
- exit (1);
- }
- audit_sshd_login(&ah, authctxt->pw->pw_uid,
- authctxt->pw->pw_gid);
-
- fatal_add_cleanup((void (*)(void *))audit_sshd_logout,
- (void *)&ah);
-#endif /* HAVE_BSM */
-
-#ifdef GSSAPI
- fatal_add_cleanup((void (*)(void *))ssh_gssapi_cleanup_creds,
- (void *)&xxx_gssctxt);
-#endif /* GSSAPI */
-
- /* Perform session preparation. */
- do_authenticated(authctxt);
-
- /* XXX - Add PRIVSEP() macro */
- if (compat20) {
- debug3("Recording SSHv2 session logout in wtmpx");
- record_logout(getpid(), NULL, "sshd", authctxt->user);
- }
-
-#ifdef GSSAPI
- fatal_remove_cleanup((void (*)(void *))ssh_gssapi_cleanup_creds,
- &xxx_gssctxt);
- ssh_gssapi_cleanup_creds(xxx_gssctxt);
- ssh_gssapi_server_mechs(NULL); /* release cached server mechs */
-#endif /* GSSAPI */
-
-#ifdef HAVE_BSM
- fatal_remove_cleanup((void (*)(void *))audit_sshd_logout, (void *)&ah);
- audit_sshd_logout(&ah);
-#endif /* HAVE_BSM */
-
-#ifdef USE_PAM
- finish_pam(authctxt);
-#endif /* USE_PAM */
-
- /* The connection has been terminated. */
- verbose("Closing connection to %.100s", remote_ip);
-
- packet_close();
-
- if (use_privsep)
- mm_terminate();
-
- return (0);
#endif /* ALTPRIVSEP */
}
@@ -2123,7 +1857,7 @@ do_ssh1_kex(void)
packet_check_eom();
/* Decrypt session_key_int using host/server keys */
- rsafail = PRIVSEP(ssh1_session_key(session_key_int));
+ rsafail = ssh1_session_key(session_key_int);
/*
* Extract session key from the decrypted integer. The key is in the
@@ -2178,9 +1912,6 @@ do_ssh1_kex(void)
/* Destroy the private and public keys. No longer. */
destroy_sensitive_data();
- if (use_privsep)
- mm_ssh1_session_id(session_id);
-
/* Destroy the decrypted integer. It is no longer needed. */
BN_clear_free(session_key_int);
@@ -2249,6 +1980,9 @@ do_ssh2_kex(void)
g11n_locales2langs(locales);
}
+ if (locales != NULL)
+ g11n_freelist(locales);
+
if ((myproposal[PROPOSAL_LANG_STOC] != NULL) ||
(strcmp(myproposal[PROPOSAL_LANG_STOC], "")) != 0)
myproposal[PROPOSAL_LANG_CTOS] =
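Review bot: The condition immediately after the added `g11n_freelist()` call still joins its two tests with `||`, so when `myproposal[PROPOSAL_LANG_STOC]` is NULL the first test is false and `strcmp()` is then called with a NULL argument. The next hunk adds `if (myproposal[PROPOSAL_LANG_STOC] != NULL)` before freeing the same slot, which suggests NULL is a value the author expects there. The test presumably wants `&&`: `if ((myproposal[PROPOSAL_LANG_STOC] != NULL) && (strcmp(myproposal[PROPOSAL_LANG_STOC], "")) != 0)`. The statement it guards continues past the end of the hunk.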
@@ -2261,6 +1995,12 @@ do_ssh2_kex(void)
/* start key exchange */
kex = kex_setup(NULL, myproposal, kex_hook);
+
+ if (myproposal[PROPOSAL_LANG_STOC] != NULL)
+ xfree(myproposal[PROPOSAL_LANG_STOC]);
+ if (myproposal[PROPOSAL_LANG_CTOS] != NULL)
+ xfree(myproposal[PROPOSAL_LANG_CTOS]);
+
kex->kex[KEX_DH_GRP1_SHA1] = kexdh_server;
kex->kex[KEX_DH_GEX_SHA1] = kexgex_server;
#ifdef GSSAPI
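Review bot: After the two added `xfree()` calls, `myproposal[PROPOSAL_LANG_STOC]` and `myproposal[PROPOSAL_LANG_CTOS]` keep pointing at freed memory. Clearing each slot right after its free, e.g. `myproposal[PROPOSAL_LANG_STOC] = NULL;`, keeps any later reader of `myproposal` from touching a stale pointer. The frees are also only correct if both slots hold separately allocated heap strings at this point; the assignments are outside the hunk, so it is worth confirming that neither slot can still hold an initial non-heap value and that CTOS is a copy of STOC rather than the same pointer. `do_ssh2_kex()` continues past the hunk.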