From 235c7c4e3bf046982c2d8242f30aacffa01073d1 Mon Sep 17 00:00:00 2001 From: "markus@openbsd.org" Date: Mon, 9 Jul 2018 21:53:45 +0000 Subject: [PATCH] upstream: sshd: switch monitor to sshbuf API; lots of help & ok djm@ OpenBSD-Commit-ID: d89bd02d33974fd35ca0b8940d88572227b34a48 --- monitor.c | 494 ++++++++++++++++++++++++++++--------------------- monitor.h | 8 +- monitor_wrap.c | 485 ++++++++++++++++++++++++++++-------------------- 3 files changed, 566 insertions(+), 421 deletions(-) diff --git a/monitor.c b/monitor.c index 11f96b72d..bf83f3b56 100644 --- a/monitor.c +++ b/monitor.c @@ -1,4 +1,4 @@ -/* $OpenBSD: monitor.c,v 1.182 2018/07/09 21:35:50 markus Exp $ */ +/* $OpenBSD: monitor.c,v 1.183 2018/07/09 21:53:45 markus Exp $ */ /* * Copyright 2002 Niels Provos * Copyright 2002 Markus Friedl @@ -69,7 +69,7 @@ #include "xmalloc.h" #include "ssh.h" #include "key.h" -#include "buffer.h" +#include "sshbuf.h" #include "hostfile.h" #include "auth.h" #include "cipher.h" @@ -121,46 +121,46 @@ static struct sshbuf *child_state; /* Functions on the monitor that answer unprivileged requests */ -int mm_answer_moduli(int, Buffer *); -int mm_answer_sign(int, Buffer *); -int mm_answer_pwnamallow(int, Buffer *); -int mm_answer_auth2_read_banner(int, Buffer *); -int mm_answer_authserv(int, Buffer *); -int mm_answer_authpassword(int, Buffer *); -int mm_answer_bsdauthquery(int, Buffer *); -int mm_answer_bsdauthrespond(int, Buffer *); -int mm_answer_skeyquery(int, Buffer *); -int mm_answer_skeyrespond(int, Buffer *); -int mm_answer_keyallowed(int, Buffer *); -int mm_answer_keyverify(int, Buffer *); -int mm_answer_pty(int, Buffer *); -int mm_answer_pty_cleanup(int, Buffer *); -int mm_answer_term(int, Buffer *); -int mm_answer_rsa_keyallowed(int, Buffer *); -int mm_answer_rsa_challenge(int, Buffer *); -int mm_answer_rsa_response(int, Buffer *); -int mm_answer_sesskey(int, Buffer *); -int mm_answer_sessid(int, Buffer *); +int mm_answer_moduli(int, struct sshbuf *); +int mm_answer_sign(int, struct sshbuf *); +int mm_answer_pwnamallow(int, struct sshbuf *); +int mm_answer_auth2_read_banner(int, struct sshbuf *); +int mm_answer_authserv(int, struct sshbuf *); +int mm_answer_authpassword(int, struct sshbuf *); +int mm_answer_bsdauthquery(int, struct sshbuf *); +int mm_answer_bsdauthrespond(int, struct sshbuf *); +int mm_answer_skeyquery(int, struct sshbuf *); +int mm_answer_skeyrespond(int, struct sshbuf *); +int mm_answer_keyallowed(int, struct sshbuf *); +int mm_answer_keyverify(int, struct sshbuf *); +int mm_answer_pty(int, struct sshbuf *); +int mm_answer_pty_cleanup(int, struct sshbuf *); +int mm_answer_term(int, struct sshbuf *); +int mm_answer_rsa_keyallowed(int, struct sshbuf *); +int mm_answer_rsa_challenge(int, struct sshbuf *); +int mm_answer_rsa_response(int, struct sshbuf *); +int mm_answer_sesskey(int, struct sshbuf *); +int mm_answer_sessid(int, struct sshbuf *); #ifdef USE_PAM -int mm_answer_pam_start(int, Buffer *); -int mm_answer_pam_account(int, Buffer *); -int mm_answer_pam_init_ctx(int, Buffer *); -int mm_answer_pam_query(int, Buffer *); -int mm_answer_pam_respond(int, Buffer *); -int mm_answer_pam_free_ctx(int, Buffer *); +int mm_answer_pam_start(int, struct sshbuf *); +int mm_answer_pam_account(int, struct sshbuf *); +int mm_answer_pam_init_ctx(int, struct sshbuf *); +int mm_answer_pam_query(int, struct sshbuf *); +int mm_answer_pam_respond(int, struct sshbuf *); +int mm_answer_pam_free_ctx(int, struct sshbuf *); #endif #ifdef GSSAPI -int mm_answer_gss_setup_ctx(int, Buffer *); -int mm_answer_gss_accept_ctx(int, Buffer *); -int mm_answer_gss_userok(int, Buffer *); -int mm_answer_gss_checkmic(int, Buffer *); +int mm_answer_gss_setup_ctx(int, struct sshbuf *); +int mm_answer_gss_accept_ctx(int, struct sshbuf *); +int mm_answer_gss_userok(int, struct sshbuf *); +int mm_answer_gss_checkmic(int, struct sshbuf *); #endif #ifdef SSH_AUDIT_EVENTS -int mm_answer_audit_event(int, Buffer *); -int mm_answer_audit_command(int, Buffer *); +int mm_answer_audit_event(int, struct sshbuf *); +int mm_answer_audit_command(int, struct sshbuf *); #endif static int monitor_read_log(struct monitor *); @@ -169,7 +169,7 @@ static Authctxt *authctxt; /* local state for key verify */ static u_char *key_blob = NULL; -static u_int key_bloblen = 0; +static size_t key_bloblen = 0; static int key_blobtype = MM_NOKEY; static struct sshauthopt *key_opts = NULL; static char *hostbased_cuser = NULL; @@ -183,7 +183,7 @@ static pid_t monitor_child_pid; struct mon_table { enum monitor_reqtype type; int flags; - int (*f)(int, Buffer *); + int (*f)(int, struct sshbuf *); }; #define MON_ISAUTH 0x0004 /* Required for Authentication */ @@ -426,18 +426,21 @@ monitor_child_postauth(struct monitor *pmonitor) static int monitor_read_log(struct monitor *pmonitor) { - Buffer logmsg; + struct sshbuf *logmsg; u_int len, level; char *msg; + u_char *p; + int r; - buffer_init(&logmsg); + if ((logmsg = sshbuf_new()) == NULL) + fatal("%s: sshbuf_new", __func__); /* Read length */ - buffer_append_space(&logmsg, 4); - if (atomicio(read, pmonitor->m_log_recvfd, - buffer_ptr(&logmsg), buffer_len(&logmsg)) != buffer_len(&logmsg)) { + if ((r = sshbuf_reserve(logmsg, 4, &p)) != 0) + fatal("%s: reserve: %s", __func__, ssh_err(r)); + if (atomicio(read, pmonitor->m_log_recvfd, p, 4) != 4) { if (errno == EPIPE) { - buffer_free(&logmsg); + sshbuf_free(logmsg); debug("%s: child log fd closed", __func__); close(pmonitor->m_log_recvfd); pmonitor->m_log_recvfd = -1; @@ -445,26 +448,28 @@ monitor_read_log(struct monitor *pmonitor) } fatal("%s: log fd read: %s", __func__, strerror(errno)); } - len = buffer_get_int(&logmsg); + if ((r = sshbuf_get_u32(logmsg, &len)) != 0) + fatal("%s: get len: %s", __func__, ssh_err(r)); if (len <= 4 || len > 8192) fatal("%s: invalid log message length %u", __func__, len); /* Read severity, message */ - buffer_clear(&logmsg); - buffer_append_space(&logmsg, len); - if (atomicio(read, pmonitor->m_log_recvfd, - buffer_ptr(&logmsg), buffer_len(&logmsg)) != buffer_len(&logmsg)) + sshbuf_reset(logmsg); + if ((r = sshbuf_reserve(logmsg, len, &p)) != 0) + fatal("%s: reserve: %s", __func__, ssh_err(r)); + if (atomicio(read, pmonitor->m_log_recvfd, p, len) != len) fatal("%s: log fd read: %s", __func__, strerror(errno)); + if ((r = sshbuf_get_u32(logmsg, &level)) != 0 || + (r = sshbuf_get_cstring(logmsg, &msg, NULL)) != 0) + fatal("%s: decode: %s", __func__, ssh_err(r)); /* Log it */ - level = buffer_get_int(&logmsg); - msg = buffer_get_string(&logmsg, NULL); if (log_level_name(level) == NULL) fatal("%s: invalid log level %u (corrupted message?)", __func__, level); do_log2(level, "%s [preauth]", msg); - buffer_free(&logmsg); + sshbuf_free(logmsg); free(msg); return 0; @@ -474,8 +479,8 @@ int monitor_read(struct monitor *pmonitor, struct mon_table *ent, struct mon_table **pent) { - Buffer m; - int ret; + struct sshbuf *m; + int r, ret; u_char type; struct pollfd pfd[2]; @@ -502,10 +507,12 @@ monitor_read(struct monitor *pmonitor, struct mon_table *ent, break; /* Continues below */ } - buffer_init(&m); + if ((m = sshbuf_new()) == NULL) + fatal("%s: sshbuf_new", __func__); - mm_request_receive(pmonitor->m_sendfd, &m); - type = buffer_get_char(&m); + mm_request_receive(pmonitor->m_sendfd, m); + if ((r = sshbuf_get_u8(m, &type)) != 0) + fatal("%s: decode: %s", __func__, ssh_err(r)); debug3("%s: checking request %d", __func__, type); @@ -519,8 +526,8 @@ monitor_read(struct monitor *pmonitor, struct mon_table *ent, if (!(ent->flags & MON_PERMIT)) fatal("%s: unpermitted request %d", __func__, type); - ret = (*ent->f)(pmonitor->m_sendfd, &m); - buffer_free(&m); + ret = (*ent->f)(pmonitor->m_sendfd, m); + sshbuf_free(m); /* The child may use this request only once, disable it */ if (ent->flags & MON_ONCE) { @@ -570,14 +577,16 @@ monitor_reset_key_state(void) #ifdef WITH_OPENSSL int -mm_answer_moduli(int sock, Buffer *m) +mm_answer_moduli(int sock, struct sshbuf *m) { DH *dh; - int min, want, max; + int r; + u_int min, want, max; - min = buffer_get_int(m); - want = buffer_get_int(m); - max = buffer_get_int(m); + if ((r = sshbuf_get_u32(m, &min)) != 0 || + (r = sshbuf_get_u32(m, &want)) != 0 || + (r = sshbuf_get_u32(m, &max)) != 0) + fatal("%s: buffer error: %s", __func__, ssh_err(r)); debug3("%s: got parameters: %d %d %d", __func__, min, want, max); @@ -586,17 +595,19 @@ mm_answer_moduli(int sock, Buffer *m) fatal("%s: bad parameters: %d %d %d", __func__, min, want, max); - buffer_clear(m); + sshbuf_reset(m); dh = choose_dh(min, want, max); if (dh == NULL) { - buffer_put_char(m, 0); + if ((r = sshbuf_put_u8(m, 0)) != 0) + fatal("%s: buffer error: %s", __func__, ssh_err(r)); return (0); } else { /* Send first bignum */ - buffer_put_char(m, 1); - buffer_put_bignum2(m, dh->p); - buffer_put_bignum2(m, dh->g); + if ((r = sshbuf_put_u8(m, 1)) != 0 || + (r = sshbuf_put_bignum2(m, dh->p)) != 0 || + (r = sshbuf_put_bignum2(m, dh->g)) != 0) + fatal("%s: buffer error: %s", __func__, ssh_err(r)); DH_free(dh); } @@ -606,7 +617,7 @@ mm_answer_moduli(int sock, Buffer *m) #endif int -mm_answer_sign(int sock, Buffer *m) +mm_answer_sign(int sock, struct sshbuf *m) { struct ssh *ssh = active_state; /* XXX */ extern int auth_sock; /* XXX move to state struct? */ @@ -708,12 +719,12 @@ mm_answer_sign(int sock, Buffer *m) /* Retrieves the password entry and also checks if the user is permitted */ int -mm_answer_pwnamallow(int sock, Buffer *m) +mm_answer_pwnamallow(int sock, struct sshbuf *m) { struct ssh *ssh = active_state; /* XXX */ char *username; struct passwd *pwent; - int allowed = 0; + int r, allowed = 0; u_int i; debug3("%s", __func__); @@ -721,7 +732,8 @@ mm_answer_pwnamallow(int sock, Buffer *m) if (authctxt->attempt++ != 0) fatal("%s: multiple attempts for getpwnam", __func__); - username = buffer_get_string(m, NULL); + if ((r = sshbuf_get_cstring(m, &username, NULL)) != 0) + fatal("%s: buffer error: %s", __func__, ssh_err(r)); pwent = getpwnamallow(username); @@ -729,10 +741,11 @@ mm_answer_pwnamallow(int sock, Buffer *m) setproctitle("%s [priv]", pwent ? username : "unknown"); free(username); - buffer_clear(m); + sshbuf_reset(m); if (pwent == NULL) { - buffer_put_char(m, 0); + if ((r = sshbuf_put_u8(m, 0)) != 0) + fatal("%s: buffer error: %s", __func__, ssh_err(r)); authctxt->pw = fakepw(); goto out; } @@ -741,31 +754,40 @@ mm_answer_pwnamallow(int sock, Buffer *m) authctxt->pw = pwent; authctxt->valid = 1; - buffer_put_char(m, 1); - buffer_put_string(m, pwent, sizeof(struct passwd)); - buffer_put_cstring(m, pwent->pw_name); - buffer_put_cstring(m, "*"); + /* XXX don't sent pwent to unpriv; send fake class/dir/shell too */ + if ((r = sshbuf_put_u8(m, 1)) != 0 || + (r = sshbuf_put_string(m, pwent, sizeof(*pwent))) != 0 || + (r = sshbuf_put_cstring(m, pwent->pw_name)) != 0 || + (r = sshbuf_put_cstring(m, "*")) != 0 || #ifdef HAVE_STRUCT_PASSWD_PW_GECOS - buffer_put_cstring(m, pwent->pw_gecos); + (r = sshbuf_put_cstring(m, pwent->pw_gecos)) != 0 || #endif #ifdef HAVE_STRUCT_PASSWD_PW_CLASS - buffer_put_cstring(m, pwent->pw_class); + (r = sshbuf_put_cstring(m, pwent->pw_class)) != 0 || #endif - buffer_put_cstring(m, pwent->pw_dir); - buffer_put_cstring(m, pwent->pw_shell); + (r = sshbuf_put_cstring(m, pwent->pw_dir)) != 0 || + (r = sshbuf_put_cstring(m, pwent->pw_shell)) != 0) + fatal("%s: buffer error: %s", __func__, ssh_err(r)); out: ssh_packet_set_log_preamble(ssh, "%suser %s", authctxt->valid ? "authenticating" : "invalid ", authctxt->user); - buffer_put_string(m, &options, sizeof(options)); + if ((r = sshbuf_put_string(m, &options, sizeof(options))) != 0) + fatal("%s: buffer error: %s", __func__, ssh_err(r)); #define M_CP_STROPT(x) do { \ - if (options.x != NULL) \ - buffer_put_cstring(m, options.x); \ + if (options.x != NULL) { \ + if ((r = sshbuf_put_cstring(m, options.x)) != 0) \ + fatal("%s: buffer error: %s", \ + __func__, ssh_err(r)); \ + } \ } while (0) #define M_CP_STRARRAYOPT(x, nx) do { \ - for (i = 0; i < options.nx; i++) \ - buffer_put_cstring(m, options.x[i]); \ + for (i = 0; i < options.nx; i++) { \ + if ((r = sshbuf_put_cstring(m, options.x[i])) != 0) \ + fatal("%s: buffer error: %s", \ + __func__, ssh_err(r)); \ + } \ } while (0) /* See comment in servconf.h */ COPY_MATCH_STRING_OPTS(); @@ -797,13 +819,15 @@ mm_answer_pwnamallow(int sock, Buffer *m) return (0); } -int mm_answer_auth2_read_banner(int sock, Buffer *m) +int mm_answer_auth2_read_banner(int sock, struct sshbuf *m) { char *banner; + int r; - buffer_clear(m); + sshbuf_reset(m); banner = auth2_read_banner(); - buffer_put_cstring(m, banner != NULL ? banner : ""); + if ((r = sshbuf_put_cstring(m, banner != NULL ? banner : "")) != 0) + fatal("%s: buffer error: %s", __func__, ssh_err(r)); mm_request_send(sock, MONITOR_ANS_AUTH2_READ_BANNER, m); free(banner); @@ -811,12 +835,15 @@ int mm_answer_auth2_read_banner(int sock, Buffer *m) } int -mm_answer_authserv(int sock, Buffer *m) +mm_answer_authserv(int sock, struct sshbuf *m) { + int r; + monitor_permit_authentications(1); - authctxt->service = buffer_get_string(m, NULL); - authctxt->style = buffer_get_string(m, NULL); + if ((r = sshbuf_get_cstring(m, &authctxt->service, NULL)) != 0 || + (r = sshbuf_get_cstring(m, &authctxt->style, NULL)) != 0) + fatal("%s: buffer error: %s", __func__, ssh_err(r)); debug3("%s: service=%s, style=%s", __func__, authctxt->service, authctxt->style); @@ -829,27 +856,30 @@ mm_answer_authserv(int sock, Buffer *m) } int -mm_answer_authpassword(int sock, Buffer *m) +mm_answer_authpassword(int sock, struct sshbuf *m) { struct ssh *ssh = active_state; /* XXX */ static int call_count; char *passwd; - int authenticated; - u_int plen; + int r, authenticated; + size_t plen; if (!options.password_authentication) fatal("%s: password authentication not enabled", __func__); - passwd = buffer_get_string(m, &plen); + if ((r = sshbuf_get_cstring(m, &passwd, &plen)) != 0) + fatal("%s: buffer error: %s", __func__, ssh_err(r)); /* Only authenticate if the context is valid */ authenticated = options.password_authentication && auth_password(ssh, passwd); - explicit_bzero(passwd, strlen(passwd)); + explicit_bzero(passwd, plen); free(passwd); - buffer_clear(m); - buffer_put_int(m, authenticated); + sshbuf_reset(m); + if ((r = sshbuf_put_u32(m, authenticated)) != 0) + fatal("%s: buffer error: %s", __func__, ssh_err(r)); #ifdef USE_PAM - buffer_put_int(m, sshpam_get_maxtries_reached()); + if ((r = sshbuf_put_u32(m, sshpam_get_maxtries_reached())) != 0) + fatal("%s: buffer error: %s", __func__, ssh_err(r)); #endif debug3("%s: sending result %d", __func__, authenticated); @@ -867,23 +897,25 @@ mm_answer_authpassword(int sock, Buffer *m) #ifdef BSD_AUTH int -mm_answer_bsdauthquery(int sock, Buffer *m) +mm_answer_bsdauthquery(int sock, struct sshbuf *m) { char *name, *infotxt; - u_int numprompts; - u_int *echo_on; + u_int numprompts, *echo_on, success; char **prompts; - u_int success; + int r; if (!options.kbd_interactive_authentication) fatal("%s: kbd-int authentication not enabled", __func__); success = bsdauth_query(authctxt, &name, &infotxt, &numprompts, &prompts, &echo_on) < 0 ? 0 : 1; - buffer_clear(m); - buffer_put_int(m, success); - if (success) - buffer_put_cstring(m, prompts[0]); + sshbuf_reset(m); + if ((r = sshbuf_put_u32(m, success)) != 0) + fatal("%s: buffer error: %s", __func__, ssh_err(r)); + if (success) { + if ((r = sshbuf_put_cstring(m, prompts[0])) != 0) + fatal("%s: buffer error: %s", __func__, ssh_err(r)); + } debug3("%s: sending challenge success: %u", __func__, success); mm_request_send(sock, MONITOR_ANS_BSDAUTHQUERY, m); @@ -899,25 +931,27 @@ mm_answer_bsdauthquery(int sock, Buffer *m) } int -mm_answer_bsdauthrespond(int sock, Buffer *m) +mm_answer_bsdauthrespond(int sock, struct sshbuf *m) { char *response; - int authok; + int r, authok; if (!options.kbd_interactive_authentication) fatal("%s: kbd-int authentication not enabled", __func__); if (authctxt->as == NULL) fatal("%s: no bsd auth session", __func__); - response = buffer_get_string(m, NULL); + if ((r = sshbuf_get_cstring(m, &response, NULL)) != 0) + fatal("%s: buffer error: %s", __func__, ssh_err(r)); authok = options.challenge_response_authentication && auth_userresponse(authctxt->as, response, 0); authctxt->as = NULL; debug3("%s: <%s> = <%d>", __func__, response, authok); free(response); - buffer_clear(m); - buffer_put_int(m, authok); + sshbuf_reset(m); + if ((r = sshbuf_put_u32(m, authok)) != 0) + fatal("%s: buffer error: %s", __func__, ssh_err(r)); debug3("%s: sending authenticated: %d", __func__, authok); mm_request_send(sock, MONITOR_ANS_BSDAUTHRESPOND, m); @@ -1131,25 +1165,23 @@ mm_answer_pam_free_ctx(int sock, Buffer *m) #endif int -mm_answer_keyallowed(int sock, Buffer *m) +mm_answer_keyallowed(int sock, struct sshbuf *m) { struct ssh *ssh = active_state; /* XXX */ - struct sshkey *key; + struct sshkey *key = NULL; char *cuser, *chost; - u_char *blob; - u_int bloblen, pubkey_auth_attempt; + u_int pubkey_auth_attempt; enum mm_keytype type = 0; int r, allowed = 0; struct sshauthopt *opts = NULL; debug3("%s entering", __func__); - type = buffer_get_int(m); - cuser = buffer_get_string(m, NULL); - chost = buffer_get_string(m, NULL); - blob = buffer_get_string(m, &bloblen); - pubkey_auth_attempt = buffer_get_int(m); - - key = key_from_blob(blob, bloblen); + if ((r = sshbuf_get_u32(m, &type)) != 0 || + (r = sshbuf_get_cstring(m, &cuser, NULL)) != 0 || + (r = sshbuf_get_cstring(m, &chost, NULL)) != 0 || + (r = sshkey_froms(m, &key)) != 0 || + (r = sshbuf_get_u32(m, &pubkey_auth_attempt)) != 0) + fatal("%s: buffer error: %s", __func__, ssh_err(r)); debug3("%s: key_from_blob: %p", __func__, key); @@ -1199,15 +1231,14 @@ mm_answer_keyallowed(int sock, Buffer *m) allowed ? "allowed" : "not allowed"); auth2_record_key(authctxt, 0, key); - sshkey_free(key); /* clear temporarily storage (used by verify) */ monitor_reset_key_state(); if (allowed) { /* Save temporarily for comparison in verify */ - key_blob = blob; - key_bloblen = bloblen; + if ((r = sshkey_to_blob(key, &key_blob, &key_bloblen)) != 0) + fatal("%s: buffer error: %s", __func__, ssh_err(r)); key_blobtype = type; key_opts = opts; hostbased_cuser = cuser; @@ -1215,13 +1246,14 @@ mm_answer_keyallowed(int sock, Buffer *m) } else { /* Log failed attempt */ auth_log(authctxt, 0, 0, auth_method, NULL); - free(blob); free(cuser); free(chost); } + sshkey_free(key); - buffer_clear(m); - buffer_put_int(m, allowed); + sshbuf_reset(m); + if ((r = sshbuf_put_u32(m, allowed)) != 0) + fatal("%s: buffer error: %s", __func__, ssh_err(r)); if (opts != NULL && (r = sshauthopt_serialise(opts, m, 1)) != 0) fatal("%s: sshauthopt_serialise: %s", __func__, ssh_err(r)); mm_request_send(sock, MONITOR_ANS_KEYALLOWED, m); @@ -1235,34 +1267,41 @@ mm_answer_keyallowed(int sock, Buffer *m) static int monitor_valid_userblob(u_char *data, u_int datalen) { - Buffer b; - u_char *p; + struct sshbuf *b; + const u_char *p; char *userstyle, *cp; - u_int len; - int fail = 0; + size_t len; + u_char type; + int r, fail = 0; - buffer_init(&b); - buffer_append(&b, data, datalen); + if ((b = sshbuf_new()) == NULL) + fatal("%s: sshbuf_new", __func__); + if ((r = sshbuf_put(b, data, datalen)) != 0) + fatal("%s: buffer error: %s", __func__, ssh_err(r)); if (datafellows & SSH_OLD_SESSIONID) { - p = buffer_ptr(&b); - len = buffer_len(&b); + p = sshbuf_ptr(b); + len = sshbuf_len(b); if ((session_id2 == NULL) || (len < session_id2_len) || (timingsafe_bcmp(p, session_id2, session_id2_len) != 0)) fail++; - buffer_consume(&b, session_id2_len); + if ((r = sshbuf_consume(b, session_id2_len)) != 0) + fatal("%s: buffer error: %s", __func__, ssh_err(r)); } else { - p = buffer_get_string(&b, &len); + if ((r = sshbuf_get_string_direct(b, &p, &len)) != 0) + fatal("%s: buffer error: %s", __func__, ssh_err(r)); if ((session_id2 == NULL) || (len != session_id2_len) || (timingsafe_bcmp(p, session_id2, session_id2_len) != 0)) fail++; - free(p); } - if (buffer_get_char(&b) != SSH2_MSG_USERAUTH_REQUEST) + if ((r = sshbuf_get_u8(b, &type)) != 0) + fatal("%s: buffer error: %s", __func__, ssh_err(r)); + if (type != SSH2_MSG_USERAUTH_REQUEST) fail++; - cp = buffer_get_cstring(&b, NULL); + if ((r = sshbuf_get_cstring(b, &cp, NULL)) != 0) + fatal("%s: buffer error: %s", __func__, ssh_err(r)); xasprintf(&userstyle, "%s%s%s", authctxt->user, authctxt->style ? ":" : "", authctxt->style ? authctxt->style : ""); @@ -1273,18 +1312,22 @@ monitor_valid_userblob(u_char *data, u_int datalen) } free(userstyle); free(cp); - buffer_skip_string(&b); - cp = buffer_get_cstring(&b, NULL); + if ((r = sshbuf_skip_string(b)) != 0 || /* service */ + (r = sshbuf_get_cstring(b, &cp, NULL)) != 0) + fatal("%s: buffer error: %s", __func__, ssh_err(r)); if (strcmp("publickey", cp) != 0) fail++; free(cp); - if (!buffer_get_char(&b)) + if ((r = sshbuf_get_u8(b, &type)) != 0) + fatal("%s: buffer error: %s", __func__, ssh_err(r)); + if (type == 0) fail++; - buffer_skip_string(&b); - buffer_skip_string(&b); - if (buffer_len(&b) != 0) + if ((r = sshbuf_skip_string(b)) != 0 || /* pkalg */ + (r = sshbuf_skip_string(b)) != 0) /* pkblob */ + fatal("%s: buffer error: %s", __func__, ssh_err(r)); + if (sshbuf_len(b) != 0) fail++; - buffer_free(&b); + sshbuf_free(b); return (fail == 0); } @@ -1292,59 +1335,69 @@ static int monitor_valid_hostbasedblob(u_char *data, u_int datalen, char *cuser, char *chost) { - Buffer b; - char *p, *userstyle; - u_int len; - int fail = 0; + struct sshbuf *b; + const u_char *p; + char *cp, *userstyle; + size_t len; + int r, fail = 0; + u_char type; - buffer_init(&b); - buffer_append(&b, data, datalen); + if ((b = sshbuf_new()) == NULL) + fatal("%s: sshbuf_new", __func__); + if ((r = sshbuf_put(b, data, datalen)) != 0 || + (r = sshbuf_get_string_direct(b, &p, &len)) != 0) + fatal("%s: buffer error: %s", __func__, ssh_err(r)); - p = buffer_get_string(&b, &len); if ((session_id2 == NULL) || (len != session_id2_len) || (timingsafe_bcmp(p, session_id2, session_id2_len) != 0)) fail++; - free(p); - if (buffer_get_char(&b) != SSH2_MSG_USERAUTH_REQUEST) + if ((r = sshbuf_get_u8(b, &type)) != 0) + fatal("%s: buffer error: %s", __func__, ssh_err(r)); + if (type != SSH2_MSG_USERAUTH_REQUEST) fail++; - p = buffer_get_cstring(&b, NULL); + if ((r = sshbuf_get_cstring(b, &cp, NULL)) != 0) + fatal("%s: buffer error: %s", __func__, ssh_err(r)); xasprintf(&userstyle, "%s%s%s", authctxt->user, authctxt->style ? ":" : "", authctxt->style ? authctxt->style : ""); - if (strcmp(userstyle, p) != 0) { - logit("wrong user name passed to monitor: expected %s != %.100s", - userstyle, p); + if (strcmp(userstyle, cp) != 0) { + logit("wrong user name passed to monitor: " + "expected %s != %.100s", userstyle, cp); fail++; } free(userstyle); - free(p); - buffer_skip_string(&b); /* service */ - p = buffer_get_cstring(&b, NULL); - if (strcmp(p, "hostbased") != 0) + free(cp); + if ((r = sshbuf_skip_string(b)) != 0 || /* service */ + (r = sshbuf_get_cstring(b, &cp, NULL)) != 0) + fatal("%s: buffer error: %s", __func__, ssh_err(r)); + if (strcmp(cp, "hostbased") != 0) fail++; - free(p); - buffer_skip_string(&b); /* pkalg */ - buffer_skip_string(&b); /* pkblob */ + free(cp); + if ((r = sshbuf_skip_string(b)) != 0 || /* pkalg */ + (r = sshbuf_skip_string(b)) != 0) /* pkblob */ + fatal("%s: buffer error: %s", __func__, ssh_err(r)); /* verify client host, strip trailing dot if necessary */ - p = buffer_get_string(&b, NULL); - if (((len = strlen(p)) > 0) && p[len - 1] == '.') - p[len - 1] = '\0'; - if (strcmp(p, chost) != 0) + if ((r = sshbuf_get_cstring(b, &cp, NULL)) != 0) + fatal("%s: buffer error: %s", __func__, ssh_err(r)); + if (((len = strlen(cp)) > 0) && cp[len - 1] == '.') + cp[len - 1] = '\0'; + if (strcmp(cp, chost) != 0) fail++; - free(p); + free(cp); /* verify client user */ - p = buffer_get_string(&b, NULL); - if (strcmp(p, cuser) != 0) + if ((r = sshbuf_get_cstring(b, &cp, NULL)) != 0) + fatal("%s: buffer error: %s", __func__, ssh_err(r)); + if (strcmp(cp, cuser) != 0) fail++; - free(p); + free(cp); - if (buffer_len(&b) != 0) + if (sshbuf_len(b) != 0) fail++; - buffer_free(&b); + sshbuf_free(b); return (fail == 0); } @@ -1460,15 +1513,15 @@ mm_session_close(Session *s) } int -mm_answer_pty(int sock, Buffer *m) +mm_answer_pty(int sock, struct sshbuf *m) { extern struct monitor *pmonitor; Session *s; - int res, fd0; + int r, res, fd0; debug3("%s entering", __func__); - buffer_clear(m); + sshbuf_reset(m); s = session_new(); if (s == NULL) goto error; @@ -1480,8 +1533,9 @@ mm_answer_pty(int sock, Buffer *m) goto error; pty_setowner(authctxt->pw, s->tty); - buffer_put_int(m, 1); - buffer_put_cstring(m, s->tty); + if ((r = sshbuf_put_u32(m, 1)) != 0 || + (r = sshbuf_put_cstring(m, s->tty)) != 0) + fatal("%s: buffer error: %s", __func__, ssh_err(r)); /* We need to trick ttyslot */ if (dup2(s->ttyfd, 0) == -1) @@ -1493,8 +1547,9 @@ mm_answer_pty(int sock, Buffer *m) close(0); /* send messages generated by record_login */ - buffer_put_string(m, buffer_ptr(loginmsg), buffer_len(loginmsg)); - buffer_clear(loginmsg); + if ((r = sshbuf_put_stringb(m, loginmsg)) != 0) + fatal("%s: put login message: %s", __func__, ssh_err(r)); + sshbuf_reset(loginmsg); mm_request_send(sock, MONITOR_ANS_PTY, m); @@ -1521,29 +1576,32 @@ mm_answer_pty(int sock, Buffer *m) error: if (s != NULL) mm_session_close(s); - buffer_put_int(m, 0); + if ((r = sshbuf_put_u32(m, 0)) != 0) + fatal("%s: buffer error: %s", __func__, ssh_err(r)); mm_request_send(sock, MONITOR_ANS_PTY, m); return (0); } int -mm_answer_pty_cleanup(int sock, Buffer *m) +mm_answer_pty_cleanup(int sock, struct sshbuf *m) { Session *s; char *tty; + int r; debug3("%s entering", __func__); - tty = buffer_get_string(m, NULL); + if ((r = sshbuf_get_cstring(m, &tty, NULL)) != 0) + fatal("%s: buffer error: %s", __func__, ssh_err(r)); if ((s = session_by_tty(tty)) != NULL) mm_session_close(s); - buffer_clear(m); + sshbuf_reset(m); free(tty); return (0); } int -mm_answer_term(int sock, Buffer *req) +mm_answer_term(int sock, struct sshbuf *req) { struct ssh *ssh = active_state; /* XXX */ extern struct monitor *pmonitor; @@ -1732,24 +1790,27 @@ monitor_reinit(struct monitor *mon) #ifdef GSSAPI int -mm_answer_gss_setup_ctx(int sock, Buffer *m) +mm_answer_gss_setup_ctx(int sock, struct sshbuf *m) { gss_OID_desc goid; OM_uint32 major; - u_int len; + size_t len; + int r; if (!options.gss_authentication) fatal("%s: GSSAPI authentication not enabled", __func__); - goid.elements = buffer_get_string(m, &len); + if ((r = sshbuf_get_string(m, &goid.elements, &len)) != 0) + fatal("%s: buffer error: %s", __func__, ssh_err(r)); goid.length = len; major = ssh_gssapi_server_ctx(&gsscontext, &goid); free(goid.elements); - buffer_clear(m); - buffer_put_int(m, major); + sshbuf_reset(m); + if ((r = sshbuf_put_u32(m, major)) != 0) + fatal("%s: buffer error: %s", __func__, ssh_err(r)); mm_request_send(sock, MONITOR_ANS_GSSSETUP, m); @@ -1760,26 +1821,27 @@ mm_answer_gss_setup_ctx(int sock, Buffer *m) } int -mm_answer_gss_accept_ctx(int sock, Buffer *m) +mm_answer_gss_accept_ctx(int sock, struct sshbuf *m) { gss_buffer_desc in; gss_buffer_desc out = GSS_C_EMPTY_BUFFER; OM_uint32 major, minor; OM_uint32 flags = 0; /* GSI needs this */ - u_int len; + int r; if (!options.gss_authentication) fatal("%s: GSSAPI authentication not enabled", __func__); - in.value = buffer_get_string(m, &len); - in.length = len; + if ((r = sshbuf_get_string(m, &in.value, &in.length)) != 0) + fatal("%s: buffer error: %s", __func__, ssh_err(r)); major = ssh_gssapi_accept_ctx(gsscontext, &in, &out, &flags); free(in.value); - buffer_clear(m); - buffer_put_int(m, major); - buffer_put_string(m, out.value, out.length); - buffer_put_int(m, flags); + sshbuf_reset(m); + if ((r = sshbuf_put_u32(m, major)) != 0 || + (r = sshbuf_put_string(m, out.value, out.length)) != 0 || + (r = sshbuf_put_u32(m, flags)) != 0) + fatal("%s: buffer error: %s", __func__, ssh_err(r)); mm_request_send(sock, MONITOR_ANS_GSSSTEP, m); gss_release_buffer(&minor, &out); @@ -1793,27 +1855,26 @@ mm_answer_gss_accept_ctx(int sock, Buffer *m) } int -mm_answer_gss_checkmic(int sock, Buffer *m) +mm_answer_gss_checkmic(int sock, struct sshbuf *m) { gss_buffer_desc gssbuf, mic; OM_uint32 ret; - u_int len; if (!options.gss_authentication) fatal("%s: GSSAPI authentication not enabled", __func__); - gssbuf.value = buffer_get_string(m, &len); - gssbuf.length = len; - mic.value = buffer_get_string(m, &len); - mic.length = len; + if ((r = sshbuf_get_string(m, &gssbuf.value, &gssbuf.length)) != 0 || + (r = sshbuf_get_string(m, &mic.value, &mic.length)) != 0) + fatal("%s: buffer error: %s", __func__, ssh_err(r)); ret = ssh_gssapi_checkmic(gsscontext, &gssbuf, &mic); free(gssbuf.value); free(mic.value); - buffer_clear(m); - buffer_put_int(m, ret); + sshbuf_reset(m); + if ((r = sshbuf_put_u32(m, ret)) != 0) + fatal("%s: buffer error: %s", __func__, ssh_err(r)); mm_request_send(sock, MONITOR_ANS_GSSCHECKMIC, m); @@ -1824,7 +1885,7 @@ mm_answer_gss_checkmic(int sock, Buffer *m) } int -mm_answer_gss_userok(int sock, Buffer *m) +mm_answer_gss_userok(int sock, struct sshbuf *m) { int authenticated; const char *displayname; @@ -1834,8 +1895,9 @@ mm_answer_gss_userok(int sock, Buffer *m) authenticated = authctxt->valid && ssh_gssapi_userok(authctxt->user); - buffer_clear(m); - buffer_put_int(m, authenticated); + sshbuf_reset(m); + if ((r = sshbuf_put_u32(m, authenticated)) != 0) + fatal("%s: buffer error: %s", __func__, ssh_err(r)); debug3("%s: sending result %d", __func__, authenticated); mm_request_send(sock, MONITOR_ANS_GSSUSEROK, m); diff --git a/monitor.h b/monitor.h index d68f67458..0c7635000 100644 --- a/monitor.h +++ b/monitor.h @@ -1,4 +1,4 @@ -/* $OpenBSD: monitor.h,v 1.20 2016/09/28 16:33:07 djm Exp $ */ +/* $OpenBSD: monitor.h,v 1.21 2018/07/09 21:53:45 markus Exp $ */ /* * Copyright 2002 Niels Provos @@ -87,8 +87,8 @@ struct mon_table; int monitor_read(struct monitor*, struct mon_table *, struct mon_table **); /* Prototypes for request sending and receiving */ -void mm_request_send(int, enum monitor_reqtype, Buffer *); -void mm_request_receive(int, Buffer *); -void mm_request_receive_expect(int, enum monitor_reqtype, Buffer *); +void mm_request_send(int, enum monitor_reqtype, struct sshbuf *); +void mm_request_receive(int, struct sshbuf *); +void mm_request_receive_expect(int, enum monitor_reqtype, struct sshbuf *); #endif /* _MONITOR_H_ */ diff --git a/monitor_wrap.c b/monitor_wrap.c index 6bf041093..cf38b230b 100644 --- a/monitor_wrap.c +++ b/monitor_wrap.c @@ -1,4 +1,4 @@ -/* $OpenBSD: monitor_wrap.c,v 1.102 2018/07/09 21:26:02 markus Exp $ */ +/* $OpenBSD: monitor_wrap.c,v 1.103 2018/07/09 21:53:45 markus Exp $ */ /* * Copyright 2002 Niels Provos * Copyright 2002 Markus Friedl @@ -50,7 +50,7 @@ #ifdef WITH_OPENSSL #include "dh.h" #endif -#include "buffer.h" +#include "sshbuf.h" #include "key.h" #include "cipher.h" #include "kex.h" @@ -93,27 +93,28 @@ extern ServerOptions options; void mm_log_handler(LogLevel level, const char *msg, void *ctx) { - Buffer log_msg; + struct sshbuf *log_msg; struct monitor *mon = (struct monitor *)ctx; + int r; + size_t len; if (mon->m_log_sendfd == -1) fatal("%s: no log channel", __func__); - buffer_init(&log_msg); - /* - * Placeholder for packet length. Will be filled in with the actual - * packet length once the packet has been constucted. This saves - * fragile math. - */ - buffer_put_int(&log_msg, 0); + if ((log_msg = sshbuf_new()) == NULL) + fatal("%s: sshbuf_new failed", __func__); - buffer_put_int(&log_msg, level); - buffer_put_cstring(&log_msg, msg); - put_u32(buffer_ptr(&log_msg), buffer_len(&log_msg) - 4); - if (atomicio(vwrite, mon->m_log_sendfd, buffer_ptr(&log_msg), - buffer_len(&log_msg)) != buffer_len(&log_msg)) + if ((r = sshbuf_put_u32(log_msg, 0)) != 0 || /* length; filled below */ + (r = sshbuf_put_u32(log_msg, level)) != 0 || + (r = sshbuf_put_cstring(log_msg, msg)) != 0) + fatal("%s: buffer error: %s", __func__, ssh_err(r)); + if ((len = sshbuf_len(log_msg)) < 4 || len > 0xffffffff) + fatal("%s: bad length %zu", __func__, len); + POKE_U32(sshbuf_mutable_ptr(log_msg), len - 4); + if (atomicio(vwrite, mon->m_log_sendfd, + sshbuf_mutable_ptr(log_msg), len) != len) fatal("%s: write: %s", __func__, strerror(errno)); - buffer_free(&log_msg); + sshbuf_free(log_msg); } int @@ -127,26 +128,29 @@ mm_is_monitor(void) } void -mm_request_send(int sock, enum monitor_reqtype type, Buffer *m) +mm_request_send(int sock, enum monitor_reqtype type, struct sshbuf *m) { - u_int mlen = buffer_len(m); + size_t mlen = sshbuf_len(m); u_char buf[5]; debug3("%s entering: type %d", __func__, type); - put_u32(buf, mlen + 1); + if (mlen >= 0xffffffff) + fatal("%s: bad length %zu", __func__, mlen); + POKE_U32(buf, mlen + 1); buf[4] = (u_char) type; /* 1st byte of payload is mesg-type */ if (atomicio(vwrite, sock, buf, sizeof(buf)) != sizeof(buf)) fatal("%s: write: %s", __func__, strerror(errno)); - if (atomicio(vwrite, sock, buffer_ptr(m), mlen) != mlen) + if (atomicio(vwrite, sock, sshbuf_mutable_ptr(m), mlen) != mlen) fatal("%s: write: %s", __func__, strerror(errno)); } void -mm_request_receive(int sock, Buffer *m) +mm_request_receive(int sock, struct sshbuf *m) { - u_char buf[4]; + u_char buf[4], *p = NULL; u_int msg_len; + int r; debug3("%s entering", __func__); @@ -155,24 +159,27 @@ mm_request_receive(int sock, Buffer *m) cleanup_exit(255); fatal("%s: read: %s", __func__, strerror(errno)); } - msg_len = get_u32(buf); + msg_len = PEEK_U32(buf); if (msg_len > 256 * 1024) fatal("%s: read: bad msg_len %d", __func__, msg_len); - buffer_clear(m); - buffer_append_space(m, msg_len); - if (atomicio(read, sock, buffer_ptr(m), msg_len) != msg_len) + sshbuf_reset(m); + if ((r = sshbuf_reserve(m, msg_len, &p)) != 0) + fatal("%s: buffer error: %s", __func__, ssh_err(r)); + if (atomicio(read, sock, p, msg_len) != msg_len) fatal("%s: read: %s", __func__, strerror(errno)); } void -mm_request_receive_expect(int sock, enum monitor_reqtype type, Buffer *m) +mm_request_receive_expect(int sock, enum monitor_reqtype type, struct sshbuf *m) { u_char rtype; + int r; debug3("%s entering: type %d", __func__, type); mm_request_receive(sock, m); - rtype = buffer_get_char(m); + if ((r = sshbuf_get_u8(m, &rtype)) != 0) + fatal("%s: buffer error: %s", __func__, ssh_err(r)); if (rtype != type) fatal("%s: read: rtype %d != type %d", __func__, rtype, type); @@ -183,20 +190,24 @@ DH * mm_choose_dh(int min, int nbits, int max) { BIGNUM *p, *g; - int success = 0; - Buffer m; + int r; + u_char success = 0; + struct sshbuf *m; - buffer_init(&m); - buffer_put_int(&m, min); - buffer_put_int(&m, nbits); - buffer_put_int(&m, max); + if ((m = sshbuf_new()) == NULL) + fatal("%s: sshbuf_new failed", __func__); + if ((r = sshbuf_put_u32(m, min)) != 0 || + (r = sshbuf_put_u32(m, nbits)) != 0 || + (r = sshbuf_put_u32(m, max)) != 0) + fatal("%s: buffer error: %s", __func__, ssh_err(r)); - mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_MODULI, &m); + mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_MODULI, m); debug3("%s: waiting for MONITOR_ANS_MODULI", __func__); - mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_MODULI, &m); + mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_MODULI, m); - success = buffer_get_char(&m); + if ((r = sshbuf_get_u8(m, &success)) != 0) + fatal("%s: buffer error: %s", __func__, ssh_err(r)); if (success == 0) fatal("%s: MONITOR_ANS_MODULI failed", __func__); @@ -204,11 +215,12 @@ mm_choose_dh(int min, int nbits, int max) fatal("%s: BN_new failed", __func__); if ((g = BN_new()) == NULL) fatal("%s: BN_new failed", __func__); - buffer_get_bignum2(&m, p); - buffer_get_bignum2(&m, g); + if ((r = sshbuf_get_bignum2(m, p)) != 0 || + (r = sshbuf_get_bignum2(m, g)) != 0) + fatal("%s: buffer error: %s", __func__, ssh_err(r)); - debug3("%s: remaining %d", __func__, buffer_len(&m)); - buffer_free(&m); + debug3("%s: remaining %zu", __func__, sshbuf_len(m)); + sshbuf_free(m); return (dh_new_group(g, p)); } @@ -219,21 +231,30 @@ mm_key_sign(struct sshkey *key, u_char **sigp, u_int *lenp, const u_char *data, u_int datalen, const char *hostkey_alg) { struct kex *kex = *pmonitor->m_pkex; - Buffer m; + struct sshbuf *m; + size_t xxxlen; + u_int ndx = kex->host_key_index(key, 0, active_state); + int r; debug3("%s entering", __func__); - buffer_init(&m); - buffer_put_int(&m, kex->host_key_index(key, 0, active_state)); - buffer_put_string(&m, data, datalen); - buffer_put_cstring(&m, hostkey_alg); + if ((m = sshbuf_new()) == NULL) + fatal("%s: sshbuf_new failed", __func__); + if ((r = sshbuf_put_u32(m, ndx)) != 0 || + (r = sshbuf_put_string(m, data, datalen)) != 0 || + (r = sshbuf_put_cstring(m, hostkey_alg)) != 0) + fatal("%s: buffer error: %s", __func__, ssh_err(r)); - mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_SIGN, &m); + mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_SIGN, m); debug3("%s: waiting for MONITOR_ANS_SIGN", __func__); - mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_SIGN, &m); - *sigp = buffer_get_string(&m, lenp); - buffer_free(&m); + mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_SIGN, m); + if ((r = sshbuf_get_string(m, sigp, &xxxlen)) != 0) + fatal("%s: buffer error: %s", __func__, ssh_err(r)); + if (xxxlen > 0xffffffff) + fatal("%s: bad length %zu", __func__, xxxlen); + *lenp = xxxlen; /* XXX fix API: size_t vs u_int */ + sshbuf_free(m); return (0); } @@ -242,54 +263,80 @@ struct passwd * mm_getpwnamallow(const char *username) { struct ssh *ssh = active_state; /* XXX */ - Buffer m; + struct sshbuf *m; struct passwd *pw; - u_int len, i; + size_t len; + u_int i; ServerOptions *newopts; + int r; + u_char ok; + const u_char *p; debug3("%s entering", __func__); - buffer_init(&m); - buffer_put_cstring(&m, username); + if ((m = sshbuf_new()) == NULL) + fatal("%s: sshbuf_new failed", __func__); + if ((r = sshbuf_put_cstring(m, username)) != 0) + fatal("%s: buffer error: %s", __func__, ssh_err(r)); - mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_PWNAM, &m); + mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_PWNAM, m); debug3("%s: waiting for MONITOR_ANS_PWNAM", __func__); - mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_PWNAM, &m); + mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_PWNAM, m); - if (buffer_get_char(&m) == 0) { + if ((r = sshbuf_get_u8(m, &ok)) != 0) + fatal("%s: buffer error: %s", __func__, ssh_err(r)); + if (ok == 0) { pw = NULL; goto out; } - pw = buffer_get_string(&m, &len); - if (len != sizeof(struct passwd)) + + /* XXX don't like passing struct passwd like this */ + pw = xcalloc(sizeof(*pw), 1); + if ((r = sshbuf_get_string_direct(m, &p, &len)) != 0) + fatal("%s: buffer error: %s", __func__, ssh_err(r)); + if (len != sizeof(*pw)) fatal("%s: struct passwd size mismatch", __func__); - pw->pw_name = buffer_get_string(&m, NULL); - pw->pw_passwd = buffer_get_string(&m, NULL); + memcpy(pw, p, sizeof(*pw)); + + if ((r = sshbuf_get_cstring(m, &pw->pw_name, NULL)) != 0 || + (r = sshbuf_get_cstring(m, &pw->pw_passwd, NULL)) != 0 || #ifdef HAVE_STRUCT_PASSWD_PW_GECOS - pw->pw_gecos = buffer_get_string(&m, NULL); + (r = sshbuf_get_cstring(m, &pw->pw_gecos, NULL)) != 0 || #endif #ifdef HAVE_STRUCT_PASSWD_PW_CLASS - pw->pw_class = buffer_get_string(&m, NULL); + (r = sshbuf_get_cstring(m, &pw->pw_class, NULL)) != 0 || #endif - pw->pw_dir = buffer_get_string(&m, NULL); - pw->pw_shell = buffer_get_string(&m, NULL); + (r = sshbuf_get_cstring(m, &pw->pw_dir, NULL)) != 0 || + (r = sshbuf_get_cstring(m, &pw->pw_shell, NULL)) != 0) + fatal("%s: buffer error: %s", __func__, ssh_err(r)); out: /* copy options block as a Match directive may have changed some */ - newopts = buffer_get_string(&m, &len); + if ((r = sshbuf_get_string_direct(m, &p, &len)) != 0) + fatal("%s: buffer error: %s", __func__, ssh_err(r)); if (len != sizeof(*newopts)) fatal("%s: option block size mismatch", __func__); + newopts = xcalloc(sizeof(*newopts), 1); + memcpy(newopts, p, sizeof(*newopts)); #define M_CP_STROPT(x) do { \ - if (newopts->x != NULL) \ - newopts->x = buffer_get_string(&m, NULL); \ + if (newopts->x != NULL) { \ + if ((r = sshbuf_get_cstring(m, \ + &newopts->x, NULL)) != 0) \ + fatal("%s: buffer error: %s", \ + __func__, ssh_err(r)); \ + } \ } while (0) #define M_CP_STRARRAYOPT(x, nx) do { \ newopts->x = newopts->nx == 0 ? \ NULL : xcalloc(newopts->nx, sizeof(*newopts->x)); \ - for (i = 0; i < newopts->nx; i++) \ - newopts->x[i] = buffer_get_string(&m, NULL); \ + for (i = 0; i < newopts->nx; i++) { \ + if ((r = sshbuf_get_cstring(m, \ + &newopts->x[i], NULL)) != 0) \ + fatal("%s: buffer error: %s", \ + __func__, ssh_err(r)); \ + } \ } while (0) /* See comment in servconf.h */ COPY_MATCH_STRING_OPTS(); @@ -301,7 +348,7 @@ out: process_permitopen(ssh, &options); free(newopts); - buffer_free(&m); + sshbuf_free(m); return (pw); } @@ -309,19 +356,22 @@ out: char * mm_auth2_read_banner(void) { - Buffer m; + struct sshbuf *m; char *banner; + int r; debug3("%s entering", __func__); - buffer_init(&m); - mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUTH2_READ_BANNER, &m); - buffer_clear(&m); + if ((m = sshbuf_new()) == NULL) + fatal("%s: sshbuf_new failed", __func__); + mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUTH2_READ_BANNER, m); + sshbuf_reset(m); mm_request_receive_expect(pmonitor->m_recvfd, - MONITOR_ANS_AUTH2_READ_BANNER, &m); - banner = buffer_get_string(&m, NULL); - buffer_free(&m); + MONITOR_ANS_AUTH2_READ_BANNER, m); + if ((r = sshbuf_get_cstring(m, &banner, NULL)) != 0) + fatal("%s: buffer error: %s", __func__, ssh_err(r)); + sshbuf_free(m); /* treat empty banner as missing banner */ if (strlen(banner) == 0) { @@ -336,41 +386,50 @@ mm_auth2_read_banner(void) void mm_inform_authserv(char *service, char *style) { - Buffer m; + struct sshbuf *m; + int r; debug3("%s entering", __func__); - buffer_init(&m); - buffer_put_cstring(&m, service); - buffer_put_cstring(&m, style ? style : ""); + if ((m = sshbuf_new()) == NULL) + fatal("%s: sshbuf_new failed", __func__); + if ((r = sshbuf_put_cstring(m, service)) != 0 || + (r = sshbuf_put_cstring(m, style ? style : "")) != 0) + fatal("%s: buffer error: %s", __func__, ssh_err(r)); - mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUTHSERV, &m); + mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUTHSERV, m); - buffer_free(&m); + sshbuf_free(m); } /* Do the password authentication */ int mm_auth_password(struct ssh *ssh, char *password) { - Buffer m; - int authenticated = 0; + struct sshbuf *m; + int r, maxtries = 0, authenticated = 0; debug3("%s entering", __func__); - buffer_init(&m); - buffer_put_cstring(&m, password); - mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUTHPASSWORD, &m); + if ((m = sshbuf_new()) == NULL) + fatal("%s: sshbuf_new failed", __func__); + if ((r = sshbuf_put_cstring(m, password)) != 0) + fatal("%s: buffer error: %s", __func__, ssh_err(r)); + mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUTHPASSWORD, m); debug3("%s: waiting for MONITOR_ANS_AUTHPASSWORD", __func__); - mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_AUTHPASSWORD, &m); + mm_request_receive_expect(pmonitor->m_recvfd, + MONITOR_ANS_AUTHPASSWORD, m); - authenticated = buffer_get_int(&m); + if ((r = sshbuf_get_u32(m, &authenticated)) != 0) + fatal("%s: buffer error: %s", __func__, ssh_err(r)); #ifdef USE_PAM - sshpam_set_maxtries_reached(buffer_get_int(&m)); + if ((r = sshbuf_get_u32(m, &maxtries)) != 0) + fatal("%s: buffer error: %s", __func__, ssh_err(r)); + sshpam_set_maxtries_reached(maxtries); #endif - buffer_free(&m); + sshbuf_free(m); debug3("%s: user %sauthenticated", __func__, authenticated ? "" : "not "); @@ -396,9 +455,7 @@ int mm_key_allowed(enum mm_keytype type, const char *user, const char *host, struct sshkey *key, int pubkey_auth_attempt, struct sshauthopt **authoptp) { - Buffer m; - u_char *blob; - u_int len; + struct sshbuf *m; int r, allowed = 0; struct sshauthopt *opts = NULL; @@ -407,31 +464,29 @@ mm_key_allowed(enum mm_keytype type, const char *user, const char *host, if (authoptp != NULL) *authoptp = NULL; - /* Convert the key to a blob and the pass it over */ - if (!key_to_blob(key, &blob, &len)) - return 0; + if ((m = sshbuf_new()) == NULL) + fatal("%s: sshbuf_new failed", __func__); + if ((r = sshbuf_put_u32(m, type)) != 0 || + (r = sshbuf_put_cstring(m, user ? user : "")) != 0 || + (r = sshbuf_put_cstring(m, host ? host : "")) != 0 || + (r = sshkey_puts(key, m)) != 0 || + (r = sshbuf_put_u32(m, pubkey_auth_attempt)) != 0) + fatal("%s: buffer error: %s", __func__, ssh_err(r)); - buffer_init(&m); - buffer_put_int(&m, type); - buffer_put_cstring(&m, user ? user : ""); - buffer_put_cstring(&m, host ? host : ""); - buffer_put_string(&m, blob, len); - buffer_put_int(&m, pubkey_auth_attempt); - free(blob); - - mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_KEYALLOWED, &m); + mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_KEYALLOWED, m); debug3("%s: waiting for MONITOR_ANS_KEYALLOWED", __func__); mm_request_receive_expect(pmonitor->m_recvfd, - MONITOR_ANS_KEYALLOWED, &m); + MONITOR_ANS_KEYALLOWED, m); - allowed = buffer_get_int(&m); + if ((r = sshbuf_get_u32(m, &allowed)) != 0) + fatal("%s: buffer error: %s", __func__, ssh_err(r)); if (allowed && type == MM_USERKEY) { - if ((r = sshauthopt_deserialise(&m, &opts)) != 0) + if ((r = sshauthopt_deserialise(m, &opts)) != 0) fatal("%s: sshauthopt_deserialise: %s", __func__, ssh_err(r)); } - buffer_free(&m); + sshbuf_free(m); if (authoptp != NULL) { *authoptp = opts; @@ -452,32 +507,31 @@ int mm_sshkey_verify(const struct sshkey *key, const u_char *sig, size_t siglen, const u_char *data, size_t datalen, const char *sigalg, u_int compat) { - Buffer m; - u_char *blob; - u_int len; + struct sshbuf *m; u_int encoded_ret = 0; + int r; debug3("%s entering", __func__); - /* Convert the key to a blob and the pass it over */ - if (!key_to_blob(key, &blob, &len)) - return (0); - buffer_init(&m); - buffer_put_string(&m, blob, len); - buffer_put_string(&m, sig, siglen); - buffer_put_string(&m, data, datalen); - buffer_put_cstring(&m, sigalg == NULL ? "" : sigalg); - free(blob); + if ((m = sshbuf_new()) == NULL) + fatal("%s: sshbuf_new failed", __func__); + if ((r = sshkey_puts(key, m)) != 0 || + (r = sshbuf_put_string(m, sig, siglen)) != 0 || + (r = sshbuf_put_string(m, data, datalen)) != 0 || + (r = sshbuf_put_cstring(m, sigalg == NULL ? "" : sigalg)) != 0) + fatal("%s: buffer error: %s", __func__, ssh_err(r)); - mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_KEYVERIFY, &m); + mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_KEYVERIFY, m); debug3("%s: waiting for MONITOR_ANS_KEYVERIFY", __func__); - mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_KEYVERIFY, &m); + mm_request_receive_expect(pmonitor->m_recvfd, + MONITOR_ANS_KEYVERIFY, m); - encoded_ret = buffer_get_int(&m); + if ((r = sshbuf_get_u32(m, &encoded_ret)) != 0) + fatal("%s: buffer error: %s", __func__, ssh_err(r)); - buffer_free(&m); + sshbuf_free(m); if (encoded_ret != 0) return SSH_ERR_SIGNATURE_INVALID; @@ -504,7 +558,7 @@ mm_send_keystate(struct monitor *monitor) int mm_pty_allocate(int *ptyfd, int *ttyfd, char *namebuf, size_t namebuflen) { - Buffer m; + struct sshbuf *m; char *p, *msg; int success = 0, tmp1 = -1, tmp2 = -1, r; @@ -521,21 +575,24 @@ mm_pty_allocate(int *ptyfd, int *ttyfd, char *namebuf, size_t namebuflen) close(tmp1); close(tmp2); - buffer_init(&m); - mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_PTY, &m); + if ((m = sshbuf_new()) == NULL) + fatal("%s: sshbuf_new failed", __func__); + mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_PTY, m); debug3("%s: waiting for MONITOR_ANS_PTY", __func__); - mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_PTY, &m); + mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_PTY, m); - success = buffer_get_int(&m); + if ((r = sshbuf_get_u32(m, &success)) != 0) + fatal("%s: buffer error: %s", __func__, ssh_err(r)); if (success == 0) { debug3("%s: pty alloc failed", __func__); - buffer_free(&m); + sshbuf_free(m); return (0); } - p = buffer_get_string(&m, NULL); - msg = buffer_get_string(&m, NULL); - buffer_free(&m); + if ((r = sshbuf_get_cstring(m, &p, NULL)) != 0 || + (r = sshbuf_get_cstring(m, &msg, NULL)) != 0) + fatal("%s: buffer error: %s", __func__, ssh_err(r)); + sshbuf_free(m); strlcpy(namebuf, p, namebuflen); /* Possible truncation */ free(p); @@ -555,14 +612,17 @@ mm_pty_allocate(int *ptyfd, int *ttyfd, char *namebuf, size_t namebuflen) void mm_session_pty_cleanup2(Session *s) { - Buffer m; + struct sshbuf *m; + int r; if (s->ttyfd == -1) return; - buffer_init(&m); - buffer_put_cstring(&m, s->tty); - mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_PTYCLEANUP, &m); - buffer_free(&m); + if ((m = sshbuf_new()) == NULL) + fatal("%s: sshbuf_new failed", __func__); + if ((r = sshbuf_put_cstring(m, s->tty)) != 0) + fatal("%s: buffer error: %s", __func__, ssh_err(r)); + mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_PTYCLEANUP, m); + sshbuf_free(m); /* closed dup'ed master */ if (s->ptymaster != -1 && close(s->ptymaster) < 0) @@ -710,11 +770,12 @@ mm_sshpam_free_ctx(void *ctxtp) void mm_terminate(void) { - Buffer m; + struct sshbuf *m; - buffer_init(&m); - mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_TERM, &m); - buffer_free(&m); + if ((m = sshbuf_new()) == NULL) + fatal("%s: sshbuf_new failed", __func__); + mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_TERM, m); + sshbuf_free(m); } static void @@ -733,27 +794,31 @@ int mm_bsdauth_query(void *ctx, char **name, char **infotxt, u_int *numprompts, char ***prompts, u_int **echo_on) { - Buffer m; + struct sshbuf *m; u_int success; char *challenge; + int r; debug3("%s: entering", __func__); - buffer_init(&m); - mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_BSDAUTHQUERY, &m); + if ((m = sshbuf_new()) == NULL) + fatal("%s: sshbuf_new failed", __func__); + mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_BSDAUTHQUERY, m); - mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_BSDAUTHQUERY, - &m); - success = buffer_get_int(&m); + mm_request_receive_expect(pmonitor->m_recvfd, + MONITOR_ANS_BSDAUTHQUERY, m); + if ((r = sshbuf_get_u32(m, &success)) != 0) + fatal("%s: buffer error: %s", __func__, ssh_err(r)); if (success == 0) { debug3("%s: no challenge", __func__); - buffer_free(&m); + sshbuf_free(m); return (-1); } /* Get the challenge, and format the response */ - challenge = buffer_get_string(&m, NULL); - buffer_free(&m); + if ((r = sshbuf_get_cstring(m, &challenge, NULL)) != 0) + fatal("%s: buffer error: %s", __func__, ssh_err(r)); + sshbuf_free(m); mm_chall_setup(name, infotxt, numprompts, prompts, echo_on); (*prompts)[0] = challenge; @@ -766,22 +831,25 @@ mm_bsdauth_query(void *ctx, char **name, char **infotxt, int mm_bsdauth_respond(void *ctx, u_int numresponses, char **responses) { - Buffer m; - int authok; + struct sshbuf *m; + int r, authok; debug3("%s: entering", __func__); if (numresponses != 1) return (-1); - buffer_init(&m); - buffer_put_cstring(&m, responses[0]); - mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_BSDAUTHRESPOND, &m); + if ((m = sshbuf_new()) == NULL) + fatal("%s: sshbuf_new failed", __func__); + if ((r = sshbuf_put_cstring(m, responses[0])) != 0) + fatal("%s: buffer error: %s", __func__, ssh_err(r)); + mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_BSDAUTHRESPOND, m); mm_request_receive_expect(pmonitor->m_recvfd, - MONITOR_ANS_BSDAUTHRESPOND, &m); + MONITOR_ANS_BSDAUTHRESPOND, m); - authok = buffer_get_int(&m); - buffer_free(&m); + if ((r = sshbuf_get_u32(m, &authok)) != 0) + fatal("%s: buffer error: %s", __func__, ssh_err(r)); + sshbuf_free(m); return ((authok == 0) ? -1 : 0); } @@ -881,45 +949,55 @@ mm_audit_run_command(const char *command) OM_uint32 mm_ssh_gssapi_server_ctx(Gssctxt **ctx, gss_OID goid) { - Buffer m; + struct sshbuf *m; OM_uint32 major; + int r; /* Client doesn't get to see the context */ *ctx = NULL; - buffer_init(&m); - buffer_put_string(&m, goid->elements, goid->length); + if ((m = sshbuf_new()) == NULL) + fatal("%s: sshbuf_new failed", __func__); + if ((r = sshbuf_put_string(m, goid->elements, goid->length)) != 0) + fatal("%s: buffer error: %s", __func__, ssh_err(r)); - mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_GSSSETUP, &m); - mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_GSSSETUP, &m); + mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_GSSSETUP, m); + mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_GSSSETUP, m); - major = buffer_get_int(&m); + if ((r = sshbuf_get_u32(m, &major)) != 0) + fatal("%s: buffer error: %s", __func__, ssh_err(r)); - buffer_free(&m); + sshbuf_free(m); return (major); } OM_uint32 mm_ssh_gssapi_accept_ctx(Gssctxt *ctx, gss_buffer_desc *in, - gss_buffer_desc *out, OM_uint32 *flags) + gss_buffer_desc *out, OM_uint32 *flagsp) { - Buffer m; + struct sshbuf *m; OM_uint32 major; - u_int len; + u_int flags; + int r; - buffer_init(&m); - buffer_put_string(&m, in->value, in->length); + if ((m = sshbuf_new()) == NULL) + fatal("%s: sshbuf_new failed", __func__); + if ((r = sshbuf_put_string(m, in->value, in->length)) != 0) + fatal("%s: buffer error: %s", __func__, ssh_err(r)); - mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_GSSSTEP, &m); - mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_GSSSTEP, &m); + mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_GSSSTEP, m); + mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_GSSSTEP, m); - major = buffer_get_int(&m); - out->value = buffer_get_string(&m, &len); - out->length = len; - if (flags) - *flags = buffer_get_int(&m); + if ((r = sshbuf_get_u32(m, &major)) != 0 || + (r = sshbuf_get_string(m, &out->value, &out->length)) != 0) + fatal("%s: buffer error: %s", __func__, ssh_err(r)); + if (flagsp != NULL) { + if ((r = sshbuf_get_u32(m, &flags)) != 0) + fatal("%s: buffer error: %s", __func__, ssh_err(r)); + *flagsp = flags; + } - buffer_free(&m); + sshbuf_free(m); return (major); } @@ -927,39 +1005,44 @@ mm_ssh_gssapi_accept_ctx(Gssctxt *ctx, gss_buffer_desc *in, OM_uint32 mm_ssh_gssapi_checkmic(Gssctxt *ctx, gss_buffer_t gssbuf, gss_buffer_t gssmic) { - Buffer m; + struct sshbuf *m; OM_uint32 major; + int r; - buffer_init(&m); - buffer_put_string(&m, gssbuf->value, gssbuf->length); - buffer_put_string(&m, gssmic->value, gssmic->length); + if ((m = sshbuf_new()) == NULL) + fatal("%s: sshbuf_new failed", __func__); + if ((r = sshbuf_put_string(m, gssbuf->value, gssbuf->length)) != 0 || + (r = sshbuf_put_string(m, gssmic->value, gssmic->length)) != 0) + fatal("%s: buffer error: %s", __func__, ssh_err(r)); - mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_GSSCHECKMIC, &m); - mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_GSSCHECKMIC, - &m); + mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_GSSCHECKMIC, m); + mm_request_receive_expect(pmonitor->m_recvfd, + MONITOR_ANS_GSSCHECKMIC, m); - major = buffer_get_int(&m); - buffer_free(&m); + if ((r = sshbuf_get_u32(m, &major)) != 0) + fatal("%s: buffer error: %s", __func__, ssh_err(r)); + sshbuf_free(m); return(major); } int mm_ssh_gssapi_userok(char *user) { - Buffer m; - int authenticated = 0; + struct sshbuf *m; + int r, authenticated = 0; - buffer_init(&m); + if ((m = sshbuf_new()) == NULL) + fatal("%s: sshbuf_new failed", __func__); - mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_GSSUSEROK, &m); - mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_GSSUSEROK, - &m); + mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_GSSUSEROK, m); + mm_request_receive_expect(pmonitor->m_recvfd, + MONITOR_ANS_GSSUSEROK, m); - authenticated = buffer_get_int(&m); + if ((r = sshbuf_get_u32(m, &authenticated)) != 0) + fatal("%s: buffer error: %s", __func__, ssh_err(r)); - buffer_free(&m); + sshbuf_free(m); debug3("%s: user %sauthenticated",__func__, authenticated ? "" : "not "); return (authenticated); } #endif /* GSSAPI */ -