sync with OpenBSD -current
parent
da785accdf
commit
659ea2942e
39 changed files with 1318 additions and 384 deletions
|
@ -1,4 +1,4 @@
|
|||
/* $OpenBSD: sshconnect2.c,v 1.369 2023/12/13 03:28:19 djm Exp $ */
|
||||
/* $OpenBSD: sshconnect2.c,v 1.371 2023/12/18 14:45:49 djm Exp $ */
|
||||
/*
|
||||
* Copyright (c) 2000 Markus Friedl. All rights reserved.
|
||||
* Copyright (c) 2008 Damien Miller. All rights reserved.
|
||||
|
@ -351,7 +351,6 @@ struct cauthmethod {
|
|||
};
|
||||
|
||||
static int input_userauth_service_accept(int, u_int32_t, struct ssh *);
|
||||
static int input_userauth_ext_info(int, u_int32_t, struct ssh *);
|
||||
static int input_userauth_success(int, u_int32_t, struct ssh *);
|
||||
static int input_userauth_failure(int, u_int32_t, struct ssh *);
|
||||
static int input_userauth_banner(int, u_int32_t, struct ssh *);
|
||||
|
@ -453,10 +452,8 @@ ssh_userauth2(struct ssh *ssh, const char *local_user,
|
|||
authctxt.mech_tried = 0;
|
||||
#endif
|
||||
authctxt.agent_fd = -1;
|
||||
pubkey_prepare(ssh, &authctxt);
|
||||
if (authctxt.method == NULL) {
|
||||
if (authctxt.method == NULL)
|
||||
fatal_f("internal error: cannot send userauth none request");
|
||||
}
|
||||
|
||||
if ((r = sshpkt_start(ssh, SSH2_MSG_SERVICE_REQUEST)) != 0 ||
|
||||
(r = sshpkt_put_cstring(ssh, "ssh-userauth")) != 0 ||
|
||||
|
@ -465,7 +462,7 @@ ssh_userauth2(struct ssh *ssh, const char *local_user,
|
|||
|
||||
ssh->authctxt = &authctxt;
|
||||
ssh_dispatch_init(ssh, &input_userauth_error);
|
||||
ssh_dispatch_set(ssh, SSH2_MSG_EXT_INFO, &input_userauth_ext_info);
|
||||
ssh_dispatch_set(ssh, SSH2_MSG_EXT_INFO, kex_input_ext_info);
|
||||
ssh_dispatch_set(ssh, SSH2_MSG_SERVICE_ACCEPT, &input_userauth_service_accept);
|
||||
ssh_dispatch_run_fatal(ssh, DISPATCH_BLOCK, &authctxt.success); /* loop until success */
|
||||
pubkey_cleanup(ssh);
|
||||
|
@ -515,7 +512,9 @@ input_userauth_service_accept(int type, u_int32_t seq, struct ssh *ssh)
|
|||
/* initial userauth request */
|
||||
userauth_none(ssh);
|
||||
|
||||
ssh_dispatch_set(ssh, SSH2_MSG_EXT_INFO, &input_userauth_error);
|
||||
/* accept EXT_INFO at any time during userauth */
|
||||
ssh_dispatch_set(ssh, SSH2_MSG_EXT_INFO, ssh->kex->ext_info_s ?
|
||||
&kex_input_ext_info : &input_userauth_error);
|
||||
ssh_dispatch_set(ssh, SSH2_MSG_USERAUTH_SUCCESS, &input_userauth_success);
|
||||
ssh_dispatch_set(ssh, SSH2_MSG_USERAUTH_FAILURE, &input_userauth_failure);
|
||||
ssh_dispatch_set(ssh, SSH2_MSG_USERAUTH_BANNER, &input_userauth_banner);
|
||||
|
@ -524,12 +523,6 @@ input_userauth_service_accept(int type, u_int32_t seq, struct ssh *ssh)
|
|||
return r;
|
||||
}
|
||||
|
||||
static int
|
||||
input_userauth_ext_info(int type, u_int32_t seqnr, struct ssh *ssh)
|
||||
{
|
||||
return kex_input_ext_info(type, seqnr, ssh);
|
||||
}
|
||||
|
||||
void
|
||||
userauth(struct ssh *ssh, char *authlist)
|
||||
{
|
||||
|
@ -608,6 +601,7 @@ input_userauth_success(int type, u_int32_t seq, struct ssh *ssh)
|
|||
free(authctxt->methoddata);
|
||||
authctxt->methoddata = NULL;
|
||||
authctxt->success = 1; /* break out */
|
||||
ssh_dispatch_set(ssh, SSH2_MSG_EXT_INFO, dispatch_protocol_error);
|
||||
return 0;
|
||||
}
|
||||
|
||||
|
@ -1677,10 +1671,10 @@ pubkey_prepare(struct ssh *ssh, Authctxt *authctxt)
|
|||
struct identity *id, *id2, *tmp;
|
||||
struct idlist agent, files, *preferred;
|
||||
struct sshkey *key;
|
||||
int agent_fd = -1, i, r, found;
|
||||
int disallowed, agent_fd = -1, i, r, found;
|
||||
size_t j;
|
||||
struct ssh_identitylist *idlist;
|
||||
char *ident;
|
||||
char *cp, *ident;
|
||||
|
||||
TAILQ_INIT(&agent); /* keys from the agent */
|
||||
TAILQ_INIT(&files); /* keys from the config file */
|
||||
|
@ -1798,16 +1792,30 @@ pubkey_prepare(struct ssh *ssh, Authctxt *authctxt)
|
|||
TAILQ_CONCAT(preferred, &files, next);
|
||||
/* finally, filter by PubkeyAcceptedAlgorithms */
|
||||
TAILQ_FOREACH_SAFE(id, preferred, next, id2) {
|
||||
if (id->key != NULL && !key_type_allowed_by_config(id->key)) {
|
||||
debug("Skipping %s key %s - "
|
||||
"corresponding algo not in PubkeyAcceptedAlgorithms",
|
||||
sshkey_ssh_name(id->key), id->filename);
|
||||
TAILQ_REMOVE(preferred, id, next);
|
||||
sshkey_free(id->key);
|
||||
free(id->filename);
|
||||
memset(id, 0, sizeof(*id));
|
||||
disallowed = 0;
|
||||
cp = NULL;
|
||||
if (id->key == NULL)
|
||||
continue;
|
||||
if (!key_type_allowed_by_config(id->key)) {
|
||||
debug("Skipping %s key %s - corresponding algorithm "
|
||||
"not in PubkeyAcceptedAlgorithms",
|
||||
sshkey_ssh_name(id->key), id->filename);
|
||||
disallowed = 1;
|
||||
} else if (ssh->kex->server_sig_algs != NULL &&
|
||||
(cp = key_sig_algorithm(ssh, id->key)) == NULL) {
|
||||
debug("Skipping %s key %s - corresponding algorithm "
|
||||
"not supported by server",
|
||||
sshkey_ssh_name(id->key), id->filename);
|
||||
disallowed = 1;
|
||||
}
|
||||
free(cp);
|
||||
if (!disallowed)
|
||||
continue;
|
||||
/* remove key */
|
||||
TAILQ_REMOVE(preferred, id, next);
|
||||
sshkey_free(id->key);
|
||||
free(id->filename);
|
||||
memset(id, 0, sizeof(*id));
|
||||
}
|
||||
/* List the keys we plan on using */
|
||||
TAILQ_FOREACH_SAFE(id, preferred, next, id2) {
|
||||
|
@ -1853,6 +1861,12 @@ userauth_pubkey(struct ssh *ssh)
|
|||
Identity *id;
|
||||
int sent = 0;
|
||||
char *ident;
|
||||
static int prepared;
|
||||
|
||||
if (!prepared) {
|
||||
pubkey_prepare(ssh, authctxt);
|
||||
prepared = 1;
|
||||
}
|
||||
|
||||
while ((id = TAILQ_FIRST(&authctxt->keys))) {
|
||||
if (id->tried++)
|
||||
|
|