static int
monitor_valid_userblob(u_char *data, u_int datalen)
{
Buffer b;
u_char *p;
char *userstyle, *cp;
u_int len;
int fail = 0;
buffer_init(&b);
buffer_append(&b, data, datalen);
if (datafellows & SSH_OLD_SESSIONID) {
p = buffer_ptr(&b);
len = buffer_len(&b);
if ((session_id2 == NULL) ||
(len < session_id2_len) ||
(timingsafe_bcmp(p, session_id2, session_id2_len) != 0))
fail++;
buffer_consume(&b, session_id2_len);
} else {
p = buffer_get_string(&b, &len);
if ((session_id2 == NULL) ||
(len != session_id2_len) ||
(timingsafe_bcmp(p, session_id2, session_id2_len) != 0))
fail++;
free(p);
}
if (buffer_get_char(&b) != SSH2_MSG_USERAUTH_REQUEST)
fail++;
cp = buffer_get_cstring(&b, NULL);
xasprintf(&userstyle, "%s%s%s", authctxt->user,
authctxt->style ? ":" : "",
authctxt->style ? authctxt->style : "");
if (strcmp(userstyle, cp) != 0) {
logit("wrong user name passed to monitor: "
"expected %s != %.100s", userstyle, cp);
fail++;
}
free(userstyle);
free(cp);
buffer_skip_string(&b);
if (datafellows & SSH_BUG_PKAUTH) {
if (!buffer_get_char(&b))
fail++;
} else {
cp = buffer_get_cstring(&b, NULL);
if (strcmp("publickey", cp) != 0)
fail++;
free(cp);
if (!buffer_get_char(&b))
fail++;
buffer_skip_string(&b);
}
buffer_skip_string(&b);
if (buffer_len(&b) != 0)
fail++;
buffer_free(&b);
return (fail == 0);
}
static int
monitor_valid_hostbasedblob(u_char *data, u_int datalen, char *cuser,
char *chost)
{
Buffer b;
char *p, *userstyle;
u_int len;
int fail = 0;
buffer_init(&b);
buffer_append(&b, data, datalen);
p = buffer_get_string(&b, &len);
if ((session_id2 == NULL) ||
(len != session_id2_len) ||
(timingsafe_bcmp(p, session_id2, session_id2_len) != 0))
fail++;
free(p);
if (buffer_get_char(&b) != SSH2_MSG_USERAUTH_REQUEST)
fail++;
p = buffer_get_cstring(&b, NULL);
xasprintf(&userstyle, "%s%s%s", authctxt->user,
authctxt->style ? ":" : "",
authctxt->style ? authctxt->style : "");
if (strcmp(userstyle, p) != 0) {
logit("wrong user name passed to monitor: expected %s != %.100s",
userstyle, p);
fail++;
}
free(userstyle);
free(p);
buffer_skip_string(&b); /* service */
p = buffer_get_cstring(&b, NULL);
if (strcmp(p, "hostbased") != 0)
fail++;
free(p);
buffer_skip_string(&b); /* pkalg */
buffer_skip_string(&b); /* pkblob */
/* verify client host, strip trailing dot if necessary */
p = buffer_get_string(&b, NULL);
if (((len = strlen(p)) > 0) && p[len - 1] == '.')
p[len - 1] = '\0';
if (strcmp(p, chost) != 0)
fail++;
free(p);
/* verify client user */
p = buffer_get_string(&b, NULL);
if (strcmp(p, cuser) != 0)
fail++;
free(p);
if (buffer_len(&b) != 0)
fail++;
buffer_free(&b);
return (fail == 0);
}
static int
monitor_valid_userblob(u_char *data, u_int datalen)
{
Buffer b;
char *p;
u_int len;
int fail = 0;
buffer_init(&b);
buffer_append(&b, data, datalen);
if (datafellows & SSH_OLD_SESSIONID) {
p = buffer_ptr(&b);
len = buffer_len(&b);
if ((session_id2 == NULL) ||
(len < session_id2_len) ||
(memcmp(p, session_id2, session_id2_len) != 0))
fail++;
buffer_consume(&b, session_id2_len);
} else {
p = buffer_get_string(&b, &len);
if ((session_id2 == NULL) ||
(len != session_id2_len) ||
(memcmp(p, session_id2, session_id2_len) != 0))
fail++;
xfree(p);
}
if (buffer_get_char(&b) != SSH2_MSG_USERAUTH_REQUEST)
fail++;
p = buffer_get_string(&b, NULL);
if (strcmp(authctxt->user, p) != 0) {
logit("wrong user name passed to monitor: expected %s != %.100s",
authctxt->user, p);
fail++;
}
xfree(p);
buffer_skip_string(&b);
if (datafellows & SSH_BUG_PKAUTH) {
if (!buffer_get_char(&b))
fail++;
} else {
p = buffer_get_string(&b, NULL);
if (strcmp("publickey", p) != 0)
fail++;
xfree(p);
if (!buffer_get_char(&b))
fail++;
buffer_skip_string(&b);
}
buffer_skip_string(&b);
if (buffer_len(&b) != 0)
fail++;
buffer_free(&b);
return (fail == 0);
}
static int
valid_request(struct passwd *pw, char *host, Key **ret, u_char *data,
u_int datalen)
{
Buffer b;
Key *key = NULL;
u_char *pkblob;
u_int blen, len;
char *pkalg, *p;
int pktype, fail;
fail = 0;
buffer_init(&b);
buffer_append(&b, data, datalen);
/* session id, currently limited to SHA1 (20 bytes) or SHA256 (32) */
p = buffer_get_string(&b, &len);
if (len != 20 && len != 32)
fail++;
xfree(p);
if (buffer_get_char(&b) != SSH2_MSG_USERAUTH_REQUEST)
fail++;
/* server user */
buffer_skip_string(&b);
/* service */
p = buffer_get_string(&b, NULL);
if (strcmp("ssh-connection", p) != 0)
fail++;
xfree(p);
/* method */
p = buffer_get_string(&b, NULL);
if (strcmp("hostbased", p) != 0)
fail++;
xfree(p);
/* pubkey */
pkalg = buffer_get_string(&b, NULL);
pkblob = buffer_get_string(&b, &blen);
pktype = key_type_from_name(pkalg);
if (pktype == KEY_UNSPEC)
fail++;
else if ((key = key_from_blob(pkblob, blen)) == NULL)
fail++;
else if (key->type != pktype)
fail++;
xfree(pkalg);
xfree(pkblob);
/* client host name, handle trailing dot */
p = buffer_get_string(&b, &len);
debug2("valid_request: check expect chost %s got %s", host, p);
if (strlen(host) != len - 1)
fail++;
else if (p[len - 1] != '.')
fail++;
else if (strncasecmp(host, p, len - 1) != 0)
fail++;
xfree(p);
/* local user */
p = buffer_get_string(&b, NULL);
if (strcmp(pw->pw_name, p) != 0)
fail++;
xfree(p);
/* end of message */
if (buffer_len(&b) != 0)
fail++;
buffer_free(&b);
debug3("valid_request: fail %d", fail);
if (fail && key != NULL)
key_free(key);
else
*ret = key;
return (fail ? -1 : 0);
}
