diff options
author | djm@openbsd.org <djm@openbsd.org> | 2016-03-07 19:02:43 +0000 |
---|---|---|
committer | Damien Miller <djm@mindrot.org> | 2016-03-08 06:20:35 +1100 |
commit | 95767262caa6692eff1e1565be1f5cb297949a89 (patch) | |
tree | 1055360a328d0998dabb966f2e1002389f8c6c41 | |
parent | af0bb38ffd1f2c4f9f43b0029be2efe922815255 (diff) |
upstream commit
refactor canohost.c: move functions that cache results closer
to the places that use them (authn and session code). After this, no state is
cached in canohost.c
feedback and ok markus@
Upstream-ID: 5f2e4df88d4803fc8ec59ec53629105e23ce625e
-rw-r--r-- | auth-options.c | 13 | ||||
-rw-r--r-- | auth-rh-rsa.c | 11 | ||||
-rw-r--r-- | auth-rhosts.c | 12 | ||||
-rw-r--r-- | auth.c | 145 | ||||
-rw-r--r-- | auth.h | 4 | ||||
-rw-r--r-- | auth2-hostbased.c | 7 | ||||
-rw-r--r-- | canohost.c | 262 | ||||
-rw-r--r-- | canohost.h | 13 | ||||
-rw-r--r-- | channels.c | 6 | ||||
-rw-r--r-- | monitor.c | 5 | ||||
-rw-r--r-- | monitor_wrap.c | 12 | ||||
-rw-r--r-- | monitor_wrap.h | 10 | ||||
-rw-r--r-- | opacket.h | 4 | ||||
-rw-r--r-- | packet.c | 37 | ||||
-rw-r--r-- | packet.h | 8 | ||||
-rw-r--r-- | servconf.c | 11 | ||||
-rw-r--r-- | serverloop.c | 12 | ||||
-rw-r--r-- | session.c | 42 | ||||
-rw-r--r-- | session.h | 4 | ||||
-rw-r--r-- | ssh.c | 7 | ||||
-rw-r--r-- | sshd.c | 120 |
21 files changed, 372 insertions, 373 deletions
diff --git a/auth-options.c b/auth-options.c index edbaf80b..b399b91e 100644 --- a/auth-options.c +++ b/auth-options.c @@ -1,4 +1,4 @@ -/* $OpenBSD: auth-options.c,v 1.70 2015/12/10 17:08:40 mmcc Exp $ */ +/* $OpenBSD: auth-options.c,v 1.71 2016/03/07 19:02:43 djm Exp $ */ /* * Author: Tatu Ylonen <ylo@cs.hut.fi> * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland @@ -29,6 +29,7 @@ #include "ssherr.h" #include "log.h" #include "canohost.h" +#include "packet.h" #include "sshbuf.h" #include "misc.h" #include "channels.h" @@ -120,6 +121,7 @@ match_flag(const char *opt, int allow_negate, char **optsp, const char *msg) int auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum) { + struct ssh *ssh = active_state; /* XXX */ const char *cp; int i, r; @@ -273,9 +275,9 @@ auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum) } cp = "from=\""; if (strncasecmp(opts, cp, strlen(cp)) == 0) { - const char *remote_ip = get_remote_ipaddr(); - const char *remote_host = get_canonical_hostname( - options.use_dns); + const char *remote_ip = ssh_remote_ipaddr(ssh); + const char *remote_host = auth_get_canonical_hostname( + ssh, options.use_dns); char *patterns = xmalloc(strlen(opts) + 1); opts += strlen(cp); @@ -457,6 +459,7 @@ parse_option_list(struct sshbuf *oblob, struct passwd *pw, char **cert_forced_command, int *cert_source_address_done) { + struct ssh *ssh = active_state; /* XXX */ char *command, *allowed; const char *remote_ip; char *name = NULL; @@ -530,7 +533,7 @@ parse_option_list(struct sshbuf *oblob, struct passwd *pw, free(allowed); goto out; } - remote_ip = get_remote_ipaddr(); + remote_ip = ssh_remote_ipaddr(ssh); result = addr_match_cidr_list(remote_ip, allowed); free(allowed); diff --git a/auth-rh-rsa.c b/auth-rh-rsa.c index 2e20396e..057335ba 100644 --- a/auth-rh-rsa.c +++ b/auth-rh-rsa.c @@ -1,4 +1,4 @@ -/* $OpenBSD: auth-rh-rsa.c,v 1.44 2014/07/15 15:54:14 millert Exp $ */ +/* $OpenBSD: auth-rh-rsa.c,v 1.45 2016/03/07 19:02:43 djm Exp $ */ /* * Author: Tatu Ylonen <ylo@cs.hut.fi> * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland @@ -42,8 +42,8 @@ extern ServerOptions options; int -auth_rhosts_rsa_key_allowed(struct passwd *pw, char *cuser, char *chost, - Key *client_host_key) +auth_rhosts_rsa_key_allowed(struct passwd *pw, const char *cuser, + const char *chost, Key *client_host_key) { HostStatus host_status; @@ -68,7 +68,8 @@ auth_rhosts_rsa_key_allowed(struct passwd *pw, char *cuser, char *chost, int auth_rhosts_rsa(Authctxt *authctxt, char *cuser, Key *client_host_key) { - char *chost; + struct ssh *ssh = active_state; /* XXX */ + const char *chost; struct passwd *pw = authctxt->pw; debug("Trying rhosts with RSA host authentication for client user %.100s", @@ -78,7 +79,7 @@ auth_rhosts_rsa(Authctxt *authctxt, char *cuser, Key *client_host_key) client_host_key->rsa == NULL) return 0; - chost = (char *)get_canonical_hostname(options.use_dns); + chost = auth_get_canonical_hostname(ssh, options.use_dns); debug("Rhosts RSA authentication: canonical host %.900s", chost); if (!PRIVSEP(auth_rhosts_rsa_key_allowed(pw, cuser, chost, client_host_key))) { diff --git a/auth-rhosts.c b/auth-rhosts.c index ee9e827a..0ef34471 100644 --- a/auth-rhosts.c +++ b/auth-rhosts.c @@ -1,4 +1,4 @@ -/* $OpenBSD: auth-rhosts.c,v 1.46 2014/12/23 22:42:48 djm Exp $ */ +/* $OpenBSD: auth-rhosts.c,v 1.47 2016/03/07 19:02:43 djm Exp $ */ /* * Author: Tatu Ylonen <ylo@cs.hut.fi> * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland @@ -30,14 +30,15 @@ #include <unistd.h> #include "packet.h" -#include "buffer.h" #include "uidswap.h" #include "pathnames.h" #include "log.h" #include "misc.h" +#include "buffer.h" /* XXX */ +#include "key.h" /* XXX */ #include "servconf.h" #include "canohost.h" -#include "key.h" +#include "sshkey.h" #include "hostfile.h" #include "auth.h" @@ -189,10 +190,11 @@ check_rhosts_file(const char *filename, const char *hostname, int auth_rhosts(struct passwd *pw, const char *client_user) { + struct ssh *ssh = active_state; /* XXX */ const char *hostname, *ipaddr; - hostname = get_canonical_hostname(options.use_dns); - ipaddr = get_remote_ipaddr(); + hostname = auth_get_canonical_hostname(ssh, options.use_dns); + ipaddr = ssh_remote_ipaddr(ssh); return auth_rhosts2(pw, client_user, hostname, ipaddr); } @@ -1,4 +1,4 @@ -/* $OpenBSD: auth.c,v 1.113 2015/08/21 03:42:19 djm Exp $ */ +/* $OpenBSD: auth.c,v 1.114 2016/03/07 19:02:43 djm Exp $ */ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. * @@ -27,6 +27,7 @@ #include <sys/types.h> #include <sys/stat.h> +#include <sys/socket.h> #include <netinet/in.h> @@ -50,6 +51,7 @@ #include <string.h> #include <unistd.h> #include <limits.h> +#include <netdb.h> #include "xmalloc.h" #include "match.h" @@ -97,6 +99,7 @@ int auth_debug_init; int allowed_user(struct passwd * pw) { + struct ssh *ssh = active_state; /* XXX */ struct stat st; const char *hostname = NULL, *ipaddr = NULL, *passwd = NULL; u_int i; @@ -182,8 +185,8 @@ allowed_user(struct passwd * pw) if (options.num_deny_users > 0 || options.num_allow_users > 0 || options.num_deny_groups > 0 || options.num_allow_groups > 0) { - hostname = get_canonical_hostname(options.use_dns); - ipaddr = get_remote_ipaddr(); + hostname = auth_get_canonical_hostname(ssh, options.use_dns); + ipaddr = ssh_remote_ipaddr(ssh); } /* Return false if user is listed in DenyUsers */ @@ -274,6 +277,7 @@ void auth_log(Authctxt *authctxt, int authenticated, int partial, const char *method, const char *submethod) { + struct ssh *ssh = active_state; /* XXX */ void (*authlog) (const char *fmt,...) = verbose; char *authmsg; @@ -300,8 +304,8 @@ auth_log(Authctxt *authctxt, int authenticated, int partial, submethod != NULL ? "/" : "", submethod == NULL ? "" : submethod, authctxt->valid ? "" : "invalid user ", authctxt->user, - get_remote_ipaddr(), - get_remote_port(), + ssh_remote_ipaddr(ssh), + ssh_remote_port(ssh), compat20 ? "ssh2" : "ssh1", authctxt->info != NULL ? ": " : "", authctxt->info != NULL ? authctxt->info : ""); @@ -331,12 +335,14 @@ auth_log(Authctxt *authctxt, int authenticated, int partial, void auth_maxtries_exceeded(Authctxt *authctxt) { + struct ssh *ssh = active_state; /* XXX */ + error("maximum authentication attempts exceeded for " "%s%.100s from %.200s port %d %s", authctxt->valid ? "" : "invalid user ", authctxt->user, - get_remote_ipaddr(), - get_remote_port(), + ssh_remote_ipaddr(ssh), + ssh_remote_port(ssh), compat20 ? "ssh2" : "ssh1"); packet_disconnect("Too many authentication failures"); /* NOTREACHED */ @@ -348,6 +354,8 @@ auth_maxtries_exceeded(Authctxt *authctxt) int auth_root_allowed(const char *method) { + struct ssh *ssh = active_state; /* XXX */ + switch (options.permit_root_login) { case PERMIT_YES: return 1; @@ -364,7 +372,8 @@ auth_root_allowed(const char *method) } break; } - logit("ROOT LOGIN REFUSED FROM %.200s", get_remote_ipaddr()); + logit("ROOT LOGIN REFUSED FROM %.200s port %d", + ssh_remote_ipaddr(ssh), ssh_remote_port(ssh)); return 0; } @@ -604,6 +613,7 @@ auth_openprincipals(const char *file, struct passwd *pw, int strict_modes) struct passwd * getpwnamallow(const char *user) { + struct ssh *ssh = active_state; /* XXX */ #ifdef HAVE_LOGIN_CAP extern login_cap_t *lc; #ifdef BSD_AUTH @@ -639,8 +649,8 @@ getpwnamallow(const char *user) } #endif if (pw == NULL) { - logit("Invalid user %.100s from %.100s", - user, get_remote_ipaddr()); + logit("Invalid user %.100s from %.100s port %d", + user, ssh_remote_ipaddr(ssh), ssh_remote_port(ssh)); #ifdef CUSTOM_FAILED_LOGIN record_failed_login(user, get_canonical_hostname(options.use_dns), "ssh"); @@ -773,3 +783,118 @@ fakepw(void) return (&fake); } + +/* + * Returns the remote DNS hostname as a string. The returned string must not + * be freed. NB. this will usually trigger a DNS query the first time it is + * called. + * This function does additional checks on the hostname to mitigate some + * attacks on legacy rhosts-style authentication. + * XXX is RhostsRSAAuthentication vulnerable to these? + * XXX Can we remove these checks? (or if not, remove RhostsRSAAuthentication?) + */ + +static char * +remote_hostname(struct ssh *ssh) +{ + struct sockaddr_storage from; + socklen_t fromlen; + struct addrinfo hints, *ai, *aitop; + char name[NI_MAXHOST], ntop2[NI_MAXHOST]; + const char *ntop = ssh_remote_ipaddr(ssh); + + /* Get IP address of client. */ + fromlen = sizeof(from); + memset(&from, 0, sizeof(from)); + if (getpeername(ssh_packet_get_connection_in(ssh), + (struct sockaddr *)&from, &fromlen) < 0) { + debug("getpeername failed: %.100s", strerror(errno)); + return strdup(ntop); + } + + ipv64_normalise_mapped(&from, &fromlen); + if (from.ss_family == AF_INET6) + fromlen = sizeof(struct sockaddr_in6); + + debug3("Trying to reverse map address %.100s.", ntop); + /* Map the IP address to a host name. */ + if (getnameinfo((struct sockaddr *)&from, fromlen, name, sizeof(name), + NULL, 0, NI_NAMEREQD) != 0) { + /* Host name not found. Use ip address. */ + return strdup(ntop); + } + + /* + * if reverse lookup result looks like a numeric hostname, + * someone is trying to trick us by PTR record like following: + * 1.1.1.10.in-addr.arpa. IN PTR 2.3.4.5 + */ + memset(&hints, 0, sizeof(hints)); + hints.ai_socktype = SOCK_DGRAM; /*dummy*/ + hints.ai_flags = AI_NUMERICHOST; + if (getaddrinfo(name, NULL, &hints, &ai) == 0) { + logit("Nasty PTR record \"%s\" is set up for %s, ignoring", + name, ntop); + freeaddrinfo(ai); + return strdup(ntop); + } + + /* Names are stored in lowercase. */ + lowercase(name); + + /* + * Map it back to an IP address and check that the given + * address actually is an address of this host. This is + * necessary because anyone with access to a name server can + * define arbitrary names for an IP address. Mapping from + * name to IP address can be trusted better (but can still be + * fooled if the intruder has access to the name server of + * the domain). + */ + memset(&hints, 0, sizeof(hints)); + hints.ai_family = from.ss_family; + hints.ai_socktype = SOCK_STREAM; + if (getaddrinfo(name, NULL, &hints, &aitop) != 0) { + logit("reverse mapping checking getaddrinfo for %.700s " + "[%s] failed - POSSIBLE BREAK-IN ATTEMPT!", name, ntop); + return strdup(ntop); + } + /* Look for the address from the list of addresses. */ + for (ai = aitop; ai; ai = ai->ai_next) { + if (getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop2, + sizeof(ntop2), NULL, 0, NI_NUMERICHOST) == 0 && + (strcmp(ntop, ntop2) == 0)) + break; + } + freeaddrinfo(aitop); + /* If we reached the end of the list, the address was not there. */ + if (ai == NULL) { + /* Address not found for the host name. */ + logit("Address %.100s maps to %.600s, but this does not " + "map back to the address - POSSIBLE BREAK-IN ATTEMPT!", + ntop, name); + return strdup(ntop); + } + return strdup(name); +} + +/* + * Return the canonical name of the host in the other side of the current + * connection. The host name is cached, so it is efficient to call this + * several times. + */ + +const char * +auth_get_canonical_hostname(struct ssh *ssh, int use_dns) +{ + static char *dnsname; + + if (!use_dns) + return ssh_remote_ipaddr(ssh); + else if (dnsname != NULL) + return dnsname; + else { + dnsname = remote_hostname(ssh); + return dnsname; + } +} @@ -1,4 +1,4 @@ -/* $OpenBSD: auth.h,v 1.86 2015/12/04 16:41:28 markus Exp $ */ +/* $OpenBSD: auth.h,v 1.87 2016/03/07 19:02:43 djm Exp $ */ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. @@ -197,6 +197,8 @@ FILE *auth_openkeyfile(const char *, struct passwd *, int); FILE *auth_openprincipals(const char *, struct passwd *, int); int auth_key_is_revoked(Key *); +const char *auth_get_canonical_hostname(struct ssh *, int); + HostStatus check_key_in_hostfiles(struct passwd *, Key *, const char *, const char *, const char *); diff --git a/auth2-hostbased.c b/auth2-hostbased.c index e2327cf7..1b3c3b20 100644 --- a/auth2-hostbased.c +++ b/auth2-hostbased.c @@ -1,4 +1,4 @@ -/* $OpenBSD: auth2-hostbased.c,v 1.25 2015/05/04 06:10:48 djm Exp $ */ +/* $OpenBSD: auth2-hostbased.c,v 1.26 2016/03/07 19:02:43 djm Exp $ */ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. * @@ -160,6 +160,7 @@ int hostbased_key_allowed(struct passwd *pw, const char *cuser, char *chost, Key *key) { + struct ssh *ssh = active_state; /* XXX */ const char *resolvedname, *ipaddr, *lookup, *reason; HostStatus host_status; int len; @@ -168,8 +169,8 @@ hostbased_key_allowed(struct passwd *pw, const char *cuser, char *chost, if (auth_key_is_revoked(key)) return 0; - resolvedname = get_canonical_hostname(options.use_dns); - ipaddr = get_remote_ipaddr(); + resolvedname = auth_get_canonical_hostname(ssh, options.use_dns); + ipaddr = ssh_remote_ipaddr(ssh); debug2("%s: chost %s resolvedname %s ipaddr %s", __func__, chost, resolvedname, ipaddr); @@ -1,4 +1,4 @@ -/* $OpenBSD: canohost.c,v 1.72 2015/03/01 15:44:40 millert Exp $ */ +/* $OpenBSD: canohost.c,v 1.73 2016/03/07 19:02:43 djm Exp $ */ /* * Author: Tatu Ylonen <ylo@cs.hut.fi> * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland @@ -35,147 +35,6 @@ #include "canohost.h" #include "misc.h" -static void check_ip_options(int, char *); -static char *canonical_host_ip = NULL; -static int cached_port = -1; - -/* - * Return the canonical name of the host at the other end of the socket. The - * caller should free the returned string. - */ - -static char * -get_remote_hostname(int sock, int use_dns) -{ - struct sockaddr_storage from; - socklen_t fromlen; - struct addrinfo hints, *ai, *aitop; - char name[NI_MAXHOST], ntop[NI_MAXHOST], ntop2[NI_MAXHOST]; - - /* Get IP address of client. */ - fromlen = sizeof(from); - memset(&from, 0, sizeof(from)); - if (getpeername(sock, (struct sockaddr *)&from, &fromlen) < 0) { - debug("getpeername failed: %.100s", strerror(errno)); - cleanup_exit(255); - } - - if (from.ss_family == AF_INET) - check_ip_options(sock, ntop); - - ipv64_normalise_mapped(&from, &fromlen); - - if (from.ss_family == AF_INET6) - fromlen = sizeof(struct sockaddr_in6); - - if (getnameinfo((struct sockaddr *)&from, fromlen, ntop, sizeof(ntop), - NULL, 0, NI_NUMERICHOST) != 0) - fatal("get_remote_hostname: getnameinfo NI_NUMERICHOST failed"); - - if (!use_dns) - return xstrdup(ntop); - - debug3("Trying to reverse map address %.100s.", ntop); - /* Map the IP address to a host name. */ - if (getnameinfo((struct sockaddr *)&from, fromlen, name, sizeof(name), - NULL, 0, NI_NAMEREQD) != 0) { - /* Host name not found. Use ip address. */ - return xstrdup(ntop); - } - - /* - * if reverse lookup result looks like a numeric hostname, - * someone is trying to trick us by PTR record like following: - * 1.1.1.10.in-addr.arpa. IN PTR 2.3.4.5 - */ - memset(&hints, 0, sizeof(hints)); - hints.ai_socktype = SOCK_DGRAM; /*dummy*/ - hints.ai_flags = AI_NUMERICHOST; - if (getaddrinfo(name, NULL, &hints, &ai) == 0) { - logit("Nasty PTR record \"%s\" is set up for %s, ignoring", - name, ntop); - freeaddrinfo(ai); - return xstrdup(ntop); - } - - /* Names are stores in lowercase. */ - lowercase(name); - - /* - * Map it back to an IP address and check that the given - * address actually is an address of this host. This is - * necessary because anyone with access to a name server can - * define arbitrary names for an IP address. Mapping from - * name to IP address can be trusted better (but can still be - * fooled if the intruder has access to the name server of - * the domain). - */ - memset(&hints, 0, sizeof(hints)); - hints.ai_family = from.ss_family; - hints.ai_socktype = SOCK_STREAM; - if (getaddrinfo(name, NULL, &hints, &aitop) != 0) { - logit("reverse mapping checking getaddrinfo for %.700s " - "[%s] failed - POSSIBLE BREAK-IN ATTEMPT!", name, ntop); - return xstrdup(ntop); - } - /* Look for the address from the list of addresses. */ - for (ai = aitop; ai; ai = ai->ai_next) { - if (getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop2, - sizeof(ntop2), NULL, 0, NI_NUMERICHOST) == 0 && - (strcmp(ntop, ntop2) == 0)) - break; - } - freeaddrinfo(aitop); - /* If we reached the end of the list, the address was not there. */ - if (!ai) { - /* Address not found for the host name. */ - logit("Address %.100s maps to %.600s, but this does not " - "map back to the address - POSSIBLE BREAK-IN ATTEMPT!", - ntop, name); - return xstrdup(ntop); - } - return xstrdup(name); -} - -/* - * If IP options are supported, make sure there are none (log and - * disconnect them if any are found). Basically we are worried about - * source routing; it can be used to pretend you are somebody - * (ip-address) you are not. That itself may be "almost acceptable" - * under certain circumstances, but rhosts autentication is useless - * if source routing is accepted. Notice also that if we just dropped - * source routing here, the other side could use IP spoofing to do - * rest of the interaction and could still bypass security. So we - * exit here if we detect any IP options. - */ -/* IPv4 only */ -static void -check_ip_options(int sock, char *ipaddr) -{ -#ifdef IP_OPTIONS - u_char options[200]; - char text[sizeof(options) * 3 + 1]; - socklen_t option_size, i; - int ipproto; - struct protoent *ip; - - if ((ip = getprotobyname("ip")) != NULL) - ipproto = ip->p_proto; - else - ipproto = IPPROTO_IP; - option_size = sizeof(options); - if (getsockopt(sock, ipproto, IP_OPTIONS, options, - &option_size) >= 0 && option_size != 0) { - text[0] = '\0'; - for (i = 0; i < option_size; i++) - snprintf(text + i*3, sizeof(text) - i*3, - " %2.2x", options[i]); - fatal("Connection from %.100s with IP options:%.800s", - ipaddr, text); - } -#endif /* IP_OPTIONS */ -} - void ipv64_normalise_mapped(struct sockaddr_storage *addr, socklen_t *len) { @@ -202,38 +61,6 @@ ipv64_normalise_mapped(struct sockaddr_storage *addr, socklen_t *len) } /* - * Return the canonical name of the host in the other side of the current - * connection. The host name is cached, so it is efficient to call this - * several times. - */ - -const char * -get_canonical_hostname(int use_dns) -{ - char *host; - static char *canonical_host_name = NULL; - static char *remote_ip = NULL; - - /* Check if we have previously retrieved name with same option. */ - if (use_dns && canonical_host_name != NULL) - return canonical_host_name; - if (!use_dns && remote_ip != NULL) - return remote_ip; - - /* Get the real hostname if socket; otherwise return UNKNOWN. */ - if (packet_connection_is_on_socket()) - host = get_remote_hostname(packet_get_connection_in(), use_dns); - else - host = "UNKNOWN"; - - if (use_dns) - canonical_host_name = host; - else - remote_ip = host; - return host; -} - -/* * Returns the local/remote IP-address/hostname of socket as a string. * The returned string must be freed. */ @@ -250,12 +77,10 @@ get_socket_address(int sock, int remote, int flags) memset(&addr, 0, sizeof(addr)); if (remote) { - if (getpeername(sock, (struct sockaddr *)&addr, &addrlen) - < 0) + if (getpeername(sock, (struct sockaddr *)&addr, &addrlen) != 0) return NULL; } else { - if (getsockname(sock, (struct sockaddr *)&addr, &addrlen) - < 0) + if (getsockname(sock, (struct sockaddr *)&addr, &addrlen) != 0) return NULL; } @@ -271,7 +96,7 @@ get_socket_address(int sock, int remote, int flags) /* Get the address in ascii. */ if ((r = getnameinfo((struct sockaddr *)&addr, addrlen, ntop, sizeof(ntop), NULL, 0, flags)) != 0) { - error("get_socket_address: getnameinfo %d failed: %s", + error("%s: getnameinfo %d failed: %s", __func__, flags, ssh_gai_strerror(r)); return NULL; } @@ -316,7 +141,8 @@ get_local_name(int fd) /* Handle the case where we were passed a pipe */ if (gethostname(myname, sizeof(myname)) == -1) { - verbose("get_local_name: gethostname: %s", strerror(errno)); + verbose("%s: gethostname: %s", __func__, strerror(errno)); + host = xstrdup("UNKNOWN"); } else { host = xstrdup(myname); } @@ -324,51 +150,9 @@ get_local_name(int fd) return host; } -void -clear_cached_addr(void) -{ - free(canonical_host_ip); - canonical_host_ip = NULL; - cached_port = -1; -} - -/* - * Returns the IP-address of the remote host as a string. The returned - * string must not be freed. - */ - -const char * -get_remote_ipaddr(void) -{ - /* Check whether we have cached the ipaddr. */ - if (canonical_host_ip == NULL) { - if (packet_connection_is_on_socket()) { - canonical_host_ip = - get_peer_ipaddr(packet_get_connection_in()); - if (canonical_host_ip == NULL) - cleanup_exit(255); - } else { - /* If not on socket, return UNKNOWN. */ - canonical_host_ip = xstrdup("UNKNOWN"); - } - } - return canonical_host_ip; -} - -const char * -get_remote_name_or_ip(u_int utmp_len, int use_dns) -{ - static const char *remote = ""; - if (utmp_len > 0) - remote = get_canonical_hostname(use_dns); - if (utmp_len == 0 || strlen(remote) > utmp_len) - remote = get_remote_ipaddr(); - return remote; -} - /* Returns the local/remote port for the socket. */ -int +static int get_sock_port(int sock, int local) { struct sockaddr_storage from; @@ -402,27 +186,11 @@ get_sock_port(int sock, int local) /* Return port number. */ if ((r = getnameinfo((struct sockaddr *)&from, fromlen, NULL, 0, strport, sizeof(strport), NI_NUMERICSERV)) != 0) - fatal("get_sock_port: getnameinfo NI_NUMERICSERV failed: %s", + fatal("%s: getnameinfo NI_NUMERICSERV failed: %s", __func__, ssh_gai_strerror(r)); return atoi(strport); } -/* Returns remote/local port number for the current connection. */ - -static int -get_port(int local) -{ - /* - * If the connection is not a socket, return 65535. This is - * intentionally chosen to be an unprivileged port number. - */ - if (!packet_connection_is_on_socket()) - return 65535; - - /* Get socket and return the port number. */ - return get_sock_port(packet_get_connection_in(), local); -} - int get_peer_port(int sock) { @@ -430,17 +198,7 @@ get_peer_port(int sock) } int -get_remote_port(void) -{ - /* Cache to avoid getpeername() on a dead connection */ - if (cached_port == -1) - cached_port = get_port(0); - - return cached_port; -} - -int -get_local_port(void) +get_local_port(int sock) { - return get_port(1); + return get_sock_port(sock, 1); } @@ -1,4 +1,4 @@ -/* $OpenBSD: canohost.h,v 1.11 2009/05/27 06:31:25 andreas Exp $ */ +/* $OpenBSD: canohost.h,v 1.12 2016/03/07 19:02:43 djm Exp $ */ /* * Author: Tatu Ylonen <ylo@cs.hut.fi> @@ -12,18 +12,15 @@ * called by a name other than "ssh" or "Secure Shell". */ -const char *get_canonical_hostname(int); -const char *get_remote_ipaddr(void); -const char *get_remote_name_or_ip(u_int, int); +#ifndef _CANOHOST_H +#define _CANOHOST_H char *get_peer_ipaddr(int); int get_peer_port(int); char *get_local_ipaddr(int); char *get_local_name(int); +int get_local_port(int); -int get_remote_port(void); -int get_local_port(void); -int get_sock_port(int, int); -void clear_cached_addr(void); +#endif /* _CANOHOST_H */ void ipv64_normalise_mapped(struct sockaddr_storage *, socklen_t *); @@ -1,4 +1,4 @@ -/* $OpenBSD: channels.c,v 1.349 2016/02/05 13:28:19 naddy Exp $ */ +/* $OpenBSD: channels.c,v 1.350 2016/03/07 19:02:43 djm Exp $ */ /* * Author: Tatu Ylonen <ylo@cs.hut.fi> * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland @@ -1416,7 +1416,7 @@ port_open_helper(Channel *c, char *rtype) { char buf[1024]; char *local_ipaddr = get_local_ipaddr(c->sock); - int local_port = c->sock == -1 ? 65536 : get_sock_port(c->sock, 1); + int local_port = c->sock == -1 ? 65536 : get_local_port(c->sock); char *remote_ipaddr = get_peer_ipaddr(c->sock); int remote_port = get_peer_port(c->sock); @@ -2935,7 +2935,7 @@ channel_setup_fwd_listener_tcpip(int type, struct Forward *fwd, if (type == SSH_CHANNEL_RPORT_LISTENER && fwd->listen_port == 0 && allocated_listen_port != NULL && *allocated_listen_port == 0) { - *allocated_listen_port = get_sock_port(sock, 1); + *allocated_listen_port = get_local_port(sock); debug("Allocated listen port %d", *allocated_listen_port); } @@ -1,4 +1,4 @@ -/* $OpenBSD: monitor.c,v 1.157 2016/02/15 23:32:37 djm Exp $ */ +/* $OpenBSD: monitor.c,v 1.158 2016/03/07 19:02:43 djm Exp $ */ /* * Copyright 2002 Niels Provos <provos@citi.umich.edu> * Copyright 2002 Markus Friedl <markus@openbsd.org> @@ -1469,6 +1469,7 @@ mm_answer_keyverify(int sock, Buffer *m) static void mm_record_login(Session *s, struct passwd *pw) { + struct ssh *ssh = active_state; /* XXX */ socklen_t fromlen; struct sockaddr_storage from; @@ -1490,7 +1491,7 @@ mm_record_login(Session *s, struct passwd *pw) } /* Record that there was a login on that tty from the remote host. */ record_login(s->pid, s->tty, pw->pw_name, pw->pw_uid, - get_remote_name_or_ip(utmp_len, options.use_dns), + session_get_remote_name_or_ip(ssh, utmp_len, options.use_dns), (struct sockaddr *)&from, fromlen); } diff --git a/monitor_wrap.c b/monitor_wrap.c index c5db6df4..55200490 100644 --- a/monitor_wrap.c +++ b/monitor_wrap.c @@ -1,4 +1,4 @@ -/* $OpenBSD: monitor_wrap.c,v 1.87 2016/01/14 16:17:40 markus Exp $ */ +/* $OpenBSD: monitor_wrap.c,v 1.88 2016/03/07 19:02:43 djm Exp $ */ /* * Copyright 2002 Niels Provos <provos@citi.umich.edu> * Copyright 2002 Markus Friedl <markus@openbsd.org> @@ -378,15 +378,15 @@ mm_user_key_allowed(struct passwd *pw, Key *key, int pubkey_auth_attempt) } int -mm_hostbased_key_allowed(struct passwd *pw, char *user, char *host, +mm_hostbased_key_allowed(struct passwd *pw, const char *user, const char *host, Key *key) { return (mm_key_allowed(MM_HOSTKEY, user, host, key, 0)); } int -mm_auth_rhosts_rsa_key_allowed(struct passwd *pw, char *user, - char *host, Key *key) +mm_auth_rhosts_rsa_key_allowed(struct passwd *pw, const char *user, + const char *host, Key *key) { int ret; @@ -397,8 +397,8 @@ mm_auth_rhosts_rsa_key_allowed(struct passwd *pw, char *user, } int -mm_key_allowed(enum mm_keytype type, char *user, char *host, Key *key, - int pubkey_auth_attempt) +mm_key_allowed(enum mm_keytype type, const char *user, const char *host, + Key *key, int pubkey_auth_attempt) { Buffer m; u_char *blob; diff --git a/monitor_wrap.h b/monitor_wrap.h index eb820aee..9fd02b30 100644 --- a/monitor_wrap.h +++ b/monitor_wrap.h @@ -1,4 +1,4 @@ -/* $OpenBSD: monitor_wrap.h,v 1.29 2015/12/04 16:41:28 markus Exp $ */ +/* $OpenBSD: monitor_wrap.h,v 1.30 2016/03/07 19:02:43 djm Exp $ */ |