diff options
author | Andreas Schneider <asn@cryptomilk.org> | 2018-08-27 09:08:28 +0200 |
---|---|---|
committer | Andreas Schneider <asn@cryptomilk.org> | 2018-08-27 09:30:24 +0200 |
commit | 73c9d60e5abf6bc20093e105dec112b071c83871 (patch) | |
tree | 2c08401a56a30337e83b744d50374f64ce93b865 | |
parent | ae3825dfb2c6364bc088353640d59b0546b8d6f6 (diff) | |
download | libssh-73c9d60e5abf6bc20093e105dec112b071c83871.tar.gz libssh-73c9d60e5abf6bc20093e105dec112b071c83871.tar.xz libssh-73c9d60e5abf6bc20093e105dec112b071c83871.zip |
session: Group auth variables in a struct
Signed-off-by: Andreas Schneider <asn@cryptomilk.org>
-rw-r--r-- | include/libssh/session.h | 12 | ||||
-rw-r--r-- | src/auth.c | 75 | ||||
-rw-r--r-- | src/client.c | 10 | ||||
-rw-r--r-- | src/gssapi.c | 14 | ||||
-rw-r--r-- | src/packet_cb.c | 2 | ||||
-rw-r--r-- | src/server.c | 18 | ||||
-rw-r--r-- | src/session.c | 7 |
7 files changed, 70 insertions, 68 deletions
diff --git a/include/libssh/session.h b/include/libssh/session.h index 5421056f..325f6a37 100644 --- a/include/libssh/session.h +++ b/include/libssh/session.h @@ -128,11 +128,15 @@ struct ssh_session_struct { enum ssh_session_state_e session_state; int packet_state; enum ssh_dh_state_e dh_handshake_state; - enum ssh_auth_service_state_e auth_service_state; - enum ssh_auth_state_e auth_state; enum ssh_channel_request_state_e global_req_state; struct ssh_agent_state_struct *agent_state; - struct ssh_auth_auto_state_struct *auth_auto_state; + + struct { + struct ssh_auth_auto_state_struct *auto_state; + enum ssh_auth_service_state_e service_state; + enum ssh_auth_state_e state; + uint32_t supported_methods; + } auth; /* * RFC 4253, 7.1: if the first_kex_packet_follows flag was set in @@ -167,8 +171,8 @@ struct ssh_session_struct { /* The type of host key wanted by client */ enum ssh_keytypes_e hostkey; } srv; + /* auths accepted by server */ - int auth_methods; struct ssh_list *ssh_message_list; /* list of delayed SSH messages */ int (*ssh_message_callback)( struct ssh_session_struct *session, ssh_message msg, void *userdata); void *ssh_message_callback_data; @@ -79,7 +79,7 @@ static int ssh_userauth_request_service(ssh_session session) { static int ssh_auth_response_termination(void *user) { ssh_session session = (ssh_session)user; - switch (session->auth_state) { + switch (session->auth.state) { case SSH_AUTH_STATE_NONE: case SSH_AUTH_STATE_KBDINT_SENT: case SSH_AUTH_STATE_GSSAPI_REQUEST_SENT: @@ -116,7 +116,7 @@ static int ssh_userauth_get_response(ssh_session session) { return SSH_AUTH_AGAIN; } - switch(session->auth_state) { + switch(session->auth.state) { case SSH_AUTH_STATE_ERROR: rc = SSH_AUTH_ERROR; break; @@ -191,17 +191,17 @@ SSH_PACKET_CALLBACK(ssh_packet_userauth_failure) { if (rc != SSH_OK) { ssh_set_error(session, SSH_FATAL, "Invalid SSH_MSG_USERAUTH_FAILURE message"); - session->auth_state=SSH_AUTH_STATE_ERROR; + session->auth.state = SSH_AUTH_STATE_ERROR; goto end; } if (partial) { - session->auth_state=SSH_AUTH_STATE_PARTIAL; + session->auth.state = SSH_AUTH_STATE_PARTIAL; SSH_LOG(SSH_LOG_INFO, "Partial success. Authentication that can continue: %s", auth_methods); } else { - session->auth_state=SSH_AUTH_STATE_FAILED; + session->auth.state = SSH_AUTH_STATE_FAILED; SSH_LOG(SSH_LOG_INFO, "Access denied. Authentication that can continue: %s", auth_methods); @@ -210,21 +210,21 @@ SSH_PACKET_CALLBACK(ssh_packet_userauth_failure) { auth_methods); } - session->auth_methods = 0; + session->auth.supported_methods = 0; if (strstr(auth_methods, "password") != NULL) { - session->auth_methods |= SSH_AUTH_METHOD_PASSWORD; + session->auth.supported_methods |= SSH_AUTH_METHOD_PASSWORD; } if (strstr(auth_methods, "keyboard-interactive") != NULL) { - session->auth_methods |= SSH_AUTH_METHOD_INTERACTIVE; + session->auth.supported_methods |= SSH_AUTH_METHOD_INTERACTIVE; } if (strstr(auth_methods, "publickey") != NULL) { - session->auth_methods |= SSH_AUTH_METHOD_PUBLICKEY; + session->auth.supported_methods |= SSH_AUTH_METHOD_PUBLICKEY; } if (strstr(auth_methods, "hostbased") != NULL) { - session->auth_methods |= SSH_AUTH_METHOD_HOSTBASED; + session->auth.supported_methods |= SSH_AUTH_METHOD_HOSTBASED; } if (strstr(auth_methods, "gssapi-with-mic") != NULL) { - session->auth_methods |= SSH_AUTH_METHOD_GSSAPI_MIC; + session->auth.supported_methods |= SSH_AUTH_METHOD_GSSAPI_MIC; } end: @@ -248,7 +248,7 @@ SSH_PACKET_CALLBACK(ssh_packet_userauth_success) { SSH_LOG(SSH_LOG_DEBUG, "Authentication successful"); SSH_LOG(SSH_LOG_TRACE, "Received SSH_USERAUTH_SUCCESS"); - session->auth_state = SSH_AUTH_STATE_SUCCESS; + session->auth.state = SSH_AUTH_STATE_SUCCESS; session->session_state = SSH_SESSION_STATE_AUTHENTICATED; session->flags |= SSH_SESSION_FLAG_AUTHENTICATED; @@ -277,17 +277,17 @@ SSH_PACKET_CALLBACK(ssh_packet_userauth_pk_ok) { SSH_LOG(SSH_LOG_TRACE, "Received SSH_USERAUTH_PK_OK/INFO_REQUEST/GSSAPI_RESPONSE"); - if (session->auth_state==SSH_AUTH_STATE_KBDINT_SENT) { + if (session->auth.state == SSH_AUTH_STATE_KBDINT_SENT) { /* Assuming we are in keyboard-interactive context */ SSH_LOG(SSH_LOG_TRACE, "keyboard-interactive context, assuming SSH_USERAUTH_INFO_REQUEST"); rc = ssh_packet_userauth_info_request(session,type,packet,user); #ifdef WITH_GSSAPI - } else if (session->auth_state == SSH_AUTH_STATE_GSSAPI_REQUEST_SENT) { + } else if (session->auth.state == SSH_AUTH_STATE_GSSAPI_REQUEST_SENT) { rc = ssh_packet_userauth_gssapi_response(session, type, packet, user); #endif } else { - session->auth_state = SSH_AUTH_STATE_PK_OK; + session->auth.state = SSH_AUTH_STATE_PK_OK; SSH_LOG(SSH_LOG_TRACE, "Assuming SSH_USERAUTH_PK_OK"); rc = SSH_PACKET_USED; } @@ -323,7 +323,7 @@ int ssh_userauth_list(ssh_session session, const char *username) return 0; } - return session->auth_methods; + return session->auth.supported_methods; } /** @@ -378,7 +378,7 @@ int ssh_userauth_none(ssh_session session, const char *username) { goto fail; } - session->auth_state = SSH_AUTH_STATE_NONE; + session->auth.state = SSH_AUTH_STATE_NONE; session->pending_call_state = SSH_PENDING_CALL_AUTH_NONE; rc = ssh_packet_send(session); if (rc == SSH_ERROR) { @@ -485,7 +485,7 @@ int ssh_userauth_try_publickey(ssh_session session, ssh_string_free(pubkey_s); - session->auth_state = SSH_AUTH_STATE_NONE; + session->auth.state = SSH_AUTH_STATE_NONE; session->pending_call_state = SSH_PENDING_CALL_AUTH_OFFER_PUBKEY; rc = ssh_packet_send(session); if (rc == SSH_ERROR) { @@ -605,7 +605,7 @@ int ssh_userauth_publickey(ssh_session session, goto fail; } - session->auth_state = SSH_AUTH_STATE_NONE; + session->auth.state = SSH_AUTH_STATE_NONE; session->pending_call_state = SSH_PENDING_CALL_AUTH_PUBKEY; rc = ssh_packet_send(session); if (rc == SSH_ERROR) { @@ -690,7 +690,7 @@ static int ssh_userauth_agent_publickey(ssh_session session, goto fail; } - session->auth_state = SSH_AUTH_STATE_NONE; + session->auth.state = SSH_AUTH_STATE_NONE; session->pending_call_state = SSH_PENDING_CALL_AUTH_AGENT; rc = ssh_packet_send(session); if (rc == SSH_ERROR) { @@ -905,23 +905,22 @@ int ssh_userauth_publickey_auto(ssh_session session, return SSH_AUTH_ERROR; } if (! (session->opts.flags & SSH_OPT_FLAG_PUBKEY_AUTH)) { - session->auth_methods &= ~SSH_AUTH_METHOD_PUBLICKEY; + session->auth.supported_methods &= ~SSH_AUTH_METHOD_PUBLICKEY; return SSH_AUTH_DENIED; } if (session->common.callbacks) { auth_fn = session->common.callbacks->auth_function; auth_data = session->common.callbacks->userdata; } - if (!session->auth_auto_state) { - session->auth_auto_state = - malloc(sizeof(struct ssh_auth_auto_state_struct)); - if (!session->auth_auto_state) { + if (!session->auth.auto_state) { + session->auth.auto_state = + calloc(1, sizeof(struct ssh_auth_auto_state_struct)); + if (!session->auth.auto_state) { ssh_set_error_oom(session); return SSH_AUTH_ERROR; } - ZERO_STRUCTP(session->auth_auto_state); } - state = session->auth_auto_state; + state = session->auth.auto_state; if (state->state == SSH_AUTH_AUTO_STATE_NONE) { #ifndef _WIN32 /* Try authentication with ssh-agent first */ @@ -954,7 +953,7 @@ int ssh_userauth_publickey_auto(ssh_session session, SSH_FATAL, "Failed to import public key: %s", pubkey_file); - SAFE_FREE(session->auth_auto_state); + SAFE_FREE(session->auth.auto_state); return SSH_AUTH_ERROR; } else if (rc == SSH_EOF) { /* Read the private key and save the public key to file */ @@ -982,7 +981,7 @@ int ssh_userauth_publickey_auto(ssh_session session, rc = ssh_pki_export_privkey_to_pubkey(state->privkey, &state->pubkey); if (rc == SSH_ERROR) { ssh_key_free(state->privkey); - SAFE_FREE(session->auth_auto_state); + SAFE_FREE(session->auth.auto_state); return SSH_AUTH_ERROR; } @@ -1003,7 +1002,7 @@ int ssh_userauth_publickey_auto(ssh_session session, privkey_file); ssh_key_free(state->privkey); ssh_key_free(state->pubkey); - SAFE_FREE(session->auth_auto_state); + SAFE_FREE(session->auth.auto_state); return rc; } else if (rc == SSH_AUTH_AGAIN) { return rc; @@ -1056,7 +1055,7 @@ int ssh_userauth_publickey_auto(ssh_session session, if (rc != SSH_AUTH_AGAIN && rc != SSH_AUTH_DENIED) { ssh_key_free(state->privkey); ssh_key_free(state->pubkey); - SAFE_FREE(session->auth_auto_state); + SAFE_FREE(session->auth.auto_state); if (rc == SSH_AUTH_SUCCESS) { SSH_LOG(SSH_LOG_INFO, "Successfully authenticated using %s", @@ -1077,7 +1076,7 @@ int ssh_userauth_publickey_auto(ssh_session session, } SSH_LOG(SSH_LOG_INFO, "Tried every public key, none matched"); - SAFE_FREE(session->auth_auto_state); + SAFE_FREE(session->auth.auto_state); return SSH_AUTH_DENIED; } @@ -1151,7 +1150,7 @@ int ssh_userauth_password(ssh_session session, goto fail; } - session->auth_state = SSH_AUTH_STATE_NONE; + session->auth.state = SSH_AUTH_STATE_NONE; session->pending_call_state = SSH_PENDING_CALL_AUTH_OFFER_PUBKEY; rc = ssh_packet_send(session); if (rc == SSH_ERROR) { @@ -1323,7 +1322,7 @@ static int ssh_userauth_kbdint_init(ssh_session session, } - session->auth_state = SSH_AUTH_STATE_KBDINT_SENT; + session->auth.state = SSH_AUTH_STATE_KBDINT_SENT; session->pending_call_state = SSH_PENDING_CALL_AUTH_KBDINT_INIT; SSH_LOG(SSH_LOG_DEBUG, @@ -1382,7 +1381,7 @@ static int ssh_userauth_kbdint_send(ssh_session session) } } - session->auth_state = SSH_AUTH_STATE_KBDINT_SENT; + session->auth.state = SSH_AUTH_STATE_KBDINT_SENT; session->pending_call_state = SSH_PENDING_CALL_AUTH_KBDINT_SEND; ssh_kbdint_free(session->kbdint); session->kbdint = NULL; @@ -1495,7 +1494,7 @@ SSH_PACKET_CALLBACK(ssh_packet_userauth_info_request) { return SSH_PACKET_USED; } } - session->auth_state=SSH_AUTH_STATE_INFO; + session->auth.state=SSH_AUTH_STATE_INFO; return SSH_PACKET_USED; } @@ -1795,12 +1794,12 @@ int ssh_userauth_gssapi(ssh_session session) { return SSH_AUTH_ERROR; } SSH_LOG(SSH_LOG_PROTOCOL, "Authenticating with gssapi-with-mic"); - session->auth_state = SSH_AUTH_STATE_NONE; + session->auth.state = SSH_AUTH_STATE_NONE; session->pending_call_state = SSH_PENDING_CALL_AUTH_GSSAPI_MIC; rc = ssh_gssapi_auth_mic(session); if (rc == SSH_AUTH_ERROR || rc == SSH_AUTH_DENIED) { - session->auth_state = SSH_AUTH_STATE_NONE; + session->auth.state = SSH_AUTH_STATE_NONE; session->pending_call_state = SSH_PENDING_CALL_NONE; return rc; } diff --git a/src/client.c b/src/client.c index 00cbad38..a4745380 100644 --- a/src/client.c +++ b/src/client.c @@ -295,7 +295,7 @@ static int dh_handshake(ssh_session session) { static int ssh_service_request_termination(void *s){ ssh_session session = (ssh_session)s; if(session->session_state == SSH_SESSION_STATE_ERROR || - session->auth_service_state != SSH_AUTH_SERVICE_SENT) + session->auth.service_state != SSH_AUTH_SERVICE_SENT) return 1; else return 0; @@ -319,7 +319,7 @@ static int ssh_service_request_termination(void *s){ int ssh_service_request(ssh_session session, const char *service) { int rc=SSH_ERROR; - if(session->auth_service_state != SSH_AUTH_SERVICE_NONE) + if(session->auth.service_state != SSH_AUTH_SERVICE_NONE) goto pending; rc = ssh_buffer_pack(session->out_buffer, @@ -330,7 +330,7 @@ int ssh_service_request(ssh_session session, const char *service) { ssh_set_error_oom(session); return SSH_ERROR; } - session->auth_service_state=SSH_AUTH_SERVICE_SENT; + session->auth.service_state = SSH_AUTH_SERVICE_SENT; if (ssh_packet_send(session) == SSH_ERROR) { ssh_set_error(session, SSH_FATAL, "Sending SSH2_MSG_SERVICE_REQUEST failed."); @@ -345,7 +345,7 @@ pending: if (rc == SSH_ERROR) { return SSH_ERROR; } - switch(session->auth_service_state){ + switch(session->auth.service_state) { case SSH_AUTH_SERVICE_DENIED: ssh_set_error(session,SSH_FATAL,"ssh_auth_service request denied"); break; @@ -700,7 +700,7 @@ error: if (session->out_hashbuf) { ssh_buffer_reinit(session->out_hashbuf); } - session->auth_methods = 0; + session->auth.supported_methods = 0; SAFE_FREE(session->serverbanner); SAFE_FREE(session->clientbanner); diff --git a/src/gssapi.c b/src/gssapi.c index 9473fef2..51b69e7a 100644 --- a/src/gssapi.c +++ b/src/gssapi.c @@ -598,7 +598,7 @@ static int ssh_gssapi_send_auth_mic(ssh_session session, ssh_string *oid_set, in } } - session->auth_state = SSH_AUTH_STATE_GSSAPI_REQUEST_SENT; + session->auth.state = SSH_AUTH_STATE_GSSAPI_REQUEST_SENT; return ssh_packet_send(session); fail: ssh_buffer_reinit(session->out_buffer); @@ -797,7 +797,7 @@ SSH_PACKET_CALLBACK(ssh_packet_userauth_gssapi_response){ (void)user; SSH_LOG(SSH_LOG_PACKET, "Received SSH_USERAUTH_GSSAPI_RESPONSE"); - if (session->auth_state != SSH_AUTH_STATE_GSSAPI_REQUEST_SENT){ + if (session->auth.state != SSH_AUTH_STATE_GSSAPI_REQUEST_SENT){ ssh_set_error(session, SSH_FATAL, "Invalid state in ssh_packet_userauth_gssapi_response"); goto error; } @@ -845,12 +845,12 @@ SSH_PACKET_CALLBACK(ssh_packet_userauth_gssapi_response){ output_token.length, (size_t)output_token.length, output_token.value); ssh_packet_send(session); - session->auth_state = SSH_AUTH_STATE_GSSAPI_TOKEN; + session->auth.state = SSH_AUTH_STATE_GSSAPI_TOKEN; } return SSH_PACKET_USED; error: - session->auth_state = SSH_AUTH_STATE_ERROR; + session->auth.state = SSH_AUTH_STATE_ERROR; ssh_gssapi_free(session); session->gssapi = NULL; return SSH_PACKET_USED; @@ -907,7 +907,7 @@ SSH_PACKET_CALLBACK(ssh_packet_userauth_gssapi_token_client){ (void)type; SSH_LOG(SSH_LOG_PACKET,"Received SSH_MSG_USERAUTH_GSSAPI_TOKEN"); - if (!session->gssapi || session->auth_state != SSH_AUTH_STATE_GSSAPI_TOKEN) { + if (!session->gssapi || session->auth.state != SSH_AUTH_STATE_GSSAPI_TOKEN) { ssh_set_error(session, SSH_FATAL, "Received SSH_MSG_USERAUTH_GSSAPI_TOKEN in invalid state"); goto error; @@ -960,14 +960,14 @@ SSH_PACKET_CALLBACK(ssh_packet_userauth_gssapi_token_client){ } if (maj_stat == GSS_S_COMPLETE) { - session->auth_state = SSH_AUTH_STATE_NONE; + session->auth.state = SSH_AUTH_STATE_NONE; ssh_gssapi_send_mic(session); } return SSH_PACKET_USED; error: - session->auth_state = SSH_AUTH_STATE_ERROR; + session->auth.state = SSH_AUTH_STATE_ERROR; ssh_gssapi_free(session); session->gssapi = NULL; return SSH_PACKET_USED; diff --git a/src/packet_cb.c b/src/packet_cb.c index 2c8d9935..ecf327ef 100644 --- a/src/packet_cb.c +++ b/src/packet_cb.c @@ -264,7 +264,7 @@ SSH_PACKET_CALLBACK(ssh_packet_service_accept){ (void)type; (void)user; - session->auth_service_state=SSH_AUTH_SERVICE_ACCEPTED; + session->auth.service_state = SSH_AUTH_SERVICE_ACCEPTED; SSH_LOG(SSH_LOG_PACKET, "Received SSH_MSG_SERVICE_ACCEPT"); diff --git a/src/server.c b/src/server.c index d1ff497a..8984e6a0 100644 --- a/src/server.c +++ b/src/server.c @@ -574,7 +574,7 @@ static int ssh_server_kex_termination(void *s){ void ssh_set_auth_methods(ssh_session session, int auth_methods){ /* accept only methods in range */ - session->auth_methods = auth_methods & 0x3f; + session->auth.supported_methods = auth_methods & 0x3f; } /* Do the banner and key exchange */ @@ -625,26 +625,26 @@ int ssh_auth_reply_default(ssh_session session,int partial) { int rc = SSH_ERROR; - if (session->auth_methods == 0) { - session->auth_methods = SSH_AUTH_METHOD_PUBLICKEY | SSH_AUTH_METHOD_PASSWORD; + if (session->auth.supported_methods == 0) { + session->auth.supported_methods = SSH_AUTH_METHOD_PUBLICKEY | SSH_AUTH_METHOD_PASSWORD; } - if (session->auth_methods & SSH_AUTH_METHOD_PUBLICKEY) { + if (session->auth.supported_methods & SSH_AUTH_METHOD_PUBLICKEY) { strncat(methods_c, "publickey,", sizeof(methods_c) - strlen(methods_c) - 1); } - if (session->auth_methods & SSH_AUTH_METHOD_GSSAPI_MIC){ + if (session->auth.supported_methods & SSH_AUTH_METHOD_GSSAPI_MIC){ strncat(methods_c,"gssapi-with-mic,", sizeof(methods_c) - strlen(methods_c) - 1); } - if (session->auth_methods & SSH_AUTH_METHOD_INTERACTIVE) { + if (session->auth.supported_methods & SSH_AUTH_METHOD_INTERACTIVE) { strncat(methods_c, "keyboard-interactive,", sizeof(methods_c) - strlen(methods_c) - 1); } - if (session->auth_methods & SSH_AUTH_METHOD_PASSWORD) { + if (session->auth.supported_methods & SSH_AUTH_METHOD_PASSWORD) { strncat(methods_c, "password,", sizeof(methods_c) - strlen(methods_c) - 1); } - if (session->auth_methods & SSH_AUTH_METHOD_HOSTBASED) { + if (session->auth.supported_methods & SSH_AUTH_METHOD_HOSTBASED) { strncat(methods_c, "hostbased,", sizeof(methods_c) - strlen(methods_c) - 1); } @@ -887,7 +887,7 @@ int ssh_message_auth_set_methods(ssh_message msg, int methods) { return -1; } - msg->session->auth_methods = methods; + msg->session->auth.supported_methods = methods; return 0; } diff --git a/src/session.c b/src/session.c index c8c7414c..a1959d48 100644 --- a/src/session.c +++ b/src/session.c @@ -60,11 +60,10 @@ ssh_session ssh_new(void) { char *id = NULL; int rc; - session = malloc(sizeof (struct ssh_session_struct)); + session = calloc(1, sizeof (struct ssh_session_struct)); if (session == NULL) { return NULL; } - ZERO_STRUCTP(session); session->next_crypto = crypto_new(); if (session->next_crypto == NULL) { @@ -87,7 +86,7 @@ ssh_session ssh_new(void) { } session->alive = 0; - session->auth_methods = 0; + session->auth.supported_methods = 0; ssh_set_blocking(session, 1); session->maxchannel = FIRST_CHANNEL; @@ -268,7 +267,7 @@ void ssh_free(ssh_session session) { #endif session->agent_state = NULL; - SAFE_FREE(session->auth_auto_state); + SAFE_FREE(session->auth.auto_state); SAFE_FREE(session->serverbanner); SAFE_FREE(session->clientbanner); SAFE_FREE(session->banner); |