26 | #include "includes.h" | - |
27 | | - |
28 | #include <sys/types.h> | - |
29 | #include <sys/stat.h> | - |
30 | #include <sys/uio.h> | - |
31 | | - |
32 | #include <fcntl.h> | - |
33 | #include <limits.h> | - |
34 | #include <pwd.h> | - |
35 | #include <stdarg.h> | - |
36 | #include <string.h> | - |
37 | #include <unistd.h> | - |
38 | | - |
39 | #include "atomicio.h" | - |
40 | #include "xmalloc.h" | - |
41 | #include "ssh2.h" | - |
42 | #include "packet.h" | - |
43 | #include "log.h" | - |
44 | #include "sshbuf.h" | - |
45 | #include "misc.h" | - |
46 | #include "servconf.h" | - |
47 | #include "compat.h" | - |
48 | #include "sshkey.h" | - |
49 | #include "hostfile.h" | - |
50 | #include "auth.h" | - |
51 | #include "dispatch.h" | - |
52 | #include "pathnames.h" | - |
53 | #include "sshbuf.h" | - |
54 | #include "ssherr.h" | - |
55 | | - |
56 | #ifdef GSSAPI | - |
57 | #include "ssh-gss.h" | - |
58 | #endif | - |
59 | #include "monitor_wrap.h" | - |
60 | #include "ssherr.h" | - |
61 | #include "digest.h" | - |
62 | | - |
63 | | - |
/* Server configuration (sshd_config), owned by servconf. */
extern ServerOptions options;
/* Session identifier from key exchange; not referenced by the code visible in this file. */
extern u_char *session_id2;
extern u_int session_id2_len;
/* Messages accumulated for the user; flushed as a banner on PAM denial in userauth_finish(). */
extern struct sshbuf *loginmsg;
/*
 * Per-method handler descriptors, each defined in its own auth2-*.c file.
 * Only the ones listed in authmethods[] below are reachable.
 */
extern Authmethod method_none;
extern Authmethod method_pubkey;
extern Authmethod method_passwd;
extern Authmethod method_kbdint;
extern Authmethod method_hostbased;
#ifdef GSSAPI
extern Authmethod method_gssapi;
#endif
79 | | - |
/*
 * All authentication methods known to this server, NULL-terminated.
 * Order matters: authmethods_get() advertises methods to the client in
 * this order, and authmethod_lookup() returns the first name match.
 * "none" is present so the client's initial probing request resolves to
 * a method; authmethods_get() never advertises it.
 */
Authmethod *authmethods[] = {
	&method_none,
	&method_pubkey,
#ifdef GSSAPI
	&method_gssapi,
#endif
	&method_passwd,
	&method_kbdint,
	&method_hostbased,
	NULL
};
/* Dispatch-table handlers for the two message types handled during authentication. */
static int input_service_request(int, u_int32_t, struct ssh *);
static int input_userauth_request(int, u_int32_t, struct ssh *);

/* Internal helpers. */
static Authmethod *authmethod_lookup(Authctxt *, const char *);
static char *authmethods_get(Authctxt *authctxt);

/*
 * Results of list_starts_with(): how the next entry of an
 * AuthenticationMethods list compares with a method/submethod pair.
 * auth2_method_allowed() treats anything but MATCH_NONE as permitted.
 */
#define MATCH_NONE	0	/* method or submethod mismatch */
#define MATCH_METHOD	1	/* method matches (no submethod specified) */
#define MATCH_BOTH	2	/* method and submethod match */
#define MATCH_PARTIAL	3	/* method matches, submethod can't be checked */
static int list_starts_with(const char *, const char *, const char *);
106 | | - |
/*
 * Read the file named by options.banner into a freshly allocated,
 * NUL-terminated string; the caller frees it. Returns NULL when the
 * file cannot be opened or stat'ed, is empty, is larger than 1 MiB, or
 * cannot be read in full. Invoked through PRIVSEP() from
 * userauth_banner(), so under privilege separation the read is
 * presumably performed by the monitor rather than the network child.
 */
char *
auth2_read_banner(void)
{
	struct stat st;
	char *banner;
	size_t want, got;
	int fd;

	if ((fd = open(options.banner, O_RDONLY)) == -1)
		return NULL;
	/* Refuse empty and oversized banners; 1 MiB is ample for a notice. */
	if (fstat(fd, &st) == -1 ||
	    st.st_size <= 0 || st.st_size > 1*1024*1024) {
		close(fd);
		return NULL;
	}

	want = (size_t)st.st_size;
	banner = xmalloc(want + 1);
	got = atomicio(read, fd, banner, want);
	close(fd);

	/* A short read or read error yields no banner rather than a partial one. */
	if (got != want) {
		free(banner);
		return NULL;
	}
	banner[got] = '\0';
	return banner;
}
139 | | - |
/*
 * Send 'msg' to the client as an SSH2_MSG_USERAUTH_BANNER packet.
 * The packet's language-tag field is always sent empty.
 */
void
userauth_send_banner(const char *msg)
{
	const char *language_tag = "";

	packet_start(SSH2_MSG_USERAUTH_BANNER);
	packet_put_cstring(msg);
	packet_put_cstring(language_tag);
	packet_send();
	debug("%s: sent", __func__);
}
149 | | - |
/*
 * Send the configured pre-authentication banner, if any. Does nothing
 * when no Banner is configured or the banner file cannot be read.
 */
static void
userauth_banner(void)
{
	char *banner;

	if (options.banner == NULL)
		return;

	banner = PRIVSEP(auth2_read_banner());
	if (banner != NULL) {
		userauth_send_banner(banner);
		free(banner);
	}
}
165 | | - |
166 | | - |
167 | | - |
168 | | - |
/*
 * Run the SSH2 user-authentication phase for 'authctxt' on the active
 * connection. Installs the service-request handler and blocks in the
 * dispatcher; &authctxt->success is the done flag handed to
 * ssh_dispatch_run_fatal(), so this returns once userauth_finish() sets
 * it (protocol errors are fatal inside the dispatcher). Detaches the
 * context from the connection before returning.
 */
void
do_authentication2(Authctxt *authctxt)
{
	struct ssh *ssh = active_state;

	ssh->authctxt = authctxt;
	ssh_dispatch_init(ssh, &dispatch_protocol_error);
	ssh_dispatch_set(ssh, SSH2_MSG_SERVICE_REQUEST,
	    &input_service_request);
	ssh_dispatch_run_fatal(ssh, DISPATCH_BLOCK, &authctxt->success);
	ssh->authctxt = NULL;
}
179 | | - |
180 | | - |
/*
 * Handle SSH2_MSG_SERVICE_REQUEST. Only "ssh-userauth" is accepted, and
 * only while no authentication has succeeded on this connection; any
 * other request terminates the connection via packet_disconnect().
 * Accepting the service is what enables the userauth request handler.
 * 'type' and 'seq' are unused dispatch-table parameters; returns 0.
 */
static int
input_service_request(int type, u_int32_t seq, struct ssh *ssh)
{
	Authctxt *authctxt = ssh->authctxt;
	u_int len;
	char *service;
	int accepted;

	service = packet_get_cstring(&len);
	packet_check_eom();

	if (authctxt == NULL)
		fatal("input_service_request: no authctxt");

	accepted = strcmp(service, "ssh-userauth") == 0 &&
	    !authctxt->success;
	if (accepted) {
		/* From here on userauth requests are processed. */
		ssh_dispatch_set(ssh, SSH2_MSG_USERAUTH_REQUEST,
		    &input_userauth_request);
		packet_start(SSH2_MSG_SERVICE_ACCEPT);
		packet_put_cstring(service);
		packet_send();
		packet_write_wait();
	} else {
		/* Peer-supplied name is passed as an argument, never as the format. */
		debug("bad service request %s", service);
		packet_disconnect("bad service request %s", service);
	}
	free(service);
	return 0;
}
214 | | - |
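#define MIN_FAIL_DELAY_SECONDS 0.005
/*
 * Return the minimum duration, in seconds, that a failed authentication
 * attempt for 'user' must take: a fixed floor plus a per-user offset of
 * roughly 0-4.3 ms taken from a SHA-512 digest of options.timing_secret
 * and the user name. Keying with the secret makes the offset stable for
 * this daemon but unpredictable to a client, so the response time of a
 * failure cannot be compared across user names. Used by
 * input_userauth_request() via ensure_minimum_time_since().
 * Never returns less than MIN_FAIL_DELAY_SECONDS; fatal on digest failure.
 */
static double
user_specific_delay(const char *user)
{
	char b[512];
	size_t len = ssh_digest_bytes(SSH_DIGEST_SHA512);
	u_char *hash = xmalloc(len);
	double delay;

	/*
	 * Very long user names are truncated to fit 'b'; names sharing the
	 * first ~490 bytes then receive the same offset, which does not
	 * weaken the purpose of the delay.
	 */
	(void)snprintf(b, sizeof b, "%llu%s",
	    (unsigned long long)options.timing_secret, user);
	if (ssh_digest_memory(SSH_DIGEST_SHA512, b, strlen(b), hash, len) != 0)
		fatal("%s: ssh_digest_memory", __func__);

	/* First 32 bits of the digest scaled into seconds (max ~0.0043 s). */
	delay = (double)PEEK_U32(hash) / 1000 / 1000 / 1000 / 1000;
	freezero(hash, len);
	/* Don't leave a copy of the timing secret behind on the stack. */
	explicit_bzero(b, sizeof b);
	/* 'delay' is in seconds; the log line reports milliseconds. */
	debug3("%s: user specific delay %0.3lfms", __func__, delay * 1000);
	return MIN_FAIL_DELAY_SECONDS + delay;
}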
234 | | - |
/*
 * Sleep until at least 'seconds' have passed since 'start' (a
 * monotime_double() timestamp). If that deadline has already passed,
 * the target is doubled until it lies in the future, so a slow attempt
 * is padded to the next multiple rather than released immediately.
 * Best effort: the nanosleep() result is not checked, so an interrupted
 * sleep is not resumed.
 */
static void
ensure_minimum_time_since(double start, double seconds)
{
	struct timespec ts;
	double now = monotime_double();
	double elapsed = now - start;
	double requested = seconds;
	double remain = seconds - elapsed;

	/* Push the target forward until it is in the future. */
	while (remain < 0.0) {
		seconds *= 2;
		remain = seconds - elapsed;
	}

	ts.tv_sec = remain;
	ts.tv_nsec = (remain - ts.tv_sec) * 1000000000;
	debug3("%s: elapsed %0.3lfms, delaying %0.3lfms (requested %0.3lfms)",
	    __func__, elapsed*1000, remain*1000, requested*1000);
	nanosleep(&ts, NULL);
}
251 | | - |
252 | | - |
/*
 * Handle one SSH2_MSG_USERAUTH_REQUEST. Parses user, service and method;
 * on the first attempt binds the Authctxt to that user and service, on
 * later attempts refuses any change of either; then runs the requested
 * method (while the failure budget lasts) and completes via
 * userauth_finish(). 'type' and 'seq' are unused dispatch-table
 * parameters. Returns 0; fatal/disconnect paths do not return.
 */
static int
input_userauth_request(int type, u_int32_t seq, struct ssh *ssh)
{
	Authctxt *authctxt = ssh->authctxt;
	Authmethod *m = NULL;
	char *user, *service, *method, *style = NULL;
	int authenticated = 0;
	/* Taken before any parsing so the failure delay covers the whole request. */
	double tstart = monotime_double();

	if (authctxt == NULL)
		fatal("input_userauth_request: no authctxt");

	user = packet_get_cstring(NULL);
	service = packet_get_cstring(NULL);
	method = packet_get_cstring(NULL);
	debug("userauth-request for user %s service %s method %s", user, service, method);
	debug("attempt %d failures %d", authctxt->attempt, authctxt->failures);

	/* "user:style" -- split off the login style; 'style' points into 'user'. */
	if ((style = strchr(user, ':')) != NULL)
		*style++ = 0;

	if (authctxt->attempt++ == 0) {
		/* First attempt: pin this connection to one user and service. */
		authctxt->pw = PRIVSEP(getpwnamallow(user));
		authctxt->user = xstrdup(user);
		if (authctxt->pw && strcmp(service, "ssh-connection")==0) {
			authctxt->valid = 1;
			debug2("%s: setting up authctxt for %s",
			    __func__, user);
		} else {
			/*
			 * Unknown user or wrong service: carry on with a fake
			 * passwd entry so the exchange proceeds (and fails)
			 * like a real one. userauth_finish() relies on pw
			 * being non-NULL.
			 */
			authctxt->pw = fakepw();
#ifdef SSH_AUDIT_EVENTS
			PRIVSEP(audit_event(SSH_INVALID_USER));
#endif
		}
#ifdef USE_PAM
		if (options.use_pam)
			PRIVSEP(start_pam(authctxt));
#endif
		ssh_packet_set_log_preamble(ssh, "%suser %s",
		    authctxt->valid ? "authenticating " : "invalid ", user);
		setproctitle("%s%s", authctxt->valid ? user : "unknown",
		    use_privsep ? " [net]" : "");
		authctxt->service = xstrdup(service);
		authctxt->style = style ? xstrdup(style) : NULL;
		if (use_privsep)
			mm_inform_authserv(service, style);
		userauth_banner();
		if (auth2_setup_methods_lists(authctxt) != 0)
			packet_disconnect("no authentication methods enabled");
	} else if (strcmp(user, authctxt->user) != 0 ||
	    strcmp(service, authctxt->service) != 0) {
		/* Subsequent attempts must keep the first attempt's user and service. */
		packet_disconnect("Change of username or service not allowed: "
		    "(%s,%s) -> (%s,%s)",
		    authctxt->user, authctxt->service, user, service);
	}
	/* Presumably aborts any challenge-response exchange left from a prior attempt. */
	auth2_challenge_stop(ssh);

#ifdef GSSAPI
	/* Drop GSSAPI continuation handlers; only a GSSAPI attempt should install them. */
	ssh_dispatch_set(ssh, SSH2_MSG_USERAUTH_GSSAPI_TOKEN, NULL);
	ssh_dispatch_set(ssh, SSH2_MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE, NULL);
#endif

	/* Reset per-attempt state before running the method. */
	auth2_authctxt_reset_info(authctxt);
	authctxt->postponed = 0;
	authctxt->server_caused_failure = 0;

	/* Unknown, disabled or disallowed methods simply fail; so do attempts past MaxAuthTries. */
	m = authmethod_lookup(authctxt, method);
	if (m != NULL && authctxt->failures < options.max_authtries) {
		debug2("input_userauth_request: try method %s", method);
		authenticated =	m->userauth(ssh);
	}
	/*
	 * Pad every attempt that has not authenticated the context to a
	 * secret-keyed, per-user minimum duration. The key is the user
	 * name recorded on the first attempt, and the condition tests the
	 * context flag rather than this call's local result.
	 */
	if (!authctxt->authenticated)
		ensure_minimum_time_since(tstart,
		    user_specific_delay(authctxt->user));
	userauth_finish(ssh, authenticated, method, NULL);

	free(service);
	free(user);
	free(method);
	return 0;
}
339 | | - |
/*
 * Complete an attempt of 'method' (optionally 'submethod') whose result
 * is 'authenticated' (1 = success). Applies the root-login and
 * AuthenticationMethods policies, logs the outcome, and sends either
 * SSH2_MSG_USERAUTH_SUCCESS or SSH2_MSG_USERAUTH_FAILURE (carrying the
 * methods that may continue and the partial-success flag). Sends
 * nothing when the method has postponed its decision. Fatal on
 * internal inconsistencies and, with PAM, when account policy denies a
 * user whose method succeeded.
 */
void
userauth_finish(struct ssh *ssh, int authenticated, const char *method,
    const char *submethod)
{
	Authctxt *authctxt = ssh->authctxt;
	char *methods;
	int partial = 0;

	/* No method may report success for a user that was not found. */
	if (!authctxt->valid && authenticated)
		fatal("INTERNAL ERROR: authenticated invalid user %s",
		    authctxt->user);
	if (authenticated && authctxt->postponed)
		fatal("INTERNAL ERROR: authenticated and postponed");

	/*
	 * Root may be vetoed by auth_root_allowed(). pw is always non-NULL
	 * here: input_userauth_request() substitutes fakepw() for unknown
	 * users.
	 */
	if (authenticated && authctxt->pw->pw_uid == 0 &&
	    !auth_root_allowed(ssh, method)) {
		authenticated = 0;
#ifdef SSH_AUDIT_EVENTS
		PRIVSEP(audit_event(SSH_LOGIN_ROOT_DENIED));
#endif
	}

	/*
	 * With AuthenticationMethods configured, one method passing is only
	 * a partial success until the lists are satisfied.
	 */
	if (authenticated && options.num_auth_methods != 0) {
		if (!auth2_update_methods_lists(authctxt, method, submethod)) {
			authenticated = 0;
			partial = 1;
		}
	}

	/* Log the outcome before acting on it. */
	auth_log(authctxt, authenticated, partial, method, submethod);

	/* Record method info for the session on success or partial success. */
	if (authenticated || partial)
		auth2_update_session_info(authctxt, method, submethod);

	if (authctxt->postponed)
		return;

#ifdef USE_PAM
	if (options.use_pam && authenticated) {
		int r;

		if (!PRIVSEP(do_pam_account())) {
			/* Show any accumulated PAM messages before disconnecting. */
			if (sshbuf_len(loginmsg) > 0) {
				/* NUL-terminate so the buffer is usable as a C string. */
				if ((r = sshbuf_put(loginmsg, "\0", 1)) != 0)
					fatal("%s: buffer error: %s",
					    __func__, ssh_err(r));
				userauth_send_banner(sshbuf_ptr(loginmsg));
				packet_write_wait();
			}
			fatal("Access denied for user %s by PAM account "
			    "configuration", authctxt->user);
		}
	}
#endif

	if (authenticated == 1) {
		/* Further userauth requests are ignored rather than processed. */
		ssh_dispatch_set(ssh, SSH2_MSG_USERAUTH_REQUEST, &dispatch_protocol_ignore);
		packet_start(SSH2_MSG_USERAUTH_SUCCESS);
		packet_send();
		packet_write_wait();
		/* This is the done flag do_authentication2() hands to the dispatcher. */
		authctxt->success = 1;
		ssh_packet_set_log_preamble(ssh, "user %s", authctxt->user);
	} else {
		/*
		 * Count the failure unless it was partial, caused by the
		 * server, or the client's initial probing "none" request.
		 */
		if (!partial && !authctxt->server_caused_failure &&
		    (authctxt->attempt > 1 || strcmp(method, "none") != 0))
			authctxt->failures++;
		if (authctxt->failures >= options.max_authtries) {
#ifdef SSH_AUDIT_EVENTS
			PRIVSEP(audit_event(SSH_LOGIN_EXCEED_MAXTRIES));
#endif
			auth_maxtries_exceeded(authctxt);
		}
		methods = authmethods_get(authctxt);
		debug3("%s: failure partial=%d next methods=\"%s\"", __func__,
		    partial, methods);
		packet_start(SSH2_MSG_USERAUTH_FAILURE);
		packet_put_cstring(methods);
		packet_put_char(partial);
		packet_send();
		packet_write_wait();
		free(methods);
	}
}
/*
 * Return non-zero if 'method' (optionally qualified by 'submethod') may
 * be attempted now, i.e. list_starts_with() reports anything other than
 * MATCH_NONE for at least one of the connection's AuthenticationMethods
 * lists. Every method is allowed when no AuthenticationMethods are
 * configured.
 */
int
auth2_method_allowed(Authctxt *authctxt, const char *method,
    const char *submethod)
{
	u_int i;
	int match;

	if (options.num_auth_methods == 0)
		return 1;
	for (i = 0; i < authctxt->num_auth_methods; i++) {
		match = list_starts_with(authctxt->auth_methods[i], method,
		    submethod);
		if (match != MATCH_NONE)
			return 1;
	}
	return 0;
}
455 | | - |
/*
 * Build the comma-separated list of methods the client may try next, as
 * advertised in SSH2_MSG_USERAUTH_FAILURE. "none" is never listed;
 * disabled methods and methods not permitted by the current
 * AuthenticationMethods state are omitted. Methods appear in
 * authmethods[] order. Returns a newly allocated string the caller
 * frees. Fatal on buffer errors.
 */
static char *
authmethods_get(Authctxt *authctxt)
{
	struct sshbuf *b;
	Authmethod **mp, *m;
	char *list;
	int r;

	if ((b = sshbuf_new()) == NULL)
		fatal("%s: sshbuf_new failed", __func__);
	for (mp = authmethods; (m = *mp) != NULL; mp++) {
		if (strcmp(m->name, "none") == 0)
			continue;
		if (m->enabled == NULL || *(m->enabled) == 0)
			continue;
		if (!auth2_method_allowed(authctxt, m->name, NULL))
			continue;
		/* Comma-separate after the first entry. */
		r = sshbuf_putf(b, "%s%s", sshbuf_len(b) ? "," : "", m->name);
		if (r != 0)
			fatal("%s: buffer error: %s", __func__, ssh_err(r));
	}
	if ((list = sshbuf_dup_string(b)) == NULL)
		fatal("%s: sshbuf_dup_string failed", __func__);
	sshbuf_free(b);
	return list;
}
483 | | - |
/*
 * Find the method called 'name' in authmethods[], provided it is enabled
 * and currently permitted by auth2_method_allowed(). Returns the first
 * match, or NULL (after a debug log) when 'name' is NULL, unknown,
 * disabled or not allowed.
 */
static Authmethod *
authmethod_lookup(Authctxt *authctxt, const char *name)
{
	Authmethod **mp, *m;

	if (name != NULL) {
		for (mp = authmethods; (m = *mp) != NULL; mp++) {
			if (m->enabled == NULL || *(m->enabled) == 0)
				continue;
			if (strcmp(name, m->name) != 0)
				continue;
			if (!auth2_method_allowed(authctxt, m->name, NULL))
				continue;
			return m;
		}
	}
	debug2("Unrecognized authentication method name: %s",
	    name ? name : "NULL");
	return NULL;
}
/*
 * Validate one AuthenticationMethods list: '_methods' is comma-separated,
 * each entry a method name optionally followed by ":submethod". Every
 * entry must name a known method; with 'need_enable' set it must also be
 * enabled in the running configuration. Only the method part is
 * compared; submethods are not validated here. Returns 0 if the list is
 * acceptable, -1 otherwise after logging the reason. '_methods' itself
 * is not modified.
 */
int
auth2_methods_valid(const char *_methods, int need_enable)
{
	char *copy, *cursor, *method, *colon;
	Authmethod *m;
	u_int i;
	int ret = -1;

	if (*_methods == '\0') {
		error("empty authentication method list");
		return -1;
	}
	cursor = copy = xstrdup(_methods);
	while ((method = strsep(&cursor, ",")) != NULL) {
		/* Strip any ":submethod" suffix before comparing names. */
		if ((colon = strchr(method, ':')) != NULL)
			*colon = '\0';
		m = NULL;
		for (i = 0; authmethods[i] != NULL; i++) {
			if (strcmp(method, authmethods[i]->name) == 0) {
				m = authmethods[i];
				break;
			}
		}
		if (m == NULL) {
			error("Unknown authentication method \"%s\" in list",
			    method);
			goto out;
		}
		if (need_enable &&
		    (m->enabled == NULL || *(m->enabled) == 0)) {
			error("Disabled method \"%s\" in "
			    "AuthenticationMethods list \"%s\"",
			    method, _methods);
			goto out;
		}
	}
	ret = 0;
 out:
	free(copy);
	return ret;
}
548 | | - |
549 | | - |
550 | | - |
551 | | - |
552 | | - |
553 | | - |
554 | | - |
555 | | - |
/*
 * Copy the configured AuthenticationMethods lists into authctxt,
 * dropping every list that auth2_methods_valid() rejects when asked to
 * require enabled methods (need_enable = 1). Returns 0 on success and
 * -1 when no usable list remains; with no lists configured at all it
 * returns 0 without touching authctxt->auth_methods.
 */
int
auth2_setup_methods_lists(Authctxt *authctxt)
{
	const u_int nlists = options.num_auth_methods;
	u_int idx;

	if (nlists == 0)
		return 0;
	debug3("%s: checking methods", __func__);
	/* Over-allocate to the configured count; entries are filled in order. */
	authctxt->auth_methods = xcalloc(nlists,
	    sizeof(*authctxt->auth_methods));
	authctxt->num_auth_methods = 0;
	for (idx = 0; idx < nlists; idx++) {
		const char *list = options.auth_methods[idx];

		if (auth2_methods_valid(list, 1) != 0) {
			logit("Authentication methods list \"%s\" contains "
			    "disabled method, skipping", list);
			continue;
		}
		debug("authentication methods list %d: %s",
		    authctxt->num_auth_methods, list);
		authctxt->auth_methods[authctxt->num_auth_methods] =
		    xstrdup(list);
		authctxt->num_auth_methods++;
	}
	/* Refuse to run with an empty policy rather than silently allow all. */
	if (authctxt->num_auth_methods == 0) {
		error("No AuthenticationMethods left after eliminating "
		    "disabled methods");
		return -1;
	}
	return 0;
}
586 | | - |
/*
 * Test whether the comma-separated list "methods" begins with "method",
 * optionally qualified as "method:submethod". Returns MATCH_NONE when
 * the list head is a different method (or a different submethod),
 * MATCH_PARTIAL when the list head carries a submethod but none was
 * supplied, MATCH_METHOD when only the method matched and MATCH_BOTH
 * when both matched. The matched entry must be followed by ',' or the
 * end of the string, so a longer name sharing the prefix is no match.
 */
static int
list_starts_with(const char *methods, const char *method,
    const char *submethod)
{
	const char *rest = methods;
	size_t len = strlen(method);
	int result = MATCH_METHOD;

	if (strncmp(rest, method, len) != 0)
		return MATCH_NONE;
	rest += len;
	if (*rest == ':') {
		if (submethod == NULL)
			return MATCH_PARTIAL;
		rest++;
		len = strlen(submethod);
		if (strncmp(submethod, rest, len) != 0)
			return MATCH_NONE;
		rest += len;
		result = MATCH_BOTH;
	}
	/* The entry has to end exactly here. */
	return (*rest == ',' || *rest == '\0') ? result : MATCH_NONE;
}
613 | | - |
614 | | - |
615 | | - |
616 | | - |
617 | | - |
618 | | - |
/*
 * If the list in *methods starts with method (and, when the list head
 * names one, with submethod), replace *methods with a freshly allocated
 * copy of the remainder after that entry and its trailing comma and
 * free the old string. Returns 1 when an entry was removed, 0 when the
 * head did not match (MATCH_NONE or MATCH_PARTIAL leave *methods
 * untouched). Removing the last entry leaves "" in *methods.
 */
static int
remove_method(char **methods, const char *method, const char *submethod)
{
	char *old = *methods;
	const char *tail;

	switch (list_starts_with(old, method, submethod)) {
	case MATCH_METHOD:
		tail = old + strlen(method);
		break;
	case MATCH_BOTH:
		tail = old + strlen(method);
		/* Skip the ':' and the submethod that followed it. */
		if (submethod != NULL)
			tail += 1 + strlen(submethod);
		break;
	default:
		return 0;
	}
	if (*tail == ',')
		tail++;
	*methods = xstrdup(tail);
	free(old);
	return 1;
}
638 | | - |
639 | | - |
640 | | - |
641 | | - |
642 | | - |
643 | | - |
644 | | - |
/*
 * Record that "method" (optionally "method:submethod") has just
 * succeeded by removing it from the head of every AuthenticationMethods
 * list that begins with it. Returns 1 as soon as one list becomes empty
 * (all methods it required have succeeded); lists after it are not
 * updated in that case. Returns 0 while every list still needs more.
 * Calls fatal() if no list started with the method, since only methods
 * at the head of some list are supposed to be offered.
 */
int
auth2_update_methods_lists(Authctxt *authctxt, const char *method,
    const char *submethod)
{
	u_int idx, nremoved = 0;

	debug3("%s: updating methods list after \"%s\"", __func__, method);
	for (idx = 0; idx < authctxt->num_auth_methods; idx++) {
		char **list = &authctxt->auth_methods[idx];

		if (remove_method(list, method, submethod) == 0)
			continue;
		nremoved++;
		if (**list == '\0') {
			debug2("authentication methods list %d complete", idx);
			return 1;
		}
		debug3("authentication methods list %d remaining: \"%s\"",
		    idx, *list);
	}
	if (nremoved == 0)
		fatal("%s: method not in AuthenticationMethods", __func__);
	return 0;
}
669 | | - |
670 | | - |
/*
 * Forget the key and the descriptive text recorded for the method that
 * last ran, releasing both and leaving the fields NULL so a later
 * auth2_update_session_info() does not report stale data.
 */
void
auth2_authctxt_reset_info(Authctxt *authctxt)
{
	sshkey_free(authctxt->auth_method_key);
	authctxt->auth_method_key = NULL;
	free(authctxt->auth_method_info);
	authctxt->auth_method_info = NULL;
}
678 | | - |
679 | | - |
/*
 * Store a printf-style description of the current method's result in
 * authctxt->auth_method_info, replacing any previous text. fmt must be a
 * format string under the caller's control (never data received from
 * the peer); auth2_update_session_info() later copies the result into
 * the line-oriented session_info record and refuses text containing
 * '\n'. Calls fatal() if formatting fails.
 */
void
auth2_record_info(Authctxt *authctxt, const char *fmt, ...)
{
	va_list args;
	char *formatted = NULL;
	int rc;

	/* Drop whatever the previous method recorded. */
	free(authctxt->auth_method_info);
	authctxt->auth_method_info = NULL;

	va_start(args, fmt);
	rc = vasprintf(&formatted, fmt, args);
	va_end(args);
	if (rc < 0 || formatted == NULL)
		fatal("%s: vasprintf failed", __func__);
	authctxt->auth_method_info = formatted;
}
696 | | - |
697 | | - |
698 | | - |
699 | | - |
700 | | - |
701 | | - |
/*
 * Remember the key presented by the current method. A copy made with
 * sshkey_from_private() always replaces authctxt->auth_method_key; when
 * the attempt actually authenticated, a second copy is also appended to
 * authctxt->prev_keys so auth2_key_already_used() can reject the same
 * key being counted twice in a multi-method policy. Calls fatal() if a
 * copy or the array growth fails, or if prev_keys is at INT_MAX.
 */
void
auth2_record_key(Authctxt *authctxt, int authenticated,
    const struct sshkey *key)
{
	struct sshkey *copy = NULL, **grown = NULL;
	u_int n;
	int r;

	r = sshkey_from_private(key, &copy);
	if (r != 0)
		fatal("%s: copy key: %s", __func__, ssh_err(r));
	sshkey_free(authctxt->auth_method_key);
	authctxt->auth_method_key = copy;

	if (authenticated == 0)
		return;

	/* Successful keys are kept separately for the reuse check. */
	r = sshkey_from_private(key, &copy);
	if (r != 0)
		fatal("%s: copy key: %s", __func__, ssh_err(r));
	n = authctxt->nprev_keys;
	if (n >= INT_MAX)
		fatal("%s: reallocarray failed", __func__);
	grown = recallocarray(authctxt->prev_keys, n, n + 1,
	    sizeof(*authctxt->prev_keys));
	if (grown == NULL)
		fatal("%s: reallocarray failed", __func__);
	authctxt->prev_keys = grown;
	authctxt->prev_keys[n] = copy;
	authctxt->nprev_keys = n + 1;
}
729 | | - |
730 | | - |
/*
 * Return 1 if key matches (by public key material, via
 * sshkey_equal_public) any key that already authenticated earlier in
 * this session, 0 otherwise. A hit is logged at debug3 with the key's
 * type and fingerprint ("UNKNOWN" if the fingerprint cannot be
 * computed); the fingerprint string is freed before returning.
 */
int
auth2_key_already_used(Authctxt *authctxt, const struct sshkey *key)
{
	u_int idx;

	for (idx = 0; idx < authctxt->nprev_keys; idx++) {
		struct sshkey *prev = authctxt->prev_keys[idx];
		char *fp;

		if (!sshkey_equal_public(key, prev))
			continue;
		fp = sshkey_fingerprint(prev, options.fingerprint_hash,
		    SSH_FP_DEFAULT);
		debug3("%s: key already used: %s %s", __func__,
		    sshkey_type(prev), fp == NULL ? "UNKNOWN" : fp);
		free(fp);
		return 1;
	}
	return 0;
}
750 | | - |
751 | | - |
752 | | - |
753 | | - |
754 | | - |
/*
 * Append one record line for a successful method to
 * authctxt->session_info, creating the buffer on first use. The line is
 * "method[/submethod][ <key text>][ <auth_method_info>]\n". Because the
 * record is newline-delimited, auth_method_info containing '\n' is a
 * fatal error rather than being written, so recorded text cannot pose
 * as an additional record line. Every buffer failure is fatal.
 */
void
auth2_update_session_info(Authctxt *authctxt, const char *method,
    const char *submethod)
{
	struct sshbuf *info;
	const char *sep = submethod == NULL ? "" : "/";
	const char *sub = submethod == NULL ? "" : submethod;
	int r;

	if (authctxt->session_info == NULL) {
		authctxt->session_info = sshbuf_new();
		if (authctxt->session_info == NULL)
			fatal("%s: sshbuf_new", __func__);
	}
	info = authctxt->session_info;

	r = sshbuf_putf(info, "%s%s%s", method, sep, sub);
	if (r != 0)
		fatal("%s: append method: %s", __func__, ssh_err(r));

	if (authctxt->auth_method_key != NULL) {
		r = sshbuf_put_u8(info, ' ');
		if (r == 0)
			r = sshkey_format_text(authctxt->auth_method_key, info);
		if (r != 0)
			fatal("%s: append key: %s", __func__, ssh_err(r));
	}

	if (authctxt->auth_method_info != NULL) {
		/* An embedded newline would split this record in two. */
		if (strchr(authctxt->auth_method_info, '\n') != NULL)
			fatal("%s: auth_method_info contains \\n", __func__);
		r = sshbuf_put_u8(info, ' ');
		if (r == 0)
			r = sshbuf_putf(info, "%s", authctxt->auth_method_info);
		if (r != 0)
			fatal("%s: append method info: %s",
			    __func__, ssh_err(r));
	}

	r = sshbuf_put_u8(info, '\n');
	if (r != 0)
		fatal("%s: append: %s", __func__, ssh_err(r));
}
794 | | - |