1.13.1
by Colin Watson
Import upstream version 4.6p1 |
1 |
/* $OpenBSD: authfd.c,v 1.80 2006/08/03 03:34:41 deraadt Exp $ */
|
1
by Noah Meyerhans
Import upstream version 3.8.1p1 |
2 |
/*
|
3 |
* Author: Tatu Ylonen <ylo@cs.hut.fi>
|
|
4 |
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
|
|
5 |
* All rights reserved
|
|
6 |
* Functions for connecting the local authentication agent.
|
|
7 |
*
|
|
8 |
* As far as I am concerned, the code I have written for this software
|
|
9 |
* can be used freely for any purpose. Any derived versions of this
|
|
10 |
* software must be clearly marked as such, and if the derived work is
|
|
11 |
* incompatible with the protocol description in the RFC file, it must be
|
|
12 |
* called by a name other than "ssh" or "Secure Shell".
|
|
13 |
*
|
|
14 |
* SSH2 implementation,
|
|
15 |
* Copyright (c) 2000 Markus Friedl. All rights reserved.
|
|
16 |
*
|
|
17 |
* Redistribution and use in source and binary forms, with or without
|
|
18 |
* modification, are permitted provided that the following conditions
|
|
19 |
* are met:
|
|
20 |
* 1. Redistributions of source code must retain the above copyright
|
|
21 |
* notice, this list of conditions and the following disclaimer.
|
|
22 |
* 2. Redistributions in binary form must reproduce the above copyright
|
|
23 |
* notice, this list of conditions and the following disclaimer in the
|
|
24 |
* documentation and/or other materials provided with the distribution.
|
|
25 |
*
|
|
26 |
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
|
|
27 |
* IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
|
|
28 |
* OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
|
|
29 |
* IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
|
|
30 |
* INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
|
|
31 |
* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
|
|
32 |
* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
|
|
33 |
* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
|
|
34 |
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
|
|
35 |
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
|
36 |
*/
|
|
37 |
||
38 |
#include "includes.h" |
|
1.13.1
by Colin Watson
Import upstream version 4.6p1 |
39 |
|
40 |
#include <sys/types.h> |
|
41 |
#include <sys/un.h> |
|
42 |
#include <sys/socket.h> |
|
1
by Noah Meyerhans
Import upstream version 3.8.1p1 |
43 |
|
44 |
#include <openssl/evp.h> |
|
45 |
||
1.13.1
by Colin Watson
Import upstream version 4.6p1 |
46 |
#include <openssl/crypto.h> |
47 |
#include <fcntl.h> |
|
48 |
#include <stdlib.h> |
|
49 |
#include <signal.h> |
|
50 |
#include <stdarg.h> |
|
51 |
#include <string.h> |
|
52 |
#include <unistd.h> |
|
53 |
||
54 |
#include "xmalloc.h" |
|
1
by Noah Meyerhans
Import upstream version 3.8.1p1 |
55 |
#include "ssh.h" |
56 |
#include "rsa.h" |
|
57 |
#include "buffer.h" |
|
58 |
#include "key.h" |
|
59 |
#include "authfd.h" |
|
60 |
#include "cipher.h" |
|
61 |
#include "kex.h" |
|
62 |
#include "compat.h" |
|
63 |
#include "log.h" |
|
64 |
#include "atomicio.h" |
|
1.13.1
by Colin Watson
Import upstream version 4.6p1 |
65 |
#include "misc.h" |
1
by Noah Meyerhans
Import upstream version 3.8.1p1 |
66 |
|
67 |
static int agent_present = 0; |
|
68 |
||
69 |
/* helper */
|
|
70 |
int decode_reply(int type); |
|
71 |
||
72 |
/* macro to check for "agent failure" message */
|
|
73 |
#define agent_failed(x) \
|
|
74 |
((x == SSH_AGENT_FAILURE) || (x == SSH_COM_AGENT2_FAILURE) || \
|
|
75 |
(x == SSH2_AGENT_FAILURE))
|
|
76 |
||
77 |
int
|
|
78 |
ssh_agent_present(void) |
|
79 |
{
|
|
80 |
int authfd; |
|
81 |
||
82 |
if (agent_present) |
|
83 |
return 1; |
|
84 |
if ((authfd = ssh_get_authentication_socket()) == -1) |
|
85 |
return 0; |
|
86 |
else { |
|
87 |
ssh_close_authentication_socket(authfd); |
|
88 |
return 1; |
|
89 |
}
|
|
90 |
}
|
|
91 |
||
92 |
/* Returns the number of the authentication fd, or -1 if there is none. */
|
|
93 |
||
94 |
int
|
|
95 |
ssh_get_authentication_socket(void) |
|
96 |
{
|
|
97 |
const char *authsocket; |
|
98 |
int sock; |
|
99 |
struct sockaddr_un sunaddr; |
|
100 |
||
101 |
authsocket = getenv(SSH_AUTHSOCKET_ENV_NAME); |
|
102 |
if (!authsocket) |
|
103 |
return -1; |
|
104 |
||
105 |
sunaddr.sun_family = AF_UNIX; |
|
106 |
strlcpy(sunaddr.sun_path, authsocket, sizeof(sunaddr.sun_path)); |
|
107 |
||
108 |
sock = socket(AF_UNIX, SOCK_STREAM, 0); |
|
109 |
if (sock < 0) |
|
110 |
return -1; |
|
111 |
||
112 |
/* close on exec */
|
|
113 |
if (fcntl(sock, F_SETFD, 1) == -1) { |
|
114 |
close(sock); |
|
115 |
return -1; |
|
116 |
}
|
|
1.13.1
by Colin Watson
Import upstream version 4.6p1 |
117 |
if (connect(sock, (struct sockaddr *)&sunaddr, sizeof sunaddr) < 0) { |
1
by Noah Meyerhans
Import upstream version 3.8.1p1 |
118 |
close(sock); |
119 |
return -1; |
|
120 |
}
|
|
121 |
agent_present = 1; |
|
122 |
return sock; |
|
123 |
}
|
|
124 |
||
125 |
static int |
|
126 |
ssh_request_reply(AuthenticationConnection *auth, Buffer *request, Buffer *reply) |
|
127 |
{
|
|
1.1.3
by Colin Watson
Import upstream version 4.2p1 |
128 |
u_int l, len; |
1
by Noah Meyerhans
Import upstream version 3.8.1p1 |
129 |
char buf[1024]; |
130 |
||
131 |
/* Get the length of the message, and format it in the buffer. */
|
|
132 |
len = buffer_len(request); |
|
1.13.1
by Colin Watson
Import upstream version 4.6p1 |
133 |
put_u32(buf, len); |
1
by Noah Meyerhans
Import upstream version 3.8.1p1 |
134 |
|
135 |
/* Send the length and then the packet to the agent. */
|
|
136 |
if (atomicio(vwrite, auth->fd, buf, 4) != 4 || |
|
137 |
atomicio(vwrite, auth->fd, buffer_ptr(request), |
|
138 |
buffer_len(request)) != buffer_len(request)) { |
|
139 |
error("Error writing to authentication socket."); |
|
140 |
return 0; |
|
141 |
}
|
|
142 |
/*
|
|
143 |
* Wait for response from the agent. First read the length of the
|
|
144 |
* response packet.
|
|
145 |
*/
|
|
1.1.1
by Colin Watson
Import upstream version 3.9p1 |
146 |
if (atomicio(read, auth->fd, buf, 4) != 4) { |
147 |
error("Error reading response length from authentication socket."); |
|
148 |
return 0; |
|
1
by Noah Meyerhans
Import upstream version 3.8.1p1 |
149 |
}
|
150 |
||
151 |
/* Extract the length, and check it for sanity. */
|
|
1.13.1
by Colin Watson
Import upstream version 4.6p1 |
152 |
len = get_u32(buf); |
1
by Noah Meyerhans
Import upstream version 3.8.1p1 |
153 |
if (len > 256 * 1024) |
154 |
fatal("Authentication response too long: %u", len); |
|
155 |
||
156 |
/* Read the rest of the response in to the buffer. */
|
|
157 |
buffer_clear(reply); |
|
158 |
while (len > 0) { |
|
159 |
l = len; |
|
160 |
if (l > sizeof(buf)) |
|
161 |
l = sizeof(buf); |
|
1.1.3
by Colin Watson
Import upstream version 4.2p1 |
162 |
if (atomicio(read, auth->fd, buf, l) != l) { |
1
by Noah Meyerhans
Import upstream version 3.8.1p1 |
163 |
error("Error reading response from authentication socket."); |
164 |
return 0; |
|
165 |
}
|
|
166 |
buffer_append(reply, buf, l); |
|
167 |
len -= l; |
|
168 |
}
|
|
169 |
return 1; |
|
170 |
}
|
|
171 |
||
172 |
/*
|
|
173 |
* Closes the agent socket if it should be closed (depends on how it was
|
|
174 |
* obtained). The argument must have been returned by
|
|
175 |
* ssh_get_authentication_socket().
|
|
176 |
*/
|
|
177 |
||
178 |
void
|
|
179 |
ssh_close_authentication_socket(int sock) |
|
180 |
{
|
|
181 |
if (getenv(SSH_AUTHSOCKET_ENV_NAME)) |
|
182 |
close(sock); |
|
183 |
}
|
|
184 |
||
185 |
/*
|
|
186 |
* Opens and connects a private socket for communication with the
|
|
187 |
* authentication agent. Returns the file descriptor (which must be
|
|
188 |
* shut down and closed by the caller when no longer needed).
|
|
189 |
* Returns NULL if an error occurred and the connection could not be
|
|
190 |
* opened.
|
|
191 |
*/
|
|
192 |
||
193 |
AuthenticationConnection * |
|
194 |
ssh_get_authentication_connection(void) |
|
195 |
{
|
|
196 |
AuthenticationConnection *auth; |
|
197 |
int sock; |
|
198 |
||
199 |
sock = ssh_get_authentication_socket(); |
|
200 |
||
201 |
/*
|
|
202 |
* Fail if we couldn't obtain a connection. This happens if we
|
|
203 |
* exited due to a timeout.
|
|
204 |
*/
|
|
205 |
if (sock < 0) |
|
206 |
return NULL; |
|
207 |
||
208 |
auth = xmalloc(sizeof(*auth)); |
|
209 |
auth->fd = sock; |
|
210 |
buffer_init(&auth->identities); |
|
211 |
auth->howmany = 0; |
|
212 |
||
213 |
return auth; |
|
214 |
}
|
|
215 |
||
216 |
/*
|
|
217 |
* Closes the connection to the authentication agent and frees any associated
|
|
218 |
* memory.
|
|
219 |
*/
|
|
220 |
||
221 |
void
|
|
222 |
ssh_close_authentication_connection(AuthenticationConnection *auth) |
|
223 |
{
|
|
224 |
buffer_free(&auth->identities); |
|
225 |
close(auth->fd); |
|
226 |
xfree(auth); |
|
227 |
}
|
|
228 |
||
229 |
/* Lock/unlock agent */
|
|
230 |
int
|
|
231 |
ssh_lock_agent(AuthenticationConnection *auth, int lock, const char *password) |
|
232 |
{
|
|
233 |
int type; |
|
234 |
Buffer msg; |
|
235 |
||
236 |
buffer_init(&msg); |
|
237 |
buffer_put_char(&msg, lock ? SSH_AGENTC_LOCK : SSH_AGENTC_UNLOCK); |
|
238 |
buffer_put_cstring(&msg, password); |
|
239 |
||
240 |
if (ssh_request_reply(auth, &msg, &msg) == 0) { |
|
241 |
buffer_free(&msg); |
|
242 |
return 0; |
|
243 |
}
|
|
244 |
type = buffer_get_char(&msg); |
|
245 |
buffer_free(&msg); |
|
246 |
return decode_reply(type); |
|
247 |
}
|
|
248 |
||
249 |
/*
|
|
250 |
* Returns the first authentication identity held by the agent.
|
|
251 |
*/
|
|
252 |
||
253 |
int
|
|
254 |
ssh_get_num_identities(AuthenticationConnection *auth, int version) |
|
255 |
{
|
|
256 |
int type, code1 = 0, code2 = 0; |
|
257 |
Buffer request; |
|
258 |
||
259 |
switch (version) { |
|
260 |
case 1: |
|
261 |
code1 = SSH_AGENTC_REQUEST_RSA_IDENTITIES; |
|
262 |
code2 = SSH_AGENT_RSA_IDENTITIES_ANSWER; |
|
263 |
break; |
|
264 |
case 2: |
|
265 |
code1 = SSH2_AGENTC_REQUEST_IDENTITIES; |
|
266 |
code2 = SSH2_AGENT_IDENTITIES_ANSWER; |
|
267 |
break; |
|
268 |
default: |
|
269 |
return 0; |
|
270 |
}
|
|
271 |
||
272 |
/*
|
|
273 |
* Send a message to the agent requesting for a list of the
|
|
274 |
* identities it can represent.
|
|
275 |
*/
|
|
276 |
buffer_init(&request); |
|
277 |
buffer_put_char(&request, code1); |
|
278 |
||
279 |
buffer_clear(&auth->identities); |
|
280 |
if (ssh_request_reply(auth, &request, &auth->identities) == 0) { |
|
281 |
buffer_free(&request); |
|
282 |
return 0; |
|
283 |
}
|
|
284 |
buffer_free(&request); |
|
285 |
||
286 |
/* Get message type, and verify that we got a proper answer. */
|
|
287 |
type = buffer_get_char(&auth->identities); |
|
288 |
if (agent_failed(type)) { |
|
289 |
return 0; |
|
290 |
} else if (type != code2) { |
|
291 |
fatal("Bad authentication reply message type: %d", type); |
|
292 |
}
|
|
293 |
||
294 |
/* Get the number of entries in the response and check it for sanity. */
|
|
295 |
auth->howmany = buffer_get_int(&auth->identities); |
|
296 |
if ((u_int)auth->howmany > 1024) |
|
297 |
fatal("Too many identities in authentication reply: %d", |
|
298 |
auth->howmany); |
|
299 |
||
300 |
return auth->howmany; |
|
301 |
}
|
|
302 |
||
303 |
Key * |
|
304 |
ssh_get_first_identity(AuthenticationConnection *auth, char **comment, int version) |
|
305 |
{
|
|
306 |
/* get number of identities and return the first entry (if any). */
|
|
307 |
if (ssh_get_num_identities(auth, version) > 0) |
|
308 |
return ssh_get_next_identity(auth, comment, version); |
|
309 |
return NULL; |
|
310 |
}
|
|
311 |
||
312 |
Key * |
|
313 |
ssh_get_next_identity(AuthenticationConnection *auth, char **comment, int version) |
|
314 |
{
|
|
1.1.3
by Colin Watson
Import upstream version 4.2p1 |
315 |
int keybits; |
1
by Noah Meyerhans
Import upstream version 3.8.1p1 |
316 |
u_int bits; |
317 |
u_char *blob; |
|
318 |
u_int blen; |
|
319 |
Key *key = NULL; |
|
320 |
||
321 |
/* Return failure if no more entries. */
|
|
322 |
if (auth->howmany <= 0) |
|
323 |
return NULL; |
|
324 |
||
325 |
/*
|
|
326 |
* Get the next entry from the packet. These will abort with a fatal
|
|
327 |
* error if the packet is too short or contains corrupt data.
|
|
328 |
*/
|
|
329 |
switch (version) { |
|
330 |
case 1: |
|
331 |
key = key_new(KEY_RSA1); |
|
332 |
bits = buffer_get_int(&auth->identities); |
|
333 |
buffer_get_bignum(&auth->identities, key->rsa->e); |
|
334 |
buffer_get_bignum(&auth->identities, key->rsa->n); |
|
335 |
*comment = buffer_get_string(&auth->identities, NULL); |
|
1.1.3
by Colin Watson
Import upstream version 4.2p1 |
336 |
keybits = BN_num_bits(key->rsa->n); |
337 |
if (keybits < 0 || bits != (u_int)keybits) |
|
1
by Noah Meyerhans
Import upstream version 3.8.1p1 |
338 |
logit("Warning: identity keysize mismatch: actual %d, announced %u", |
339 |
BN_num_bits(key->rsa->n), bits); |
|
340 |
break; |
|
341 |
case 2: |
|
342 |
blob = buffer_get_string(&auth->identities, &blen); |
|
343 |
*comment = buffer_get_string(&auth->identities, NULL); |
|
344 |
key = key_from_blob(blob, blen); |
|
345 |
xfree(blob); |
|
346 |
break; |
|
347 |
default: |
|
348 |
return NULL; |
|
349 |
}
|
|
350 |
/* Decrement the number of remaining entries. */
|
|
351 |
auth->howmany--; |
|
352 |
return key; |
|
353 |
}
|
|
354 |
||
355 |
/*
|
|
356 |
* Generates a random challenge, sends it to the agent, and waits for
|
|
357 |
* response from the agent. Returns true (non-zero) if the agent gave the
|
|
358 |
* correct answer, zero otherwise. Response type selects the style of
|
|
359 |
* response desired, with 0 corresponding to protocol version 1.0 (no longer
|
|
360 |
* supported) and 1 corresponding to protocol version 1.1.
|
|
361 |
*/
|
|
362 |
||
363 |
int
|
|
364 |
ssh_decrypt_challenge(AuthenticationConnection *auth, |
|
365 |
Key* key, BIGNUM *challenge, |
|
366 |
u_char session_id[16], |
|
367 |
u_int response_type, |
|
368 |
u_char response[16]) |
|
369 |
{
|
|
370 |
Buffer buffer; |
|
371 |
int success = 0; |
|
372 |
int i; |
|
373 |
int type; |
|
374 |
||
375 |
if (key->type != KEY_RSA1) |
|
376 |
return 0; |
|
377 |
if (response_type == 0) { |
|
378 |
logit("Compatibility with ssh protocol version 1.0 no longer supported."); |
|
379 |
return 0; |
|
380 |
}
|
|
381 |
buffer_init(&buffer); |
|
382 |
buffer_put_char(&buffer, SSH_AGENTC_RSA_CHALLENGE); |
|
383 |
buffer_put_int(&buffer, BN_num_bits(key->rsa->n)); |
|
384 |
buffer_put_bignum(&buffer, key->rsa->e); |
|
385 |
buffer_put_bignum(&buffer, key->rsa->n); |
|
386 |
buffer_put_bignum(&buffer, challenge); |
|
387 |
buffer_append(&buffer, session_id, 16); |
|
388 |
buffer_put_int(&buffer, response_type); |
|
389 |
||
390 |
if (ssh_request_reply(auth, &buffer, &buffer) == 0) { |
|
391 |
buffer_free(&buffer); |
|
392 |
return 0; |
|
393 |
}
|
|
394 |
type = buffer_get_char(&buffer); |
|
395 |
||
396 |
if (agent_failed(type)) { |
|
397 |
logit("Agent admitted failure to authenticate using the key."); |
|
398 |
} else if (type != SSH_AGENT_RSA_RESPONSE) { |
|
399 |
fatal("Bad authentication response: %d", type); |
|
400 |
} else { |
|
401 |
success = 1; |
|
402 |
/*
|
|
403 |
* Get the response from the packet. This will abort with a
|
|
404 |
* fatal error if the packet is corrupt.
|
|
405 |
*/
|
|
406 |
for (i = 0; i < 16; i++) |
|
1.13.1
by Colin Watson
Import upstream version 4.6p1 |
407 |
response[i] = (u_char)buffer_get_char(&buffer); |
1
by Noah Meyerhans
Import upstream version 3.8.1p1 |
408 |
}
|
409 |
buffer_free(&buffer); |
|
410 |
return success; |
|
411 |
}
|
|
412 |
||
413 |
/* ask agent to sign data, returns -1 on error, 0 on success */
|
|
414 |
int
|
|
415 |
ssh_agent_sign(AuthenticationConnection *auth, |
|
416 |
Key *key, |
|
417 |
u_char **sigp, u_int *lenp, |
|
418 |
u_char *data, u_int datalen) |
|
419 |
{
|
|
420 |
extern int datafellows; |
|
421 |
Buffer msg; |
|
422 |
u_char *blob; |
|
423 |
u_int blen; |
|
424 |
int type, flags = 0; |
|
425 |
int ret = -1; |
|
426 |
||
427 |
if (key_to_blob(key, &blob, &blen) == 0) |
|
428 |
return -1; |
|
429 |
||
430 |
if (datafellows & SSH_BUG_SIGBLOB) |
|
431 |
flags = SSH_AGENT_OLD_SIGNATURE; |
|
432 |
||
433 |
buffer_init(&msg); |
|
434 |
buffer_put_char(&msg, SSH2_AGENTC_SIGN_REQUEST); |
|
435 |
buffer_put_string(&msg, blob, blen); |
|
436 |
buffer_put_string(&msg, data, datalen); |
|
437 |
buffer_put_int(&msg, flags); |
|
438 |
xfree(blob); |
|
439 |
||
440 |
if (ssh_request_reply(auth, &msg, &msg) == 0) { |
|
441 |
buffer_free(&msg); |
|
442 |
return -1; |
|
443 |
}
|
|
444 |
type = buffer_get_char(&msg); |
|
445 |
if (agent_failed(type)) { |
|
446 |
logit("Agent admitted failure to sign using the key."); |
|
447 |
} else if (type != SSH2_AGENT_SIGN_RESPONSE) { |
|
448 |
fatal("Bad authentication response: %d", type); |
|
449 |
} else { |
|
450 |
ret = 0; |
|
451 |
*sigp = buffer_get_string(&msg, lenp); |
|
452 |
}
|
|
453 |
buffer_free(&msg); |
|
454 |
return ret; |
|
455 |
}
|
|
456 |
||
457 |
/* Encode key for a message to the agent. */
|
|
458 |
||
459 |
static void |
|
460 |
ssh_encode_identity_rsa1(Buffer *b, RSA *key, const char *comment) |
|
461 |
{
|
|
462 |
buffer_put_int(b, BN_num_bits(key->n)); |
|
463 |
buffer_put_bignum(b, key->n); |
|
464 |
buffer_put_bignum(b, key->e); |
|
465 |
buffer_put_bignum(b, key->d); |
|
466 |
/* To keep within the protocol: p < q for ssh. in SSL p > q */
|
|
467 |
buffer_put_bignum(b, key->iqmp); /* ssh key->u */ |
|
468 |
buffer_put_bignum(b, key->q); /* ssh key->p, SSL key->q */ |
|
469 |
buffer_put_bignum(b, key->p); /* ssh key->q, SSL key->p */ |
|
470 |
buffer_put_cstring(b, comment); |
|
471 |
}
|
|
472 |
||
473 |
static void |
|
474 |
ssh_encode_identity_ssh2(Buffer *b, Key *key, const char *comment) |
|
475 |
{
|
|
476 |
buffer_put_cstring(b, key_ssh_name(key)); |
|
477 |
switch (key->type) { |
|
478 |
case KEY_RSA: |
|
479 |
buffer_put_bignum2(b, key->rsa->n); |
|
480 |
buffer_put_bignum2(b, key->rsa->e); |
|
481 |
buffer_put_bignum2(b, key->rsa->d); |
|
482 |
buffer_put_bignum2(b, key->rsa->iqmp); |
|
483 |
buffer_put_bignum2(b, key->rsa->p); |
|
484 |
buffer_put_bignum2(b, key->rsa->q); |
|
485 |
break; |
|
486 |
case KEY_DSA: |
|
487 |
buffer_put_bignum2(b, key->dsa->p); |
|
488 |
buffer_put_bignum2(b, key->dsa->q); |
|
489 |
buffer_put_bignum2(b, key->dsa->g); |
|
490 |
buffer_put_bignum2(b, key->dsa->pub_key); |
|
491 |
buffer_put_bignum2(b, key->dsa->priv_key); |
|
492 |
break; |
|
493 |
}
|
|
494 |
buffer_put_cstring(b, comment); |
|
495 |
}
|
|
496 |
||
497 |
/*
|
|
498 |
* Adds an identity to the authentication server. This call is not meant to
|
|
499 |
* be used by normal applications.
|
|
500 |
*/
|
|
501 |
||
502 |
int
|
|
503 |
ssh_add_identity_constrained(AuthenticationConnection *auth, Key *key, |
|
504 |
const char *comment, u_int life, u_int confirm) |
|
505 |
{
|
|
506 |
Buffer msg; |
|
507 |
int type, constrained = (life || confirm); |
|
508 |
||
509 |
buffer_init(&msg); |
|
510 |
||
511 |
switch (key->type) { |
|
512 |
case KEY_RSA1: |
|
513 |
type = constrained ? |
|
514 |
SSH_AGENTC_ADD_RSA_ID_CONSTRAINED : |
|
515 |
SSH_AGENTC_ADD_RSA_IDENTITY; |
|
516 |
buffer_put_char(&msg, type); |
|
517 |
ssh_encode_identity_rsa1(&msg, key->rsa, comment); |
|
518 |
break; |
|
519 |
case KEY_RSA: |
|
520 |
case KEY_DSA: |
|
521 |
type = constrained ? |
|
522 |
SSH2_AGENTC_ADD_ID_CONSTRAINED : |
|
523 |
SSH2_AGENTC_ADD_IDENTITY; |
|
524 |
buffer_put_char(&msg, type); |
|
525 |
ssh_encode_identity_ssh2(&msg, key, comment); |
|
526 |
break; |
|
527 |
default: |
|
528 |
buffer_free(&msg); |
|
529 |
return 0; |
|
530 |
}
|
|
531 |
if (constrained) { |
|
532 |
if (life != 0) { |
|
533 |
buffer_put_char(&msg, SSH_AGENT_CONSTRAIN_LIFETIME); |
|
534 |
buffer_put_int(&msg, life); |
|
535 |
}
|
|
536 |
if (confirm != 0) |
|
537 |
buffer_put_char(&msg, SSH_AGENT_CONSTRAIN_CONFIRM); |
|
538 |
}
|
|
539 |
if (ssh_request_reply(auth, &msg, &msg) == 0) { |
|
540 |
buffer_free(&msg); |
|
541 |
return 0; |
|
542 |
}
|
|
543 |
type = buffer_get_char(&msg); |
|
544 |
buffer_free(&msg); |
|
545 |
return decode_reply(type); |
|
546 |
}
|
|
547 |
||
548 |
int
|
|
549 |
ssh_add_identity(AuthenticationConnection *auth, Key *key, const char *comment) |
|
550 |
{
|
|
551 |
return ssh_add_identity_constrained(auth, key, comment, 0, 0); |
|
552 |
}
|
|
553 |
||
554 |
/*
|
|
555 |
* Removes an identity from the authentication server. This call is not
|
|
556 |
* meant to be used by normal applications.
|
|
557 |
*/
|
|
558 |
||
559 |
int
|
|
560 |
ssh_remove_identity(AuthenticationConnection *auth, Key *key) |
|
561 |
{
|
|
562 |
Buffer msg; |
|
563 |
int type; |
|
564 |
u_char *blob; |
|
565 |
u_int blen; |
|
566 |
||
567 |
buffer_init(&msg); |
|
568 |
||
569 |
if (key->type == KEY_RSA1) { |
|
570 |
buffer_put_char(&msg, SSH_AGENTC_REMOVE_RSA_IDENTITY); |
|
571 |
buffer_put_int(&msg, BN_num_bits(key->rsa->n)); |
|
572 |
buffer_put_bignum(&msg, key->rsa->e); |
|
573 |
buffer_put_bignum(&msg, key->rsa->n); |
|
574 |
} else if (key->type == KEY_DSA || key->type == KEY_RSA) { |
|
575 |
key_to_blob(key, &blob, &blen); |
|
576 |
buffer_put_char(&msg, SSH2_AGENTC_REMOVE_IDENTITY); |
|
577 |
buffer_put_string(&msg, blob, blen); |
|
578 |
xfree(blob); |
|
579 |
} else { |
|
580 |
buffer_free(&msg); |
|
581 |
return 0; |
|
582 |
}
|
|
583 |
if (ssh_request_reply(auth, &msg, &msg) == 0) { |
|
584 |
buffer_free(&msg); |
|
585 |
return 0; |
|
586 |
}
|
|
587 |
type = buffer_get_char(&msg); |
|
588 |
buffer_free(&msg); |
|
589 |
return decode_reply(type); |
|
590 |
}
|
|
591 |
||
592 |
int
|
|
593 |
ssh_update_card(AuthenticationConnection *auth, int add, |
|
594 |
const char *reader_id, const char *pin, u_int life, u_int confirm) |
|
595 |
{
|
|
596 |
Buffer msg; |
|
597 |
int type, constrained = (life || confirm); |
|
598 |
||
599 |
if (add) { |
|
600 |
type = constrained ? |
|
601 |
SSH_AGENTC_ADD_SMARTCARD_KEY_CONSTRAINED : |
|
602 |
SSH_AGENTC_ADD_SMARTCARD_KEY; |
|
603 |
} else |
|
604 |
type = SSH_AGENTC_REMOVE_SMARTCARD_KEY; |
|
605 |
||
606 |
buffer_init(&msg); |
|
607 |
buffer_put_char(&msg, type); |
|
608 |
buffer_put_cstring(&msg, reader_id); |
|
609 |
buffer_put_cstring(&msg, pin); |
|
610 |
||
611 |
if (constrained) { |
|
612 |
if (life != 0) { |
|
613 |
buffer_put_char(&msg, SSH_AGENT_CONSTRAIN_LIFETIME); |
|
614 |
buffer_put_int(&msg, life); |
|
615 |
}
|
|
616 |
if (confirm != 0) |
|
617 |
buffer_put_char(&msg, SSH_AGENT_CONSTRAIN_CONFIRM); |
|
618 |
}
|
|
619 |
||
620 |
if (ssh_request_reply(auth, &msg, &msg) == 0) { |
|
621 |
buffer_free(&msg); |
|
622 |
return 0; |
|
623 |
}
|
|
624 |
type = buffer_get_char(&msg); |
|
625 |
buffer_free(&msg); |
|
626 |
return decode_reply(type); |
|
627 |
}
|
|
628 |
||
629 |
/*
|
|
630 |
* Removes all identities from the agent. This call is not meant to be used
|
|
631 |
* by normal applications.
|
|
632 |
*/
|
|
633 |
||
634 |
int
|
|
635 |
ssh_remove_all_identities(AuthenticationConnection *auth, int version) |
|
636 |
{
|
|
637 |
Buffer msg; |
|
638 |
int type; |
|
639 |
int code = (version==1) ? |
|
640 |
SSH_AGENTC_REMOVE_ALL_RSA_IDENTITIES : |
|
641 |
SSH2_AGENTC_REMOVE_ALL_IDENTITIES; |
|
642 |
||
643 |
buffer_init(&msg); |
|
644 |
buffer_put_char(&msg, code); |
|
645 |
||
646 |
if (ssh_request_reply(auth, &msg, &msg) == 0) { |
|
647 |
buffer_free(&msg); |
|
648 |
return 0; |
|
649 |
}
|
|
650 |
type = buffer_get_char(&msg); |
|
651 |
buffer_free(&msg); |
|
652 |
return decode_reply(type); |
|
653 |
}
|
|
654 |
||
655 |
int
|
|
656 |
decode_reply(int type) |
|
657 |
{
|
|
658 |
switch (type) { |
|
659 |
case SSH_AGENT_FAILURE: |
|
660 |
case SSH_COM_AGENT2_FAILURE: |
|
661 |
case SSH2_AGENT_FAILURE: |
|
662 |
logit("SSH_AGENT_FAILURE"); |
|
663 |
return 0; |
|
664 |
case SSH_AGENT_SUCCESS: |
|
665 |
return 1; |
|
666 |
default: |
|
667 |
fatal("Bad response from authentication agent: %d", type); |
|
668 |
}
|
|
669 |
/* NOTREACHED */
|
|
670 |
return 0; |
|
671 |
}
|