-rw-r--r--usr.bin/ssh/authfd.c73
-rw-r--r--usr.bin/ssh/authfd.h14
-rw-r--r--usr.bin/ssh/channels.c8
-rw-r--r--usr.bin/ssh/clientloop.c4
-rw-r--r--usr.bin/ssh/ssh-add.c18
-rw-r--r--usr.bin/ssh/ssh-agent.c9
-rw-r--r--usr.bin/ssh/ssh.c4
-rw-r--r--usr.bin/ssh/sshconnect1.c4
-rw-r--r--usr.bin/ssh/sshconnect2.c73
9 files changed, 138 insertions, 69 deletions
diff --git a/usr.bin/ssh/authfd.c b/usr.bin/ssh/authfd.c
index 69fe2ae411e..227c99286eb 100644
--- a/usr.bin/ssh/authfd.c
+++ b/usr.bin/ssh/authfd.c
@@ -14,17 +14,21 @@
*/
#include "includes.h"
-RCSID("$OpenBSD: authfd.c,v 1.21 2000/06/26 09:22:29 markus Exp $");
+RCSID("$OpenBSD: authfd.c,v 1.22 2000/07/16 08:27:20 markus Exp $");
#include "ssh.h"
#include "rsa.h"
-#include "authfd.h"
#include "buffer.h"
#include "bufaux.h"
#include "xmalloc.h"
#include "getput.h"
#include <openssl/rsa.h>
+#include <openssl/dsa.h>
+#include <openssl/evp.h>
+#include "key.h"
+#include "authfd.h"
+#include "kex.h"
/* helper */
int ssh_agent_get_reply(AuthenticationConnection *auth);
@@ -138,10 +142,7 @@ ssh_get_first_identity(AuthenticationConnection *auth,
* Send a message to the agent requesting for a list of the
* identities it can represent.
*/
- msg[0] = 0;
- msg[1] = 0;
- msg[2] = 0;
- msg[3] = 1;
+ PUT_32BIT(msg, 1);
msg[4] = SSH_AGENTC_REQUEST_RSA_IDENTITIES;
if (atomicio(write, auth->fd, msg, 5) != 5) {
error("write auth->fd: %.100s", strerror(errno));
@@ -336,31 +337,64 @@ error_cleanup:
return 1;
}
+/* Encode key for a message to the agent. */
+
+void
+ssh_encode_identity_rsa(Buffer *b, RSA *key, const char *comment)
+{
+ buffer_clear(b);
+ buffer_put_char(b, SSH_AGENTC_ADD_RSA_IDENTITY);
+ buffer_put_int(b, BN_num_bits(key->n));
+ buffer_put_bignum(b, key->n);
+ buffer_put_bignum(b, key->e);
+ buffer_put_bignum(b, key->d);
+ /* To keep within the protocol: p < q for ssh. in SSL p > q */
+ buffer_put_bignum(b, key->iqmp); /* ssh key->u */
+ buffer_put_bignum(b, key->q); /* ssh key->p, SSL key->q */
+ buffer_put_bignum(b, key->p); /* ssh key->q, SSL key->p */
+ buffer_put_string(b, comment, strlen(comment));
+}
+
+void
+ssh_encode_identity_dsa(Buffer *b, DSA *key, const char *comment)
+{
+ buffer_clear(b);
+ buffer_put_char(b, SSH2_AGENTC_ADD_IDENTITY);
+ buffer_put_cstring(b, KEX_DSS);
+ buffer_put_bignum2(b, key->p);
+ buffer_put_bignum2(b, key->q);
+ buffer_put_bignum2(b, key->g);
+ buffer_put_bignum2(b, key->pub_key);
+ buffer_put_bignum2(b, key->priv_key);
+ buffer_put_string(b, comment, strlen(comment));
+}
+
/*
* Adds an identity to the authentication server. This call is not meant to
* be used by normal applications.
*/
int
-ssh_add_identity(AuthenticationConnection *auth,
- RSA * key, const char *comment)
+ssh_add_identity(AuthenticationConnection *auth, Key *key, const char *comment)
{
Buffer buffer;
unsigned char buf[8192];
int len;
- /* Format a message to the agent. */
buffer_init(&buffer);
- buffer_put_char(&buffer, SSH_AGENTC_ADD_RSA_IDENTITY);
- buffer_put_int(&buffer, BN_num_bits(key->n));
- buffer_put_bignum(&buffer, key->n);
- buffer_put_bignum(&buffer, key->e);
- buffer_put_bignum(&buffer, key->d);
- /* To keep within the protocol: p < q for ssh. in SSL p > q */
- buffer_put_bignum(&buffer, key->iqmp); /* ssh key->u */
- buffer_put_bignum(&buffer, key->q); /* ssh key->p, SSL key->q */
- buffer_put_bignum(&buffer, key->p); /* ssh key->q, SSL key->p */
- buffer_put_string(&buffer, comment, strlen(comment));
+
+ switch (key->type) {
+ case KEY_RSA:
+ ssh_encode_identity_rsa(&buffer, key->rsa, comment);
+ break;
+ case KEY_DSA:
+ ssh_encode_identity_dsa(&buffer, key->dsa, comment);
+ break;
+ default:
+ buffer_free(&buffer);
+ return 0;
+ break;
+ }
/* Get the length of the message, and format it in the buffer. */
len = buffer_len(&buffer);
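Review bot: The `break;` after `return 0;` in the default arm of the new switch in ssh_add_identity is unreachable and should be dropped. The two new encoders ssh_encode_identity_rsa and ssh_encode_identity_dsa are exported with only a one-line comment between them; each resets `b` with `buffer_clear(b)` and then writes the private half of the key (`key->d`, `key->priv_key`) into it, so a header comment on each should say that the buffer is cleared first and that the result holds secret material the caller is responsible for scrubbing, and they can be `static` if nothing outside authfd.c calls them (no other caller is visible in this diff). ssh_add_identity continues past this hunk, so whether the encoded message is checked against the fixed `buf[8192]` before it is copied cannot be seen here; worth confirming now that a DSA identity with a long comment is the first non-RSA message it carries.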
@@ -487,6 +521,7 @@ ssh_agent_get_reply(AuthenticationConnection *auth)
buffer_free(&buffer);
switch (type) {
case SSH_AGENT_FAILURE:
+log("SSH_AGENT_FAILURE");
return 0;
case SSH_AGENT_SUCCESS:
return 1;
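Review bot: The added `log("SSH_AGENT_FAILURE");` sits at column 0 and fires on every failure reply from the agent, which reads like a debugging leftover rather than an intended message; an agent refusing an add or sign request is a normal outcome, not an error of this client. If the trace is wanted, indent it with the case body and lower it to `debug("ssh_agent_get_reply: SSH_AGENT_FAILURE");` so it presumably only appears under verbose output. The rest of ssh_agent_get_reply lies outside this hunk.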
diff --git a/usr.bin/ssh/authfd.h b/usr.bin/ssh/authfd.h
index d7ff4be2037..14b9bee94d6 100644
--- a/usr.bin/ssh/authfd.h
+++ b/usr.bin/ssh/authfd.h
@@ -13,7 +13,7 @@
*
*/
-/* RCSID("$OpenBSD: authfd.h,v 1.8 2000/06/20 01:39:38 markus Exp $"); */
+/* RCSID("$OpenBSD: authfd.h,v 1.9 2000/07/16 08:27:21 markus Exp $"); */
#ifndef AUTHFD_H
#define AUTHFD_H
@@ -31,6 +31,16 @@
#define SSH_AGENTC_REMOVE_RSA_IDENTITY 8
#define SSH_AGENTC_REMOVE_ALL_RSA_IDENTITIES 9
+#define SSH2_AGENTC_REQUEST_IDENTITIES 11
+#define SSH2_AGENT_IDENTITIES_ANSWER 12
+#define SSH2_AGENTC_SIGN_REQUEST 13
+#define SSH2_AGENT_SIGN_RESPONSE 14
+#define SSH2_AGENT_FAILURE SSH_AGENT_FAILURE
+#define SSH2_AGENT_SUCCESS SSH_AGENT_SUCCESS
+#define SSH2_AGENTC_ADD_IDENTITY 17
+#define SSH2_AGENTC_REMOVE_IDENTITY 18
+#define SSH2_AGENTC_REMOVE_ALL_IDENTITIES 19
+
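Review bot: The new SSH2_AGENT* message numbers are added with no comment separating them from the ssh1 agent messages above, and SSH2_AGENT_FAILURE/SSH2_AGENT_SUCCESS are aliases of the ssh1 reply codes rather than new values. A one-line comment above the block such as `/* ssh2 agent protocol: request/reply message numbers; FAILURE/SUCCESS reuse the ssh1 reply codes */` would tell a reader that sharing the reply values between the two protocols is deliberate.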
typedef struct {
int fd;
Buffer packet;
@@ -96,7 +106,7 @@ ssh_decrypt_challenge(AuthenticationConnection * auth,
* successfully added.
*/
int
-ssh_add_identity(AuthenticationConnection * connection, RSA * key,
+ssh_add_identity(AuthenticationConnection * connection, Key *key,
const char *comment);
/*
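Review bot: The prototype of ssh_add_identity now takes `Key *key`, but authfd.h does not appear to include key.h itself, which is why every consumer touched by this commit (authfd.c, channels.c, ssh-add.c, ssh-agent.c, ssh.c, sshconnect1.c) has to reorder its includes so key.h and the OpenSSL headers come before authfd.h. Having the header include what it needs — `#include "key.h"` (and whatever key.h depends on) inside the include guard — removes that ordering dependency for every future consumer. If the unchanged part of the header already does this, the include shuffling in the other files is unnecessary instead.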
diff --git a/usr.bin/ssh/channels.c b/usr.bin/ssh/channels.c
index 5ee5624eca4..37b40347fb9 100644
--- a/usr.bin/ssh/channels.c
+++ b/usr.bin/ssh/channels.c
@@ -17,13 +17,12 @@
*/
#include "includes.h"
-RCSID("$OpenBSD: channels.c,v 1.63 2000/06/25 20:17:57 provos Exp $");
+RCSID("$OpenBSD: channels.c,v 1.64 2000/07/16 08:27:21 markus Exp $");
#include "ssh.h"
#include "packet.h"
#include "xmalloc.h"
#include "buffer.h"
-#include "authfd.h"
#include "uidswap.h"
#include "readconf.h"
#include "servconf.h"
@@ -34,6 +33,11 @@ RCSID("$OpenBSD: channels.c,v 1.63 2000/06/25 20:17:57 provos Exp $");
#include "ssh2.h"
+#include <openssl/rsa.h>
+#include <openssl/dsa.h>
+#include "key.h"
+#include "authfd.h"
+
/* Maximum number of fake X11 displays to try. */
#define MAX_DISPLAYS 1000
diff --git a/usr.bin/ssh/clientloop.c b/usr.bin/ssh/clientloop.c
index f7ac7b3b02c..67fa36d911a 100644
--- a/usr.bin/ssh/clientloop.c
+++ b/usr.bin/ssh/clientloop.c
@@ -16,13 +16,12 @@
*/
#include "includes.h"
-RCSID("$OpenBSD: clientloop.c,v 1.28 2000/07/13 23:14:08 provos Exp $");
+RCSID("$OpenBSD: clientloop.c,v 1.29 2000/07/16 08:27:21 markus Exp $");
#include "xmalloc.h"
#include "ssh.h"
#include "packet.h"
#include "buffer.h"
-#include "authfd.h"
#include "readconf.h"
#include "ssh2.h"
@@ -30,7 +29,6 @@ RCSID("$OpenBSD: clientloop.c,v 1.28 2000/07/13 23:14:08 provos Exp $");
#include "channels.h"
#include "dispatch.h"
-
/* Flag indicating that stdin should be redirected from /dev/null. */
extern int stdin_null_flag;
diff --git a/usr.bin/ssh/ssh-add.c b/usr.bin/ssh/ssh-add.c
index aa447bcfed7..5b4b598860b 100644
--- a/usr.bin/ssh/ssh-add.c
+++ b/usr.bin/ssh/ssh-add.c
@@ -7,7 +7,7 @@
*/
#include "includes.h"
-RCSID("$OpenBSD: ssh-add.c,v 1.17 2000/06/20 01:39:44 markus Exp $");
+RCSID("$OpenBSD: ssh-add.c,v 1.18 2000/07/16 08:27:21 markus Exp $");
#include <openssl/rsa.h>
#include <openssl/dsa.h>
@@ -15,9 +15,9 @@ RCSID("$OpenBSD: ssh-add.c,v 1.17 2000/06/20 01:39:44 markus Exp $");
#include "rsa.h"
#include "ssh.h"
#include "xmalloc.h"
-#include "authfd.h"
#include "fingerprint.h"
#include "key.h"
+#include "authfd.h"
#include "authfile.h"
void
@@ -96,11 +96,17 @@ add_file(AuthenticationConnection *ac, const char *filename)
char buf[1024], msg[1024];
int success;
int interactive = isatty(STDIN_FILENO);
+ int type = KEY_RSA;
+ /*
+ * try to load the public key. right now this only works for RSA,
+ * since DSA keys are fully encrypted
+ */
public = key_new(KEY_RSA);
if (!load_public_key(filename, public, &saved_comment)) {
- printf("Bad key file %s: %s\n", filename, strerror(errno));
- return;
+ /* ok, so we will asume this is a DSA key */
+ type = KEY_DSA;
+ saved_comment = xstrdup(filename);
}
key_free(public);
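Review bot: Any failure of load_public_key now falls through to `type = KEY_DSA`, so a missing or unreadable file is no longer reported as `Bad key file` but is treated as an encrypted DSA key and the user is prompted for a passphrase on a path that may not exist. A `stat(filename, &st) != 0` check before the load, as ssh2_try_pubkey does in sshconnect2.c, would keep that diagnostic for the "cannot read file" case while letting a readable non-RSA file take the DSA path. The comment also has a typo: `/* ok, so we will assume this is a DSA key */`. add_file continues past this hunk.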
@@ -112,7 +118,7 @@ add_file(AuthenticationConnection *ac, const char *filename)
}
/* At first, try empty passphrase */
- private = key_new(KEY_RSA);
+ private = key_new(type);
success = load_private_key(filename, "", private, &comment);
if (!success) {
printf("Need passphrase for %.200s\n", filename);
@@ -144,7 +150,7 @@ add_file(AuthenticationConnection *ac, const char *filename)
}
xfree(saved_comment);
- if (ssh_add_identity(ac, private->rsa, comment))
+ if (ssh_add_identity(ac, private, comment))
fprintf(stderr, "Identity added: %s (%s)\n", filename, comment);
else
fprintf(stderr, "Could not add identity: %s\n", filename);
diff --git a/usr.bin/ssh/ssh-agent.c b/usr.bin/ssh/ssh-agent.c
index 18f1315fc4d..7e48819ed27 100644
--- a/usr.bin/ssh/ssh-agent.c
+++ b/usr.bin/ssh/ssh-agent.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh-agent.c,v 1.31 2000/04/29 18:11:52 markus Exp $ */
+/* $OpenBSD: ssh-agent.c,v 1.32 2000/07/16 08:27:21 markus Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
@@ -9,11 +9,10 @@
*/
#include "includes.h"
-RCSID("$OpenBSD: ssh-agent.c,v 1.31 2000/04/29 18:11:52 markus Exp $");
+RCSID("$OpenBSD: ssh-agent.c,v 1.32 2000/07/16 08:27:21 markus Exp $");
#include "ssh.h"
#include "rsa.h"
-#include "authfd.h"
#include "buffer.h"
#include "bufaux.h"
#include "xmalloc.h"
@@ -22,6 +21,10 @@ RCSID("$OpenBSD: ssh-agent.c,v 1.31 2000/04/29 18:11:52 markus Exp $");
#include "mpaux.h"
#include <openssl/md5.h>
+#include <openssl/dsa.h>
+#include <openssl/rsa.h>
+#include "key.h"
+#include "authfd.h"
typedef struct {
int fd;
diff --git a/usr.bin/ssh/ssh.c b/usr.bin/ssh/ssh.c
index 92b7edf0a8f..2f9cb3cc022 100644
--- a/usr.bin/ssh/ssh.c
+++ b/usr.bin/ssh/ssh.c
@@ -11,7 +11,7 @@
*/
#include "includes.h"
-RCSID("$OpenBSD: ssh.c,v 1.57 2000/07/15 04:01:37 djm Exp $");
+RCSID("$OpenBSD: ssh.c,v 1.58 2000/07/16 08:27:22 markus Exp $");
#include <openssl/evp.h>
#include <openssl/dsa.h>
@@ -21,7 +21,6 @@ RCSID("$OpenBSD: ssh.c,v 1.57 2000/07/15 04:01:37 djm Exp $");
#include "ssh.h"
#include "packet.h"
#include "buffer.h"
-#include "authfd.h"
#include "readconf.h"
#include "uidswap.h"
@@ -29,6 +28,7 @@ RCSID("$OpenBSD: ssh.c,v 1.57 2000/07/15 04:01:37 djm Exp $");
#include "compat.h"
#include "channels.h"
#include "key.h"
+#include "authfd.h"
#include "authfile.h"
extern char *__progname;
diff --git a/usr.bin/ssh/sshconnect1.c b/usr.bin/ssh/sshconnect1.c
index 4360d7283d8..aaebf17ffa1 100644
--- a/usr.bin/ssh/sshconnect1.c
+++ b/usr.bin/ssh/sshconnect1.c
@@ -9,7 +9,7 @@
*/
#include "includes.h"
-RCSID("$OpenBSD: sshconnect1.c,v 1.3 2000/05/08 17:12:16 markus Exp $");
+RCSID("$OpenBSD: sshconnect1.c,v 1.4 2000/07/16 08:27:22 markus Exp $");
#include <openssl/bn.h>
#include <openssl/dsa.h>
@@ -21,12 +21,12 @@ RCSID("$OpenBSD: sshconnect1.c,v 1.3 2000/05/08 17:12:16 markus Exp $");
#include "ssh.h"
#include "buffer.h"
#include "packet.h"
-#include "authfd.h"
#include "cipher.h"
#include "mpaux.h"
#include "uidswap.h"
#include "readconf.h"
#include "key.h"
+#include "authfd.h"
#include "sshconnect.h"
#include "authfile.h"
diff --git a/usr.bin/ssh/sshconnect2.c b/usr.bin/ssh/sshconnect2.c
index ae96d534e0d..22ad39e7f38 100644
--- a/usr.bin/ssh/sshconnect2.c
+++ b/usr.bin/ssh/sshconnect2.c
@@ -28,7 +28,7 @@
*/
#include "includes.h"
-RCSID("$OpenBSD: sshconnect2.c,v 1.15 2000/06/21 16:46:10 markus Exp $");
+RCSID("$OpenBSD: sshconnect2.c,v 1.16 2000/07/16 08:27:22 markus Exp $");
#include <openssl/bn.h>
#include <openssl/rsa.h>
@@ -286,40 +286,20 @@ ssh2_try_passwd(const char *server_user, const char *host, const char *service)
return 1;
}
-int
-ssh2_try_pubkey(char *filename,
+typedef int sign_fn(
+ Key *key,
+ unsigned char **sigp, int *lenp,
+ unsigned char *data, int datalen);
+
+void
+ssh2_sign_and_send_pubkey(Key *k, sign_fn *do_sign,
const char *server_user, const char *host, const char *service)
{
Buffer b;
- Key *k;
unsigned char *blob, *signature;
int bloblen, slen;
- struct stat st;
int skip = 0;
- if (stat(filename, &st) != 0) {
- debug("key does not exist: %s", filename);
- return 0;
- }
- debug("try pubkey: %s", filename);
-
- k = key_new(KEY_DSA);
- if (!load_private_key(filename, "", k, NULL)) {
- int success = 0;
- char *passphrase;
- char prompt[300];
- snprintf(prompt, sizeof prompt,
- "Enter passphrase for DSA key '%.100s': ",
- filename);
- passphrase = read_passphrase(prompt, 0);
- success = load_private_key(filename, passphrase, k, NULL);
- memset(passphrase, 0, strlen(passphrase));
- xfree(passphrase);
- if (!success) {
- key_free(k);
- return 0;
- }
- }
dsa_make_key_blob(k, &blob, &bloblen);
/* data to be signed */
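Review bot: ssh2_sign_and_send_pubkey takes a generic `sign_fn` but still builds the key blob with `dsa_make_key_blob(k, &blob, &bloblen)`, so it only works for DSA keys despite its signature suggesting otherwise; either the blob encoder should be passed alongside do_sign or the DSA-only assumption should be stated. The function has no header comment, and since it frees `k` in the following hunk (`key_free(k); /* XXX */`) the ownership transfer belongs there, e.g. `/* Build and sign the publickey auth request with do_sign and send it. Takes ownership of k and frees it. DSA-only until the blob encoding is parameterized like the signing. */`. The function's body continues past this hunk.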
@@ -343,8 +323,8 @@ ssh2_try_pubkey(char *filename,
buffer_put_string(&b, blob, bloblen);
/* generate signature */
- dsa_sign(k, &signature, &slen, buffer_ptr(&b), buffer_len(&b));
- key_free(k);
+ do_sign(k, &signature, &slen, buffer_ptr(&b), buffer_len(&b));
+ key_free(k); /* XXX */
#ifdef DEBUG_DSS
buffer_dump(&b);
#endif
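Review bot: The `int` result of `do_sign(...)` is discarded, so if the signing callback fails, `signature` and `slen` are presumably consumed uninitialized by the packet code that follows outside this hunk. Test it before going on — `if (do_sign(k, &signature, &slen, buffer_ptr(&b), buffer_len(&b)) != 0)` with the failure value matching whatever convention dsa_sign uses, which is not visible here — and release `b`, `blob` and `k` before returning. The `/* XXX */` next to `key_free(k)` looks like it flags that the callee frees a key it did not create; either say so in the comment or move the free back into ssh2_try_pubkey, which allocates `k`.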
@@ -377,6 +357,39 @@ ssh2_try_pubkey(char *filename,
/* send */
packet_send();
packet_write_wait();
+}
+
+int
+ssh2_try_pubkey(char *filename,
+ const char *server_user, const char *host, const char *service)
+{
+ Key *k;
+ struct stat st;
+
+ if (stat(filename, &st) != 0) {
+ debug("key does not exist: %s", filename);
+ return 0;
+ }
+ debug("try pubkey: %s", filename);
+
+ k = key_new(KEY_DSA);
+ if (!load_private_key(filename, "", k, NULL)) {
+ int success = 0;
+ char *passphrase;
+ char prompt[300];
+ snprintf(prompt, sizeof prompt,
+ "Enter passphrase for DSA key '%.100s': ",
+ filename);
+ passphrase = read_passphrase(prompt, 0);
+ success = load_private_key(filename, passphrase, k, NULL);
+ memset(passphrase, 0, strlen(passphrase));
+ xfree(passphrase);
+ if (!success) {
+ key_free(k);
+ return 0;
+ }
+ }
+ ssh2_sign_and_send_pubkey(k, dsa_sign, server_user, host, service);
return 1;
}