From 994cf1426d176e2ee9ba310416544c325e04b155 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Fri, 21 Jul 2000 10:19:44 +1000 Subject: [PATCH] - (djm) OpenBSD CVS updates: - markus@cvs.openbsd.org 2000/07/16 02:27:22 [authfd.c authfd.h channels.c clientloop.c ssh-add.c ssh-agent.c ssh.c] [sshconnect1.c sshconnect2.c] make ssh-add accept dsa keys (the agent does not) - djm@cvs.openbsd.org 2000/07/17 19:25:02 [sshd.c] Another closing of stdin; ok deraadt - markus@cvs.openbsd.org 2000/07/19 18:33:12 [dsa.c] missing free, reorder - markus@cvs.openbsd.org 2000/07/20 16:23:14 [ssh-keygen.1] document input and output files --- ChangeLog | 20 ++++++++++++-- authfd.c | 73 +++++++++++++++++++++++++++++++++++++-------------- authfd.h | 14 ++++++++-- channels.c | 8 ++++-- clientloop.c | 4 +-- dsa.c | 14 +++++----- ssh-add.c | 18 ++++++++----- ssh-agent.c | 9 ++++--- ssh.c | 4 +-- sshconnect1.c | 4 +-- sshconnect2.c | 73 ++++++++++++++++++++++++++++++--------------------- sshd.c | 3 ++- 12 files changed, 165 insertions(+), 79 deletions(-) diff --git a/ChangeLog b/ChangeLog index 2fbc1f249..17c0aec65 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,8 +1,24 @@ +20000721 + - (djm) OpenBSD CVS updates: + - markus@cvs.openbsd.org 2000/07/16 02:27:22 + [authfd.c authfd.h channels.c clientloop.c ssh-add.c ssh-agent.c ssh.c] + [sshconnect1.c sshconnect2.c] + make ssh-add accept dsa keys (the agent does not) + - djm@cvs.openbsd.org 2000/07/17 19:25:02 + [sshd.c] + Another closing of stdin; ok deraadt + - markus@cvs.openbsd.org 2000/07/19 18:33:12 + [dsa.c] + missing free, reorder + - markus@cvs.openbsd.org 2000/07/20 16:23:14 + [ssh-keygen.1] + document input and output files + 20000720 - - Spec file fix from Petr Novotny + - (djm) Spec file fix from Petr Novotny 20000716 - - Release 2.1.1p4 + - (djm) Release 2.1.1p4 20000715 - (djm) OpenBSD CVS updates diff --git a/authfd.c b/authfd.c index 69fe2ae41..227c99286 100644 --- a/authfd.c +++ b/authfd.c 
@@ -14,17 +14,21 @@ */ #include "includes.h" -RCSID("$OpenBSD: authfd.c,v 1.21 2000/06/26 09:22:29 markus Exp $"); +RCSID("$OpenBSD: authfd.c,v 1.22 2000/07/16 08:27:20 markus Exp $"); #include "ssh.h" #include "rsa.h" -#include "authfd.h" #include "buffer.h" #include "bufaux.h" #include "xmalloc.h" #include "getput.h" #include +#include +#include +#include "key.h" +#include "authfd.h" +#include "kex.h" /* helper */ int ssh_agent_get_reply(AuthenticationConnection *auth); @@ -138,10 +142,7 @@ ssh_get_first_identity(AuthenticationConnection *auth, * Send a message to the agent requesting for a list of the * identities it can represent. */ - msg[0] = 0; - msg[1] = 0; - msg[2] = 0; - msg[3] = 1; + PUT_32BIT(msg, 1); msg[4] = SSH_AGENTC_REQUEST_RSA_IDENTITIES; if (atomicio(write, auth->fd, msg, 5) != 5) { error("write auth->fd: %.100s", strerror(errno)); 
@@ -336,31 +337,64 @@ error_cleanup:
 	return 1;
 }
+/* Encode key for a message to the agent. */
+
+void
+ssh_encode_identity_rsa(Buffer *b, RSA *key, const char *comment)
+{
+	buffer_clear(b);
+	buffer_put_char(b, SSH_AGENTC_ADD_RSA_IDENTITY);
+	buffer_put_int(b, BN_num_bits(key->n));
+	buffer_put_bignum(b, key->n);
+	buffer_put_bignum(b, key->e);
+	buffer_put_bignum(b, key->d);
+	/* To keep within the protocol: p < q for ssh. in SSL p > q */
+	buffer_put_bignum(b, key->iqmp);	/* ssh key->u */
+	buffer_put_bignum(b, key->q);	/* ssh key->p, SSL key->q */
+	buffer_put_bignum(b, key->p);	/* ssh key->q, SSL key->p */
+	buffer_put_string(b, comment, strlen(comment));
+}
+
+void
+ssh_encode_identity_dsa(Buffer *b, DSA *key, const char *comment)
+{
+	buffer_clear(b);
+	buffer_put_char(b, SSH2_AGENTC_ADD_IDENTITY);
+	buffer_put_cstring(b, KEX_DSS);
+	buffer_put_bignum2(b, key->p);
+	buffer_put_bignum2(b, key->q);
+	buffer_put_bignum2(b, key->g);
+	buffer_put_bignum2(b, key->pub_key);
+	buffer_put_bignum2(b, key->priv_key);
+	buffer_put_string(b, comment, strlen(comment));
+}
+
 /*
  * Adds an identity to the authentication server. This call is not meant to
  * be used by normal applications.
  */
 int
-ssh_add_identity(AuthenticationConnection *auth,
-    RSA * key, const char *comment)
+ssh_add_identity(AuthenticationConnection *auth, Key *key, const char *comment)
 {
 	Buffer buffer;
 	unsigned char buf[8192];
 	int len;
-	/* Format a message to the agent. */
 	buffer_init(&buffer);
-	buffer_put_char(&buffer, SSH_AGENTC_ADD_RSA_IDENTITY);
-	buffer_put_int(&buffer, BN_num_bits(key->n));
-	buffer_put_bignum(&buffer, key->n);
-	buffer_put_bignum(&buffer, key->e);
-	buffer_put_bignum(&buffer, key->d);
-	/* To keep within the protocol: p < q for ssh. in SSL p > q */
-	buffer_put_bignum(&buffer, key->iqmp);	/* ssh key->u */
-	buffer_put_bignum(&buffer, key->q);	/* ssh key->p, SSL key->q */
-	buffer_put_bignum(&buffer, key->p);	/* ssh key->q, SSL key->p */
-	buffer_put_string(&buffer, comment, strlen(comment));
+
+	switch (key->type) {
+	case KEY_RSA:
+		ssh_encode_identity_rsa(&buffer, key->rsa, comment);
+		break;
+	case KEY_DSA:
+		ssh_encode_identity_dsa(&buffer, key->dsa, comment);
+		break;
+	default:
+		buffer_free(&buffer);
+		return 0;
+		break;
+	}
 	/* Get the length of the message, and format it in the buffer. */
 	len = buffer_len(&buffer);
@@ -487,6 +521,7 @@ ssh_agent_get_reply(AuthenticationConnection *auth)
 	buffer_free(&buffer);
 	switch (type) {
 	case SSH_AGENT_FAILURE:
+log("SSH_AGENT_FAILURE");
 		return 0;
 	case SSH_AGENT_SUCCESS:
 		return 1;
diff --git a/authfd.h b/authfd.h
index d7ff4be20..14b9bee94 100644
--- a/authfd.h
+++ b/authfd.h
@@ -13,7 +13,7 @@
  *
  */
-/* RCSID("$OpenBSD: authfd.h,v 1.8 2000/06/20 01:39:38 markus Exp $"); */
+/* RCSID("$OpenBSD: authfd.h,v 1.9 2000/07/16 08:27:21 markus Exp $"); */
 #ifndef AUTHFD_H
 #define AUTHFD_H
@@ -31,6 +31,16 @@
 #define SSH_AGENTC_REMOVE_RSA_IDENTITY	8
 #define SSH_AGENTC_REMOVE_ALL_RSA_IDENTITIES	9
+#define SSH2_AGENTC_REQUEST_IDENTITIES	11
+#define SSH2_AGENT_IDENTITIES_ANSWER	12
+#define SSH2_AGENTC_SIGN_REQUEST	13
+#define SSH2_AGENT_SIGN_RESPONSE	14
+#define SSH2_AGENT_FAILURE	SSH_AGENT_FAILURE
+#define SSH2_AGENT_SUCCESS	SSH_AGENT_SUCCESS
+#define SSH2_AGENTC_ADD_IDENTITY	17
+#define SSH2_AGENTC_REMOVE_IDENTITY	18
+#define SSH2_AGENTC_REMOVE_ALL_IDENTITIES	19
+
 typedef struct {
 	int fd;
 	Buffer packet;
@@ -96,7 +106,7 @@ ssh_decrypt_challenge(AuthenticationConnection * auth,
  * successfully added.
  */
 int
-ssh_add_identity(AuthenticationConnection * connection, RSA * key,
+ssh_add_identity(AuthenticationConnection * connection, Key *key,
 		 const char *comment);
 /*
diff --git a/channels.c b/channels.c
index 3710b2fd4..ea395293a 100644
--- a/channels.c
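Review bot: In ssh_add_identity the `default:` arm returns 0 without any diagnostic, so a caller such as ssh-add.c sees the same "Could not add identity" outcome as a genuine agent refusal and cannot tell that the key type was rejected; `error("ssh_add_identity: unsupported key type %d", key->type);` before the `buffer_free` would name the cause, and the `break;` after `return 0;` is unreachable and can go. The new ssh_encode_identity_rsa and ssh_encode_identity_dsa have external linkage but no declaration in the authfd.h hunk; if ssh_add_identity is their only caller, `static` keeps them out of the link namespace. Note that the Buffer now carries d, p, q and iqmp (or priv_key) in the clear; unless buffer_free scrubs its storage, which the hunk does not show, the cleanup later in the function leaves that material in freed heap. The remainder of ssh_add_identity after `len = buffer_len(&buffer);` lies outside the hunk.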
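Review bot: `log("SSH_AGENT_FAILURE");` at column 0 in ssh_agent_get_reply reads as a debugging leftover: it fires on every negative agent reply, which is a routine outcome for a key the agent does not hold, and it is not indented like the surrounding `case` body. Either drop it or demote it to `debug("ssh_agent_get_reply: SSH_AGENT_FAILURE");` at the case's indentation so normal runs do not spam the log.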
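Review bot: Changing the prototype to `Key *key` makes authfd.h depend on key.h having been included before it, which is why this commit reorders or drops `#include "authfd.h"` in authfd.c, channels.c, clientloop.c, ssh-add.c, ssh-agent.c, ssh.c and sshconnect1.c. Including key.h from inside the AUTHFD_H guard, `#include "key.h"`, would make the header self-contained and remove that ordering requirement from every consumer; a forward declaration would suffice instead if Key is a struct tag rather than only a typedef, which the hunk does not show.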
+++ b/channels.c @@ -17,13 +17,12 @@ */ #include "includes.h" -RCSID("$OpenBSD: channels.c,v 1.63 2000/06/25 20:17:57 provos Exp $"); +RCSID("$OpenBSD: channels.c,v 1.64 2000/07/16 08:27:21 markus Exp $"); #include "ssh.h" #include "packet.h" #include "xmalloc.h" #include "buffer.h" -#include "authfd.h" #include "uidswap.h" #include "readconf.h" #include "servconf.h" @@ -34,6 +33,11 @@ RCSID("$OpenBSD: channels.c,v 1.63 2000/06/25 20:17:57 provos Exp $"); #include "ssh2.h" +#include +#include +#include "key.h" +#include "authfd.h" + /* Maximum number of fake X11 displays to try. */ #define MAX_DISPLAYS 1000 diff --git a/clientloop.c b/clientloop.c index f7ac7b3b0..67fa36d91 100644 --- a/clientloop.c +++ b/clientloop.c @@ -16,13 +16,12 @@ */ #include "includes.h" -RCSID("$OpenBSD: clientloop.c,v 1.28 2000/07/13 23:14:08 provos Exp $"); +RCSID("$OpenBSD: clientloop.c,v 1.29 2000/07/16 08:27:21 markus Exp $"); #include "xmalloc.h" #include "ssh.h" #include "packet.h" #include "buffer.h" -#include "authfd.h" #include "readconf.h" #include "ssh2.h" @@ -30,7 +29,6 @@ RCSID("$OpenBSD: clientloop.c,v 1.28 2000/07/13 23:14:08 provos Exp $"); #include "channels.h" #include "dispatch.h" - /* Flag indicating that stdin should be redirected from /dev/null. */ extern int stdin_null_flag; diff --git a/dsa.c b/dsa.c index c1c37bceb..5ce7abf70 100644 --- a/dsa.c +++ b/dsa.c @@ -28,7 +28,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: dsa.c,v 1.9 2000/06/20 01:39:41 markus Exp $"); +RCSID("$OpenBSD: dsa.c,v 1.10 2000/07/20 00:33:12 markus Exp $"); #include "ssh.h" #include "xmalloc.h" @@ -53,8 +53,7 @@ RCSID("$OpenBSD: dsa.c,v 1.9 2000/06/20 01:39:41 markus Exp $"); #define SIGBLOB_LEN (2*INTBLOB_LEN) Key * -dsa_key_from_blob( - char *blob, int blen) +dsa_key_from_blob(char *blob, int blen) { Buffer b; char *ktype; 
@@ -66,16 +65,17 @@ dsa_key_from_blob( dump_base64(stderr, blob, blen); #endif /* fetch & parse DSA/DSS pubkey */ - key = key_new(KEY_DSA); - dsa = key->dsa; buffer_init(&b); buffer_append(&b, blob, blen); ktype = buffer_get_string(&b, NULL); if (strcmp(KEX_DSS, ktype) != 0) { error("dsa_key_from_blob: cannot handle type %s", ktype); - key_free(key); + buffer_free(&b); + xfree(ktype); return NULL; } + key = key_new(KEY_DSA); + dsa = key->dsa; buffer_get_bignum2(&b, dsa->p); buffer_get_bignum2(&b, dsa->q); buffer_get_bignum2(&b, dsa->g); @@ -84,8 +84,8 @@ dsa_key_from_blob( if(rlen != 0) error("dsa_key_from_blob: remaining bytes in key blob %d", rlen); buffer_free(&b); + xfree(ktype); - debug("keytype %s", ktype); #ifdef DEBUG_DSS DSA_print_fp(stderr, dsa, 8); #endif diff --git a/ssh-add.c b/ssh-add.c index a5d785ce7..482229c22 100644 --- a/ssh-add.c +++ b/ssh-add.c @@ -7,7 +7,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: ssh-add.c,v 1.17 2000/06/20 01:39:44 markus Exp $"); +RCSID("$OpenBSD: ssh-add.c,v 1.18 2000/07/16 08:27:21 markus Exp $"); #include #include @@ -15,9 +15,9 @@ RCSID("$OpenBSD: ssh-add.c,v 1.17 2000/06/20 01:39:44 markus Exp $"); #include "rsa.h" #include "ssh.h" #include "xmalloc.h" -#include "authfd.h" #include "fingerprint.h" #include "key.h" +#include "authfd.h" #include "authfile.h" #ifdef HAVE___PROGNAME @@ -102,11 +102,17 @@ add_file(AuthenticationConnection *ac, const char *filename) char buf[1024], msg[1024]; int success; int interactive = isatty(STDIN_FILENO); + int type = KEY_RSA; + /* + * try to load the public key. right now this only works for RSA, + * since DSA keys are fully encrypted + */ public = key_new(KEY_RSA); if (!load_public_key(filename, public, &saved_comment)) { - printf("Bad key file %s: %s\n", filename, strerror(errno)); - return; + /* ok, so we will asume this is a DSA key */ + type = KEY_DSA; + saved_comment = xstrdup(filename); } key_free(public); 
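Review bot: The early-return path in dsa_key_from_blob now releases the buffer and ktype, but `error("dsa_key_from_blob: cannot handle type %s", ktype)` still prints the type string unbounded; ktype comes straight out of the blob via buffer_get_string, and if the blob originates from the peer the string is attacker-chosen, so a width cap such as `error("dsa_key_from_blob: cannot handle type %.100s", ktype);` bounds what reaches the log, matching the `%.100s` style authfd.c uses. dsa_key_from_blob begins before this hunk and its handling of blen is not visible here.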
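Review bot: The new fallback in add_file treats every load_public_key failure as a DSA key, so a path that does not exist or cannot be read is no longer reported with strerror(errno) and instead proceeds to a passphrase prompt followed by a generic failure. Checking the file before the `key_new(KEY_RSA)` call keeps the old diagnostic: `if (stat(filename, &st) != 0) { printf("Bad key file %s: %s\n", filename, strerror(errno)); return; }` with `struct stat st;` declared alongside the other locals. The new comment's "asume" should read "assume". add_file continues past the end of the hunk.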
@@ -118,7 +124,7 @@ add_file(AuthenticationConnection *ac, const char *filename) } /* At first, try empty passphrase */ - private = key_new(KEY_RSA); + private = key_new(type); success = load_private_key(filename, "", private, &comment); if (!success) { printf("Need passphrase for %.200s\n", filename); @@ -150,7 +156,7 @@ add_file(AuthenticationConnection *ac, const char *filename) } xfree(saved_comment); - if (ssh_add_identity(ac, private->rsa, comment)) + if (ssh_add_identity(ac, private, comment)) fprintf(stderr, "Identity added: %s (%s)\n", filename, comment); else fprintf(stderr, "Could not add identity: %s\n", filename); diff --git a/ssh-agent.c b/ssh-agent.c index 148bcff6e..e8383b5df 100644 --- a/ssh-agent.c +++ b/ssh-agent.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssh-agent.c,v 1.31 2000/04/29 18:11:52 markus Exp $ */ +/* $OpenBSD: ssh-agent.c,v 1.32 2000/07/16 08:27:21 markus Exp $ */ /* * Author: Tatu Ylonen @@ -9,11 +9,10 @@ */ #include "includes.h" -RCSID("$OpenBSD: ssh-agent.c,v 1.31 2000/04/29 18:11:52 markus Exp $"); +RCSID("$OpenBSD: ssh-agent.c,v 1.32 2000/07/16 08:27:21 markus Exp $"); #include "ssh.h" #include "rsa.h" -#include "authfd.h" #include "buffer.h" #include "bufaux.h" #include "xmalloc.h" @@ -22,6 +21,10 @@ RCSID("$OpenBSD: ssh-agent.c,v 1.31 2000/04/29 18:11:52 markus Exp $"); #include "mpaux.h" #include +#include +#include +#include "key.h" +#include "authfd.h" typedef struct { int fd; diff --git a/ssh.c b/ssh.c index c2faf3882..58e4d7bd9 100644 --- a/ssh.c +++ b/ssh.c @@ -11,7 +11,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: ssh.c,v 1.57 2000/07/15 04:01:37 djm Exp $"); +RCSID("$OpenBSD: ssh.c,v 1.58 2000/07/16 08:27:22 markus Exp $"); #include #include @@ -21,7 +21,6 @@ RCSID("$OpenBSD: ssh.c,v 1.57 2000/07/15 04:01:37 djm Exp $"); #include "ssh.h" #include "packet.h" #include "buffer.h" -#include "authfd.h" #include "readconf.h" #include "uidswap.h" 
@@ -29,6 +28,7 @@ RCSID("$OpenBSD: ssh.c,v 1.57 2000/07/15 04:01:37 djm Exp $"); #include "compat.h" #include "channels.h" #include "key.h" +#include "authfd.h" #include "authfile.h" #ifdef HAVE___PROGNAME diff --git a/sshconnect1.c b/sshconnect1.c index 4360d7283..aaebf17ff 100644 --- a/sshconnect1.c +++ b/sshconnect1.c @@ -9,7 +9,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: sshconnect1.c,v 1.3 2000/05/08 17:12:16 markus Exp $"); +RCSID("$OpenBSD: sshconnect1.c,v 1.4 2000/07/16 08:27:22 markus Exp $"); #include #include @@ -21,12 +21,12 @@ RCSID("$OpenBSD: sshconnect1.c,v 1.3 2000/05/08 17:12:16 markus Exp $"); #include "ssh.h" #include "buffer.h" #include "packet.h" -#include "authfd.h" #include "cipher.h" #include "mpaux.h" #include "uidswap.h" #include "readconf.h" #include "key.h" +#include "authfd.h" #include "sshconnect.h" #include "authfile.h" diff --git a/sshconnect2.c b/sshconnect2.c index ae96d534e..22ad39e7f 100644 --- a/sshconnect2.c +++ b/sshconnect2.c @@ -28,7 +28,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: sshconnect2.c,v 1.15 2000/06/21 16:46:10 markus Exp $"); +RCSID("$OpenBSD: sshconnect2.c,v 1.16 2000/07/16 08:27:22 markus Exp $"); #include #include 
@@ -286,40 +286,20 @@ ssh2_try_passwd(const char *server_user, const char *host, const char *service)
 	return 1;
 }
-int
-ssh2_try_pubkey(char *filename,
+typedef int sign_fn(
+	Key *key,
+	unsigned char **sigp, int *lenp,
+	unsigned char *data, int datalen);
+
+void
+ssh2_sign_and_send_pubkey(Key *k, sign_fn *do_sign,
 	const char *server_user, const char *host, const char *service)
 {
 	Buffer b;
-	Key *k;
 	unsigned char *blob, *signature;
 	int bloblen, slen;
-	struct stat st;
 	int skip = 0;
-	if (stat(filename, &st) != 0) {
-		debug("key does not exist: %s", filename);
-		return 0;
-	}
-	debug("try pubkey: %s", filename);
-
-	k = key_new(KEY_DSA);
-	if (!load_private_key(filename, "", k, NULL)) {
-		int success = 0;
-		char *passphrase;
-		char prompt[300];
-		snprintf(prompt, sizeof prompt,
-		    "Enter passphrase for DSA key '%.100s': ",
-		    filename);
-		passphrase = read_passphrase(prompt, 0);
-		success = load_private_key(filename, passphrase, k, NULL);
-		memset(passphrase, 0, strlen(passphrase));
-		xfree(passphrase);
-		if (!success) {
-			key_free(k);
-			return 0;
-		}
-	}
 	dsa_make_key_blob(k, &blob, &bloblen);
 	/* data to be signed */
@@ -343,8 +323,8 @@ ssh2_try_pubkey(char *filename,
 	buffer_put_string(&b, blob, bloblen);
 	/* generate signature */
-	dsa_sign(k, &signature, &slen, buffer_ptr(&b), buffer_len(&b));
-	key_free(k);
+	do_sign(k, &signature, &slen, buffer_ptr(&b), buffer_len(&b));
+	key_free(k);	/* XXX */
 #ifdef DEBUG_DSS
 	buffer_dump(&b);
 #endif
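Review bot: ssh2_sign_and_send_pubkey and the sign_fn typedef are introduced with external linkage, and no header in this commit declares them; if ssh2_try_pubkey in the same file is the only caller, `static void ssh2_sign_and_send_pubkey(Key *k, sign_fn *do_sign,` keeps the symbol file-local and lets the compiler warn when the prototype drifts. The function's body continues into the next hunk.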
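Review bot: `key_free(k); /* XXX */` makes ssh2_sign_and_send_pubkey free a key it did not allocate, and the caller added in the following hunk relies on that by never freeing k itself, so the ownership transfer is real but undocumented. Either move the `key_free(k)` to ssh2_try_pubkey after the call, where the key was created, or state the contract on the function: `/* Consumes k: it is freed before return, so callers must not use it afterwards. */`. The rest of the function, including what happens to signature, is outside this hunk.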
@@ -377,6 +357,39 @@ ssh2_try_pubkey(char *filename,
 	/* send */
 	packet_send();
 	packet_write_wait();
+}
+
+int
+ssh2_try_pubkey(char *filename,
+	const char *server_user, const char *host, const char *service)
+{
+	Key *k;
+	struct stat st;
+
+	if (stat(filename, &st) != 0) {
+		debug("key does not exist: %s", filename);
+		return 0;
+	}
+	debug("try pubkey: %s", filename);
+
+	k = key_new(KEY_DSA);
+	if (!load_private_key(filename, "", k, NULL)) {
+		int success = 0;
+		char *passphrase;
+		char prompt[300];
+		snprintf(prompt, sizeof prompt,
+		    "Enter passphrase for DSA key '%.100s': ",
+		    filename);
+		passphrase = read_passphrase(prompt, 0);
+		success = load_private_key(filename, passphrase, k, NULL);
+		memset(passphrase, 0, strlen(passphrase));
+		xfree(passphrase);
+		if (!success) {
+			key_free(k);
+			return 0;
+		}
+	}
+	ssh2_sign_and_send_pubkey(k, dsa_sign, server_user, host, service);
 	return 1;
 }
diff --git a/sshd.c b/sshd.c
index cab0dd6f1..b6db074c8 100644
--- a/sshd.c
+++ b/sshd.c
@@ -14,7 +14,7 @@
  */
 #include "includes.h"
-RCSID("$OpenBSD: sshd.c,v 1.122 2000/07/11 08:11:34 deraadt Exp $");
+RCSID("$OpenBSD: sshd.c,v 1.123 2000/07/18 01:25:01 djm Exp $");
 #include "xmalloc.h"
 #include "rsa.h"
@@ -642,6 +642,7 @@ main(int ac, char **av)
 	s2 = dup(s1);
 	sock_in = dup(0);
 	sock_out = dup(1);
+	startup_pipe = -1;
 	/*
 	 * We intentionally do not close the descriptors 0, 1, and 2
 	 * as our code for setting the descriptors won\'t work if
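Review bot: In the relocated ssh2_try_pubkey, `memset(passphrase, 0, strlen(passphrase));` immediately followed by `xfree(passphrase);` is the only scrubbing the passphrase gets, and a compiler is free to drop a memset whose target is released right after; if the tree has a portable explicit-clear helper it belongs here, otherwise a volatile-qualified byte loop is the usual fallback. The same two lines also assume read_passphrase never returns NULL, since strlen would dereference it — worth confirming against that function. Because ssh2_sign_and_send_pubkey frees k (its `/* XXX */` line in the previous hunk), this function correctly does not free k after the call, but a one-line comment such as `/* k is consumed by ssh2_sign_and_send_pubkey */` would stop a future reader from adding a double free.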