- (djm) OpenBSD CVS updates:

- markus@cvs.openbsd.org  2000/07/16 02:27:22
     [authfd.c authfd.h channels.c clientloop.c ssh-add.c ssh-agent.c ssh.c]
     [sshconnect1.c sshconnect2.c]
     make ssh-add accept dsa keys (the agent does not)
   - djm@cvs.openbsd.org     2000/07/17 19:25:02
     [sshd.c]
     Another closing of stdin; ok deraadt
   - markus@cvs.openbsd.org  2000/07/19 18:33:12
     [dsa.c]
     missing free, reorder
   - markus@cvs.openbsd.org  2000/07/20 16:23:14
     [ssh-keygen.1]
     document input and output files

ChangeLog

@@ -1,8 +1,24 @@
+20000721
+ - (djm) OpenBSD CVS updates:
+   - markus@cvs.openbsd.org  2000/07/16 02:27:22
+     [authfd.c authfd.h channels.c clientloop.c ssh-add.c ssh-agent.c ssh.c]
+     [sshconnect1.c sshconnect2.c]
+     make ssh-add accept dsa keys (the agent does not)
+   - djm@cvs.openbsd.org     2000/07/17 19:25:02
+     [sshd.c]
+     Another closing of stdin; ok deraadt
+   - markus@cvs.openbsd.org  2000/07/19 18:33:12
+     [dsa.c]
+     missing free, reorder
+   - markus@cvs.openbsd.org  2000/07/20 16:23:14
+     [ssh-keygen.1]
+     document input and output files
+
 20000720
- - Spec file fix from Petr Novotny <Petr.Novotny@antek.cz>
+ - (djm) Spec file fix from Petr Novotny <Petr.Novotny@antek.cz>
 
 20000716
- - Release 2.1.1p4
+ - (djm) Release 2.1.1p4
 
 20000715
  - (djm) OpenBSD CVS updates

authfd.c

@@ -14,17 +14,21 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: authfd.c,v 1.21 2000/06/26 09:22:29 markus Exp $");
+RCSID("$OpenBSD: authfd.c,v 1.22 2000/07/16 08:27:20 markus Exp $");
 
 #include "ssh.h"
 #include "rsa.h"
-#include "authfd.h"
 #include "buffer.h"
 #include "bufaux.h"
 #include "xmalloc.h"
 #include "getput.h"
 
 #include <openssl/rsa.h>
+#include <openssl/dsa.h>
+#include <openssl/evp.h>
+#include "key.h"
+#include "authfd.h"
+#include "kex.h"
 
 /* helper */
 int ssh_agent_get_reply(AuthenticationConnection *auth);
@@ -138,10 +142,7 @@ ssh_get_first_identity(AuthenticationConnection *auth,
 	 * Send a message to the agent requesting for a list of the
 	 * identities it can represent.
 	 */
-	msg[0] = 0;
+	PUT_32BIT(msg, 1);
-	msg[1] = 0;
-	msg[2] = 0;
-	msg[3] = 1;
 	msg[4] = SSH_AGENTC_REQUEST_RSA_IDENTITIES;
 	if (atomicio(write, auth->fd, msg, 5) != 5) {
 		error("write auth->fd: %.100s", strerror(errno));
@@ -336,31 +337,64 @@ error_cleanup:
 	return 1;
 }
 
+/* Encode key for a message to the agent. */
+
+void
+ssh_encode_identity_rsa(Buffer *b, RSA *key, const char *comment)
+{
+	buffer_clear(b);
+	buffer_put_char(b, SSH_AGENTC_ADD_RSA_IDENTITY);
+	buffer_put_int(b, BN_num_bits(key->n));
+	buffer_put_bignum(b, key->n);
+	buffer_put_bignum(b, key->e);
+	buffer_put_bignum(b, key->d);
+	/* To keep within the protocol: p < q for ssh. in SSL p > q */
+	buffer_put_bignum(b, key->iqmp);	/* ssh key->u */
+	buffer_put_bignum(b, key->q);	/* ssh key->p, SSL key->q */
+	buffer_put_bignum(b, key->p);	/* ssh key->q, SSL key->p */
+	buffer_put_string(b, comment, strlen(comment));
+}
+
+void
+ssh_encode_identity_dsa(Buffer *b, DSA *key, const char *comment)
+{
+	buffer_clear(b);
+	buffer_put_char(b, SSH2_AGENTC_ADD_IDENTITY);
+	buffer_put_cstring(b, KEX_DSS);
+	buffer_put_bignum2(b, key->p);
+	buffer_put_bignum2(b, key->q);
+	buffer_put_bignum2(b, key->g);
+	buffer_put_bignum2(b, key->pub_key);
+	buffer_put_bignum2(b, key->priv_key);
+	buffer_put_string(b, comment, strlen(comment));
+}
+
 /*
  * Adds an identity to the authentication server.  This call is not meant to
  * be used by normal applications.
  */
 
 int
-ssh_add_identity(AuthenticationConnection *auth,
+ssh_add_identity(AuthenticationConnection *auth, Key *key, const char *comment)
-		 RSA * key, const char *comment)
 {
 	Buffer buffer;
 	unsigned char buf[8192];
 	int len;
 
-	/* Format a message to the agent. */
 	buffer_init(&buffer);
-	buffer_put_char(&buffer, SSH_AGENTC_ADD_RSA_IDENTITY);
+
-	buffer_put_int(&buffer, BN_num_bits(key->n));
+	switch (key->type) {
-	buffer_put_bignum(&buffer, key->n);
+	case KEY_RSA:
-	buffer_put_bignum(&buffer, key->e);
+		ssh_encode_identity_rsa(&buffer, key->rsa, comment);
-	buffer_put_bignum(&buffer, key->d);
+		break;
-	/* To keep within the protocol: p < q for ssh. in SSL p > q */
+	case KEY_DSA:
-	buffer_put_bignum(&buffer, key->iqmp);	/* ssh key->u */
+		ssh_encode_identity_dsa(&buffer, key->dsa, comment);
-	buffer_put_bignum(&buffer, key->q);	/* ssh key->p, SSL key->q */
+		break;
-	buffer_put_bignum(&buffer, key->p);	/* ssh key->q, SSL key->p */
+	default:
-	buffer_put_string(&buffer, comment, strlen(comment));
+		buffer_free(&buffer);
+		return 0;
+		break;
+	}
 
 	/* Get the length of the message, and format it in the buffer. */
 	len = buffer_len(&buffer);
@@ -487,6 +521,7 @@ ssh_agent_get_reply(AuthenticationConnection *auth)
 	buffer_free(&buffer);
 	switch (type) {
 	case SSH_AGENT_FAILURE:
+log("SSH_AGENT_FAILURE");
 		return 0;
 	case SSH_AGENT_SUCCESS:
 		return 1;

authfd.h

@@ -13,7 +13,7 @@
  *
  */
 
-/* RCSID("$OpenBSD: authfd.h,v 1.8 2000/06/20 01:39:38 markus Exp $"); */
+/* RCSID("$OpenBSD: authfd.h,v 1.9 2000/07/16 08:27:21 markus Exp $"); */
 
 #ifndef AUTHFD_H
 #define AUTHFD_H
@@ -31,6 +31,16 @@
 #define SSH_AGENTC_REMOVE_RSA_IDENTITY		8
 #define SSH_AGENTC_REMOVE_ALL_RSA_IDENTITIES	9
 
+#define SSH2_AGENTC_REQUEST_IDENTITIES		11
+#define SSH2_AGENT_IDENTITIES_ANSWER		12
+#define SSH2_AGENTC_SIGN_REQUEST		13
+#define SSH2_AGENT_SIGN_RESPONSE		14
+#define SSH2_AGENT_FAILURE			SSH_AGENT_FAILURE
+#define SSH2_AGENT_SUCCESS			SSH_AGENT_SUCCESS
+#define SSH2_AGENTC_ADD_IDENTITY		17
+#define SSH2_AGENTC_REMOVE_IDENTITY		18
+#define SSH2_AGENTC_REMOVE_ALL_IDENTITIES	19
+
 typedef struct {
 	int     fd;
 	Buffer  packet;
@@ -96,7 +106,7 @@ ssh_decrypt_challenge(AuthenticationConnection * auth,
  * successfully added.
  */
 int
-ssh_add_identity(AuthenticationConnection * connection, RSA * key,
+ssh_add_identity(AuthenticationConnection * connection, Key *key,
     const char *comment);
 
 /*

channels.c

@@ -17,13 +17,12 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: channels.c,v 1.63 2000/06/25 20:17:57 provos Exp $");
+RCSID("$OpenBSD: channels.c,v 1.64 2000/07/16 08:27:21 markus Exp $");
 
 #include "ssh.h"
 #include "packet.h"
 #include "xmalloc.h"
 #include "buffer.h"
-#include "authfd.h"
 #include "uidswap.h"
 #include "readconf.h"
 #include "servconf.h"
@@ -34,6 +33,11 @@ RCSID("$OpenBSD: channels.c,v 1.63 2000/06/25 20:17:57 provos Exp $");
 
 #include "ssh2.h"
 
+#include <openssl/rsa.h>
+#include <openssl/dsa.h>
+#include "key.h"
+#include "authfd.h"
+
 /* Maximum number of fake X11 displays to try. */
 #define MAX_DISPLAYS  1000
 

clientloop.c

@@ -16,13 +16,12 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: clientloop.c,v 1.28 2000/07/13 23:14:08 provos Exp $");
+RCSID("$OpenBSD: clientloop.c,v 1.29 2000/07/16 08:27:21 markus Exp $");
 
 #include "xmalloc.h"
 #include "ssh.h"
 #include "packet.h"
 #include "buffer.h"
-#include "authfd.h"
 #include "readconf.h"
 
 #include "ssh2.h"
@@ -30,7 +29,6 @@ RCSID("$OpenBSD: clientloop.c,v 1.28 2000/07/13 23:14:08 provos Exp $");
 #include "channels.h"
 #include "dispatch.h"
 
-
 /* Flag indicating that stdin should be redirected from /dev/null. */
 extern int stdin_null_flag;
 

dsa.c

@@ -28,7 +28,7 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: dsa.c,v 1.9 2000/06/20 01:39:41 markus Exp $");
+RCSID("$OpenBSD: dsa.c,v 1.10 2000/07/20 00:33:12 markus Exp $");
 
 #include "ssh.h"
 #include "xmalloc.h"
@@ -53,8 +53,7 @@ RCSID("$OpenBSD: dsa.c,v 1.9 2000/06/20 01:39:41 markus Exp $");
 #define SIGBLOB_LEN	(2*INTBLOB_LEN)
 
 Key *
-dsa_key_from_blob(
+dsa_key_from_blob(char *blob, int blen)
-    char *blob, int blen)
 {
 	Buffer b;
 	char *ktype;
@@ -66,16 +65,17 @@ dsa_key_from_blob(
 	dump_base64(stderr, blob, blen);
 #endif
 	/* fetch & parse DSA/DSS pubkey */
-	key = key_new(KEY_DSA);
-	dsa = key->dsa;
 	buffer_init(&b);
 	buffer_append(&b, blob, blen);
 	ktype = buffer_get_string(&b, NULL);
 	if (strcmp(KEX_DSS, ktype) != 0) {
 		error("dsa_key_from_blob: cannot handle type %s", ktype);
-		key_free(key);
+		buffer_free(&b);
+		xfree(ktype);
 		return NULL;
 	}
+	key = key_new(KEY_DSA);
+	dsa = key->dsa;
 	buffer_get_bignum2(&b, dsa->p);
 	buffer_get_bignum2(&b, dsa->q);
 	buffer_get_bignum2(&b, dsa->g);
@@ -84,8 +84,8 @@ dsa_key_from_blob(
 	if(rlen != 0)
 		error("dsa_key_from_blob: remaining bytes in key blob %d", rlen);
 	buffer_free(&b);
+	xfree(ktype);
 
-	debug("keytype %s", ktype);
 #ifdef DEBUG_DSS
 	DSA_print_fp(stderr, dsa, 8);
 #endif

ssh-add.c

@@ -7,7 +7,7 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: ssh-add.c,v 1.17 2000/06/20 01:39:44 markus Exp $");
+RCSID("$OpenBSD: ssh-add.c,v 1.18 2000/07/16 08:27:21 markus Exp $");
 
 #include <openssl/rsa.h>
 #include <openssl/dsa.h>
@@ -15,9 +15,9 @@ RCSID("$OpenBSD: ssh-add.c,v 1.17 2000/06/20 01:39:44 markus Exp $");
 #include "rsa.h"
 #include "ssh.h"
 #include "xmalloc.h"
-#include "authfd.h"
 #include "fingerprint.h"
 #include "key.h"
+#include "authfd.h"
 #include "authfile.h"
 
 #ifdef HAVE___PROGNAME
@@ -102,11 +102,17 @@ add_file(AuthenticationConnection *ac, const char *filename)
 	char buf[1024], msg[1024];
 	int success;
 	int interactive = isatty(STDIN_FILENO);
+	int type = KEY_RSA;
 
+	/*
+	 * try to load the public key. right now this only works for RSA,
+	 * since DSA keys are fully encrypted
+	 */
 	public = key_new(KEY_RSA);
 	if (!load_public_key(filename, public, &saved_comment)) {
-		printf("Bad key file %s: %s\n", filename, strerror(errno));
+		/* ok, so we will asume this is a DSA key */
-		return;
+		type = KEY_DSA;
+		saved_comment = xstrdup(filename);
 	}
 	key_free(public);
 
@@ -118,7 +124,7 @@ add_file(AuthenticationConnection *ac, const char *filename)
 	}
 
 	/* At first, try empty passphrase */
-	private = key_new(KEY_RSA);
+	private = key_new(type);
 	success = load_private_key(filename, "", private, &comment);
 	if (!success) {
 		printf("Need passphrase for %.200s\n", filename);
@@ -150,7 +156,7 @@ add_file(AuthenticationConnection *ac, const char *filename)
 	}
 	xfree(saved_comment);
 
-	if (ssh_add_identity(ac, private->rsa, comment))
+	if (ssh_add_identity(ac, private, comment))
 		fprintf(stderr, "Identity added: %s (%s)\n", filename, comment);
 	else
 		fprintf(stderr, "Could not add identity: %s\n", filename);

ssh-agent.c

@@ -1,4 +1,4 @@
-/*	$OpenBSD: ssh-agent.c,v 1.31 2000/04/29 18:11:52 markus Exp $	*/
+/*	$OpenBSD: ssh-agent.c,v 1.32 2000/07/16 08:27:21 markus Exp $	*/
 
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
@@ -9,11 +9,10 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: ssh-agent.c,v 1.31 2000/04/29 18:11:52 markus Exp $");
+RCSID("$OpenBSD: ssh-agent.c,v 1.32 2000/07/16 08:27:21 markus Exp $");
 
 #include "ssh.h"
 #include "rsa.h"
-#include "authfd.h"
 #include "buffer.h"
 #include "bufaux.h"
 #include "xmalloc.h"
@@ -22,6 +21,10 @@ RCSID("$OpenBSD: ssh-agent.c,v 1.31 2000/04/29 18:11:52 markus Exp $");
 #include "mpaux.h"
 
 #include <openssl/md5.h>
+#include <openssl/dsa.h>
+#include <openssl/rsa.h>
+#include "key.h"
+#include "authfd.h"
 
 typedef struct {
 	int fd;

ssh.c

@@ -11,7 +11,7 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: ssh.c,v 1.57 2000/07/15 04:01:37 djm Exp $");
+RCSID("$OpenBSD: ssh.c,v 1.58 2000/07/16 08:27:22 markus Exp $");
 
 #include <openssl/evp.h>
 #include <openssl/dsa.h>
@@ -21,7 +21,6 @@ RCSID("$OpenBSD: ssh.c,v 1.57 2000/07/15 04:01:37 djm Exp $");
 #include "ssh.h"
 #include "packet.h"
 #include "buffer.h"
-#include "authfd.h"
 #include "readconf.h"
 #include "uidswap.h"
 
@@ -29,6 +28,7 @@ RCSID("$OpenBSD: ssh.c,v 1.57 2000/07/15 04:01:37 djm Exp $");
 #include "compat.h"
 #include "channels.h"
 #include "key.h"
+#include "authfd.h"
 #include "authfile.h"
 
 #ifdef HAVE___PROGNAME

sshconnect1.c

@@ -9,7 +9,7 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: sshconnect1.c,v 1.3 2000/05/08 17:12:16 markus Exp $");
+RCSID("$OpenBSD: sshconnect1.c,v 1.4 2000/07/16 08:27:22 markus Exp $");
 
 #include <openssl/bn.h>
 #include <openssl/dsa.h>
@@ -21,12 +21,12 @@ RCSID("$OpenBSD: sshconnect1.c,v 1.3 2000/05/08 17:12:16 markus Exp $");
 #include "ssh.h"
 #include "buffer.h"
 #include "packet.h"
-#include "authfd.h"
 #include "cipher.h"
 #include "mpaux.h"
 #include "uidswap.h"
 #include "readconf.h"
 #include "key.h"
+#include "authfd.h"
 #include "sshconnect.h"
 #include "authfile.h"
 

sshconnect2.c

@@ -28,7 +28,7 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: sshconnect2.c,v 1.15 2000/06/21 16:46:10 markus Exp $");
+RCSID("$OpenBSD: sshconnect2.c,v 1.16 2000/07/16 08:27:22 markus Exp $");
 
 #include <openssl/bn.h>
 #include <openssl/rsa.h>
@@ -286,40 +286,20 @@ ssh2_try_passwd(const char *server_user, const char *host, const char *service)
 	return 1;
 }
 
-int
+typedef int sign_fn(
-ssh2_try_pubkey(char *filename,
+    Key *key,
+    unsigned char **sigp, int *lenp,
+    unsigned char *data, int datalen);
+
+void
+ssh2_sign_and_send_pubkey(Key *k, sign_fn *do_sign,
     const char *server_user, const char *host, const char *service)
 {
 	Buffer b;
-	Key *k;
 	unsigned char *blob, *signature;
 	int bloblen, slen;
-	struct stat st;
 	int skip = 0;
 
-	if (stat(filename, &st) != 0) {
-		debug("key does not exist: %s", filename);
-		return 0;
-	}
-	debug("try pubkey: %s", filename);
-
-	k = key_new(KEY_DSA);
-	if (!load_private_key(filename, "", k, NULL)) {
-		int success = 0;
-		char *passphrase;
-		char prompt[300];
-		snprintf(prompt, sizeof prompt,
-		     "Enter passphrase for DSA key '%.100s': ",
-		     filename);
-		passphrase = read_passphrase(prompt, 0);
-		success = load_private_key(filename, passphrase, k, NULL);
-		memset(passphrase, 0, strlen(passphrase));
-		xfree(passphrase);
-		if (!success) {
-			key_free(k);
-			return 0;
-		}
-	}
 	dsa_make_key_blob(k, &blob, &bloblen);
 
 	/* data to be signed */
@@ -343,8 +323,8 @@ ssh2_try_pubkey(char *filename,
 	buffer_put_string(&b, blob, bloblen);
 
 	/* generate signature */
-	dsa_sign(k, &signature, &slen, buffer_ptr(&b), buffer_len(&b));
+	do_sign(k, &signature, &slen, buffer_ptr(&b), buffer_len(&b));
-	key_free(k);
+	key_free(k); /* XXX */
 #ifdef DEBUG_DSS
 	buffer_dump(&b);
 #endif
@@ -377,6 +357,39 @@ ssh2_try_pubkey(char *filename,
 	/* send */
 	packet_send();
 	packet_write_wait();
+}
+
+int
+ssh2_try_pubkey(char *filename,
+    const char *server_user, const char *host, const char *service)
+{
+	Key *k;
+	struct stat st;
+
+	if (stat(filename, &st) != 0) {
+		debug("key does not exist: %s", filename);
+		return 0;
+	}
+	debug("try pubkey: %s", filename);
+
+	k = key_new(KEY_DSA);
+	if (!load_private_key(filename, "", k, NULL)) {
+		int success = 0;
+		char *passphrase;
+		char prompt[300];
+		snprintf(prompt, sizeof prompt,
+		     "Enter passphrase for DSA key '%.100s': ",
+		     filename);
+		passphrase = read_passphrase(prompt, 0);
+		success = load_private_key(filename, passphrase, k, NULL);
+		memset(passphrase, 0, strlen(passphrase));
+		xfree(passphrase);
+		if (!success) {
+			key_free(k);
+			return 0;
+		}
+	}
+	ssh2_sign_and_send_pubkey(k, dsa_sign, server_user, host, service);
 	return 1;
 }
 

sshd.c

@@ -14,7 +14,7 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: sshd.c,v 1.122 2000/07/11 08:11:34 deraadt Exp $");
+RCSID("$OpenBSD: sshd.c,v 1.123 2000/07/18 01:25:01 djm Exp $");
 
 #include "xmalloc.h"
 #include "rsa.h"
@@ -642,6 +642,7 @@ main(int ac, char **av)
 		s2 = dup(s1);
 		sock_in = dup(0);
 		sock_out = dup(1);
+		startup_pipe = -1;
 		/*
 		 * We intentionally do not close the descriptors 0, 1, and 2
 		 * as our code for setting the descriptors won\'t work if