Mercurial > dropbear

comparison cli-authpubkey.c @ 641:2b1bb792cd4d dropbear-tfm

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
- Update tfm changes to current default tip
author Matt Johnston <matt@ucc.asn.au>
date Mon, 21 Nov 2011 19:52:28 +0800
parents 52d7301e46bd
children 405418f7dc5e
comparison
equal deleted inserted replaced
640:76097ec1a29a 641:2b1bb792cd4d
28 #include "dbutil.h" 28 #include "dbutil.h"
29 #include "session.h" 29 #include "session.h"
30 #include "ssh.h" 30 #include "ssh.h"
31 #include "runopts.h" 31 #include "runopts.h"
32 #include "auth.h" 32 #include "auth.h"
33 #include "agentfwd.h"
33 34
34 #ifdef ENABLE_CLI_PUBKEY_AUTH 35 #ifdef ENABLE_CLI_PUBKEY_AUTH
35 static void send_msg_userauth_pubkey(sign_key *key, int type, int realsign); 36 static void send_msg_userauth_pubkey(sign_key *key, int type, int realsign);
36 37
37 /* Called when we receive a SSH_MSG_USERAUTH_FAILURE for a pubkey request. 38 /* Called when we receive a SSH_MSG_USERAUTH_FAILURE for a pubkey request.
38 * We use it to remove the key we tried from the list */ 39 * We use it to remove the key we tried from the list */
39 void cli_pubkeyfail() { 40 void cli_pubkeyfail() {
40 41 m_list_elem *iter;
41 struct SignKeyList *keyitem; 42 for (iter = cli_opts.privkeys->first; iter; iter = iter->next) {
42 struct SignKeyList **previtem; 43 sign_key *iter_key = (sign_key*)iter->item;
43 44
44 TRACE(("enter cli_pubkeyfail")) 45 if (iter_key == cli_ses.lastprivkey)
45 previtem = &cli_opts.privkeys; 46 {
46 47 /* found the failing key */
47 /* Find the key we failed with, and remove it */ 48 list_remove(iter);
48 for (keyitem = cli_opts.privkeys; keyitem != NULL; keyitem = keyitem->next) { 49 sign_key_free(iter_key);
49 if (keyitem == cli_ses.lastprivkey) { 50 cli_ses.lastprivkey = NULL;
50 *previtem = keyitem->next; 51 return;
51 } 52 }
52 previtem = &keyitem; 53 }
53 }
54
55 sign_key_free(cli_ses.lastprivkey->key); /* It won't be used again */
56 m_free(cli_ses.lastprivkey);
57
58 TRACE(("leave cli_pubkeyfail"))
59 } 54 }
60 55
61 void recv_msg_userauth_pk_ok() { 56 void recv_msg_userauth_pk_ok() {
62 57 m_list_elem *iter;
63 struct SignKeyList *keyitem = NULL;
64 buffer* keybuf = NULL; 58 buffer* keybuf = NULL;
65 char* algotype = NULL; 59 char* algotype = NULL;
66 unsigned int algolen; 60 unsigned int algolen;
67 int keytype; 61 int keytype;
68 unsigned int remotelen; 62 unsigned int remotelen;
78 72
79 remotelen = buf_getint(ses.payload); 73 remotelen = buf_getint(ses.payload);
80 74
81 /* Iterate through our keys, find which one it was that matched, and 75 /* Iterate through our keys, find which one it was that matched, and
82 * send a real request with that key */ 76 * send a real request with that key */
83 for (keyitem = cli_opts.privkeys; keyitem != NULL; keyitem = keyitem->next) { 77 for (iter = cli_opts.privkeys->first; iter; iter = iter->next) {
84 78 sign_key *key = (sign_key*)iter->item;
85 if (keyitem->type != keytype) { 79 if (key->type != keytype) {
86 /* Types differed */ 80 /* Types differed */
87 TRACE(("types differed")) 81 TRACE(("types differed"))
88 continue; 82 continue;
89 } 83 }
90 84
91 /* Now we compare the contents of the key */ 85 /* Now we compare the contents of the key */
92 keybuf->pos = keybuf->len = 0; 86 keybuf->pos = keybuf->len = 0;
93 buf_put_pub_key(keybuf, keyitem->key, keytype); 87 buf_put_pub_key(keybuf, key, keytype);
94 buf_setpos(keybuf, 0); 88 buf_setpos(keybuf, 0);
95 buf_incrpos(keybuf, 4); /* first int is the length of the remainder (ie 89 buf_incrpos(keybuf, 4); /* first int is the length of the remainder (ie
96 remotelen) which has already been taken from 90 remotelen) which has already been taken from
97 the remote buffer */ 91 the remote buffer */
98 92
112 /* Success */ 106 /* Success */
113 break; 107 break;
114 } 108 }
115 buf_free(keybuf); 109 buf_free(keybuf);
116 110
117 if (keyitem != NULL) { 111 if (iter != NULL) {
118 TRACE(("matching key")) 112 TRACE(("matching key"))
119 /* XXX TODO: if it's an encrypted key, here we ask for their 113 /* XXX TODO: if it's an encrypted key, here we ask for their
120 * password */ 114 * password */
121 send_msg_userauth_pubkey(keyitem->key, keytype, 1); 115 send_msg_userauth_pubkey((sign_key*)iter->item, keytype, 1);
122 } else { 116 } else {
123 TRACE(("That was whacky. We got told that a key was valid, but it didn't match our list. Sounds like dodgy code on Dropbear's part")) 117 TRACE(("That was whacky. We got told that a key was valid, but it didn't match our list. Sounds like dodgy code on Dropbear's part"))
124 } 118 }
125 119
126 TRACE(("leave recv_msg_userauth_pk_ok")) 120 TRACE(("leave recv_msg_userauth_pk_ok"))
121 }
122
123 void cli_buf_put_sign(buffer* buf, sign_key *key, int type,
124 const unsigned char *data, unsigned int len)
125 {
126 if (key->source == SIGNKEY_SOURCE_AGENT) {
127 /* Format the agent signature ourselves, as buf_put_sign would. */
128 buffer *sigblob;
129 sigblob = buf_new(MAX_PUBKEY_SIZE);
130 agent_buf_sign(sigblob, key, data, len);
131 buf_setpos(sigblob, 0);
132 buf_putstring(buf, buf_getptr(sigblob, sigblob->len),
133 sigblob->len);
134
135 buf_free(sigblob);
136 } else {
137 buf_put_sign(buf, key, type, data, len);
138 }
139
127 } 140 }
128 141
129 /* TODO: make it take an agent reference to use as well */ 142 /* TODO: make it take an agent reference to use as well */
130 static void send_msg_userauth_pubkey(sign_key *key, int type, int realsign) { 143 static void send_msg_userauth_pubkey(sign_key *key, int type, int realsign) {
131 144
159 /* We put the signature as well - this contains string(session id), then 172 /* We put the signature as well - this contains string(session id), then
160 * the contents of the write payload to this point */ 173 * the contents of the write payload to this point */
161 sigbuf = buf_new(4 + SHA1_HASH_SIZE + ses.writepayload->len); 174 sigbuf = buf_new(4 + SHA1_HASH_SIZE + ses.writepayload->len);
162 buf_putstring(sigbuf, ses.session_id, SHA1_HASH_SIZE); 175 buf_putstring(sigbuf, ses.session_id, SHA1_HASH_SIZE);
163 buf_putbytes(sigbuf, ses.writepayload->data, ses.writepayload->len); 176 buf_putbytes(sigbuf, ses.writepayload->data, ses.writepayload->len);
164 buf_put_sign(ses.writepayload, key, type, sigbuf->data, sigbuf->len); 177 cli_buf_put_sign(ses.writepayload, key, type, sigbuf->data, sigbuf->len);
165 buf_free(sigbuf); /* Nothing confidential in the buffer */ 178 buf_free(sigbuf); /* Nothing confidential in the buffer */
166 } 179 }
167 180
168 encrypt_packet(); 181 encrypt_packet();
169 TRACE(("leave send_msg_userauth_pubkey")) 182 TRACE(("leave send_msg_userauth_pubkey"))
170 } 183 }
171 184
185 /* Returns 1 if a key was tried */
172 int cli_auth_pubkey() { 186 int cli_auth_pubkey() {
173 187
174 TRACE(("enter cli_auth_pubkey")) 188 TRACE(("enter cli_auth_pubkey"))
175 189
176 if (cli_opts.privkeys != NULL) { 190 if (!cli_opts.agent_keys_loaded) {
191 /* get the list of available keys from the agent */
192 cli_load_agent_keys(cli_opts.privkeys);
193 cli_opts.agent_keys_loaded = 1;
194 }
195
196 if (cli_opts.privkeys->first) {
197 sign_key * key = (sign_key*)cli_opts.privkeys->first->item;
177 /* Send a trial request */ 198 /* Send a trial request */
178 send_msg_userauth_pubkey(cli_opts.privkeys->key, 199 send_msg_userauth_pubkey(key, key->type, 0);
179 cli_opts.privkeys->type, 0); 200 cli_ses.lastprivkey = key;
180 cli_ses.lastprivkey = cli_opts.privkeys;
181 TRACE(("leave cli_auth_pubkey-success")) 201 TRACE(("leave cli_auth_pubkey-success"))
182 return 1; 202 return 1;
183 } else { 203 } else {
204 /* no more keys left */
184 TRACE(("leave cli_auth_pubkey-failure")) 205 TRACE(("leave cli_auth_pubkey-failure"))
185 return 0; 206 return 0;
186 } 207 }
187 } 208 }
209
210 void cli_auth_pubkey_cleanup() {
211
212 #ifdef ENABLE_CLI_AGENTFWD
213 m_close(cli_opts.agent_fd);
214 cli_opts.agent_fd = -1;
215 #endif
216
217 while (cli_opts.privkeys->first) {
218 sign_key * key = list_remove(cli_opts.privkeys->first);
219 sign_key_free(key);
220 }
221 }
188 #endif /* Pubkey auth */ 222 #endif /* Pubkey auth */