Mercurial > dropbear
comparison cli-auth.c @ 1295:750ec4ec4cbe
Convert #ifdef to #if, other build changes
| author | Matt Johnston <matt@ucc.asn.au> |
|---|---|
| date | Wed, 04 May 2016 15:33:40 +0200 |
| parents | c6346c63281b |
| children | 6959c88c8f13 |
comparison
equal
deleted
inserted
replaced
| 1294:56aba7dedbea | 1295:750ec4ec4cbe |
|---|---|
| 49 SSH_SERVICE_CONNECTION_LEN); | 49 SSH_SERVICE_CONNECTION_LEN); |
| 50 buf_putstring(ses.writepayload, "none", 4); /* 'none' method */ | 50 buf_putstring(ses.writepayload, "none", 4); /* 'none' method */ |
| 51 | 51 |
| 52 encrypt_packet(); | 52 encrypt_packet(); |
| 53 | 53 |
| 54 #ifdef DROPBEAR_CLI_IMMEDIATE_AUTH | 54 #if DROPBEAR_CLI_IMMEDIATE_AUTH |
| 55 /* We can't haven't two auth requests in-flight with delayed zlib mode | 55 /* We can't haven't two auth requests in-flight with delayed zlib mode |
| 56 since if the first one succeeds then the remote side will | 56 since if the first one succeeds then the remote side will |
| 57 expect the second one to be compressed. | 57 expect the second one to be compressed. |
| 58 Race described at | 58 Race described at |
| 59 http://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/zlib-openssh.html | 59 http://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/zlib-openssh.html |
| 119 * SSH_MSG_USERAUTH_PASSWD_CHANGEREQ, | 119 * SSH_MSG_USERAUTH_PASSWD_CHANGEREQ, |
| 120 * SSH_MSG_USERAUTH_PK_OK, & | 120 * SSH_MSG_USERAUTH_PK_OK, & |
| 121 * SSH_MSG_USERAUTH_INFO_REQUEST. */ | 121 * SSH_MSG_USERAUTH_INFO_REQUEST. */ |
| 122 void recv_msg_userauth_specific_60() { | 122 void recv_msg_userauth_specific_60() { |
| 123 | 123 |
| 124 #ifdef ENABLE_CLI_PUBKEY_AUTH | 124 #if DROPBEAR_CLI_PUBKEY_AUTH |
| 125 if (cli_ses.lastauthtype == AUTH_TYPE_PUBKEY) { | 125 if (cli_ses.lastauthtype == AUTH_TYPE_PUBKEY) { |
| 126 recv_msg_userauth_pk_ok(); | 126 recv_msg_userauth_pk_ok(); |
| 127 return; | 127 return; |
| 128 } | 128 } |
| 129 #endif | 129 #endif |
| 130 | 130 |
| 131 #ifdef ENABLE_CLI_INTERACT_AUTH | 131 #if DROPBEAR_CLI_INTERACT_AUTH |
| 132 if (cli_ses.lastauthtype == AUTH_TYPE_INTERACT) { | 132 if (cli_ses.lastauthtype == AUTH_TYPE_INTERACT) { |
| 133 recv_msg_userauth_info_request(); | 133 recv_msg_userauth_info_request(); |
| 134 return; | 134 return; |
| 135 } | 135 } |
| 136 #endif | 136 #endif |
| 137 | 137 |
| 138 #ifdef ENABLE_CLI_PASSWORD_AUTH | 138 #if DROPBEAR_CLI_PASSWORD_AUTH |
| 139 if (cli_ses.lastauthtype == AUTH_TYPE_PASSWORD) { | 139 if (cli_ses.lastauthtype == AUTH_TYPE_PASSWORD) { |
| 140 /* Eventually there could be proper password-changing | 140 /* Eventually there could be proper password-changing |
| 141 * support. However currently few servers seem to | 141 * support. However currently few servers seem to |
| 142 * implement it, and password auth is last-resort | 142 * implement it, and password auth is last-resort |
| 143 * regardless - keyboard-interactive is more likely | 143 * regardless - keyboard-interactive is more likely |
| 177 cli_ses.state = USERAUTH_REQ_SENT; | 177 cli_ses.state = USERAUTH_REQ_SENT; |
| 178 cli_ses.ignore_next_auth_response = 0; | 178 cli_ses.ignore_next_auth_response = 0; |
| 179 TRACE(("leave recv_msg_userauth_failure, ignored response, state set to USERAUTH_REQ_SENT")); | 179 TRACE(("leave recv_msg_userauth_failure, ignored response, state set to USERAUTH_REQ_SENT")); |
| 180 return; | 180 return; |
| 181 } else { | 181 } else { |
| 182 #ifdef ENABLE_CLI_PUBKEY_AUTH | 182 #if DROPBEAR_CLI_PUBKEY_AUTH |
| 183 /* If it was a pubkey auth request, we should cross that key | 183 /* If it was a pubkey auth request, we should cross that key |
| 184 * off the list. */ | 184 * off the list. */ |
| 185 if (cli_ses.lastauthtype == AUTH_TYPE_PUBKEY) { | 185 if (cli_ses.lastauthtype == AUTH_TYPE_PUBKEY) { |
| 186 cli_pubkeyfail(); | 186 cli_pubkeyfail(); |
| 187 } | 187 } |
| 188 #endif | 188 #endif |
| 189 | 189 |
| 190 #ifdef ENABLE_CLI_INTERACT_AUTH | 190 #if DROPBEAR_CLI_INTERACT_AUTH |
| 191 /* If we get a failure message for keyboard interactive without | 191 /* If we get a failure message for keyboard interactive without |
| 192 * receiving any request info packet, then we don't bother trying | 192 * receiving any request info packet, then we don't bother trying |
| 193 * keyboard interactive again */ | 193 * keyboard interactive again */ |
| 194 if (cli_ses.lastauthtype == AUTH_TYPE_INTERACT | 194 if (cli_ses.lastauthtype == AUTH_TYPE_INTERACT |
| 195 && !cli_ses.interact_request_received) { | 195 && !cli_ses.interact_request_received) { |
| 225 | 225 |
| 226 tok = methods; /* tok stores the next method we'll compare */ | 226 tok = methods; /* tok stores the next method we'll compare */ |
| 227 for (i = 0; i <= methlen; i++) { | 227 for (i = 0; i <= methlen; i++) { |
| 228 if (methods[i] == '\0') { | 228 if (methods[i] == '\0') { |
| 229 TRACE(("auth method '%s'", tok)) | 229 TRACE(("auth method '%s'", tok)) |
| 230 #ifdef ENABLE_CLI_PUBKEY_AUTH | 230 #if DROPBEAR_CLI_PUBKEY_AUTH |
| 231 if (strncmp(AUTH_METHOD_PUBKEY, tok, | 231 if (strncmp(AUTH_METHOD_PUBKEY, tok, |
| 232 AUTH_METHOD_PUBKEY_LEN) == 0) { | 232 AUTH_METHOD_PUBKEY_LEN) == 0) { |
| 233 ses.authstate.authtypes |= AUTH_TYPE_PUBKEY; | 233 ses.authstate.authtypes |= AUTH_TYPE_PUBKEY; |
| 234 } | 234 } |
| 235 #endif | 235 #endif |
| 236 #ifdef ENABLE_CLI_INTERACT_AUTH | 236 #if DROPBEAR_CLI_INTERACT_AUTH |
| 237 if (strncmp(AUTH_METHOD_INTERACT, tok, | 237 if (strncmp(AUTH_METHOD_INTERACT, tok, |
| 238 AUTH_METHOD_INTERACT_LEN) == 0) { | 238 AUTH_METHOD_INTERACT_LEN) == 0) { |
| 239 ses.authstate.authtypes |= AUTH_TYPE_INTERACT; | 239 ses.authstate.authtypes |= AUTH_TYPE_INTERACT; |
| 240 } | 240 } |
| 241 #endif | 241 #endif |
| 242 #ifdef ENABLE_CLI_PASSWORD_AUTH | 242 #if DROPBEAR_CLI_PASSWORD_AUTH |
| 243 if (strncmp(AUTH_METHOD_PASSWORD, tok, | 243 if (strncmp(AUTH_METHOD_PASSWORD, tok, |
| 244 AUTH_METHOD_PASSWORD_LEN) == 0) { | 244 AUTH_METHOD_PASSWORD_LEN) == 0) { |
| 245 ses.authstate.authtypes |= AUTH_TYPE_PASSWORD; | 245 ses.authstate.authtypes |= AUTH_TYPE_PASSWORD; |
| 246 } | 246 } |
| 247 #endif | 247 #endif |
| 265 * will enable compression in the transport layer */ | 265 * will enable compression in the transport layer */ |
| 266 ses.authstate.authdone = 1; | 266 ses.authstate.authdone = 1; |
| 267 cli_ses.state = USERAUTH_SUCCESS_RCVD; | 267 cli_ses.state = USERAUTH_SUCCESS_RCVD; |
| 268 cli_ses.lastauthtype = AUTH_TYPE_NONE; | 268 cli_ses.lastauthtype = AUTH_TYPE_NONE; |
| 269 | 269 |
| 270 #ifdef ENABLE_CLI_PUBKEY_AUTH | 270 #if DROPBEAR_CLI_PUBKEY_AUTH |
| 271 cli_auth_pubkey_cleanup(); | 271 cli_auth_pubkey_cleanup(); |
| 272 #endif | 272 #endif |
| 273 } | 273 } |
| 274 | 274 |
| 275 int cli_auth_try() { | 275 int cli_auth_try() { |
| 279 | 279 |
| 280 CHECKCLEARTOWRITE(); | 280 CHECKCLEARTOWRITE(); |
| 281 | 281 |
| 282 /* Order to try is pubkey, interactive, password. | 282 /* Order to try is pubkey, interactive, password. |
| 283 * As soon as "finished" is set for one, we don't do any more. */ | 283 * As soon as "finished" is set for one, we don't do any more. */ |
| 284 #ifdef ENABLE_CLI_PUBKEY_AUTH | 284 #if DROPBEAR_CLI_PUBKEY_AUTH |
| 285 if (ses.authstate.authtypes & AUTH_TYPE_PUBKEY) { | 285 if (ses.authstate.authtypes & AUTH_TYPE_PUBKEY) { |
| 286 finished = cli_auth_pubkey(); | 286 finished = cli_auth_pubkey(); |
| 287 cli_ses.lastauthtype = AUTH_TYPE_PUBKEY; | 287 cli_ses.lastauthtype = AUTH_TYPE_PUBKEY; |
| 288 } | 288 } |
| 289 #endif | 289 #endif |
| 290 | 290 |
| 291 #ifdef ENABLE_CLI_PASSWORD_AUTH | 291 #if DROPBEAR_CLI_PASSWORD_AUTH |
| 292 if (!finished && (ses.authstate.authtypes & AUTH_TYPE_PASSWORD)) { | 292 if (!finished && (ses.authstate.authtypes & AUTH_TYPE_PASSWORD)) { |
| 293 if (ses.keys->trans.algo_crypt->cipherdesc == NULL) { | 293 if (ses.keys->trans.algo_crypt->cipherdesc == NULL) { |
| 294 fprintf(stderr, "Sorry, I won't let you use password auth unencrypted.\n"); | 294 fprintf(stderr, "Sorry, I won't let you use password auth unencrypted.\n"); |
| 295 } else { | 295 } else { |
| 296 cli_auth_password(); | 296 cli_auth_password(); |
| 298 cli_ses.lastauthtype = AUTH_TYPE_PASSWORD; | 298 cli_ses.lastauthtype = AUTH_TYPE_PASSWORD; |
| 299 } | 299 } |
| 300 } | 300 } |
| 301 #endif | 301 #endif |
| 302 | 302 |
| 303 #ifdef ENABLE_CLI_INTERACT_AUTH | 303 #if DROPBEAR_CLI_INTERACT_AUTH |
| 304 if (!finished && (ses.authstate.authtypes & AUTH_TYPE_INTERACT)) { | 304 if (!finished && (ses.authstate.authtypes & AUTH_TYPE_INTERACT)) { |
| 305 if (ses.keys->trans.algo_crypt->cipherdesc == NULL) { | 305 if (ses.keys->trans.algo_crypt->cipherdesc == NULL) { |
| 306 fprintf(stderr, "Sorry, I won't let you use interactive auth unencrypted.\n"); | 306 fprintf(stderr, "Sorry, I won't let you use interactive auth unencrypted.\n"); |
| 307 } else { | 307 } else { |
| 308 if (!cli_ses.auth_interact_failed) { | 308 if (!cli_ses.auth_interact_failed) { |
| 322 } | 322 } |
| 323 TRACE(("leave cli_auth_try failure")) | 323 TRACE(("leave cli_auth_try failure")) |
| 324 return DROPBEAR_FAILURE; | 324 return DROPBEAR_FAILURE; |
| 325 } | 325 } |
| 326 | 326 |
| 327 #if defined(ENABLE_CLI_PASSWORD_AUTH) || defined(ENABLE_CLI_INTERACT_AUTH) | 327 #if DROPBEAR_CLI_PASSWORD_AUTH || DROPBEAR_CLI_INTERACT_AUTH |
| 328 /* A helper for getpass() that exits if the user cancels. The returned | 328 /* A helper for getpass() that exits if the user cancels. The returned |
| 329 * password is statically allocated by getpass() */ | 329 * password is statically allocated by getpass() */ |
| 330 char* getpass_or_cancel(char* prompt) | 330 char* getpass_or_cancel(char* prompt) |
| 331 { | 331 { |
| 332 char* password = NULL; | 332 char* password = NULL; |