Mercurial > dropbear
comparison cli-authpubkey.c @ 1675:ae41624c2198
split signkey_type and signature_type for RSA sha1 vs sha256
author | Matt Johnston <matt@ucc.asn.au> |
---|---|
date | Sun, 17 May 2020 23:58:31 +0800 |
parents | ba6fc7afe1c5 |
children | d5cdc60db08e |
comparison
equal
deleted
inserted
replaced
1674:ba6fc7afe1c5 | 1675:ae41624c2198 |
---|---|
31 #include "runopts.h" | 31 #include "runopts.h" |
32 #include "auth.h" | 32 #include "auth.h" |
33 #include "agentfwd.h" | 33 #include "agentfwd.h" |
34 | 34 |
35 #if DROPBEAR_CLI_PUBKEY_AUTH | 35 #if DROPBEAR_CLI_PUBKEY_AUTH |
36 static void send_msg_userauth_pubkey(sign_key *key, enum signkey_type sigtype, int realsign); | 36 static void send_msg_userauth_pubkey(sign_key *key, enum signature_type sigtype, int realsign); |
37 | 37 |
38 /* Called when we receive a SSH_MSG_USERAUTH_FAILURE for a pubkey request. | 38 /* Called when we receive a SSH_MSG_USERAUTH_FAILURE for a pubkey request. |
39 * We use it to remove the key we tried from the list */ | 39 * We use it to remove the key we tried from the list */ |
40 void cli_pubkeyfail() { | 40 void cli_pubkeyfail() { |
41 m_list_elem *iter; | 41 m_list_elem *iter; |
56 void recv_msg_userauth_pk_ok() { | 56 void recv_msg_userauth_pk_ok() { |
57 m_list_elem *iter; | 57 m_list_elem *iter; |
58 buffer* keybuf = NULL; | 58 buffer* keybuf = NULL; |
59 char* algotype = NULL; | 59 char* algotype = NULL; |
60 unsigned int algolen; | 60 unsigned int algolen; |
61 enum signkey_type sigtype, keytype; | 61 enum signkey_type keytype; |
62 enum signature_type sigtype; | |
62 unsigned int remotelen; | 63 unsigned int remotelen; |
63 | 64 |
64 TRACE(("enter recv_msg_userauth_pk_ok")) | 65 TRACE(("enter recv_msg_userauth_pk_ok")) |
65 | 66 |
66 algotype = buf_getstring(ses.payload, &algolen); | 67 algotype = buf_getstring(ses.payload, &algolen); |
111 | 112 |
112 if (iter != NULL) { | 113 if (iter != NULL) { |
113 TRACE(("matching key")) | 114 TRACE(("matching key")) |
114 /* XXX TODO: if it's an encrypted key, here we ask for their | 115 /* XXX TODO: if it's an encrypted key, here we ask for their |
115 * password */ | 116 * password */ |
116 send_msg_userauth_pubkey((sign_key*)iter->item, keytype, 1); | 117 send_msg_userauth_pubkey((sign_key*)iter->item, sigtype, 1); |
117 } else { | 118 } else { |
118 TRACE(("That was whacky. We got told that a key was valid, but it didn't match our list. Sounds like dodgy code on Dropbear's part")) | 119 TRACE(("That was whacky. We got told that a key was valid, but it didn't match our list. Sounds like dodgy code on Dropbear's part")) |
119 } | 120 } |
120 | 121 |
121 TRACE(("leave recv_msg_userauth_pk_ok")) | 122 TRACE(("leave recv_msg_userauth_pk_ok")) |
122 } | 123 } |
123 | 124 |
124 static void cli_buf_put_sign(buffer* buf, sign_key *key, enum signkey_type sigtype, | 125 static void cli_buf_put_sign(buffer* buf, sign_key *key, enum signature_type sigtype, |
125 const buffer *data_buf) { | 126 const buffer *data_buf) { |
126 #if DROPBEAR_CLI_AGENTFWD | 127 #if DROPBEAR_CLI_AGENTFWD |
127 // TODO: rsa-sha256 agent | 128 // TODO: rsa-sha256 agent |
128 if (key->source == SIGNKEY_SOURCE_AGENT) { | 129 if (key->source == SIGNKEY_SOURCE_AGENT) { |
129 /* Format the agent signature ourselves, as buf_put_sign would. */ | 130 /* Format the agent signature ourselves, as buf_put_sign would. */ |
137 { | 138 { |
138 buf_put_sign(buf, key, sigtype, data_buf); | 139 buf_put_sign(buf, key, sigtype, data_buf); |
139 } | 140 } |
140 } | 141 } |
141 | 142 |
142 static void send_msg_userauth_pubkey(sign_key *key, enum signkey_type sigtype, int realsign) { | 143 static void send_msg_userauth_pubkey(sign_key *key, enum signature_type sigtype, int realsign) { |
143 | 144 |
144 const char *algoname = NULL; | 145 const char *algoname = NULL; |
145 unsigned int algolen; | 146 unsigned int algolen; |
146 buffer* sigbuf = NULL; | 147 buffer* sigbuf = NULL; |
147 enum signkey_type keytype = signkey_type_from_signature(sigtype); | 148 enum signkey_type keytype = signkey_type_from_signature(sigtype); |
148 | 149 |
149 TRACE(("enter send_msg_userauth_pubkey")) | 150 TRACE(("enter send_msg_userauth_pubkey sigtype %d", sigtype)) |
150 CHECKCLEARTOWRITE(); | 151 CHECKCLEARTOWRITE(); |
151 | 152 |
152 buf_putbyte(ses.writepayload, SSH_MSG_USERAUTH_REQUEST); | 153 buf_putbyte(ses.writepayload, SSH_MSG_USERAUTH_REQUEST); |
153 | 154 |
154 buf_putstring(ses.writepayload, cli_opts.username, | 155 buf_putstring(ses.writepayload, cli_opts.username, |
181 TRACE(("leave send_msg_userauth_pubkey")) | 182 TRACE(("leave send_msg_userauth_pubkey")) |
182 } | 183 } |
183 | 184 |
184 /* Returns 1 if a key was tried */ | 185 /* Returns 1 if a key was tried */ |
185 int cli_auth_pubkey() { | 186 int cli_auth_pubkey() { |
186 | |
187 TRACE(("enter cli_auth_pubkey")) | 187 TRACE(("enter cli_auth_pubkey")) |
188 | 188 |
189 #if DROPBEAR_CLI_AGENTFWD | 189 #if DROPBEAR_CLI_AGENTFWD |
190 if (!cli_opts.agent_keys_loaded) { | 190 if (!cli_opts.agent_keys_loaded) { |
191 /* get the list of available keys from the agent */ | 191 /* get the list of available keys from the agent */ |
192 cli_load_agent_keys(cli_opts.privkeys); | 192 cli_load_agent_keys(cli_opts.privkeys); |
193 cli_opts.agent_keys_loaded = 1; | 193 cli_opts.agent_keys_loaded = 1; |
194 } | 194 } |
195 #endif | 195 #endif |
196 | 196 |
197 /* TODO iterate through privkeys to skip ones not in server-sig-algs */ | |
198 | |
199 /* TODO: testing */ | |
200 #if DROPBEAR_RSA_SHA256 | |
201 cli_ses.preferred_rsa_sigtype = DROPBEAR_SIGNATURE_RSA_SHA256; | |
202 #elif DROPBEAR_RSA_SHA1 | |
203 cli_ses.preferred_rsa_sigtype = DROPBEAR_SIGNATURE_RSA_SHA1; | |
204 #endif | |
205 | |
197 if (cli_opts.privkeys->first) { | 206 if (cli_opts.privkeys->first) { |
198 sign_key * key = (sign_key*)cli_opts.privkeys->first->item; | 207 sign_key * key = (sign_key*)cli_opts.privkeys->first->item; |
199 enum signkey_type sigtype = key->type; | 208 /* Determine the signature type to use */ |
209 enum signature_type sigtype = (enum signature_type)key->type; | |
210 #if DROPBEAR_RSA | |
211 if (key->type == DROPBEAR_SIGNKEY_RSA) { | |
212 sigtype = cli_ses.preferred_rsa_sigtype; | |
213 } | |
214 #endif | |
215 | |
200 /* Send a trial request */ | 216 /* Send a trial request */ |
201 #if DROPBEAR_RSA && DROPBEAR_RSA_SHA256 | |
202 // TODO: use ext-info to choose rsa kind | |
203 if (sigtype == DROPBEAR_SIGNKEY_RSA) { | |
204 sigtype = DROPBEAR_SIGNKEY_RSA_SHA256; | |
205 } | |
206 #endif | |
207 send_msg_userauth_pubkey(key, sigtype, 0); | 217 send_msg_userauth_pubkey(key, sigtype, 0); |
208 cli_ses.lastprivkey = key; | 218 cli_ses.lastprivkey = key; |
209 TRACE(("leave cli_auth_pubkey-success")) | 219 TRACE(("leave cli_auth_pubkey-success")) |
210 return 1; | 220 return 1; |
211 } else { | 221 } else { |