1/* 2 * Author: Tatu Ylonen <ylo@cs.hut.fi> 3 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland 4 * All rights reserved 5 * Functions for connecting the local authentication agent. 6 * 7 * As far as I am concerned, the code I have written for this software 8 * can be used freely for any purpose. Any derived versions of this --- 21 unchanged lines hidden (view full) --- 30 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 31 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 32 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 33 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 34 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 35 */ 36 37#include "includes.h" |
38RCSID("$OpenBSD: authfd.c,v 1.61 2003/06/28 16:23:06 deraadt Exp $"); |
39 40#include <openssl/evp.h> 41 42#include "ssh.h" 43#include "rsa.h" 44#include "buffer.h" 45#include "bufaux.h" 46#include "xmalloc.h" --- 70 unchanged lines hidden (view full) --- 117 int l, len; 118 char buf[1024]; 119 120 /* Get the length of the message, and format it in the buffer. */ 121 len = buffer_len(request); 122 PUT_32BIT(buf, len); 123 124 /* Send the length and then the packet to the agent. */ |
125 if (atomicio(vwrite, auth->fd, buf, 4) != 4 || 126 atomicio(vwrite, auth->fd, buffer_ptr(request), |
127 buffer_len(request)) != buffer_len(request)) { 128 error("Error writing to authentication socket."); 129 return 0; 130 } 131 /* 132 * Wait for response from the agent. First read the length of the 133 * response packet. 134 */ --- 192 unchanged lines hidden (view full) --- 327 switch (version) { 328 case 1: 329 key = key_new(KEY_RSA1); 330 bits = buffer_get_int(&auth->identities); 331 buffer_get_bignum(&auth->identities, key->rsa->e); 332 buffer_get_bignum(&auth->identities, key->rsa->n); 333 *comment = buffer_get_string(&auth->identities, NULL); 334 if (bits != BN_num_bits(key->rsa->n)) |
335 logit("Warning: identity keysize mismatch: actual %d, announced %u", |
336 BN_num_bits(key->rsa->n), bits); 337 break; 338 case 2: 339 blob = buffer_get_string(&auth->identities, &blen); 340 *comment = buffer_get_string(&auth->identities, NULL); 341 key = key_from_blob(blob, blen); 342 xfree(blob); 343 break; --- 24 unchanged lines hidden (view full) --- 368 Buffer buffer; 369 int success = 0; 370 int i; 371 int type; 372 373 if (key->type != KEY_RSA1) 374 return 0; 375 if (response_type == 0) { |
376 logit("Compatibility with ssh protocol version 1.0 no longer supported."); |
377 return 0; 378 } 379 buffer_init(&buffer); 380 buffer_put_char(&buffer, SSH_AGENTC_RSA_CHALLENGE); 381 buffer_put_int(&buffer, BN_num_bits(key->rsa->n)); 382 buffer_put_bignum(&buffer, key->rsa->e); 383 buffer_put_bignum(&buffer, key->rsa->n); 384 buffer_put_bignum(&buffer, challenge); 385 buffer_append(&buffer, session_id, 16); 386 buffer_put_int(&buffer, response_type); 387 388 if (ssh_request_reply(auth, &buffer, &buffer) == 0) { 389 buffer_free(&buffer); 390 return 0; 391 } 392 type = buffer_get_char(&buffer); 393 394 if (agent_failed(type)) { |
395 logit("Agent admitted failure to authenticate using the key."); |
396 } else if (type != SSH_AGENT_RSA_RESPONSE) { 397 fatal("Bad authentication response: %d", type); 398 } else { 399 success = 1; 400 /* 401 * Get the response from the packet. This will abort with a 402 * fatal error if the packet is corrupt. 403 */ --- 32 unchanged lines hidden (view full) --- 436 xfree(blob); 437 438 if (ssh_request_reply(auth, &msg, &msg) == 0) { 439 buffer_free(&msg); 440 return -1; 441 } 442 type = buffer_get_char(&msg); 443 if (agent_failed(type)) { |
444 logit("Agent admitted failure to sign using the key."); |
445 } else if (type != SSH2_AGENT_SIGN_RESPONSE) { 446 fatal("Bad authentication response: %d", type); 447 } else { 448 ret = 0; 449 *sigp = buffer_get_string(&msg, lenp); 450 } 451 buffer_free(&msg); 452 return ret; --- 131 unchanged lines hidden (view full) --- 584 return 0; 585 } 586 type = buffer_get_char(&msg); 587 buffer_free(&msg); 588 return decode_reply(type); 589} 590 591int |
592ssh_update_card(AuthenticationConnection *auth, int add, 593 const char *reader_id, const char *pin, u_int life, u_int confirm) |
594{ 595 Buffer msg; |
596 int type, constrained = (life || confirm); |
597 |
598 if (add) { 599 type = constrained ? 600 SSH_AGENTC_ADD_SMARTCARD_KEY_CONSTRAINED : 601 SSH_AGENTC_ADD_SMARTCARD_KEY; 602 } else 603 type = SSH_AGENTC_REMOVE_SMARTCARD_KEY; 604 |
605 buffer_init(&msg); |
606 buffer_put_char(&msg, type); |
607 buffer_put_cstring(&msg, reader_id); 608 buffer_put_cstring(&msg, pin); |
609 610 if (constrained) { 611 if (life != 0) { 612 buffer_put_char(&msg, SSH_AGENT_CONSTRAIN_LIFETIME); 613 buffer_put_int(&msg, life); 614 } 615 if (confirm != 0) 616 buffer_put_char(&msg, SSH_AGENT_CONSTRAIN_CONFIRM); 617 } 618 |
619 if (ssh_request_reply(auth, &msg, &msg) == 0) { 620 buffer_free(&msg); 621 return 0; 622 } 623 type = buffer_get_char(&msg); 624 buffer_free(&msg); 625 return decode_reply(type); 626} --- 26 unchanged lines hidden (view full) --- 653 654int 655decode_reply(int type) 656{ 657 switch (type) { 658 case SSH_AGENT_FAILURE: 659 case SSH_COM_AGENT2_FAILURE: 660 case SSH2_AGENT_FAILURE: |
661 logit("SSH_AGENT_FAILURE"); |
662 return 0; 663 case SSH_AGENT_SUCCESS: 664 return 1; 665 default: 666 fatal("Bad response from authentication agent: %d", type); 667 } 668 /* NOTREACHED */ 669 return 0; 670} |
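Review bot: In ssh_update_card (file lines 592–626) the constraint block at lines 610–617 is appended whenever `constrained` is non-zero, but `type` is only switched to the `_CONSTRAINED` message when `add` is true, so a remove request passed a non-zero `life` or `confirm` would send SSH_AGENT_CONSTRAIN_* bytes after the pin in an SSH_AGENTC_REMOVE_SMARTCARD_KEY message; how the agent treats that trailing data is not visible here. Guarding the append with `if (add && constrained) {` keeps the remove message to the shape the message type defines, and the callers that pass life/confirm on removal are not visible in this page. The `else` at line 602 also drops braces while its `if` keeps them; `} else {` / `type = SSH_AGENTC_REMOVE_SMARTCARD_KEY;` / `}` would match the surrounding style. The file section's header is not in view, so this note covers only the hunks shown.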