diff --git a/include/libssh/libssh.h b/include/libssh/libssh.h
index 03265cb3..8b918e6f 100644
--- a/include/libssh/libssh.h
+++ b/include/libssh/libssh.h
@@ -331,6 +331,8 @@ int ssh_userauth_none(SSH_SESSION *session, const char *username);
 int ssh_userauth_password(SSH_SESSION *session, const char *username, const char *password);
 int ssh_userauth_offer_pubkey(SSH_SESSION *session, const char *username, int type, STRING *publickey);
 int ssh_userauth_pubkey(SSH_SESSION *session, const char *username, STRING *publickey, PRIVATE_KEY *privatekey);
+int ssh_userauth_agent_pubkey(SSH_SESSION *session, const char *username,
+ PUBLIC_KEY *publickey);
 int ssh_userauth_autopubkey(SSH_SESSION *session, const char *passphrase);
 int ssh_userauth_kbdint(SSH_SESSION *session, const char *user, const char *submethods);
 int ssh_userauth_kbdint_getnprompts(SSH_SESSION *session);
diff --git a/include/libssh/priv.h b/include/libssh/priv.h
index 67cd6bf1..1713e327 100644
--- a/include/libssh/priv.h
+++ b/include/libssh/priv.h
@@ -289,7 +289,7 @@ struct channel_struct {
 struct agent_struct {
 struct socket *sock;
- STRING *ident;
+ BUFFER *ident;
 unsigned int count;
 };
@@ -450,7 +450,17 @@ void agent_free(struct agent_struct *agent);
 */
 int agent_running(struct ssh_session *session);
-int agent_ident_count(struct ssh_session *session);
+int agent_get_ident_count(struct ssh_session *session);
+
+struct public_key_struct *agent_get_next_ident(struct ssh_session *session,
+ char **comment);
+
+struct public_key_struct *agent_get_first_ident(struct ssh_session *session,
+ char **comment);
+
+STRING *agent_sign_data(struct ssh_session *session,
+ struct buffer_struct *data,
+ struct public_key_struct *pubkey);
 #endif
 /* socket.c */
@@ -560,11 +570,20 @@ PRIVATE_KEY *_privatekey_from_file(void *session,char *filename,int type);
 /* in keys.c */
 char *ssh_type_to_char(int type);
+int ssh_type_from_name(char *name);
+
+PRIVATE_KEY *privatekey_make_dss(SSH_SESSION *session, BUFFER *buffer);
+PRIVATE_KEY *privatekey_make_rsa(SSH_SESSION *session, BUFFER *buffer,
+ char *type);
+PRIVATE_KEY *privatekey_from_string(SSH_SESSION *session, STRING *privkey_s);
+
 PUBLIC_KEY *publickey_make_dss(SSH_SESSION *session, BUFFER *buffer);
 PUBLIC_KEY *publickey_make_rsa(SSH_SESSION *session, BUFFER *buffer,char *type);
 PUBLIC_KEY *publickey_from_string(SSH_SESSION *session, STRING *pubkey_s);
 SIGNATURE *signature_from_string(SSH_SESSION *session, STRING *signature,PUBLIC_KEY *pubkey,int needed_type);
 void signature_free(SIGNATURE *sign);
+STRING *ssh_do_sign_with_agent(struct ssh_session *session,
+ struct buffer_struct *buf, struct public_key_struct *publickey);
 STRING *ssh_do_sign(SSH_SESSION *session,BUFFER *sigbuf, PRIVATE_KEY *privatekey);
 STRING *ssh_sign_session_id(SSH_SESSION *session, PRIVATE_KEY *privatekey);
diff --git a/libssh/agent.c b/libssh/agent.c
index 0c3ee445..7e95a614 100644
--- a/libssh/agent.c
+++ b/libssh/agent.c
@@ -23,6 +23,17 @@
 /* This file is based on authfd.c from OpenSSH */
+/*
+ * How does the ssh-agent work?
+ *
+ * a) client sends a request to get a list of all keys
+ * the agent returns the cound and all public keys
+ * b) iterate over them to check if the server likes one
+ * c) the client sends a sign request to the agent
+ * type, pubkey as blob, data to sign, flags
+ * the agent returns the signed data
+ */
+
 #ifndef _WIN32
 #include
@@ -50,7 +61,7 @@ static u32 agent_get_u32(const void *vp) {
 v |= (u32)p[2] << 8;
 v |= (u32)p[3];
- return (v);
+ return v;
 }
 static void agent_put_u32(void *vp, u32 v) {
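Review bot: The new header comment in agent.c has a typo in step a), `the agent returns the cound and all public keys` should read `the agent returns the count and all public keys`. Since the comment is the only place the agent protocol flow is described, naming the message types the later code uses for step c) (`SSH2_AGENTC_SIGN_REQUEST` / `SSH2_AGENT_SIGN_RESPONSE`) would make it easier to map the prose onto agent_sign_data.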
@@ -107,7 +118,7 @@ static size_t atomicio(struct socket *s, void *buf, size_t n, int do_read) {
 AGENT *agent_new(struct ssh_session *session) {
 AGENT *agent = NULL;
- agent = malloc(sizeof(*agent));
+ agent = calloc(1, sizeof(*agent));
 if (agent) {
 agent->count = 0;
 agent->sock = ssh_socket_new(session);
@@ -124,7 +135,9 @@ void agent_close(struct agent_struct *agent) {
 void agent_free(AGENT *agent) {
 if (agent) {
- string_free(agent->ident);
+ if (agent->ident) {
+ buffer_free(agent->ident);
+ }
 if (agent->sock) {
 agent_close(agent);
 ssh_socket_free(agent->sock);
@@ -152,76 +165,68 @@ static int agent_connect(SSH_SESSION *session) {
 return -1;
 }
-static int agent_decode_reply(int type) {
+#if 0
+static int agent_decode_reply(struct ssh_session *session, int type) {
 switch (type) {
 case SSH_AGENT_FAILURE:
 case SSH2_AGENT_FAILURE:
 case SSH_COM_AGENT2_FAILURE:
- ssh_say(1, "SSH_AGENT_FAILURE\n");
+ ssh_log(session, SSH_LOG_RARE, "SSH_AGENT_FAILURE");
 return 0;
 case SSH_AGENT_SUCCESS:
 return 1;
 default:
+ ssh_set_error(session, SSH_FATAL,
+ "Bad response from authentication agent: %d", type);
 /* TODO: fatal */
 break;
 }
 return -1;
 }
+#endif
 static int agent_talk(struct ssh_session *session,
 struct buffer_struct *request, struct buffer_struct *reply) {
- size_t len = 0;
- unsigned char payload[1024] = {0};
+ u32 len = 0;
+ u8 payload[1024] = {0};
 len = buffer_get_len(request);
- ssh_say(2, "agent_talk - len of request: %u\n", len);
+ ssh_log(session, SSH_LOG_PACKET, "agent_talk - len of request: %u", len);
 agent_put_u32(payload, len);
-#if 0
- /* send length and then the request packet */
- if (ssh_socket_completewrite(session->agent->sock, payload, 4) == SSH_OK) {
- buffer_get_data(request, payload, len);
- fprintf(stderr, "agent_talk - sending request, payload = %u\n", payload[0]);
- if (ssh_socket_completewrite(session->agent->sock, payload, len)
- != SSH_OK) {
- return -1;
- }
- } else {
- return -1;
- }
-#endif
 /* send length and then the request packet */
 if (atomicio(session->agent->sock, payload, 4, 0) == 4) {
 buffer_get_data(request, payload, len);
- ssh_say(2, "agent_talk - sending request, payload = %u\n", payload[0]);
+ ssh_log(session, SSH_LOG_PACKET,
+ "agent_talk - sending request, payload[0] = %u", payload[0]);
 if (atomicio(session->agent->sock, payload, len, 0) != len) {
+ ssh_log(session, SSH_LOG_PACKET, "atomicio sending request failed: %s",
+ strerror(errno));
 return -1;
 }
 } else {
+ ssh_log(session, SSH_LOG_PACKET,
+ "atomicio sending request length failed: %s",
+ strerror(errno));
 return -1;
 }
-
 session->blocking = 0;
-
-#if 0
- /* wait for response, read the length of the response packet */
- if (ssh_socket_read(session->agent->sock, payload, 4) != SSH_OK) {
- fprintf(stderr, "agent_talk - error: %s\n", ssh_get_error(session));
- return -1;
- }
-#endif
 /* wait for response, read the length of the response packet */
 if (atomicio(session->agent->sock, payload, 4, 1) != 4) {
+ ssh_log(session, SSH_LOG_PACKET, "atomicio read response length failed: %s",
+ strerror(errno));
 return -1;
 }
 len = agent_get_u32(payload);
 if (len > 256 * 1024) {
+ ssh_set_error(session, SSH_FATAL,
+ "Authentication response too long: %u", len);
 return -1;
 }
- ssh_say(2, "agent_talk - response length: %u\n", len);
+ ssh_log(session, SSH_LOG_PACKET, "agent_talk - response length: %u", len);
 while (len > 0) {
 size_t n = len;
@@ -229,7 +234,8 @@ static int agent_talk(struct ssh_session *session,
 n = sizeof(payload);
 }
 if (atomicio(session->agent->sock, payload, n, 1) != n) {
- ssh_say(1, "Error reading response from authentication socket.");
+ ssh_log(session, SSH_LOG_RARE,
+ "Error reading response from authentication socket.");
 return -1;
 }
 buffer_add_data(reply, payload, n);
@@ -239,12 +245,12 @@ static int agent_talk(struct ssh_session *session,
 return 0;
 }
-int agent_ident_count(SSH_SESSION *session) {
+int agent_get_ident_count(struct ssh_session *session) {
 BUFFER *request = NULL;
 BUFFER *reply = NULL;
 unsigned int type = 0;
 unsigned int c1 = 0, c2 = 0;
- unsigned char buf[4] = {0};
+ u8 buf[4] = {0};
 switch (session->version) {
 case 1:
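Review bot: In agent_talk the request is still copied into the fixed `u8 payload[1024]` by `buffer_get_data(request, payload, len)` without comparing `len` against `sizeof(payload)`; a sign request carries the public key blob, the session id and the whole userauth packet (which embeds the blob a second time), so for larger keys it will exceed 1024 bytes and overrun the stack buffer. The copy is not needed at all: send from the request buffer directly, `if (atomicio(session->agent->sock, buffer_get(request), len, 0) != len) {`, or else reject `len > sizeof(payload)` before the copy. The receive side is fine because `n` is clamped to `sizeof(payload)` before each read. The `strerror(errno)` messages added on the send path assume atomicio leaves errno set on a short write; its body is outside this hunk, so please confirm.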
@@ -273,26 +279,157 @@ int agent_ident_count(SSH_SESSION *session) {
 /* get message type and verify the answer */
 buffer_get_u8(reply, (u8 *) &type);
- ssh_say(2, "agent_ident_count - answer type: %d, expected answer: %d\n",
+ ssh_log(session, SSH_LOG_PACKET,
+ "agent_ident_count - answer type: %d, expected answer: %d",
 type, c2);
 if (agent_failed(type)) {
 return 0;
 } else if (type != c2) {
- /* TODO: fatal, set ssh error? */
+ ssh_set_error(session, SSH_FATAL,
+ "Bad authentication reply message type: %d", type);
 return -1;
 }
 buffer_get_u32(reply, (u32 *) buf);
 session->agent->count = agent_get_u32(buf);
- ssh_say(2, "agent_ident_count - count: %d\n", session->agent->count);
+ ssh_log(session, SSH_LOG_PACKET, "agent_ident_count - count: %d",
+ session->agent->count);
 if (session->agent->count > 1024) {
- /* TODO: fatal, set ssh error? */
+ ssh_set_error(session, SSH_FATAL,
+ "Too many identities in authentication reply: %d",
+ session->agent->count);
+ buffer_free(reply);
 return -1;
 }
+ if (session->agent->ident) {
+ buffer_free(session->agent->ident);
+ }
+ session->agent->ident = reply;
+
 return session->agent->count;
 }
+/* caller has to free commment */
+struct public_key_struct *agent_get_first_ident(struct ssh_session *session,
+ char **comment) {
+ if (agent_get_ident_count(session) > 0) {
+ return agent_get_next_ident(session, comment);
+ }
+
+ return NULL;
+}
+
+/* caller has to free commment */
+struct public_key_struct *agent_get_next_ident(struct ssh_session *session,
+ char **comment) {
+ struct public_key_struct *pubkey = NULL;
+ struct string_struct *blob = NULL;
+ struct string_struct *tmp = NULL;
+
+ if (session->agent->count == 0) {
+ return NULL;
+ }
+
+ switch(session->version) {
+ case 1:
+ /* TODO */
+ break;
+ case 2:
+ /* get the blob */
+ blob = buffer_get_ssh_string(session->agent->ident);
+ if (blob == NULL) {
+ return NULL;
+ }
+
+ /* get the comment */
+ tmp = buffer_get_ssh_string(session->agent->ident);
+ if (tmp == NULL) {
 string_free(blob);
+
+ return NULL;
+ }
+
+ if (comment) {
+ *comment = string_to_char(tmp);
+ } else {
+ string_free(blob);
+ string_free(tmp);
+
+ return NULL;
+ }
+ string_free(tmp);
+
+ /* get key from blob */
+ pubkey = publickey_from_string(session, blob);
+ string_free(blob);
+ break;
+ default:
+ return NULL;
+ }
+
+ return pubkey;
+}
+
+STRING *agent_sign_data(struct ssh_session *session,
+ struct buffer_struct *data,
+ struct public_key_struct *pubkey) {
+ struct string_struct *blob = NULL;
+ struct string_struct *sig = NULL;
+ struct buffer_struct *request = NULL;
+ struct buffer_struct *reply = NULL;
+ int type = SSH2_AGENT_FAILURE;
+ int flags = 0;
+ u32 dlen = 0;
+
+ /* create blob from the pubkey */
+ blob = publickey_to_string(pubkey);
+
+ request = buffer_new();
+
+ /* create request */
+ buffer_add_u8(request, SSH2_AGENTC_SIGN_REQUEST);
+
+ /* adds len + blob */
+ buffer_add_ssh_string(request, blob);
+
+ /* Add data */
+ dlen = buffer_get_len(data);
+ buffer_add_u32(request, htonl(dlen));
+ buffer_add_data(request, buffer_get(data), dlen);
+
+ buffer_add_u32(request, htonl(flags));
+
+ string_free(blob);
+
+ reply = buffer_new();
+
+ /* send the request */
+ if (agent_talk(session, request, reply) < 0) {
+ buffer_free(request);
+ return NULL;
+ }
+ buffer_free(request);
+
+ /* check if reply is valid */
+ buffer_get_u8(reply, (u8 *) &type);
+ if (agent_failed(type)) {
+ ssh_log(session, SSH_LOG_RARE, "Agent reports failure in signing the key");
+ buffer_free(reply);
+ return NULL;
+ } else if (type != SSH2_AGENT_SIGN_RESPONSE) {
+ ssh_set_error(session, SSH_FATAL, "Bad authentication response: %d", type);
+ buffer_free(reply);
+ return NULL;
+ }
+
+ sig = buffer_get_ssh_string(reply);
+
+ buffer_free(reply);
+
+ return sig;
+}
+
 int agent_running(SSH_SESSION *session) {
 if (session == NULL || session->agent == NULL) {
 return 0;
diff --git a/libssh/auth.c b/libssh/auth.c
index 2c072adf..3b865b83 100644
--- a/libssh/auth.c
+++ b/libssh/auth.c
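Review bot: In agent_get_ident_count the new `buffer_free(reply)` is only on the too-many-identities path; the `return 0` after `agent_failed(type)` and the `return -1` after the bad-type check still drop `reply`, so it leaks there while `session->agent->ident` keeps pointing at the previous answer — make them `buffer_free(reply); return 0;` and `buffer_free(reply); return -1;` (the function's start, where `request` is built, is outside the hunk). In agent_sign_data the results of `publickey_to_string(pubkey)` and both `buffer_new()` calls are passed on unchecked; a `if (blob == NULL) { return NULL; }` before the request is assembled costs one line. In agent_get_next_ident a NULL `comment` makes the function throw away a valid key and return NULL, which reads as a bug rather than a contract; either document it in the `/* caller has to free comment */` header (which also has a typo, `commment`) or skip the `string_to_char` when `comment` is NULL. On the `agent_talk(...) < 0` path `reply` is freed only by... actually it is not freed at all there, so `buffer_free(reply);` belongs next to `buffer_free(request);`. The log strings still say `agent_ident_count` after the rename to agent_get_ident_count.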
@@ -332,6 +332,87 @@ int ssh_userauth_pubkey(SSH_SESSION *session, const char *username, STRING *publ
 return err;
 }
+/** \brief Try to authenticate through public key with ssh agent
+ * \param session ssh session
+ * \param username username to authenticate. You can specify NULL if
+ * ssh_option_set_username() has been used. You cannot try two different logins in a row.
+ * \param publickey a public key returned by publickey_from_file()
+ * \param privatekey a private key returned by privatekey_from_file()
+ * \returns SSH_AUTH_ERROR : a serious error happened\n
+ * SSH_AUTH_DENIED : Authentication failed : use another method\n
+ * SSH_AUTH_PARTIAL : You've been partially authenticated, you still have to use another method\n
+ * SSH_AUTH_SUCCESS : Authentication success
+ * \see publickey_from_file()
+ * \see privatekey_from_file()
+ * \see private_key_free()
+ * \see ssh_userauth_offer_pubkey()
+ */
+
+int ssh_userauth_agent_pubkey(SSH_SESSION *session, const char *username,
+ PUBLIC_KEY *publickey) {
+ STRING *user;
+ STRING *service;
+ STRING *method;
+ STRING *algo;
+ STRING *key;
+ STRING *sign;
+ int err = SSH_AUTH_ERROR;
+
+ enter_function();
+ if (! agent_running(session)) {
+ return err;
+ }
+
+ if(username == NULL) {
+ if((username = session->options->username) == NULL) {
+ if (ssh_options_default_username(session->options)) {
+ leave_function();
+ return err;
+ } else {
+ username=session->options->username;
+ }
+ }
+ }
+ if (ask_userauth(session)) {
+ leave_function();
+ return err;
+ }
+
+ user = string_from_char(username);
+ service = string_from_char("ssh-connection");
+ method = string_from_char("publickey");
+ algo = string_from_char(ssh_type_to_char(publickey->type));
+ key = publickey_to_string(publickey);
+
+ /* we said previously the public key was accepted */
+ buffer_add_u8(session->out_buffer, SSH2_MSG_USERAUTH_REQUEST);
+ buffer_add_ssh_string(session->out_buffer, user);
+ buffer_add_ssh_string(session->out_buffer, service);
+ buffer_add_ssh_string(session->out_buffer, method);
+ buffer_add_u8(session->out_buffer, 1);
+ buffer_add_ssh_string(session->out_buffer, algo);
+ buffer_add_ssh_string(session->out_buffer, key);
+#if 0
+ sign=ssh_do_sign(session,session->out_buffer,privatekey);
+ sign = agent_sign_data(session, session->out_buffer, publickey);
+#endif
+ sign = ssh_do_sign_with_agent(session, session->out_buffer, publickey);
+
+ if (sign) {
+ buffer_add_ssh_string(session->out_buffer, sign);
+ string_free(sign);
+ packet_send(session);
+ err = wait_auth_status(session,0);
+ }
+ string_free(user);
+ string_free(service);
+ string_free(method);
+ string_free(algo);
+ leave_function();
+
+ return err;
+}
+
 /** \brief Try to authenticate by password
 * \param session ssh session
 * \param username username to authenticate. You can specify NULL if
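Review bot: The early return after `if (! agent_running(session))` skips `leave_function()` although `enter_function()` was just called, unlike every other early return in this function; make it `leave_function(); return err;`. The `key` string from `publickey_to_string(publickey)` is never released — the trailing cleanup frees `user`, `service`, `method` and `algo` only — so add `string_free(key);` beside them. The doxygen block documents a `\param privatekey` the function does not take and says the key comes from `publickey_from_file()`, whereas the only caller in this commit feeds it keys from `agent_get_first_ident`/`agent_get_next_ident`; drop that line and the `\see privatekey_from_file()`/`\see private_key_free()` entries and say the key must be one the agent holds. The `#if 0` block of superseded `sign=` lines should be deleted rather than committed.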
@@ -421,10 +502,13 @@ int ssh_userauth_autopubkey(SSH_SESSION *session, const char *passphrase) {
 int type=0;
 int err;
 STRING *pubkey;
+ struct public_key_struct *publickey;
 char *privkeyfile=NULL;
 PRIVATE_KEY *privkey;
- char *id=NULL;
+ char *id = NULL;
+ enter_function();
+
 // always testing none
 err=ssh_userauth_none(session,NULL);
 if(err==SSH_AUTH_ERROR || err==SSH_AUTH_SUCCESS){
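Review bot: `enter_function()` is now called at the top of ssh_userauth_autopubkey, but the returns that already existed in this function — the `ssh_userauth_none` result check directly below this hunk and the identity-file path after the agent loop — are outside the hunk, so I cannot confirm each of them is paired with `leave_function()`; please check every `return` in the rest of the function, otherwise the function-trace nesting goes off by one for the whole session. The `- char *id=NULL;` / `+ char *id = NULL;` pair is a whitespace-only change mixed into a functional commit.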
@@ -434,13 +518,69 @@ int ssh_userauth_autopubkey(SSH_SESSION *session, const char *passphrase) {
 /* try ssh-agent keys first */
 #ifndef _WIN32
-#if 0
 if (agent_running(session)) {
- ssh_say(1, "SSH Agent is running\n");
- count = agent_ident_count(session);
- ssh_say(1, "SSH Agent has %d key(s)\n", count);
- }
-#endif
+ ssh_log(session, SSH_LOG_RARE,
+ "Trying to authenticate with SSH agent keys");
+
+ for (publickey = agent_get_first_ident(session, &privkeyfile);
+ publickey != NULL;
+ publickey = agent_get_next_ident(session, &privkeyfile)) {
+
+ ssh_log(session, SSH_LOG_RARE, "Trying identity %s", privkeyfile);
+
+ pubkey = publickey_to_string(publickey);
+ if (pubkey) {
+ err = ssh_userauth_offer_pubkey(session, NULL, publickey->type, pubkey);
+ string_free(pubkey);
+ if (err == SSH_AUTH_ERROR) {
+ SAFE_FREE(id);
+ SAFE_FREE(privkeyfile);
+ publickey_free(publickey);
+ leave_function();
+
+ return err;
+ } else if (err != SSH_AUTH_SUCCESS) {
+ ssh_log(session, SSH_LOG_PACKET, "Public key refused by server\n");
+ SAFE_FREE(id);
+ SAFE_FREE(privkeyfile);
+ publickey_free(publickey);
+ continue;
+ }
+ ssh_log(session, SSH_LOG_RARE, "Public key accepted");
+ /* pubkey accepted by server ! */
+ err = ssh_userauth_agent_pubkey(session, NULL, publickey);
+ if (err == SSH_AUTH_ERROR) {
+ SAFE_FREE(id);
+ SAFE_FREE(privkeyfile);
+ publickey_free(publickey);
+ leave_function();
+
+ return err;
+ } else if (err != SSH_AUTH_SUCCESS) {
+ ssh_log(session, SSH_LOG_RARE,
+ "Server accepted public key but refused the signature\n"
+ "It might be a bug of libssh\n");
+ SAFE_FREE(id);
+ SAFE_FREE(privkeyfile);
+ publickey_free(publickey);
+ continue;
+ }
+ /* auth success */
+ ssh_log(session, SSH_LOG_RARE, "Authentication using %s success\n",
+ privkeyfile);
+ SAFE_FREE(id);
+ SAFE_FREE(privkeyfile);
+ publickey_free(publickey);
+
+ leave_function();
+
+ return SSH_AUTH_SUCCESS;
+ } /* if pubkey */
+ SAFE_FREE(id);
+ SAFE_FREE(privkeyfile);
+ publickey_free(publickey);
+ } /* for each privkey */
+ } /* if agent is running */
 #endif
 if(session->options->identity){
diff --git a/libssh/keys.c b/libssh/keys.c
index 2b981ac6..406bcdd8 100644
--- a/libssh/keys.c
+++ b/libssh/keys.c
@@ -45,6 +45,25 @@ char *ssh_type_to_char(int type){
 }
 }
+int ssh_type_from_name(char *name) {
+ if (strcmp(name, "rsa1") == 0) {
+ return TYPE_RSA1;
+ } else if (strcmp(name, "rsa") == 0) {
+ return TYPE_RSA;
+ } else if (strcmp(name, "dsa") == 0) {
+ return TYPE_DSS;
+ } else if (strcmp(name, "ssh-rsa1") == 0) {
+ return TYPE_RSA1;
+ } else if (strcmp(name, "ssh-rsa") == 0) {
+ return TYPE_RSA;
+ } else if (strcmp(name, "ssh-dss") == 0) {
+ return TYPE_DSS;
+ }
+
+ ssh_say(2, "key_type_from_name: unknown key type '%s'\n", name);
+ return -1;
+}
+
 PUBLIC_KEY *publickey_make_dss(SSH_SESSION *session, BUFFER *buffer){
 STRING *p,*q,*g,*pubkey;
 PUBLIC_KEY *key=malloc(sizeof(PUBLIC_KEY));
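Review bot: The cleanup triplet `SAFE_FREE(id); SAFE_FREE(privkeyfile); publickey_free(publickey);` is copied five times inside the agent loop, and nothing visible in this hunk or the one above assigns `id` before or inside the loop (it is declared `= NULL`), so the `SAFE_FREE(id)` calls there appear to be noise. Routing the `continue` and `return` paths through a single per-iteration cleanup at the loop tail (or a small static helper taking the three pointers) would make the ownership of the agent key and its comment obvious and harder to break on the next edit. The log strings are also inconsistent within the hunk: `"Public key refused by server\n"` and `"Authentication using %s success\n"` carry trailing newlines while `"Trying identity %s"` and `"Public key accepted"` do not. The function continues past the hunk, so the identity-file path is not reviewed here.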
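Review bot: `ssh_type_from_name` only reads `name`, so the parameter should be `int ssh_type_from_name(const char *name)` (here and in the priv.h prototype), and a NULL `name` goes straight into `strcmp`; a leading `if (name == NULL) { return -1; }` is cheap. The fallback message still uses `ssh_say` while the rest of this commit moves logging to `ssh_log`, and it names the function `key_type_from_name` rather than ssh_type_from_name. A `static const` table of `{ name, type }` pairs walked in a loop would replace the six-branch chain and make adding a key type a one-line change.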
@@ -601,6 +620,38 @@ static STRING *RSA_do_sign(void *payload,int len,RSA *privkey){
 }
 #endif
+STRING *ssh_do_sign_with_agent(struct ssh_session *session,
+ struct buffer_struct *buf, struct public_key_struct *publickey) {
+ struct buffer_struct *sigbuf = NULL;
+ struct string_struct *signature = NULL;
+ struct string_struct *session_id = NULL;
+ struct ssh_crypto_struct *crypto = NULL;
+
+ if (session->current_crypto) {
+ crypto = session->current_crypto;
+ } else {
+ crypto = session->next_crypto;
+ }
+
+ /* prepend session identifier */
+ session_id = string_new(SHA_DIGEST_LEN);
+ string_fill(session_id, crypto->session_id, SHA_DIGEST_LEN);
+
+ sigbuf = buffer_new();
+
+ buffer_add_ssh_string(sigbuf, session_id);
+
+ /* append out buffer */
+ buffer_add_buffer(sigbuf, buf);
+
+ /* create signature */
+ signature = agent_sign_data(session, sigbuf, publickey);
+
+ buffer_free(sigbuf);
+
+ return signature;
+}
+
 /* this function signs the session id (known as H) as a string then the content of sigbuf */
 STRING *ssh_do_sign(SSH_SESSION *session,BUFFER *sigbuf, PRIVATE_KEY *privatekey){
 SHACTX ctx;
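Review bot: `session_id` is allocated with `string_new(SHA_DIGEST_LEN)` and copied into `sigbuf` by `buffer_add_ssh_string`, but it is never released, so every agent-backed signature leaks one STRING; add `string_free(session_id);` directly after the `buffer_add_ssh_string(sigbuf, session_id);` call. `crypto->session_id` is dereferenced without checking that either `session->current_crypto` or `session->next_crypto` was non-NULL, and the `string_new`/`buffer_new` results are used unchecked; the sibling `ssh_do_sign` below starts inside the hunk but its body is outside it, so I cannot tell whether it guards the same cases. A one-line header comment stating that the data handed to the agent is `string(session_id) || buf`, mirroring the comment on ssh_do_sign, would also help the next reader.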