diff options
author | djm@openbsd.org <djm@openbsd.org> | 2015-01-14 20:05:27 +0000 |
---|---|---|
committer | Damien Miller <djm@mindrot.org> | 2015-01-15 21:37:34 +1100 |
commit | 141efe49542f7156cdbc2e4cd0a041d8b1aab622 (patch) | |
tree | a9142350f2b8689f4d42548ca272ed577b32a881 /sshconnect1.c | |
parent | 0088c57af302cda278bd26d8c3ae81d5b6f7c289 (diff) |
upstream commit
move authfd.c and its tentacles to the new buffer/key
API; ok markus@
Diffstat (limited to 'sshconnect1.c')
-rw-r--r-- | sshconnect1.c | 72 |
1 files changed, 41 insertions, 31 deletions
diff --git a/sshconnect1.c b/sshconnect1.c index 08589f5e..016abbce 100644 --- a/sshconnect1.c +++ b/sshconnect1.c @@ -1,4 +1,4 @@ -/* $OpenBSD: sshconnect1.c,v 1.76 2014/07/15 15:54:14 millert Exp $ */ +/* $OpenBSD: sshconnect1.c,v 1.77 2015/01/14 20:05:27 djm Exp $ */ /* * Author: Tatu Ylonen <ylo@cs.hut.fi> * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland @@ -22,6 +22,7 @@ #include <openssl/bn.h> +#include <errno.h> #include <stdarg.h> #include <stdio.h> #include <stdlib.h> @@ -49,6 +50,7 @@ #include "hostfile.h" #include "auth.h" #include "digest.h" +#include "ssherr.h" /* Session id for the current session. */ u_char session_id[16]; @@ -64,33 +66,38 @@ extern char *__progname; static int try_agent_authentication(void) { - int type; - char *comment; - AuthenticationConnection *auth; + int r, type, agent_fd, ret = 0; u_char response[16]; - u_int i; - Key *key; + size_t i; BIGNUM *challenge; + struct ssh_identitylist *idlist = NULL; /* Get connection to the agent. */ - auth = ssh_get_authentication_connection(); - if (!auth) + if ((r = ssh_get_authentication_socket(&agent_fd)) != 0) { + if (r != SSH_ERR_AGENT_NOT_PRESENT) + debug("%s: ssh_get_authentication_socket: %s", + __func__, ssh_err(r)); return 0; + } if ((challenge = BN_new()) == NULL) fatal("try_agent_authentication: BN_new failed"); - /* Loop through identities served by the agent. */ - for (key = ssh_get_first_identity(auth, &comment, 1); - key != NULL; - key = ssh_get_next_identity(auth, &comment, 1)) { + /* Loop through identities served by the agent. */ + if ((r = ssh_fetch_identitylist(agent_fd, 1, &idlist)) != 0) { + if (r != SSH_ERR_AGENT_NO_IDENTITIES) + debug("%s: ssh_fetch_identitylist: %s", + __func__, ssh_err(r)); + goto out; + } + for (i = 0; i < idlist->nkeys; i++) { /* Try this identity. */ - debug("Trying RSA authentication via agent with '%.100s'", comment); - free(comment); + debug("Trying RSA authentication via agent with '%.100s'", + idlist->comments[i]); /* Tell the server that we are willing to authenticate using this key. */ packet_start(SSH_CMSG_AUTH_RSA); - packet_put_bignum(key->rsa->n); + packet_put_bignum(idlist->keys[i]->rsa->n); packet_send(); packet_write_wait(); @@ -101,7 +108,6 @@ try_agent_authentication(void) does not support RSA authentication. */ if (type == SSH_SMSG_FAILURE) { debug("Server refused our key."); - key_free(key); continue; } /* Otherwise it should have sent a challenge. */ @@ -115,16 +121,17 @@ try_agent_authentication(void) debug("Received RSA challenge from server."); /* Ask the agent to decrypt the challenge. */ - if (!ssh_decrypt_challenge(auth, key, challenge, session_id, 1, response)) { + if ((r = ssh_decrypt_challenge(agent_fd, idlist->keys[i], + challenge, session_id, response)) != 0) { /* * The agent failed to authenticate this identifier * although it advertised it supports this. Just * return a wrong value. */ - logit("Authentication agent failed to decrypt challenge."); + logit("Authentication agent failed to decrypt " + "challenge: %s", ssh_err(r)); explicit_bzero(response, sizeof(response)); } - key_free(key); debug("Sending response to RSA challenge."); /* Send the decrypted challenge back to the server. */ @@ -137,22 +144,25 @@ try_agent_authentication(void) /* Wait for response from the server. */ type = packet_read(); - /* The server returns success if it accepted the authentication. */ + /* + * The server returns success if it accepted the + * authentication. + */ if (type == SSH_SMSG_SUCCESS) { - ssh_close_authentication_connection(auth); - BN_clear_free(challenge); debug("RSA authentication accepted by server."); - return 1; - } - /* Otherwise it should return failure. */ - if (type != SSH_SMSG_FAILURE) - packet_disconnect("Protocol error waiting RSA auth response: %d", - type); + ret = 1; + break; + } else if (type != SSH_SMSG_FAILURE) + packet_disconnect("Protocol error waiting RSA auth " + "response: %d", type); } - ssh_close_authentication_connection(auth); + if (ret != 1) + debug("RSA authentication using agent refused."); + out: + ssh_free_identitylist(idlist); + ssh_close_authentication_socket(agent_fd); BN_clear_free(challenge); - debug("RSA authentication using agent refused."); - return 0; + return ret; } /* |