- (djm) OpenBSD CVS updates:
- markus@cvs.openbsd.org 2000/07/16 02:27:22
[authfd.c authfd.h channels.c clientloop.c ssh-add.c ssh-agent.c ssh.c]
[sshconnect1.c sshconnect2.c]
make ssh-add accept dsa keys (the agent does not)
- djm@cvs.openbsd.org 2000/07/17 19:25:02
[sshd.c]
Another closing of stdin; ok deraadt
- markus@cvs.openbsd.org 2000/07/19 18:33:12
[dsa.c]
missing free, reorder
- markus@cvs.openbsd.org 2000/07/20 16:23:14
[ssh-keygen.1]
document input and output files
diff --git a/ChangeLog b/ChangeLog
index 2fbc1f2..17c0aec 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,8 +1,24 @@
+20000721
+ - (djm) OpenBSD CVS updates:
+ - markus@cvs.openbsd.org 2000/07/16 02:27:22
+ [authfd.c authfd.h channels.c clientloop.c ssh-add.c ssh-agent.c ssh.c]
+ [sshconnect1.c sshconnect2.c]
+ make ssh-add accept dsa keys (the agent does not)
+ - djm@cvs.openbsd.org 2000/07/17 19:25:02
+ [sshd.c]
+ Another closing of stdin; ok deraadt
+ - markus@cvs.openbsd.org 2000/07/19 18:33:12
+ [dsa.c]
+ missing free, reorder
+ - markus@cvs.openbsd.org 2000/07/20 16:23:14
+ [ssh-keygen.1]
+ document input and output files
+
20000720
- - Spec file fix from Petr Novotny <Petr.Novotny@antek.cz>
+ - (djm) Spec file fix from Petr Novotny <Petr.Novotny@antek.cz>
20000716
- - Release 2.1.1p4
+ - (djm) Release 2.1.1p4
20000715
- (djm) OpenBSD CVS updates
diff --git a/authfd.c b/authfd.c
index 69fe2ae..227c992 100644
--- a/authfd.c
+++ b/authfd.c
@@ -14,17 +14,21 @@
*/
#include "includes.h"
-RCSID("$OpenBSD: authfd.c,v 1.21 2000/06/26 09:22:29 markus Exp $");
+RCSID("$OpenBSD: authfd.c,v 1.22 2000/07/16 08:27:20 markus Exp $");
#include "ssh.h"
#include "rsa.h"
-#include "authfd.h"
#include "buffer.h"
#include "bufaux.h"
#include "xmalloc.h"
#include "getput.h"
#include <openssl/rsa.h>
+#include <openssl/dsa.h>
+#include <openssl/evp.h>
+#include "key.h"
+#include "authfd.h"
+#include "kex.h"
/* helper */
int ssh_agent_get_reply(AuthenticationConnection *auth);
@@ -138,10 +142,7 @@
* Send a message to the agent requesting for a list of the
* identities it can represent.
*/
- msg[0] = 0;
- msg[1] = 0;
- msg[2] = 0;
- msg[3] = 1;
+ PUT_32BIT(msg, 1);
msg[4] = SSH_AGENTC_REQUEST_RSA_IDENTITIES;
if (atomicio(write, auth->fd, msg, 5) != 5) {
error("write auth->fd: %.100s", strerror(errno));
@@ -336,31 +337,64 @@
return 1;
}
+/* Encode key for a message to the agent. */
+
+void
+ssh_encode_identity_rsa(Buffer *b, RSA *key, const char *comment)
+{
+ buffer_clear(b);
+ buffer_put_char(b, SSH_AGENTC_ADD_RSA_IDENTITY);
+ buffer_put_int(b, BN_num_bits(key->n));
+ buffer_put_bignum(b, key->n);
+ buffer_put_bignum(b, key->e);
+ buffer_put_bignum(b, key->d);
+ /* To keep within the protocol: p < q for ssh. in SSL p > q */
+ buffer_put_bignum(b, key->iqmp); /* ssh key->u */
+ buffer_put_bignum(b, key->q); /* ssh key->p, SSL key->q */
+ buffer_put_bignum(b, key->p); /* ssh key->q, SSL key->p */
+ buffer_put_string(b, comment, strlen(comment));
+}
+
+void
+ssh_encode_identity_dsa(Buffer *b, DSA *key, const char *comment)
+{
+ buffer_clear(b);
+ buffer_put_char(b, SSH2_AGENTC_ADD_IDENTITY);
+ buffer_put_cstring(b, KEX_DSS);
+ buffer_put_bignum2(b, key->p);
+ buffer_put_bignum2(b, key->q);
+ buffer_put_bignum2(b, key->g);
+ buffer_put_bignum2(b, key->pub_key);
+ buffer_put_bignum2(b, key->priv_key);
+ buffer_put_string(b, comment, strlen(comment));
+}
+
/*
* Adds an identity to the authentication server. This call is not meant to
* be used by normal applications.
*/
int
-ssh_add_identity(AuthenticationConnection *auth,
- RSA * key, const char *comment)
+ssh_add_identity(AuthenticationConnection *auth, Key *key, const char *comment)
{
Buffer buffer;
unsigned char buf[8192];
int len;
- /* Format a message to the agent. */
buffer_init(&buffer);
- buffer_put_char(&buffer, SSH_AGENTC_ADD_RSA_IDENTITY);
- buffer_put_int(&buffer, BN_num_bits(key->n));
- buffer_put_bignum(&buffer, key->n);
- buffer_put_bignum(&buffer, key->e);
- buffer_put_bignum(&buffer, key->d);
- /* To keep within the protocol: p < q for ssh. in SSL p > q */
- buffer_put_bignum(&buffer, key->iqmp); /* ssh key->u */
- buffer_put_bignum(&buffer, key->q); /* ssh key->p, SSL key->q */
- buffer_put_bignum(&buffer, key->p); /* ssh key->q, SSL key->p */
- buffer_put_string(&buffer, comment, strlen(comment));
+
+ switch (key->type) {
+ case KEY_RSA:
+ ssh_encode_identity_rsa(&buffer, key->rsa, comment);
+ break;
+ case KEY_DSA:
+ ssh_encode_identity_dsa(&buffer, key->dsa, comment);
+ break;
+ default:
+ buffer_free(&buffer);
+ return 0;
+ break;
+ }
/* Get the length of the message, and format it in the buffer. */
len = buffer_len(&buffer);
@@ -487,6 +521,7 @@
buffer_free(&buffer);
switch (type) {
case SSH_AGENT_FAILURE:
+log("SSH_AGENT_FAILURE");
return 0;
case SSH_AGENT_SUCCESS:
return 1;
diff --git a/authfd.h b/authfd.h
index d7ff4be..14b9bee 100644
--- a/authfd.h
+++ b/authfd.h
@@ -13,7 +13,7 @@
*
*/
-/* RCSID("$OpenBSD: authfd.h,v 1.8 2000/06/20 01:39:38 markus Exp $"); */
+/* RCSID("$OpenBSD: authfd.h,v 1.9 2000/07/16 08:27:21 markus Exp $"); */
#ifndef AUTHFD_H
#define AUTHFD_H
@@ -31,6 +31,16 @@
#define SSH_AGENTC_REMOVE_RSA_IDENTITY 8
#define SSH_AGENTC_REMOVE_ALL_RSA_IDENTITIES 9
+#define SSH2_AGENTC_REQUEST_IDENTITIES 11
+#define SSH2_AGENT_IDENTITIES_ANSWER 12
+#define SSH2_AGENTC_SIGN_REQUEST 13
+#define SSH2_AGENT_SIGN_RESPONSE 14
+#define SSH2_AGENT_FAILURE SSH_AGENT_FAILURE
+#define SSH2_AGENT_SUCCESS SSH_AGENT_SUCCESS
+#define SSH2_AGENTC_ADD_IDENTITY 17
+#define SSH2_AGENTC_REMOVE_IDENTITY 18
+#define SSH2_AGENTC_REMOVE_ALL_IDENTITIES 19
+
typedef struct {
int fd;
Buffer packet;
@@ -96,7 +106,7 @@
* successfully added.
*/
int
-ssh_add_identity(AuthenticationConnection * connection, RSA * key,
+ssh_add_identity(AuthenticationConnection * connection, Key *key,
const char *comment);
/*
diff --git a/channels.c b/channels.c
index 3710b2f..ea39529 100644
--- a/channels.c
+++ b/channels.c
@@ -17,13 +17,12 @@
*/
#include "includes.h"
-RCSID("$OpenBSD: channels.c,v 1.63 2000/06/25 20:17:57 provos Exp $");
+RCSID("$OpenBSD: channels.c,v 1.64 2000/07/16 08:27:21 markus Exp $");
#include "ssh.h"
#include "packet.h"
#include "xmalloc.h"
#include "buffer.h"
-#include "authfd.h"
#include "uidswap.h"
#include "readconf.h"
#include "servconf.h"
@@ -34,6 +33,11 @@
#include "ssh2.h"
+#include <openssl/rsa.h>
+#include <openssl/dsa.h>
+#include "key.h"
+#include "authfd.h"
+
/* Maximum number of fake X11 displays to try. */
#define MAX_DISPLAYS 1000
diff --git a/clientloop.c b/clientloop.c
index f7ac7b3..67fa36d 100644
--- a/clientloop.c
+++ b/clientloop.c
@@ -16,13 +16,12 @@
*/
#include "includes.h"
-RCSID("$OpenBSD: clientloop.c,v 1.28 2000/07/13 23:14:08 provos Exp $");
+RCSID("$OpenBSD: clientloop.c,v 1.29 2000/07/16 08:27:21 markus Exp $");
#include "xmalloc.h"
#include "ssh.h"
#include "packet.h"
#include "buffer.h"
-#include "authfd.h"
#include "readconf.h"
#include "ssh2.h"
@@ -30,7 +29,6 @@
#include "channels.h"
#include "dispatch.h"
-
/* Flag indicating that stdin should be redirected from /dev/null. */
extern int stdin_null_flag;
diff --git a/dsa.c b/dsa.c
index c1c37bc..5ce7abf 100644
--- a/dsa.c
+++ b/dsa.c
@@ -28,7 +28,7 @@
*/
#include "includes.h"
-RCSID("$OpenBSD: dsa.c,v 1.9 2000/06/20 01:39:41 markus Exp $");
+RCSID("$OpenBSD: dsa.c,v 1.10 2000/07/20 00:33:12 markus Exp $");
#include "ssh.h"
#include "xmalloc.h"
@@ -53,8 +53,7 @@
#define SIGBLOB_LEN (2*INTBLOB_LEN)
Key *
-dsa_key_from_blob(
- char *blob, int blen)
+dsa_key_from_blob(char *blob, int blen)
{
Buffer b;
char *ktype;
@@ -66,16 +65,17 @@
dump_base64(stderr, blob, blen);
#endif
/* fetch & parse DSA/DSS pubkey */
- key = key_new(KEY_DSA);
- dsa = key->dsa;
buffer_init(&b);
buffer_append(&b, blob, blen);
ktype = buffer_get_string(&b, NULL);
if (strcmp(KEX_DSS, ktype) != 0) {
error("dsa_key_from_blob: cannot handle type %s", ktype);
- key_free(key);
+ buffer_free(&b);
+ xfree(ktype);
return NULL;
}
+ key = key_new(KEY_DSA);
+ dsa = key->dsa;
buffer_get_bignum2(&b, dsa->p);
buffer_get_bignum2(&b, dsa->q);
buffer_get_bignum2(&b, dsa->g);
@@ -84,8 +84,8 @@
if(rlen != 0)
error("dsa_key_from_blob: remaining bytes in key blob %d", rlen);
buffer_free(&b);
+ xfree(ktype);
- debug("keytype %s", ktype);
#ifdef DEBUG_DSS
DSA_print_fp(stderr, dsa, 8);
#endif
diff --git a/ssh-add.c b/ssh-add.c
index a5d785c..482229c 100644
--- a/ssh-add.c
+++ b/ssh-add.c
@@ -7,7 +7,7 @@
*/
#include "includes.h"
-RCSID("$OpenBSD: ssh-add.c,v 1.17 2000/06/20 01:39:44 markus Exp $");
+RCSID("$OpenBSD: ssh-add.c,v 1.18 2000/07/16 08:27:21 markus Exp $");
#include <openssl/rsa.h>
#include <openssl/dsa.h>
@@ -15,9 +15,9 @@
#include "rsa.h"
#include "ssh.h"
#include "xmalloc.h"
-#include "authfd.h"
#include "fingerprint.h"
#include "key.h"
+#include "authfd.h"
#include "authfile.h"
#ifdef HAVE___PROGNAME
@@ -102,11 +102,17 @@
char buf[1024], msg[1024];
int success;
int interactive = isatty(STDIN_FILENO);
+ int type = KEY_RSA;
+ /*
+ * try to load the public key. right now this only works for RSA,
+ * since DSA keys are fully encrypted
+ */
public = key_new(KEY_RSA);
if (!load_public_key(filename, public, &saved_comment)) {
- printf("Bad key file %s: %s\n", filename, strerror(errno));
- return;
+ /* ok, so we will asume this is a DSA key */
+ type = KEY_DSA;
+ saved_comment = xstrdup(filename);
}
key_free(public);
@@ -118,7 +124,7 @@
}
/* At first, try empty passphrase */
- private = key_new(KEY_RSA);
+ private = key_new(type);
success = load_private_key(filename, "", private, &comment);
if (!success) {
printf("Need passphrase for %.200s\n", filename);
@@ -150,7 +156,7 @@
}
xfree(saved_comment);
- if (ssh_add_identity(ac, private->rsa, comment))
+ if (ssh_add_identity(ac, private, comment))
fprintf(stderr, "Identity added: %s (%s)\n", filename, comment);
else
fprintf(stderr, "Could not add identity: %s\n", filename);
diff --git a/ssh-agent.c b/ssh-agent.c
index 148bcff..e8383b5 100644
--- a/ssh-agent.c
+++ b/ssh-agent.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh-agent.c,v 1.31 2000/04/29 18:11:52 markus Exp $ */
+/* $OpenBSD: ssh-agent.c,v 1.32 2000/07/16 08:27:21 markus Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
@@ -9,11 +9,10 @@
*/
#include "includes.h"
-RCSID("$OpenBSD: ssh-agent.c,v 1.31 2000/04/29 18:11:52 markus Exp $");
+RCSID("$OpenBSD: ssh-agent.c,v 1.32 2000/07/16 08:27:21 markus Exp $");
#include "ssh.h"
#include "rsa.h"
-#include "authfd.h"
#include "buffer.h"
#include "bufaux.h"
#include "xmalloc.h"
@@ -22,6 +21,10 @@
#include "mpaux.h"
#include <openssl/md5.h>
+#include <openssl/dsa.h>
+#include <openssl/rsa.h>
+#include "key.h"
+#include "authfd.h"
typedef struct {
int fd;
diff --git a/ssh.c b/ssh.c
index c2faf38..58e4d7b 100644
--- a/ssh.c
+++ b/ssh.c
@@ -11,7 +11,7 @@
*/
#include "includes.h"
-RCSID("$OpenBSD: ssh.c,v 1.57 2000/07/15 04:01:37 djm Exp $");
+RCSID("$OpenBSD: ssh.c,v 1.58 2000/07/16 08:27:22 markus Exp $");
#include <openssl/evp.h>
#include <openssl/dsa.h>
@@ -21,7 +21,6 @@
#include "ssh.h"
#include "packet.h"
#include "buffer.h"
-#include "authfd.h"
#include "readconf.h"
#include "uidswap.h"
@@ -29,6 +28,7 @@
#include "compat.h"
#include "channels.h"
#include "key.h"
+#include "authfd.h"
#include "authfile.h"
#ifdef HAVE___PROGNAME
diff --git a/sshconnect1.c b/sshconnect1.c
index 4360d72..aaebf17 100644
--- a/sshconnect1.c
+++ b/sshconnect1.c
@@ -9,7 +9,7 @@
*/
#include "includes.h"
-RCSID("$OpenBSD: sshconnect1.c,v 1.3 2000/05/08 17:12:16 markus Exp $");
+RCSID("$OpenBSD: sshconnect1.c,v 1.4 2000/07/16 08:27:22 markus Exp $");
#include <openssl/bn.h>
#include <openssl/dsa.h>
@@ -21,12 +21,12 @@
#include "ssh.h"
#include "buffer.h"
#include "packet.h"
-#include "authfd.h"
#include "cipher.h"
#include "mpaux.h"
#include "uidswap.h"
#include "readconf.h"
#include "key.h"
+#include "authfd.h"
#include "sshconnect.h"
#include "authfile.h"
diff --git a/sshconnect2.c b/sshconnect2.c
index ae96d53..22ad39e 100644
--- a/sshconnect2.c
+++ b/sshconnect2.c
@@ -28,7 +28,7 @@
*/
#include "includes.h"
-RCSID("$OpenBSD: sshconnect2.c,v 1.15 2000/06/21 16:46:10 markus Exp $");
+RCSID("$OpenBSD: sshconnect2.c,v 1.16 2000/07/16 08:27:22 markus Exp $");
#include <openssl/bn.h>
#include <openssl/rsa.h>
@@ -286,40 +286,20 @@
return 1;
}
-int
-ssh2_try_pubkey(char *filename,
+typedef int sign_fn(
+ Key *key,
+ unsigned char **sigp, int *lenp,
+ unsigned char *data, int datalen);
+
+void
+ssh2_sign_and_send_pubkey(Key *k, sign_fn *do_sign,
const char *server_user, const char *host, const char *service)
{
Buffer b;
- Key *k;
unsigned char *blob, *signature;
int bloblen, slen;
- struct stat st;
int skip = 0;
- if (stat(filename, &st) != 0) {
- debug("key does not exist: %s", filename);
- return 0;
- }
- debug("try pubkey: %s", filename);
-
- k = key_new(KEY_DSA);
- if (!load_private_key(filename, "", k, NULL)) {
- int success = 0;
- char *passphrase;
- char prompt[300];
- snprintf(prompt, sizeof prompt,
- "Enter passphrase for DSA key '%.100s': ",
- filename);
- passphrase = read_passphrase(prompt, 0);
- success = load_private_key(filename, passphrase, k, NULL);
- memset(passphrase, 0, strlen(passphrase));
- xfree(passphrase);
- if (!success) {
- key_free(k);
- return 0;
- }
- }
dsa_make_key_blob(k, &blob, &bloblen);
/* data to be signed */
@@ -343,8 +323,8 @@
buffer_put_string(&b, blob, bloblen);
/* generate signature */
- dsa_sign(k, &signature, &slen, buffer_ptr(&b), buffer_len(&b));
- key_free(k);
+ do_sign(k, &signature, &slen, buffer_ptr(&b), buffer_len(&b));
+ key_free(k); /* XXX */
#ifdef DEBUG_DSS
buffer_dump(&b);
#endif
@@ -377,6 +357,39 @@
/* send */
packet_send();
packet_write_wait();
+}
+
+int
+ssh2_try_pubkey(char *filename,
+ const char *server_user, const char *host, const char *service)
+{
+ Key *k;
+ struct stat st;
+
+ if (stat(filename, &st) != 0) {
+ debug("key does not exist: %s", filename);
+ return 0;
+ }
+ debug("try pubkey: %s", filename);
+
+ k = key_new(KEY_DSA);
+ if (!load_private_key(filename, "", k, NULL)) {
+ int success = 0;
+ char *passphrase;
+ char prompt[300];
+ snprintf(prompt, sizeof prompt,
+ "Enter passphrase for DSA key '%.100s': ",
+ filename);
+ passphrase = read_passphrase(prompt, 0);
+ success = load_private_key(filename, passphrase, k, NULL);
+ memset(passphrase, 0, strlen(passphrase));
+ xfree(passphrase);
+ if (!success) {
+ key_free(k);
+ return 0;
+ }
+ }
+ ssh2_sign_and_send_pubkey(k, dsa_sign, server_user, host, service);
return 1;
}
diff --git a/sshd.c b/sshd.c
index cab0dd6..b6db074 100644
--- a/sshd.c
+++ b/sshd.c
@@ -14,7 +14,7 @@
*/
#include "includes.h"
-RCSID("$OpenBSD: sshd.c,v 1.122 2000/07/11 08:11:34 deraadt Exp $");
+RCSID("$OpenBSD: sshd.c,v 1.123 2000/07/18 01:25:01 djm Exp $");
#include "xmalloc.h"
#include "rsa.h"
@@ -642,6 +642,7 @@
s2 = dup(s1);
sock_in = dup(0);
sock_out = dup(1);
+ startup_pipe = -1;
/*
* We intentionally do not close the descriptors 0, 1, and 2
* as our code for setting the descriptors won\'t work if