summaryrefslogtreecommitdiff
path: root/sshconnect1.c
diff options
context:
space:
mode:
authordjm@openbsd.org <djm@openbsd.org>2015-01-14 20:05:27 +0000
committerDamien Miller <djm@mindrot.org>2015-01-15 21:37:34 +1100
commit141efe49542f7156cdbc2e4cd0a041d8b1aab622 (patch)
treea9142350f2b8689f4d42548ca272ed577b32a881 /sshconnect1.c
parent0088c57af302cda278bd26d8c3ae81d5b6f7c289 (diff)
upstream commit
move authfd.c and its tentacles to the new buffer/key API; ok markus@
Diffstat (limited to 'sshconnect1.c')
-rw-r--r--sshconnect1.c72
1 files changed, 41 insertions, 31 deletions
diff --git a/sshconnect1.c b/sshconnect1.c
index 08589f5e..016abbce 100644
--- a/sshconnect1.c
+++ b/sshconnect1.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sshconnect1.c,v 1.76 2014/07/15 15:54:14 millert Exp $ */
+/* $OpenBSD: sshconnect1.c,v 1.77 2015/01/14 20:05:27 djm Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -22,6 +22,7 @@
#include <openssl/bn.h>
+#include <errno.h>
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
@@ -49,6 +50,7 @@
#include "hostfile.h"
#include "auth.h"
#include "digest.h"
+#include "ssherr.h"
/* Session id for the current session. */
u_char session_id[16];
@@ -64,33 +66,38 @@ extern char *__progname;
static int
try_agent_authentication(void)
{
- int type;
- char *comment;
- AuthenticationConnection *auth;
+ int r, type, agent_fd, ret = 0;
u_char response[16];
- u_int i;
- Key *key;
+ size_t i;
BIGNUM *challenge;
+ struct ssh_identitylist *idlist = NULL;
/* Get connection to the agent. */
- auth = ssh_get_authentication_connection();
- if (!auth)
+ if ((r = ssh_get_authentication_socket(&agent_fd)) != 0) {
+ if (r != SSH_ERR_AGENT_NOT_PRESENT)
+ debug("%s: ssh_get_authentication_socket: %s",
+ __func__, ssh_err(r));
return 0;
+ }
if ((challenge = BN_new()) == NULL)
fatal("try_agent_authentication: BN_new failed");
- /* Loop through identities served by the agent. */
- for (key = ssh_get_first_identity(auth, &comment, 1);
- key != NULL;
- key = ssh_get_next_identity(auth, &comment, 1)) {
+ /* Loop through identities served by the agent. */
+ if ((r = ssh_fetch_identitylist(agent_fd, 1, &idlist)) != 0) {
+ if (r != SSH_ERR_AGENT_NO_IDENTITIES)
+ debug("%s: ssh_fetch_identitylist: %s",
+ __func__, ssh_err(r));
+ goto out;
+ }
+ for (i = 0; i < idlist->nkeys; i++) {
/* Try this identity. */
- debug("Trying RSA authentication via agent with '%.100s'", comment);
- free(comment);
+ debug("Trying RSA authentication via agent with '%.100s'",
+ idlist->comments[i]);
/* Tell the server that we are willing to authenticate using this key. */
packet_start(SSH_CMSG_AUTH_RSA);
- packet_put_bignum(key->rsa->n);
+ packet_put_bignum(idlist->keys[i]->rsa->n);
packet_send();
packet_write_wait();
@@ -101,7 +108,6 @@ try_agent_authentication(void)
does not support RSA authentication. */
if (type == SSH_SMSG_FAILURE) {
debug("Server refused our key.");
- key_free(key);
continue;
}
/* Otherwise it should have sent a challenge. */
@@ -115,16 +121,17 @@ try_agent_authentication(void)
debug("Received RSA challenge from server.");
/* Ask the agent to decrypt the challenge. */
- if (!ssh_decrypt_challenge(auth, key, challenge, session_id, 1, response)) {
+ if ((r = ssh_decrypt_challenge(agent_fd, idlist->keys[i],
+ challenge, session_id, response)) != 0) {
/*
* The agent failed to authenticate this identifier
* although it advertised it supports this. Just
* return a wrong value.
*/
- logit("Authentication agent failed to decrypt challenge.");
+ logit("Authentication agent failed to decrypt "
+ "challenge: %s", ssh_err(r));
explicit_bzero(response, sizeof(response));
}
- key_free(key);
debug("Sending response to RSA challenge.");
/* Send the decrypted challenge back to the server. */
@@ -137,22 +144,25 @@ try_agent_authentication(void)
/* Wait for response from the server. */
type = packet_read();
- /* The server returns success if it accepted the authentication. */
+ /*
+ * The server returns success if it accepted the
+ * authentication.
+ */
if (type == SSH_SMSG_SUCCESS) {
- ssh_close_authentication_connection(auth);
- BN_clear_free(challenge);
debug("RSA authentication accepted by server.");
- return 1;
- }
- /* Otherwise it should return failure. */
- if (type != SSH_SMSG_FAILURE)
- packet_disconnect("Protocol error waiting RSA auth response: %d",
- type);
+ ret = 1;
+ break;
+ } else if (type != SSH_SMSG_FAILURE)
+ packet_disconnect("Protocol error waiting RSA auth "
+ "response: %d", type);
}
- ssh_close_authentication_connection(auth);
+ if (ret != 1)
+ debug("RSA authentication using agent refused.");
+ out:
+ ssh_free_identitylist(idlist);
+ ssh_close_authentication_socket(agent_fd);
BN_clear_free(challenge);
- debug("RSA authentication using agent refused.");
- return 0;
+ return ret;
}
/*