author: Dag-Erling Smørgrav <des@FreeBSD.org> 2018-05-08 23:13:11 +0000
committer: Dag-Erling Smørgrav <des@FreeBSD.org> 2018-05-08 23:13:11 +0000
commit: 4f52dfbb8d6c4d446500c5b097e3806ec219fbd4 (patch)
tree: 3d0f4c2a20549b73d485fc90aa0998746af9a217 /crypto/openssh/authfd.c
parent: 57b493651403c93009b81f8a4d1df5592f6573f5 (diff)
parent: 20adc8f2a99cd37b64a80ef63dfc5ba6627d4dfb (diff)
download: src-test2-4f52dfbb8d6c4d446500c5b097e3806ec219fbd4.tar.gz
src-test2-4f52dfbb8d6c4d446500c5b097e3806ec219fbd4.zip
1 files changed, 18 insertions, 156 deletions
diff --git a/crypto/openssh/authfd.c b/crypto/openssh/authfd.c
index a634bcb81c58..a460fa350c8a 100644
--- a/crypto/openssh/authfd.c
+++ b/crypto/openssh/authfd.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: authfd.c,v 1.100 2015/12/04 16:41:28 markus Exp $ */
+/* $OpenBSD: authfd.c,v 1.105 2017/07/01 13:50:45 djm Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -51,7 +51,6 @@
 
 #include "xmalloc.h"
 #include "ssh.h"
-#include "rsa.h"
 #include "sshbuf.h"
 #include "sshkey.h"
 #include "authfd.h"
@@ -199,43 +198,6 @@ ssh_lock_agent(int sock, int lock, const char *password)
 	return r;
 }
 
-#ifdef WITH_SSH1
-static int
-deserialise_identity1(struct sshbuf *ids, struct sshkey **keyp, char **commentp)
-{
-	struct sshkey *key;
-	int r, keybits;
-	u_int32_t bits;
-	char *comment = NULL;
-
-	if ((key = sshkey_new(KEY_RSA1)) == NULL)
-		return SSH_ERR_ALLOC_FAIL;
-	if ((r = sshbuf_get_u32(ids, &bits)) != 0 ||
-	    (r = sshbuf_get_bignum1(ids, key->rsa->e)) != 0 ||
-	    (r = sshbuf_get_bignum1(ids, key->rsa->n)) != 0 ||
-	    (r = sshbuf_get_cstring(ids, &comment, NULL)) != 0)
-		goto out;
-	keybits = BN_num_bits(key->rsa->n);
-	/* XXX previously we just warned here. I think we should be strict */
-	if (keybits < 0 || bits != (u_int)keybits) {
-		r = SSH_ERR_KEY_BITS_MISMATCH;
-		goto out;
-	}
-	if (keyp != NULL) {
-		*keyp = key;
-		key = NULL;
-	}
-	if (commentp != NULL) {
-		*commentp = comment;
-		comment = NULL;
-	}
-	r = 0;
- out:
-	sshkey_free(key);
-	free(comment);
-	return r;
-}
-#endif
 
 static int
 deserialise_identity2(struct sshbuf *ids, struct sshkey **keyp, char **commentp)
@@ -264,35 +226,21 @@ deserialise_identity2(struct sshbuf *ids, struct sshkey **keyp, char **commentp)
  * Fetch list of identities held by the agent.
  */
 int
-ssh_fetch_identitylist(int sock, int version, struct ssh_identitylist **idlp)
+ssh_fetch_identitylist(int sock, struct ssh_identitylist **idlp)
 {
-	u_char type, code1 = 0, code2 = 0;
+	u_char type;
 	u_int32_t num, i;
 	struct sshbuf *msg;
 	struct ssh_identitylist *idl = NULL;
 	int r;
 
-	/* Determine request and expected response types */
-	switch (version) {
-	case 1:
-		code1 = SSH_AGENTC_REQUEST_RSA_IDENTITIES;
-		code2 = SSH_AGENT_RSA_IDENTITIES_ANSWER;
-		break;
-	case 2:
-		code1 = SSH2_AGENTC_REQUEST_IDENTITIES;
-		code2 = SSH2_AGENT_IDENTITIES_ANSWER;
-		break;
-	default:
-		return SSH_ERR_INVALID_ARGUMENT;
-	}
-
 	/*
 	 * Send a message to the agent requesting for a list of the
 	 * identities it can represent.
 	 */
 	if ((msg = sshbuf_new()) == NULL)
 		return SSH_ERR_ALLOC_FAIL;
-	if ((r = sshbuf_put_u8(msg, code1)) != 0)
+	if ((r = sshbuf_put_u8(msg, SSH2_AGENTC_REQUEST_IDENTITIES)) != 0)
 		goto out;
 
 	if ((r = ssh_request_reply(sock, msg, msg)) != 0)
@@ -304,7 +252,7 @@ ssh_fetch_identitylist(int sock, int version, struct ssh_identitylist **idlp)
 	if (agent_failed(type)) {
 		r = SSH_ERR_AGENT_FAILURE;
 		goto out;
-	} else if (type != code2) {
+	} else if (type != SSH2_AGENT_IDENTITIES_ANSWER) {
 		r = SSH_ERR_INVALID_FORMAT;
 		goto out;
 	}
@@ -329,25 +277,14 @@ ssh_fetch_identitylist(int sock, int version, struct ssh_identitylist **idlp)
 		goto out;
 	}
 	for (i = 0; i < num;) {
-		switch (version) {
-		case 1:
-#ifdef WITH_SSH1
-			if ((r = deserialise_identity1(msg,
-			    &(idl->keys[i]), &(idl->comments[i]))) != 0)
+		if ((r = deserialise_identity2(msg, &(idl->keys[i]),
+		    &(idl->comments[i]))) != 0) {
+			if (r == SSH_ERR_KEY_TYPE_UNKNOWN) {
+				/* Gracefully skip unknown key types */
+				num--;
+				continue;
+			} else
 				goto out;
-#endif
-			break;
-		case 2:
-			if ((r = deserialise_identity2(msg,
-			    &(idl->keys[i]), &(idl->comments[i]))) != 0) {
-				if (r == SSH_ERR_KEY_TYPE_UNKNOWN) {
-					/* Gracefully skip unknown key types */
-					num--;
-					continue;
-				} else
-					goto out;
-			}
-			break;
 		}
 		i++;
 	}
@@ -385,50 +322,10 @@ ssh_free_identitylist(struct ssh_identitylist *idl)
  * otherwise.
  */
 
-#ifdef WITH_SSH1
-int
-ssh_decrypt_challenge(int sock, struct sshkey* key, BIGNUM *challenge,
-    u_char session_id[16], u_char response[16])
-{
-	struct sshbuf *msg;
-	int r;
-	u_char type;
-
-	if (key->type != KEY_RSA1)
-		return SSH_ERR_INVALID_ARGUMENT;
-	if ((msg = sshbuf_new()) == NULL)
-		return SSH_ERR_ALLOC_FAIL;
-	if ((r = sshbuf_put_u8(msg, SSH_AGENTC_RSA_CHALLENGE)) != 0 ||
-	    (r = sshbuf_put_u32(msg, BN_num_bits(key->rsa->n))) != 0 ||
-	    (r = sshbuf_put_bignum1(msg, key->rsa->e)) != 0 ||
-	    (r = sshbuf_put_bignum1(msg, key->rsa->n)) != 0 ||
-	    (r = sshbuf_put_bignum1(msg, challenge)) != 0 ||
-	    (r = sshbuf_put(msg, session_id, 16)) != 0 ||
-	    (r = sshbuf_put_u32(msg, 1)) != 0) /* Response type for proto 1.1 */
-		goto out;
-	if ((r = ssh_request_reply(sock, msg, msg)) != 0)
-		goto out;
-	if ((r = sshbuf_get_u8(msg, &type)) != 0)
-		goto out;
-	if (agent_failed(type)) {
-		r = SSH_ERR_AGENT_FAILURE;
-		goto out;
-	} else if (type != SSH_AGENT_RSA_RESPONSE) {
-		r = SSH_ERR_INVALID_FORMAT;
-		goto out;
-	}
-	if ((r = sshbuf_get(msg, response, 16)) != 0)
-		goto out;
-	r = 0;
- out:
-	sshbuf_free(msg);
-	return r;
-}
-#endif
 
 /* encode signature algoritm in flag bits, so we can keep the msg format */
 static u_int
-agent_encode_alg(struct sshkey *key, const char *alg)
+agent_encode_alg(const struct sshkey *key, const char *alg)
 {
 	if (alg != NULL && key->type == KEY_RSA) {
 		if (strcmp(alg, "rsa-sha2-256") == 0)
@@ -441,7 +338,7 @@ agent_encode_alg(struct sshkey *key, const char *alg)
 
 /* ask agent to sign data, returns err.h code on error, 0 on success */
 int
-ssh_agent_sign(int sock, struct sshkey *key,
+ssh_agent_sign(int sock, const struct sshkey *key,
     u_char **sigp, size_t *lenp,
     const u_char *data, size_t datalen, const char *alg, u_int compat)
 {
@@ -494,25 +391,6 @@ ssh_agent_sign(int sock, struct sshkey *key,
 
 /* Encode key for a message to the agent. */
 
-#ifdef WITH_SSH1
-static int
-ssh_encode_identity_rsa1(struct sshbuf *b, RSA *key, const char *comment)
-{
-	int r;
-
-	/* To keep within the protocol: p < q for ssh. in SSL p > q */
-	if ((r = sshbuf_put_u32(b, BN_num_bits(key->n))) != 0 ||
-	    (r = sshbuf_put_bignum1(b, key->n)) != 0 ||
-	    (r = sshbuf_put_bignum1(b, key->e)) != 0 ||
-	    (r = sshbuf_put_bignum1(b, key->d)) != 0 ||
-	    (r = sshbuf_put_bignum1(b, key->iqmp)) != 0 ||
-	    (r = sshbuf_put_bignum1(b, key->q)) != 0 ||
-	    (r = sshbuf_put_bignum1(b, key->p)) != 0 ||
-	    (r = sshbuf_put_cstring(b, comment)) != 0)
-		return r;
-	return 0;
-}
-#endif
 
 static int
 ssh_encode_identity_ssh2(struct sshbuf *b, struct sshkey *key,
@@ -561,16 +439,6 @@ ssh_add_identity_constrained(int sock, struct sshkey *key, const char *comment,
 		return SSH_ERR_ALLOC_FAIL;
 
 	switch (key->type) {
-#ifdef WITH_SSH1
-	case KEY_RSA1:
-		type = constrained ?
-		    SSH_AGENTC_ADD_RSA_ID_CONSTRAINED :
-		    SSH_AGENTC_ADD_RSA_IDENTITY;
-		if ((r = sshbuf_put_u8(msg, type)) != 0 ||
-		    (r = ssh_encode_identity_rsa1(msg, key->rsa, comment)) != 0)
-			goto out;
-		break;
-#endif
 #ifdef WITH_OPENSSL
 	case KEY_RSA:
 	case KEY_RSA_CERT:
@@ -620,16 +488,6 @@ ssh_remove_identity(int sock, struct sshkey *key)
 	if ((msg = sshbuf_new()) == NULL)
 		return SSH_ERR_ALLOC_FAIL;
 
-#ifdef WITH_SSH1
-	if (key->type == KEY_RSA1) {
-		if ((r = sshbuf_put_u8(msg,
-		    SSH_AGENTC_REMOVE_RSA_IDENTITY)) != 0 ||
-		    (r = sshbuf_put_u32(msg, BN_num_bits(key->rsa->n))) != 0 ||
-		    (r = sshbuf_put_bignum1(msg, key->rsa->e)) != 0 ||
-		    (r = sshbuf_put_bignum1(msg, key->rsa->n)) != 0)
-			goto out;
-	} else
-#endif
 	if (key->type != KEY_UNSPEC) {
 		if ((r = sshkey_to_blob(key, &blob, &blen)) != 0)
 			goto out;
@@ -696,6 +554,10 @@ ssh_update_card(int sock, int add, const char *reader_id, const char *pin,
 /*
  * Removes all identities from the agent.
  * This call is intended only for use by ssh-add(1) and like applications.
+ *
+ * This supports the SSH protocol 1 message to because, when clearing all
+ * keys from an agent, we generally want to clear both protocol v1 and v2
+ * keys.
  */
 int
 ssh_remove_all_identities(int sock, int version)
author	Dag-Erling Smørgrav <des@FreeBSD.org>	2018-05-08 23:13:11 +0000
committer	Dag-Erling Smørgrav <des@FreeBSD.org>	2018-05-08 23:13:11 +0000
commit	4f52dfbb8d6c4d446500c5b097e3806ec219fbd4 (patch)
tree	3d0f4c2a20549b73d485fc90aa0998746af9a217 /crypto/openssh/authfd.c
parent	57b493651403c93009b81f8a4d1df5592f6573f5 (diff)
parent	20adc8f2a99cd37b64a80ef63dfc5ba6627d4dfb (diff)
download	src-test2-4f52dfbb8d6c4d446500c5b097e3806ec219fbd4.tar.gz src-test2-4f52dfbb8d6c4d446500c5b097e3806ec219fbd4.zip