-/* $OpenBSD: sshconnect2.c,v 1.162 2006/08/30 00:06:51 dtucker Exp $ */
+/* $OpenBSD: sshconnect2.c,v 1.171 2009/03/05 07:18:19 djm Exp $ */
/*
* Copyright (c) 2000 Markus Friedl. All rights reserved.
+ * Copyright (c) 2008 Damien Miller. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
#include <sys/stat.h>
#include <errno.h>
+#include <netdb.h>
#include <pwd.h>
#include <signal.h>
#include <stdarg.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
+#if defined(HAVE_STRNVIS) && defined(HAVE_VIS_H)
+#include <vis.h>
+#endif
#include "openbsd-compat/sys-queue.h"
#include "msg.h"
#include "pathnames.h"
#include "uidswap.h"
+#include "schnorr.h"
+#include "jpake.h"
#ifdef GSSAPI
#include "ssh-gss.h"
extern int tty_flag;
+/* tty_flag is set in ssh.c. use this in ssh_userauth2 */
+/* if it is set then prevent the switch to the null cipher */
+
+extern int tty_flag;
+
+/* tty_flag is set in ssh.c. use this in ssh_userauth2 */
+/* if it is set then prevent the switch to the null cipher */
+
+extern int tty_flag;
+
/*
* SSH2 key exchange
*/
else
gss_host = host;
- gss = ssh_gssapi_client_mechanisms(gss_host);
+ gss = ssh_gssapi_client_mechanisms(gss_host, options.gss_client_identity);
if (gss) {
debug("Offering GSSAPI proposal: %s", gss);
xasprintf(&myproposal[PROPOSAL_KEX_ALGS],
if (options.ciphers != NULL) {
myproposal[PROPOSAL_ENC_ALGS_CTOS] =
myproposal[PROPOSAL_ENC_ALGS_STOC] = options.ciphers;
- }
-
+ }
myproposal[PROPOSAL_ENC_ALGS_CTOS] =
compat_cipher_proposal(myproposal[PROPOSAL_ENC_ALGS_CTOS]);
myproposal[PROPOSAL_ENC_ALGS_STOC] =
orig = myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS];
xasprintf(&myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS],
"%s,null", orig);
+ xfree(gss);
}
#endif
if (options.rekey_limit)
- packet_set_rekey_limit(options.rekey_limit);
+ packet_set_rekey_limit((u_int32_t)options.rekey_limit);
/* start key exchange */
kex = kex_setup(myproposal);
kex->kex[KEX_DH_GEX_SHA1] = kexgex_client;
kex->kex[KEX_DH_GEX_SHA256] = kexgex_client;
#ifdef GSSAPI
- kex->kex[KEX_GSS_GRP1_SHA1] = kexgss_client;
- kex->kex[KEX_GSS_GRP14_SHA1] = kexgss_client;
- kex->kex[KEX_GSS_GEX_SHA1] = kexgss_client;
+ if (options.gss_keyex) {
+ kex->kex[KEX_GSS_GRP1_SHA1] = kexgss_client;
+ kex->kex[KEX_GSS_GRP14_SHA1] = kexgss_client;
+ kex->kex[KEX_GSS_GEX_SHA1] = kexgss_client;
+ }
#endif
kex->client_version_string=client_version_string;
kex->server_version_string=server_version_string;
kex->verify_host_key=&verify_host_key_callback;
#ifdef GSSAPI
- kex->gss_deleg_creds = options.gss_deleg_creds;
- kex->gss_trust_dns = options.gss_trust_dns;
- kex->gss_host = gss_host;
+ if (options.gss_keyex) {
+ kex->gss_deleg_creds = options.gss_deleg_creds;
+ kex->gss_trust_dns = options.gss_trust_dns;
+ kex->gss_client = options.gss_client_identity;
+ kex->gss_host = gss_host;
+ }
#endif
xxx_kex = kex;
struct Authmethod {
char *name; /* string to compare against server's list */
int (*userauth)(Authctxt *authctxt);
+ void (*cleanup)(Authctxt *authctxt);
int *enabled; /* flag in option struct that enables method */
int *batch_flag; /* flag in option struct that disables method */
};
void input_userauth_info_req(int, u_int32_t, void *);
void input_userauth_pk_ok(int, u_int32_t, void *);
void input_userauth_passwd_changereq(int, u_int32_t, void *);
+void input_userauth_jpake_server_step1(int, u_int32_t, void *);
+void input_userauth_jpake_server_step2(int, u_int32_t, void *);
+void input_userauth_jpake_server_confirm(int, u_int32_t, void *);
int userauth_none(Authctxt *);
int userauth_pubkey(Authctxt *);
int userauth_passwd(Authctxt *);
int userauth_kbdint(Authctxt *);
int userauth_hostbased(Authctxt *);
-int userauth_kerberos(Authctxt *);
+int userauth_jpake(Authctxt *);
+
+void userauth_jpake_cleanup(Authctxt *);
#ifdef GSSAPI
int userauth_external(Authctxt *authctxt);
#ifdef GSSAPI
{"gssapi-keyex",
userauth_gsskeyex,
+ NULL,
&options.gss_authentication,
NULL},
{"external-keyx",
userauth_external,
+ NULL,
&options.gss_authentication,
NULL},
{"gssapi-with-mic",
userauth_gssapi,
+ NULL,
&options.gss_authentication,
NULL},
{"gssapi",
userauth_gssapi,
+ NULL,
&options.gss_authentication,
NULL},
#endif
{"hostbased",
userauth_hostbased,
+ NULL,
&options.hostbased_authentication,
NULL},
{"publickey",
userauth_pubkey,
+ NULL,
&options.pubkey_authentication,
NULL},
+#ifdef JPAKE
+ {"jpake-01@openssh.com",
+ userauth_jpake,
+ userauth_jpake_cleanup,
+ &options.zero_knowledge_password_authentication,
+ &options.batch_mode},
+#endif
{"keyboard-interactive",
userauth_kbdint,
+ NULL,
&options.kbd_interactive_authentication,
&options.batch_mode},
{"password",
userauth_passwd,
+ NULL,
&options.password_authentication,
&options.batch_mode},
{"none",
userauth_none,
NULL,
+ NULL,
NULL},
- {NULL, NULL, NULL, NULL}
+ {NULL, NULL, NULL, NULL, NULL}
};
void
void
userauth(Authctxt *authctxt, char *authlist)
{
+ if (authctxt->method != NULL && authctxt->method->cleanup != NULL)
+ authctxt->method->cleanup(authctxt);
+
if (authctxt->methoddata) {
xfree(authctxt->methoddata);
authctxt->methoddata = NULL;
}
}
+/* ARGSUSED */
void
input_userauth_error(int type, u_int32_t seq, void *ctxt)
{
"type %d", type);
}
+/* ARGSUSED */
void
input_userauth_banner(int type, u_int32_t seq, void *ctxt)
{
- char *msg, *lang;
+ char *msg, *raw, *lang;
+ u_int len;
debug3("input_userauth_banner");
- msg = packet_get_string(NULL);
+ raw = packet_get_string(&len);
lang = packet_get_string(NULL);
- if (options.log_level >= SYSLOG_LEVEL_INFO)
+ if (len > 0 && options.log_level >= SYSLOG_LEVEL_INFO) {
+ if (len > 65536)
+ len = 65536;
+ msg = xmalloc(len * 4 + 1); /* max expansion from strnvis() */
+ strnvis(msg, raw, len * 4 + 1, VIS_SAFE|VIS_OCTAL);
fprintf(stderr, "%s", msg);
- xfree(msg);
+ xfree(msg);
+ }
+ xfree(raw);
xfree(lang);
}
+/* ARGSUSED */
void
input_userauth_success(int type, u_int32_t seq, void *ctxt)
{
authctxt->success = 1; /* break out */
}
+/* ARGSUSED */
void
input_userauth_failure(int type, u_int32_t seq, void *ctxt)
{
userauth(authctxt, authlist);
}
+
+/* ARGSUSED */
void
input_userauth_pk_ok(int type, u_int32_t seq, void *ctxt)
{
* once. */
if (gss_supported == NULL)
- gss_indicate_mechs(&min, &gss_supported);
+ if (GSS_ERROR(gss_indicate_mechs(&min, &gss_supported))) {
+ gss_supported = NULL;
+ return 0;
+ }
/* Check to see if the mechanism is usable before we offer it */
while (mech < gss_supported->count && !ok) {
/* My DER encoding requires length<128 */
if (gss_supported->elements[mech].length < 128 &&
ssh_gssapi_check_mechanism(&gssctxt,
- &gss_supported->elements[mech], gss_host)) {
+ &gss_supported->elements[mech], gss_host,
+ options.gss_client_identity)) {
ok = 1; /* Mechanism works */
} else {
mech++;
return status;
}
+/* ARGSUSED */
void
input_gssapi_response(int type, u_int32_t plen, void *ctxt)
{
}
}
+/* ARGSUSED */
void
input_gssapi_token(int type, u_int32_t plen, void *ctxt)
{
}
}
+/* ARGSUSED */
void
input_gssapi_errtok(int type, u_int32_t plen, void *ctxt)
{
/* Server will be returning a failed packet after this one */
}
+/* ARGSUSED */
void
input_gssapi_error(int type, u_int32_t plen, void *ctxt)
{
int
userauth_external(Authctxt *authctxt)
{
- static int attempt = 0;
+ static int attempt = 0;
- if (attempt++ >= 1)
- return 0;
+ if (attempt++ >= 1)
+ return 0;
/* The client MUST NOT try this method if initial key exchange
was not performed using a GSSAPI-based key exchange
return 0;
}
- debug2("userauth_external");
- packet_start(SSH2_MSG_USERAUTH_REQUEST);
+ debug2("userauth_external");
+ packet_start(SSH2_MSG_USERAUTH_REQUEST);
#ifdef GSI
- if (options.implicit && is_gsi_oid(gss_kex_context->oid)) {
- packet_put_cstring("");
+ if (options.implicit && is_gsi_oid(gss_kex_context->oid)) {
+ packet_put_cstring("");
} else {
#endif
- packet_put_cstring(authctxt->server_user);
+ packet_put_cstring(authctxt->server_user);
#ifdef GSI
}
#endif
- packet_put_cstring(authctxt->service);
- packet_put_cstring(authctxt->method->name);
- packet_send();
- packet_write_wait();
- return 1;
+ packet_put_cstring(authctxt->service);
+ packet_put_cstring(authctxt->method->name);
+ packet_send();
+ packet_write_wait();
+ return 1;
}
int
userauth_gsskeyex(Authctxt *authctxt)
}
#ifdef GSI
- if (options.implicit && is_gsi_oid(gss_kex_context->oid)) {
- ssh_gssapi_buildmic(&b, "", authctxt->service, "gssapi-keyex");
+ if (options.implicit && is_gsi_oid(gss_kex_context->oid)) {
+ ssh_gssapi_buildmic(&b, "", authctxt->service, "gssapi-keyex");
} else {
#endif
- ssh_gssapi_buildmic(&b, authctxt->server_user, authctxt->service,
- "gssapi-keyex");
+ ssh_gssapi_buildmic(&b, authctxt->server_user, authctxt->service,
+ "gssapi-keyex");
#ifdef GSI
}
#endif
packet_start(SSH2_MSG_USERAUTH_REQUEST);
#ifdef GSI
- if (options.implicit && is_gsi_oid(gss_kex_context->oid)) {
- packet_put_cstring("");
+ if (options.implicit && is_gsi_oid(gss_kex_context->oid)) {
+ packet_put_cstring("");
} else {
#endif
packet_put_cstring(authctxt->server_user);
return 1;
}
+
/*
* parse PASSWD_CHANGEREQ, prompt user and send SSH2_MSG_USERAUTH_REQUEST
*/
+/* ARGSUSED */
void
input_userauth_passwd_changereq(int type, u_int32_t seqnr, void *ctxt)
{
&input_userauth_passwd_changereq);
}
+#ifdef JPAKE
+static char *
+pw_encrypt(const char *password, const char *crypt_scheme, const char *salt)
+{
+ /* OpenBSD crypt(3) handles all of these */
+ if (strcmp(crypt_scheme, "crypt") == 0 ||
+ strcmp(crypt_scheme, "bcrypt") == 0 ||
+ strcmp(crypt_scheme, "md5crypt") == 0 ||
+ strcmp(crypt_scheme, "crypt-extended") == 0)
+ return xstrdup(crypt(password, salt));
+ error("%s: unsupported password encryption scheme \"%.100s\"",
+ __func__, crypt_scheme);
+ return NULL;
+}
+
+static BIGNUM *
+jpake_password_to_secret(Authctxt *authctxt, const char *crypt_scheme,
+ const char *salt)
+{
+ char prompt[256], *password, *crypted;
+ u_char *secret;
+ u_int secret_len;
+ BIGNUM *ret;
+
+ snprintf(prompt, sizeof(prompt), "%.30s@%.128s's password (JPAKE): ",
+ authctxt->server_user, authctxt->host);
+ password = read_passphrase(prompt, 0);
+
+ if ((crypted = pw_encrypt(password, crypt_scheme, salt)) == NULL) {
+ logit("Disabling %s authentication", authctxt->method->name);
+ authctxt->method->enabled = NULL;
+ /* Continue with an empty password to fail gracefully */
+ crypted = xstrdup("");
+ }
+
+#ifdef JPAKE_DEBUG
+ debug3("%s: salt = %s", __func__, salt);
+ debug3("%s: scheme = %s", __func__, crypt_scheme);
+ debug3("%s: crypted = %s", __func__, crypted);
+#endif
+
+ if (hash_buffer(crypted, strlen(crypted), EVP_sha256(),
+ &secret, &secret_len) != 0)
+ fatal("%s: hash_buffer", __func__);
+
+ bzero(password, strlen(password));
+ bzero(crypted, strlen(crypted));
+ xfree(password);
+ xfree(crypted);
+
+ if ((ret = BN_bin2bn(secret, secret_len, NULL)) == NULL)
+ fatal("%s: BN_bin2bn (secret)", __func__);
+ bzero(secret, secret_len);
+ xfree(secret);
+
+ return ret;
+}
+
+/* ARGSUSED */
+void
+input_userauth_jpake_server_step1(int type, u_int32_t seq, void *ctxt)
+{
+ Authctxt *authctxt = ctxt;
+ struct jpake_ctx *pctx = authctxt->methoddata;
+ u_char *x3_proof, *x4_proof, *x2_s_proof;
+ u_int x3_proof_len, x4_proof_len, x2_s_proof_len;
+ char *crypt_scheme, *salt;
+
+ /* Disable this message */
+ dispatch_set(SSH2_MSG_USERAUTH_JPAKE_SERVER_STEP1, NULL);
+
+ if ((pctx->g_x3 = BN_new()) == NULL ||
+ (pctx->g_x4 = BN_new()) == NULL)
+ fatal("%s: BN_new", __func__);
+
+ /* Fetch step 1 values */
+ crypt_scheme = packet_get_string(NULL);
+ salt = packet_get_string(NULL);
+ pctx->server_id = packet_get_string(&pctx->server_id_len);
+ packet_get_bignum2(pctx->g_x3);
+ packet_get_bignum2(pctx->g_x4);
+ x3_proof = packet_get_string(&x3_proof_len);
+ x4_proof = packet_get_string(&x4_proof_len);
+ packet_check_eom();
+
+ JPAKE_DEBUG_CTX((pctx, "step 1 received in %s", __func__));
+
+ /* Obtain password and derive secret */
+ pctx->s = jpake_password_to_secret(authctxt, crypt_scheme, salt);
+ bzero(crypt_scheme, strlen(crypt_scheme));
+ bzero(salt, strlen(salt));
+ xfree(crypt_scheme);
+ xfree(salt);
+ JPAKE_DEBUG_BN((pctx->s, "%s: s = ", __func__));
+
+ /* Calculate step 2 values */
+ jpake_step2(pctx->grp, pctx->s, pctx->g_x1,
+ pctx->g_x3, pctx->g_x4, pctx->x2,
+ pctx->server_id, pctx->server_id_len,
+ pctx->client_id, pctx->client_id_len,
+ x3_proof, x3_proof_len,
+ x4_proof, x4_proof_len,
+ &pctx->a,
+ &x2_s_proof, &x2_s_proof_len);
+
+ bzero(x3_proof, x3_proof_len);
+ bzero(x4_proof, x4_proof_len);
+ xfree(x3_proof);
+ xfree(x4_proof);
+
+ JPAKE_DEBUG_CTX((pctx, "step 2 sending in %s", __func__));
+
+ /* Send values for step 2 */
+ packet_start(SSH2_MSG_USERAUTH_JPAKE_CLIENT_STEP2);
+ packet_put_bignum2(pctx->a);
+ packet_put_string(x2_s_proof, x2_s_proof_len);
+ packet_send();
+
+ bzero(x2_s_proof, x2_s_proof_len);
+ xfree(x2_s_proof);
+
+ /* Expect step 2 packet from peer */
+ dispatch_set(SSH2_MSG_USERAUTH_JPAKE_SERVER_STEP2,
+ input_userauth_jpake_server_step2);
+}
+
+/* ARGSUSED */
+void
+input_userauth_jpake_server_step2(int type, u_int32_t seq, void *ctxt)
+{
+ Authctxt *authctxt = ctxt;
+ struct jpake_ctx *pctx = authctxt->methoddata;
+ u_char *x4_s_proof;
+ u_int x4_s_proof_len;
+
+ /* Disable this message */
+ dispatch_set(SSH2_MSG_USERAUTH_JPAKE_SERVER_STEP2, NULL);
+
+ if ((pctx->b = BN_new()) == NULL)
+ fatal("%s: BN_new", __func__);
+
+ /* Fetch step 2 values */
+ packet_get_bignum2(pctx->b);
+ x4_s_proof = packet_get_string(&x4_s_proof_len);
+ packet_check_eom();
+
+ JPAKE_DEBUG_CTX((pctx, "step 2 received in %s", __func__));
+
+ /* Derive shared key and calculate confirmation hash */
+ jpake_key_confirm(pctx->grp, pctx->s, pctx->b,
+ pctx->x2, pctx->g_x1, pctx->g_x2, pctx->g_x3, pctx->g_x4,
+ pctx->client_id, pctx->client_id_len,
+ pctx->server_id, pctx->server_id_len,
+ session_id2, session_id2_len,
+ x4_s_proof, x4_s_proof_len,
+ &pctx->k,
+ &pctx->h_k_cid_sessid, &pctx->h_k_cid_sessid_len);
+
+ bzero(x4_s_proof, x4_s_proof_len);
+ xfree(x4_s_proof);
+
+ JPAKE_DEBUG_CTX((pctx, "confirm sending in %s", __func__));
+
+ /* Send key confirmation proof */
+ packet_start(SSH2_MSG_USERAUTH_JPAKE_CLIENT_CONFIRM);
+ packet_put_string(pctx->h_k_cid_sessid, pctx->h_k_cid_sessid_len);
+ packet_send();
+
+ /* Expect confirmation from peer */
+ dispatch_set(SSH2_MSG_USERAUTH_JPAKE_SERVER_CONFIRM,
+ input_userauth_jpake_server_confirm);
+}
+
+/* ARGSUSED */
+void
+input_userauth_jpake_server_confirm(int type, u_int32_t seq, void *ctxt)
+{
+ Authctxt *authctxt = ctxt;
+ struct jpake_ctx *pctx = authctxt->methoddata;
+
+ /* Disable this message */
+ dispatch_set(SSH2_MSG_USERAUTH_JPAKE_SERVER_CONFIRM, NULL);
+
+ pctx->h_k_sid_sessid = packet_get_string(&pctx->h_k_sid_sessid_len);
+ packet_check_eom();
+
+ JPAKE_DEBUG_CTX((pctx, "confirm received in %s", __func__));
+
+ /* Verify expected confirmation hash */
+ if (jpake_check_confirm(pctx->k,
+ pctx->server_id, pctx->server_id_len,
+ session_id2, session_id2_len,
+ pctx->h_k_sid_sessid, pctx->h_k_sid_sessid_len) == 1)
+ debug("%s: %s success", __func__, authctxt->method->name);
+ else {
+ debug("%s: confirmation mismatch", __func__);
+ /* XXX stash this so if auth succeeds then we can warn/kill */
+ }
+
+ userauth_jpake_cleanup(authctxt);
+}
+#endif /* JPAKE */
+
static int
identity_sign(Identity *id, u_char **sigp, u_int *lenp,
u_char *data, u_int datalen)
Sensitive *sensitive = authctxt->sensitive;
Buffer b;
u_char *signature, *blob;
- char *chost, *pkalg, *p;
+ char *chost, *pkalg, *p, myname[NI_MAXHOST];
const char *service;
u_int blen, slen;
int ok, i, len, found = 0;
return 0;
}
/* figure out a name for the client host */
- p = get_local_name(packet_get_connection_in());
+ p = NULL;
+ if (packet_connection_is_on_socket())
+ p = get_local_name(packet_get_connection_in());
+ if (p == NULL) {
+ if (gethostname(myname, sizeof(myname)) == -1) {
+ verbose("userauth_hostbased: gethostname: %s",
+ strerror(errno));
+ } else
+ p = xstrdup(myname);
+ }
if (p == NULL) {
error("userauth_hostbased: cannot get local ipaddr/name");
key_free(private);
return 1;
}
+#ifdef JPAKE
+int
+userauth_jpake(Authctxt *authctxt)
+{
+ struct jpake_ctx *pctx;
+ u_char *x1_proof, *x2_proof;
+ u_int x1_proof_len, x2_proof_len;
+ static int attempt = 0; /* XXX share with userauth_password's? */
+
+ if (attempt++ >= options.number_of_password_prompts)
+ return 0;
+ if (attempt != 1)
+ error("Permission denied, please try again.");
+
+ if (authctxt->methoddata != NULL)
+ fatal("%s: authctxt->methoddata already set (%p)",
+ __func__, authctxt->methoddata);
+
+ authctxt->methoddata = pctx = jpake_new();
+
+ /*
+ * Send request immediately, to get the protocol going while
+ * we do the initial computations.
+ */
+ packet_start(SSH2_MSG_USERAUTH_REQUEST);
+ packet_put_cstring(authctxt->server_user);
+ packet_put_cstring(authctxt->service);
+ packet_put_cstring(authctxt->method->name);
+ packet_send();
+ packet_write_wait();
+
+ jpake_step1(pctx->grp,
+ &pctx->client_id, &pctx->client_id_len,
+ &pctx->x1, &pctx->x2, &pctx->g_x1, &pctx->g_x2,
+ &x1_proof, &x1_proof_len,
+ &x2_proof, &x2_proof_len);
+
+ JPAKE_DEBUG_CTX((pctx, "step 1 sending in %s", __func__));
+
+ packet_start(SSH2_MSG_USERAUTH_JPAKE_CLIENT_STEP1);
+ packet_put_string(pctx->client_id, pctx->client_id_len);
+ packet_put_bignum2(pctx->g_x1);
+ packet_put_bignum2(pctx->g_x2);
+ packet_put_string(x1_proof, x1_proof_len);
+ packet_put_string(x2_proof, x2_proof_len);
+ packet_send();
+
+ bzero(x1_proof, x1_proof_len);
+ bzero(x2_proof, x2_proof_len);
+ xfree(x1_proof);
+ xfree(x2_proof);
+
+ /* Expect step 1 packet from peer */
+ dispatch_set(SSH2_MSG_USERAUTH_JPAKE_SERVER_STEP1,
+ input_userauth_jpake_server_step1);
+
+ return 1;
+}
+
+void
+userauth_jpake_cleanup(Authctxt *authctxt)
+{
+ debug3("%s: clean up", __func__);
+ if (authctxt->methoddata != NULL) {
+ jpake_free(authctxt->methoddata);
+ authctxt->methoddata = NULL;
+ }
+}
+#endif /* JPAKE */
+
/* find auth method */
/*
buffer_free(&b);
return list;
}
+