- millert@cvs.openbsd.org 2001/03/04 17:42:28
index d6230529f2a6c3754b0902792479727c3b97ad76..c5ff7213a01e7dfeda64f41c6061808f7d7ca5c5 100644 (file)
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: sshconnect1.c,v 1.13 2000/12/19 23:17:58 markus Exp $");
+RCSID("$OpenBSD: sshconnect1.c,v 1.27 2001/02/15 23:19:59 markus Exp $");
 
 #include <openssl/bn.h>
-#include <openssl/dsa.h>
-#include <openssl/rsa.h>
 #include <openssl/evp.h>
 
+#ifdef KRB4
+#include <krb.h>
+#endif
+#ifdef AFS
+#include <kafs.h>
+#include "radix.h"
+#endif
+
+#include "ssh.h"
+#include "ssh1.h"
 #include "xmalloc.h"
 #include "rsa.h"
-#include "ssh.h"
 #include "buffer.h"
 #include "packet.h"
 #include "mpaux.h"
 #include "uidswap.h"
+#include "log.h"
 #include "readconf.h"
 #include "key.h"
 #include "authfd.h"
 #include "sshconnect.h"
 #include "authfile.h"
+#include "readpass.h"
+#include "cipher.h"
+#include "canohost.h"
 
 /* Session id for the current session. */
 u_char session_id[16];
@@ -45,7 +56,7 @@ extern char *__progname;
  * authenticate using the agent.
  */
 int
-try_agent_authentication()
+try_agent_authentication(void)
 {
        int type;
        char *comment;
@@ -62,7 +73,6 @@ try_agent_authentication()
                return 0;
 
        challenge = BN_new();
-       key = key_new(KEY_RSA1);
 
        /* Loop through identities served by the agent. */
        for (key = ssh_get_first_identity(auth, &comment, 1);
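Review bot: `challenge = BN_new();` just above the loop is still unchecked after this hunk drops the leaked `key_new()`; a NULL return would presumably be dereferenced by whatever BN routine the loop later hands the challenge to, outside the hunk. Since log.h is already included, I would fail the same way the rest of the file fails on impossible conditions: `if ((challenge = BN_new()) == NULL) fatal("try_agent_authentication: BN_new failed");`. try_agent_authentication begins and ends outside this hunk.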
@@ -125,6 +135,7 @@ try_agent_authentication()
 
                /* The server returns success if it accepted the authentication. */
                if (type == SSH_SMSG_SUCCESS) {
+                       ssh_close_authentication_connection(auth);
                        BN_clear_free(challenge);
                        debug("RSA authentication accepted by server.");
                        return 1;
@@ -134,6 +145,7 @@ try_agent_authentication()
                        packet_disconnect("Protocol error waiting RSA auth response: %d",
                                          type);
        }
+       ssh_close_authentication_connection(auth);
        BN_clear_free(challenge);
        debug("RSA authentication using agent refused.");
        return 0;
@@ -151,14 +163,17 @@ respond_to_rsa_challenge(BIGNUM * challenge, RSA * prv)
        int i, len;
 
        /* Decrypt the challenge using the private key. */
-       rsa_private_decrypt(challenge, challenge, prv);
+       /* XXX think about Bleichenbacher, too */
+       if (rsa_private_decrypt(challenge, challenge, prv) <= 0)
+               packet_disconnect(
+                   "respond_to_rsa_challenge: rsa_private_decrypt failed");
 
        /* Compute the response. */
        /* The response is MD5 of decrypted challenge plus session id. */
        len = BN_num_bytes(challenge);
        if (len <= 0 || len > sizeof(buf))
-               packet_disconnect("respond_to_rsa_challenge: bad challenge length %d",
-                                 len);
+               packet_disconnect(
+                   "respond_to_rsa_challenge: bad challenge length %d", len);
 
        memset(buf, 0, sizeof(buf));
        BN_bn2bin(challenge, buf + sizeof(buf) - len);
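Review bot: Disconnecting when rsa_private_decrypt() fails makes the PKCS#1 padding check observable to the peer, which is the oracle the new `XXX think about Bleichenbacher` comment alludes to: a server chooses the challenge, so it learns from hang-up versus answer whether its chosen ciphertext had valid padding under the client's private key. Each query costs the attacker a fresh connection, so the attack is expensive, but the comment should state the exposure rather than leave an XXX; e.g. `/* NOTE: disconnecting on a padding failure lets a malicious server use us as a PKCS#1 padding oracle (Bleichenbacher); answering with a response computed over random bytes would hide the failure. */`. Only the accept/reject signal leaks here, since the response is an MD5 over the decrypted value and session_id. The MD5 computation and the reply continue past the hunk.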
@@ -270,6 +285,8 @@ try_rsa_authentication(const char *authfile)
                        /* Expect the server to reject it... */
                        packet_read_expect(&plen, SSH_SMSG_FAILURE);
                        xfree(comment);
+                       key_free(private);
+                       BN_clear_free(challenge);
                        return 0;
                }
                /* Destroy the passphrase. */
@@ -363,7 +380,7 @@ try_rhosts_rsa_authentication(const char *local_user, RSA * host_key)
 
 #ifdef KRB4
 int
-try_kerberos_authentication()
+try_kerberos_authentication(void)
 {
        KTEXT_ST auth;          /* Kerberos data */
        char *reply;
@@ -382,11 +399,11 @@ try_kerberos_authentication()
        if (stat(tkt_string(), &st) < 0)
                return 0;
 
-       strncpy(inst, (char *) krb_get_phost(get_canonical_hostname()), INST_SZ);
+       strncpy(inst, (char *) krb_get_phost(get_canonical_hostname(1)), INST_SZ);
 
-       realm = (char *) krb_realmofhost(get_canonical_hostname());
+       realm = (char *) krb_realmofhost(get_canonical_hostname(1));
        if (!realm) {
-               debug("Kerberos V4: no realm for %s", get_canonical_hostname());
+               debug("Kerberos V4: no realm for %s", get_canonical_hostname(1));
                return 0;
        }
        /* This can really be anything. */
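Review bot: `strncpy(inst, krb_get_phost(...), INST_SZ)` on the new side leaves inst without a NUL terminator when the returned name is INST_SZ bytes or longer, and inst is presumably passed on to the Kerberos library as a C string. Assuming inst is a fixed array of INST_SZ (its declaration is outside the hunk), `strlcpy(inst, krb_get_phost(get_canonical_hostname(1)), sizeof(inst));` would bound the copy and terminate it. get_canonical_hostname(1) is also evaluated three times in a row; holding it in a local, with a comment saying what the bare `1` selects, would make the repeated lookup easier to read. try_kerberos_authentication continues past the hunk.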
@@ -480,7 +497,7 @@ try_kerberos_authentication()
 
 #ifdef AFS
 int
-send_kerberos_tgt()
+send_kerberos_tgt(void)
 {
        CREDENTIALS *creds;
        char pname[ANAME_SZ], pinst[INST_SZ], prealm[REALM_SZ];
@@ -574,7 +591,7 @@ send_afs_tokens(void)
                creds.pinst[0] = '\0';
 
                /* Encode token, ship it off. */
-               if (creds_to_radix(&creds, (u_char*) buffer, sizeof buffer) <= 0)
+               if (creds_to_radix(&creds, (u_char *) buffer, sizeof buffer) <= 0)
                        break;
                packet_start(SSH_CMSG_HAVE_AFS_TOKEN);
                packet_put_string(buffer, strlen(buffer));
@@ -599,7 +616,7 @@ send_afs_tokens(void)
  * Note that the client code is not tied to s/key or TIS.
  */
 int
-try_skey_authentication()
+try_challenge_reponse_authentication(void)
 {
        int type, i;
        int payload_len;
@@ -607,7 +624,7 @@ try_skey_authentication()
        char prompt[1024];
        char *challenge, *response;
 
-       debug("Doing skey authentication.");
+       debug("Doing challenge reponse authentication.");
 
        for (i = 0; i < options.number_of_password_prompts; i++) {
                /* request a challenge */
@@ -619,15 +636,16 @@ try_skey_authentication()
                if (type != SSH_SMSG_FAILURE &&
                    type != SSH_SMSG_AUTH_TIS_CHALLENGE) {
                        packet_disconnect("Protocol error: got %d in response "
-                           "to skey-auth", type);
+                           "to SSH_CMSG_AUTH_TIS", type);
                }
                if (type != SSH_SMSG_AUTH_TIS_CHALLENGE) {
-                       debug("No challenge for skey authentication.");
+                       debug("No challenge.");
                        return 0;
                }
                challenge = packet_get_string(&clen);
                packet_integrity_check(payload_len, (4 + clen), type);
-               snprintf(prompt, sizeof prompt, "%s\nResponse: ", challenge);
+               snprintf(prompt, sizeof prompt, "%s%s", challenge,
+                    strchr(challenge, '\n') ? "" : "\nResponse: ");
                xfree(challenge);
                if (i != 0)
                        error("Permission denied, please try again.");
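Review bot: The server-supplied challenge is formatted straight into `prompt`, so any control or escape bytes the server embeds presumably reach the user's terminal unfiltered when the prompt is displayed; with `strchr(challenge, '\n')` now steering the layout, an embedded newline also drops the `Response: ` suffix entirely. I would sanitize before formatting — copy the challenge into a local buffer with non-printing bytes stripped or vis(3)-encoded and build the prompt from that — and add a comment such as `/* challenge is untrusted server data: strip control characters before it is shown */`. The prompt is also silently cut at `sizeof prompt` for long challenges, which is harmless but worth a line of explanation. The rest of the retry loop continues past the hunk.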
@@ -640,7 +658,7 @@ try_skey_authentication()
                        break;
                }
                packet_start(SSH_CMSG_AUTH_TIS_RESPONSE);
-               packet_put_string(response, strlen(response));
+               ssh_put_password(response);
                memset(response, 0, strlen(response));
                xfree(response);
                packet_send();
@@ -650,7 +668,7 @@ try_skey_authentication()
                        return 1;
                if (type != SSH_SMSG_FAILURE)
                        packet_disconnect("Protocol error: got %d in response "
-                           "to skey-auth-reponse", type);
+                           "to SSH_CMSG_AUTH_TIS_RESPONSE", type);
        }
        /* failure */
        return 0;
@@ -673,7 +691,7 @@ try_password_authentication(char *prompt)
                        error("Permission denied, please try again.");
                password = read_passphrase(prompt, 0);
                packet_start(SSH_CMSG_AUTH_PASSWORD);
-               packet_put_string(password, strlen(password));
+               ssh_put_password(password);
                memset(password, 0, strlen(password));
                xfree(password);
                packet_send();
@@ -894,8 +912,8 @@ ssh_kex(char *host, struct sockaddr *hostaddr)
  */
 void
 ssh_userauth(
-    const charlocal_user,
-    const charserver_user,
+    const char *local_user,
+    const char *server_user,
     char *host,
     int host_key_valid, RSA *own_host_key)
 {
@@ -1003,10 +1021,10 @@ ssh_userauth(
                            try_rsa_authentication(options.identity_files[i]))
                                return;
        }
-       /* Try skey authentication if the server supports it. */
+       /* Try challenge response authentication if the server supports it. */
        if ((supported_authentications & (1 << SSH_AUTH_TIS)) &&
-           options.skey_authentication && !options.batch_mode) {
-               if (try_skey_authentication())
+           options.challenge_reponse_authentication && !options.batch_mode) {
+               if (try_challenge_reponse_authentication())
                        return;
        }
        /* Try password authentication if the server supports it. */
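Review bot: The new identifiers `options.challenge_reponse_authentication` and `try_challenge_reponse_authentication()` misspell "response" (the renamed function's debug string has the same typo), and since every caller and presumably the readconf option table must match this name, it is cheaper to fix now than to carry it: `options.challenge_response_authentication && !options.batch_mode) {` and `if (try_challenge_response_authentication())`. The same rename is needed at the definition and in readconf.h, both outside this hunk. ssh_userauth begins and ends outside the hunk.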
@@ -1014,7 +1032,7 @@ ssh_userauth(
            options.password_authentication && !options.batch_mode) {
                char prompt[80];
 
-               snprintf(prompt, sizeof(prompt), "%.30s@%.40s's password: ",
+               snprintf(prompt, sizeof(prompt), "%.30s@%.128s's password: ",
                    server_user, host);
                if (try_password_authentication(prompt))
                        return;
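Review bot: Raising the precision to `%.128s` has no effect while the buffer two lines above is still `char prompt[80]`: the format can produce roughly 170 bytes, so snprintf silently truncates the prompt for any long host, likely mid-hostname and before `'s password:`, which is presumably what the wider precision was meant to avoid. I would size the buffer to what the format can emit, `char prompt[256];`, or keep the old precision. The truncation is cosmetic — the password is read by try_password_authentication, outside this hunk — but a cut-off prompt is confusing to the user. ssh_userauth continues past the hunk.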