* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
* All rights reserved
- * Created: Sat Mar 18 22:15:47 1995 ylo
* Code to connect to a remote host, and to perform the client side of the
* login (authentication) dialog.
*
+ * As far as I am concerned, the code I have written for this software
+ * can be used freely for any purpose. Any derived versions of this
+ * software must be clearly marked as such, and if the derived work is
+ * incompatible with the protocol description in the RFC file, it must be
+ * called by a name other than "ssh" or "Secure Shell".
*/
#include "includes.h"
-RCSID("$OpenBSD: sshconnect1.c,v 1.1 2000/04/26 21:28:33 markus Exp $");
+RCSID("$OpenBSD: sshconnect1.c,v 1.6 2000/09/07 20:27:54 deraadt Exp $");
#include <openssl/bn.h>
#include <openssl/dsa.h>
#include "ssh.h"
#include "buffer.h"
#include "packet.h"
-#include "authfd.h"
#include "cipher.h"
#include "mpaux.h"
#include "uidswap.h"
#include "readconf.h"
#include "key.h"
+#include "authfd.h"
#include "sshconnect.h"
#include "authfile.h"
int
try_agent_authentication()
{
- int status, type;
+ int type;
char *comment;
AuthenticationConnection *auth;
unsigned char response[16];
unsigned int i;
- BIGNUM *e, *n, *challenge;
+ int plen, clen;
+ Key *key;
+ BIGNUM *challenge;
/* Get connection to the agent. */
auth = ssh_get_authentication_connection();
if (!auth)
return 0;
- e = BN_new();
- n = BN_new();
challenge = BN_new();
+ key = key_new(KEY_RSA);
/* Loop through identities served by the agent. */
- for (status = ssh_get_first_identity(auth, e, n, &comment);
- status;
- status = ssh_get_next_identity(auth, e, n, &comment)) {
- int plen, clen;
+ for (key = ssh_get_first_identity(auth, &comment, 1);
+ key != NULL;
+ key = ssh_get_next_identity(auth, &comment, 1)) {
/* Try this identity. */
debug("Trying RSA authentication via agent with '%.100s'", comment);
/* Tell the server that we are willing to authenticate using this key. */
packet_start(SSH_CMSG_AUTH_RSA);
- packet_put_bignum(n);
+ packet_put_bignum(key->rsa->n);
packet_send();
packet_write_wait();
does not support RSA authentication. */
if (type == SSH_SMSG_FAILURE) {
debug("Server refused our key.");
+ key_free(key);
continue;
}
/* Otherwise it should have sent a challenge. */
debug("Received RSA challenge from server.");
/* Ask the agent to decrypt the challenge. */
- if (!ssh_decrypt_challenge(auth, e, n, challenge,
- session_id, 1, response)) {
- /* The agent failed to authenticate this identifier although it
- advertised it supports this. Just return a wrong value. */
+ if (!ssh_decrypt_challenge(auth, key, challenge, session_id, 1, response)) {
+ /*
+ * The agent failed to authenticate this identifier
+ * although it advertised it supports this. Just
+ * return a wrong value.
+ */
log("Authentication agent failed to decrypt challenge.");
memset(response, 0, sizeof(response));
}
+ key_free(key);
debug("Sending response to RSA challenge.");
/* Send the decrypted challenge back to the server. */
/* The server returns success if it accepted the authentication. */
if (type == SSH_SMSG_SUCCESS) {
- debug("RSA authentication accepted by server.");
- BN_clear_free(e);
- BN_clear_free(n);
BN_clear_free(challenge);
+ debug("RSA authentication accepted by server.");
return 1;
}
/* Otherwise it should return failure. */
packet_disconnect("Protocol error waiting RSA auth response: %d",
type);
}
-
- BN_clear_free(e);
- BN_clear_free(n);
BN_clear_free(challenge);
-
debug("RSA authentication using agent refused.");
return 0;
}
debug("Kerberos V4 ticket expired: %s", TKT_FILE);
return 0;
}
- creds_to_radix(creds, (unsigned char *)buffer);
+ creds_to_radix(creds, (unsigned char *)buffer, sizeof buffer);
xfree(creds);
packet_start(SSH_CMSG_HAVE_KERBEROS_TGT);
creds.pinst[0] = '\0';
/* Encode token, ship it off. */
- if (!creds_to_radix(&creds, (unsigned char*) buffer))
+ if (creds_to_radix(&creds, (unsigned char*) buffer, sizeof buffer) <= 0)
break;
packet_start(SSH_CMSG_HAVE_AFS_TOKEN);
packet_put_string(buffer, strlen(buffer));
RSA_free(public_key);
RSA_free(host_key);
- if (options.cipher == SSH_CIPHER_NOT_SET) {
+ if (options.cipher == SSH_CIPHER_ILLEGAL) {
+ log("No valid SSH1 cipher, using %.100s instead.",
+ cipher_name(SSH_FALLBACK_CIPHER));
+ options.cipher = SSH_FALLBACK_CIPHER;
+ } else if (options.cipher == SSH_CIPHER_NOT_SET) {
if (cipher_mask1() & supported_ciphers & (1 << ssh_cipher_default))
options.cipher = ssh_cipher_default;
else {
debug("Cipher %s not supported, using %.100s instead.",
- cipher_name(ssh_cipher_default),
- cipher_name(SSH_FALLBACK_CIPHER));
+ cipher_name(ssh_cipher_default),
+ cipher_name(SSH_FALLBACK_CIPHER));
options.cipher = SSH_FALLBACK_CIPHER;
}
}