X-Git-Url: http://andersk.mit.edu/gitweb/openssh.git/blobdiff_plain/54b974dcab3a3e8486caf6181ad0555efd181154..8b10e20eb8ee80a99659f4cd42648ff7d8eec2c1:/authfd.c?ds=sidebyside diff --git a/authfd.c b/authfd.c index 76e91775..f04e0858 100644 --- a/authfd.c +++ b/authfd.c @@ -35,7 +35,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: authfd.c,v 1.37 2001/03/04 17:42:27 millert Exp $"); +RCSID("$OpenBSD: authfd.c,v 1.57 2002/09/11 18:27:26 stevesk Exp $"); #include @@ -53,12 +53,30 @@ RCSID("$OpenBSD: authfd.c,v 1.37 2001/03/04 17:42:27 millert Exp $"); #include "log.h" #include "atomicio.h" +static int agent_present = 0; + /* helper */ int decode_reply(int type); /* macro to check for "agent failure" message */ #define agent_failed(x) \ - ((x == SSH_AGENT_FAILURE) || (x == SSH_COM_AGENT2_FAILURE)) + ((x == SSH_AGENT_FAILURE) || (x == SSH_COM_AGENT2_FAILURE) || \ + (x == SSH2_AGENT_FAILURE)) + +int +ssh_agent_present(void) +{ + int authfd; + + if (agent_present) + return 1; + if ((authfd = ssh_get_authentication_socket()) == -1) + return 0; + else { + ssh_close_authentication_socket(authfd); + return 1; + } +} /* Returns the number of the authentication fd, or -1 if there is none. */ @@ -66,7 +84,7 @@ int ssh_get_authentication_socket(void) { const char *authsocket; - int sock, len; + int sock; struct sockaddr_un sunaddr; authsocket = getenv(SSH_AUTHSOCKET_ENV_NAME); @@ -75,10 +93,6 @@ ssh_get_authentication_socket(void) sunaddr.sun_family = AF_UNIX; strlcpy(sunaddr.sun_path, authsocket, sizeof(sunaddr.sun_path)); - len = SUN_LEN(&sunaddr)+1; -#ifdef HAVE_SUN_LEN_IN_SOCKADDR_UN - sunaddr.sun_len = len; -#endif /* HAVE_SUN_LEN_IN_SOCKADDR_UN */ sock = socket(AF_UNIX, SOCK_STREAM, 0); if (sock < 0) @@ -89,14 +103,15 @@ ssh_get_authentication_socket(void) close(sock); return -1; } - if (connect(sock, (struct sockaddr *) & sunaddr, len) < 0) { + if (connect(sock, (struct sockaddr *) &sunaddr, sizeof sunaddr) < 0) { close(sock); return -1; } + agent_present = 1; return sock; } -int +static int ssh_request_reply(AuthenticationConnection *auth, Buffer *request, Buffer *reply) { int l, len; @@ -120,6 +135,8 @@ ssh_request_reply(AuthenticationConnection *auth, Buffer *request, Buffer *reply len = 4; while (len > 0) { l = read(auth->fd, buf + 4 - len, len); + if (l == -1 && (errno == EAGAIN || errno == EINTR)) + continue; if (l <= 0) { error("Error reading response length from authentication socket."); return 0; @@ -139,11 +156,13 @@ ssh_request_reply(AuthenticationConnection *auth, Buffer *request, Buffer *reply if (l > sizeof(buf)) l = sizeof(buf); l = read(auth->fd, buf, l); + if (l == -1 && (errno == EAGAIN || errno == EINTR)) + continue; if (l <= 0) { error("Error reading response from authentication socket."); return 0; } - buffer_append(reply, (char *) buf, l); + buffer_append(reply, buf, l); len -= l; } return 1; @@ -206,6 +225,26 @@ ssh_close_authentication_connection(AuthenticationConnection *auth) xfree(auth); } +/* Lock/unlock agent */ +int +ssh_lock_agent(AuthenticationConnection *auth, int lock, const char *password) +{ + int type; + Buffer msg; + + buffer_init(&msg); + buffer_put_char(&msg, lock ? SSH_AGENTC_LOCK : SSH_AGENTC_UNLOCK); + buffer_put_cstring(&msg, password); + + if (ssh_request_reply(auth, &msg, &msg) == 0) { + buffer_free(&msg); + return 0; + } + type = buffer_get_char(&msg); + buffer_free(&msg); + return decode_reply(type); +} + /* * Returns the first authentication identity held by the agent. */ @@ -216,7 +255,7 @@ ssh_get_num_identities(AuthenticationConnection *auth, int version) int type, code1 = 0, code2 = 0; Buffer request; - switch(version){ + switch (version) { case 1: code1 = SSH_AGENTC_REQUEST_RSA_IDENTITIES; code2 = SSH_AGENT_RSA_IDENTITIES_ANSWER; @@ -285,7 +324,7 @@ ssh_get_next_identity(AuthenticationConnection *auth, char **comment, int versio * Get the next entry from the packet. These will abort with a fatal * error if the packet is too short or contains corrupt data. */ - switch(version){ + switch (version) { case 1: key = key_new(KEY_RSA1); bits = buffer_get_int(&auth->identities); @@ -343,7 +382,7 @@ ssh_decrypt_challenge(AuthenticationConnection *auth, buffer_put_bignum(&buffer, key->rsa->e); buffer_put_bignum(&buffer, key->rsa->n); buffer_put_bignum(&buffer, challenge); - buffer_append(&buffer, (char *) session_id, 16); + buffer_append(&buffer, session_id, 16); buffer_put_int(&buffer, response_type); if (ssh_request_reply(auth, &buffer, &buffer) == 0) { @@ -373,8 +412,8 @@ ssh_decrypt_challenge(AuthenticationConnection *auth, int ssh_agent_sign(AuthenticationConnection *auth, Key *key, - u_char **sigp, int *lenp, - u_char *data, int datalen) + u_char **sigp, u_int *lenp, + u_char *data, u_int datalen) { extern int datafellows; Buffer msg; @@ -415,11 +454,9 @@ ssh_agent_sign(AuthenticationConnection *auth, /* Encode key for a message to the agent. */ -void +static void ssh_encode_identity_rsa1(Buffer *b, RSA *key, const char *comment) { - buffer_clear(b); - buffer_put_char(b, SSH_AGENTC_ADD_RSA_IDENTITY); buffer_put_int(b, BN_num_bits(key->n)); buffer_put_bignum(b, key->n); buffer_put_bignum(b, key->e); @@ -428,16 +465,14 @@ ssh_encode_identity_rsa1(Buffer *b, RSA *key, const char *comment) buffer_put_bignum(b, key->iqmp); /* ssh key->u */ buffer_put_bignum(b, key->q); /* ssh key->p, SSL key->q */ buffer_put_bignum(b, key->p); /* ssh key->q, SSL key->p */ - buffer_put_string(b, comment, strlen(comment)); + buffer_put_cstring(b, comment); } -void +static void ssh_encode_identity_ssh2(Buffer *b, Key *key, const char *comment) { - buffer_clear(b); - buffer_put_char(b, SSH2_AGENTC_ADD_IDENTITY); buffer_put_cstring(b, key_ssh_name(key)); - switch(key->type){ + switch (key->type) { case KEY_RSA: buffer_put_bignum2(b, key->rsa->n); buffer_put_bignum2(b, key->rsa->e); @@ -463,19 +498,28 @@ ssh_encode_identity_ssh2(Buffer *b, Key *key, const char *comment) */ int -ssh_add_identity(AuthenticationConnection *auth, Key *key, const char *comment) +ssh_add_identity_constrained(AuthenticationConnection *auth, Key *key, + const char *comment, u_int life) { Buffer msg; - int type; + int type, constrained = (life != 0); buffer_init(&msg); switch (key->type) { case KEY_RSA1: + type = constrained ? + SSH_AGENTC_ADD_RSA_ID_CONSTRAINED : + SSH_AGENTC_ADD_RSA_IDENTITY; + buffer_put_char(&msg, type); ssh_encode_identity_rsa1(&msg, key->rsa, comment); break; case KEY_RSA: case KEY_DSA: + type = constrained ? + SSH2_AGENTC_ADD_ID_CONSTRAINED : + SSH2_AGENTC_ADD_IDENTITY; + buffer_put_char(&msg, type); ssh_encode_identity_ssh2(&msg, key, comment); break; default: @@ -483,6 +527,12 @@ ssh_add_identity(AuthenticationConnection *auth, Key *key, const char *comment) return 0; break; } + if (constrained) { + if (life != 0) { + buffer_put_char(&msg, SSH_AGENT_CONSTRAIN_LIFETIME); + buffer_put_int(&msg, life); + } + } if (ssh_request_reply(auth, &msg, &msg) == 0) { buffer_free(&msg); return 0; @@ -492,6 +542,12 @@ ssh_add_identity(AuthenticationConnection *auth, Key *key, const char *comment) return decode_reply(type); } +int +ssh_add_identity(AuthenticationConnection *auth, Key *key, const char *comment) +{ + return ssh_add_identity_constrained(auth, key, comment, 0); +} + /* * Removes an identity from the authentication server. This call is not * meant to be used by normal applications. @@ -530,6 +586,26 @@ ssh_remove_identity(AuthenticationConnection *auth, Key *key) return decode_reply(type); } +int +ssh_update_card(AuthenticationConnection *auth, int add, const char *reader_id, const char *pin) +{ + Buffer msg; + int type; + + buffer_init(&msg); + buffer_put_char(&msg, add ? SSH_AGENTC_ADD_SMARTCARD_KEY : + SSH_AGENTC_REMOVE_SMARTCARD_KEY); + buffer_put_cstring(&msg, reader_id); + buffer_put_cstring(&msg, pin); + if (ssh_request_reply(auth, &msg, &msg) == 0) { + buffer_free(&msg); + return 0; + } + type = buffer_get_char(&msg); + buffer_free(&msg); + return decode_reply(type); +} + /* * Removes all identities from the agent. This call is not meant to be used * by normal applications. @@ -562,6 +638,7 @@ decode_reply(int type) switch (type) { case SSH_AGENT_FAILURE: case SSH_COM_AGENT2_FAILURE: + case SSH2_AGENT_FAILURE: log("SSH_AGENT_FAILURE"); return 0; case SSH_AGENT_SUCCESS: