/*
 * agent.c - ssh agent functions
 *
 * This file is part of the SSH Library
 *
 * Copyright (c) 2008-2013 by Andreas Schneider <asn@cryptomilk.org>
 *
 * This library is free software; you can redistribute it and/or
 * modify it under the terms of the GNU Lesser General Public
 * License as published by the Free Software Foundation; either
 * version 2.1 of the License, or (at your option) any later version.
 *
 * This library is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
 * Lesser General Public License for more details.
 *
 * You should have received a copy of the GNU Lesser General Public
 * License along with this library; if not, write to the Free Software
 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
 */
/* This file is based on authfd.c from OpenSSH */
/*
 * How does the ssh-agent work?
 *
 * a) client sends a request to get a list of all keys
 *    the agent returns the count and all public keys
 * b) iterate over them to check if the server likes one
 * c) the client sends a sign request to the agent
 *    type, pubkey as blob, data to sign, flags
 *    the agent returns the signed data
 */
#ifndef _WIN32
#include "config.h"
#include <stdlib.h>
#include <errno.h>
#include <string.h>
#include <stdio.h>
#ifdef HAVE_UNISTD_H
#include <unistd.h>
#endif
#include <netinet/in.h>
#include <arpa/inet.h>
#include "libssh/agent.h"
#include "libssh/priv.h"
#include "libssh/socket.h"
#include "libssh/buffer.h"
#include "libssh/session.h"
#include "libssh/poll.h"
#include "libssh/pki.h"
#include "libssh/bytearray.h"
/* macro to check for "agent failure" message */
/*
 * True when the agent's reply type is any of the three failure codes this
 * file understands (SSH_AGENT_FAILURE, SSH_COM_AGENT2_FAILURE,
 * SSH2_AGENT_FAILURE).  The argument is evaluated up to three times, so
 * pass a plain variable rather than an expression with side effects.
 */
#define agent_failed(x) \
  (((x) == SSH_AGENT_FAILURE) || ((x) == SSH_COM_AGENT2_FAILURE) || \
   ((x) == SSH2_AGENT_FAILURE))
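/*
 * Transfer exactly n bytes to or from the agent, retrying partial transfers.
 *
 * The agent is reached either through a plain socket (agent->sock, the
 * SSH_AUTH_SOCK path) or, when agent->channel is set, through an SSH
 * channel belonging to another session (agent forwarding through a proxy).
 *
 * @param agent    agent to talk to; agent->channel selects the transport
 * @param buf      source (write) or destination (read) buffer
 * @param n        number of bytes to transfer
 * @param do_read  non-zero to read from the agent, zero to write to it
 *
 * @return n on success.  On end-of-file the number of bytes transferred so
 *         far (possibly 0); 0 on an I/O error.  On the socket path errno
 *         describes the outcome (0 for read EOF, EPIPE for write EOF, the
 *         failing call's errno otherwise); the channel path does not set it.
 */
static size_t atomicio(struct ssh_agent_struct *agent, void *buf, size_t n, int do_read)
{
    char *b = buf;
    size_t pos = 0;
    ssize_t res;
    ssh_channel channel = agent->channel;

    if (channel == NULL) {
        /* Plain socket: wait in poll() whenever the descriptor is not ready */
        socket_t fd = ssh_socket_get_fd(agent->sock);
        ssh_pollfd_t pfd = {0};

        pfd.fd = fd;
        pfd.events = do_read ? POLLIN : POLLOUT;

        while (n > pos) {
            if (do_read) {
                res = read(fd, b + pos, n - pos);
            } else {
                res = write(fd, b + pos, n - pos);
            }
            switch (res) {
            case -1:
                if (errno == EINTR) {
                    continue;
                }
#ifdef EWOULDBLOCK
                if (errno == EAGAIN || errno == EWOULDBLOCK) {
#else
                if (errno == EAGAIN) {
#endif
                    /* not ready yet: block without timeout, then retry */
                    (void) ssh_poll(&pfd, 1, -1);
                    continue;
                }
                return 0;
            case 0:
                /* read returns 0 on end-of-file */
                errno = do_read ? 0 : EPIPE;
                return pos;
            default:
                pos += (size_t) res;
            }
        }
        return pos;
    }

    /* Forwarded agent: the bytes travel over an SSH channel */
    while (n > pos) {
        if (do_read) {
            res = ssh_channel_read(channel, b + pos, n - pos, 0);
        } else {
            res = ssh_channel_write(channel, b + pos, n - pos);
        }
        if (res == SSH_AGAIN) {
            continue;
        }
        if (res == SSH_ERROR) {
            return 0;
        }
        if (res == 0) {
            /*
             * ssh_channel_read() returns 0 at end-of-file.  Without this
             * check a closed forwarded channel spins here forever, because
             * pos never advances; mirror the socket path and report a
             * short transfer instead.
             */
            return pos;
        }
        pos += (size_t) res;
    }
    return pos;
}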
/*
 * Allocate an agent handle bound to the given session.
 *
 * The handle starts zeroed, with a fresh (not yet connected) socket object
 * and no forwarding channel.
 *
 * @return the new agent, or NULL when the handle or its socket cannot be
 *         allocated.  Release it with ssh_agent_free().
 */
ssh_agent ssh_agent_new(struct ssh_session_struct *session)
{
    ssh_agent agent = malloc(sizeof(struct ssh_agent_struct));

    if (agent == NULL) {
        return NULL;
    }
    ZERO_STRUCTP(agent);

    agent->count = 0;
    agent->channel = NULL;

    /* the socket object is created here; it is connected later on demand */
    agent->sock = ssh_socket_new(session);
    if (agent->sock == NULL) {
        SAFE_FREE(agent);
        return NULL;
    }

    return agent;
}
/* Record the channel (or NULL) the agent should be reached through. */
static void agent_set_channel(struct ssh_agent_struct *agent, ssh_channel channel)
{
    agent->channel = channel;
}
/**
 * @brief Sets the SSH agent channel.
 *
 * The SSH agent channel will be used to authenticate this client using
 * an agent through a channel, from another session. The most likely use
 * is to implement SSH Agent forwarding into an SSH proxy.
 *
 * @param[in] session the session whose agent is configured.
 * @param[in] channel an SSH channel from another session.
 *
 * @returns SSH_OK in case of success
 *          SSH_ERROR in case of an error
 */
int ssh_set_agent_channel(ssh_session session, ssh_channel channel)
{
    if (session == NULL) {
        return SSH_ERROR;
    }

    if (session->agent == NULL) {
        ssh_set_error(session, SSH_REQUEST_DENIED, "Session has no active agent");
        return SSH_ERROR;
    }

    agent_set_channel(session->agent, channel);

    return SSH_OK;
}
/**
 * @brief Sets the SSH agent socket.
 *
 * The SSH agent will be used to authenticate this client using
 * the given socket to communicate with the ssh-agent. The caller
 * is responsible for connecting to the socket prior to calling
 * this function.
 *
 * @param[in] session the session whose agent is configured.
 * @param[in] fd      an already connected socket to the ssh-agent.
 *
 * @returns SSH_OK in case of success
 *          SSH_ERROR in case of an error
 */
int ssh_set_agent_socket(ssh_session session, socket_t fd)
{
    if (session == NULL) {
        return SSH_ERROR;
    }

    if (session->agent == NULL) {
        ssh_set_error(session, SSH_REQUEST_DENIED, "Session has no active agent");
        return SSH_ERROR;
    }

    /* hand the descriptor to the agent's socket object; no connect happens here */
    ssh_socket_set_fd(session->agent->sock, fd);

    return SSH_OK;
}
/*
 * Close the agent's socket.  The agent handle itself stays valid; use
 * ssh_agent_free() to release it.  A NULL agent is ignored.
 */
void ssh_agent_close(struct ssh_agent_struct *agent)
{
    if (agent != NULL) {
        ssh_socket_close(agent->sock);
    }
}
/*
 * Release an agent handle: the cached identity list, the socket (closed
 * first) and the handle itself.  A NULL agent is ignored.
 */
void ssh_agent_free(ssh_agent agent)
{
    if (agent == NULL) {
        return;
    }

    /* identity list cached by ssh_agent_get_ident_count() */
    if (agent->ident != NULL) {
        SSH_BUFFER_FREE(agent->ident);
    }

    if (agent->sock != NULL) {
        ssh_agent_close(agent);
        ssh_socket_free(agent->sock);
    }

    SAFE_FREE(agent);
}
/*
 * Connect the agent socket to the UNIX socket named by $SSH_AUTH_SOCK.
 *
 * Nothing is connected when the agent already talks through a forwarded
 * channel.
 *
 * @return 0 when the agent is reachable (channel set, or socket connected);
 *         -1 when there is no agent, SSH_AUTH_SOCK is unset or empty, or
 *         the connection attempt fails.
 */
static int agent_connect(ssh_session session)
{
    const char *auth_sock = NULL;

    if (session == NULL || session->agent == NULL) {
        return -1;
    }

    /* forwarded agent: the channel is the transport, no socket needed */
    if (session->agent->channel != NULL) {
        return 0;
    }

    auth_sock = getenv("SSH_AUTH_SOCK");
    if (auth_sock == NULL || *auth_sock == '\0') {
        return -1;
    }

    return (ssh_socket_unix(session->agent->sock, auth_sock) < 0) ? -1 : 0;
}
#if 0
/*
 * Compiled out; kept for reference only.  Maps an agent reply type to
 * 1 (success), 0 (one of the agent failure codes, logged) or -1 (any other
 * type, recorded as a fatal session error).  The live code uses the
 * agent_failed() macro and checks the expected reply type inline.
 */
static int agent_decode_reply(struct ssh_session_struct *session, int type) {
  switch (type) {
    case SSH_AGENT_FAILURE:
    case SSH2_AGENT_FAILURE:
    case SSH_COM_AGENT2_FAILURE:
      ssh_log(session, SSH_LOG_RARE, "SSH_AGENT_FAILURE");
      return 0;
    case SSH_AGENT_SUCCESS:
      return 1;
    default:
      ssh_set_error(session, SSH_FATAL,
          "Bad response from authentication agent: %d", type);
      break;
  }

  return -1;
}
#endif
/*
 * Send one request to the agent and collect its complete reply.
 *
 * Both directions use a big-endian uint32 length followed by that many
 * bytes of message.  The reply length announced by the agent is capped at
 * 256 KiB before any of the body is read, so a misbehaving agent cannot
 * make the reply buffer grow without bound.
 *
 * @param session  session owning the agent
 * @param request  message to send (type byte plus payload)
 * @param reply    buffer the reply body is appended to
 *
 * @return 0 on success; -1 on a transport failure, an over-long reply, or
 *         when the reply buffer cannot grow.  Only the over-long case is
 *         recorded as a session error, the others are logged.
 */
static int agent_talk(struct ssh_session_struct *session,
    struct ssh_buffer_struct *request, struct ssh_buffer_struct *reply)
{
    enum { AGENT_REPLY_MAX = 256 * 1024 };
    uint8_t payload[1024] = {0};
    uint32_t len = ssh_buffer_get_len(request);
    uint32_t remaining;

    SSH_LOG(SSH_LOG_TRACE, "Request length: %u", len);
    PUSH_BE_U32(payload, 0, len);

    /* send length and then the request packet */
    if (atomicio(session->agent, payload, 4, 0) != 4) {
        SSH_LOG(SSH_LOG_WARN,
            "atomicio sending request length failed: %s",
            strerror(errno));
        return -1;
    }
    if (atomicio(session->agent, ssh_buffer_get(request), len, 0) != len) {
        SSH_LOG(SSH_LOG_WARN, "atomicio sending request failed: %s",
            strerror(errno));
        return -1;
    }

    /* wait for response, read the length of the response packet */
    if (atomicio(session->agent, payload, 4, 1) != 4) {
        SSH_LOG(SSH_LOG_WARN, "atomicio read response length failed: %s",
            strerror(errno));
        return -1;
    }

    len = PULL_BE_U32(payload, 0);
    if (len > AGENT_REPLY_MAX) {
        ssh_set_error(session, SSH_FATAL,
            "Authentication response too long: %u", len);
        return -1;
    }
    SSH_LOG(SSH_LOG_TRACE, "Response length: %u", len);

    /* read the body in payload-sized chunks, appending each one to reply */
    remaining = len;
    while (remaining > 0) {
        size_t chunk = (remaining < sizeof(payload)) ? remaining : sizeof(payload);

        if (atomicio(session->agent, payload, chunk, 1) != chunk) {
            SSH_LOG(SSH_LOG_WARN,
                "Error reading response from authentication socket.");
            return -1;
        }
        if (ssh_buffer_add_data(reply, payload, chunk) < 0) {
            SSH_LOG(SSH_LOG_WARN, "Not enough space");
            return -1;
        }
        remaining -= (uint32_t) chunk;
    }

    return 0;
}
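/*
 * Ask the agent for its list of identities and cache the reply.
 *
 * On success the reply buffer is stored in session->agent->ident, positioned
 * just past the count so ssh_agent_get_next_ident() can walk the entries,
 * and the number of identities in session->agent->count.  The count is
 * capped at 1024 so an agent cannot make the client walk an unbounded list.
 *
 * @return the number of identities; 0 when the agent reports failure, the
 *         reply is malformed or over-sized, or memory runs out.  Everything
 *         except a plain agent failure is recorded as a session error.
 */
uint32_t ssh_agent_get_ident_count(struct ssh_session_struct *session)
{
    ssh_buffer request = NULL;
    ssh_buffer reply = NULL;
    uint8_t type = 0;
    uint32_t count = 0;
    int rc;

    /* send message to the agent requesting the list of identities */
    request = ssh_buffer_new();
    if (request == NULL) {
        ssh_set_error_oom(session);
        return 0;
    }
    if (ssh_buffer_add_u8(request, SSH2_AGENTC_REQUEST_IDENTITIES) < 0) {
        ssh_set_error_oom(session);
        SSH_BUFFER_FREE(request);
        return 0;
    }

    reply = ssh_buffer_new();
    if (reply == NULL) {
        SSH_BUFFER_FREE(request);
        ssh_set_error(session, SSH_FATAL, "Not enough space");
        return 0;
    }

    if (agent_talk(session, request, reply) < 0) {
        SSH_BUFFER_FREE(request);
        SSH_BUFFER_FREE(reply);
        return 0;
    }
    SSH_BUFFER_FREE(request);

    /*
     * get message type and verify the answer.  The type is one byte, so it
     * is read into a uint8_t; that is endian-neutral and replaces the old
     * unsigned-int-plus-bswap_32 trick.
     */
    rc = ssh_buffer_get_u8(reply, &type);
    if (rc != sizeof(uint8_t)) {
        ssh_set_error(session, SSH_FATAL,
                "Bad authentication reply size: %d", rc);
        SSH_BUFFER_FREE(reply);
        return 0;
    }

    SSH_LOG(SSH_LOG_WARN,
            "Answer type: %d, expected answer: %d",
            type, SSH2_AGENT_IDENTITIES_ANSWER);

    if (agent_failed(type)) {
        SSH_BUFFER_FREE(reply);
        return 0;
    } else if (type != SSH2_AGENT_IDENTITIES_ANSWER) {
        ssh_set_error(session, SSH_FATAL,
                "Bad authentication reply message type: %u",
                (unsigned int) type);
        SSH_BUFFER_FREE(reply);
        return 0;
    }

    rc = ssh_buffer_get_u32(reply, &count);
    if (rc != 4) {
        ssh_set_error(session,
                SSH_FATAL,
                "Failed to read count");
        SSH_BUFFER_FREE(reply);
        return 0;
    }
    /* the wire count is big-endian; validate it before touching agent state */
    count = ntohl(count);
    SSH_LOG(SSH_LOG_DEBUG, "Agent count: %d", count);
    if (count > 1024) {
        ssh_set_error(session, SSH_FATAL,
                "Too many identities in authentication reply: %d",
                count);
        SSH_BUFFER_FREE(reply);
        return 0;
    }

    /*
     * Replace the cached identity list.  The previous buffer has to be
     * freed, not merely reinitialised: reinitialising it and then
     * overwriting the pointer leaked it on every call after the first.
     */
    if (session->agent->ident != NULL) {
        SSH_BUFFER_FREE(session->agent->ident);
    }
    session->agent->ident = reply;
    session->agent->count = count;

    return count;
}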
/*
 * Refresh the identity list from the agent and return its first key.
 *
 * Combines ssh_agent_get_ident_count() with ssh_agent_get_next_ident().
 * The caller has to free *comment and the returned key.
 *
 * @return the first identity, or NULL when the agent has none or the
 *         request failed.
 */
ssh_key ssh_agent_get_first_ident(struct ssh_session_struct *session,
                                  char **comment)
{
    uint32_t count = ssh_agent_get_ident_count(session);

    if (count == 0) {
        return NULL;
    }

    return ssh_agent_get_next_ident(session, comment);
}
/*
 * Pop the next identity from the list cached by ssh_agent_get_ident_count().
 *
 * Each entry is a public key blob followed by a comment string.  The blob
 * is imported as a public key and, failing that, as a certificate.
 *
 * @param session  session whose agent holds the cached identity list
 * @param comment  receives a newly allocated copy of the entry's comment;
 *                 the caller has to free it.  Passing NULL consumes the
 *                 entry and returns NULL.
 *
 * @return the imported key, owned by the caller, or NULL when the list is
 *         empty or exhausted, the entry is truncated, or the blob cannot be
 *         imported.
 */
ssh_key ssh_agent_get_next_ident(struct ssh_session_struct *session,
    char **comment)
{
    struct ssh_key_struct *key = NULL;
    struct ssh_string_struct *blob = NULL;
    struct ssh_string_struct *tmp = NULL;
    int rc;

    if (session->agent->count == 0) {
        return NULL;
    }

    /* get the blob */
    blob = ssh_buffer_get_ssh_string(session->agent->ident);
    if (blob == NULL) {
        return NULL;
    }

    /* get the comment */
    tmp = ssh_buffer_get_ssh_string(session->agent->ident);
    if (tmp == NULL) {
        SSH_STRING_FREE(blob);
        return NULL;
    }

    if (comment == NULL) {
        SSH_STRING_FREE(blob);
        SSH_STRING_FREE(tmp);
        return NULL;
    }
    *comment = ssh_string_to_char(tmp);
    SSH_STRING_FREE(tmp);

    /* get key from blob: plain public key first, then as a certificate */
    rc = ssh_pki_import_pubkey_blob(blob, &key);
    if (rc == SSH_ERROR) {
        rc = ssh_pki_import_cert_blob(blob, &key);
    }
    SSH_STRING_FREE(blob);

    return (rc == SSH_ERROR) ? NULL : key;
}
/*
 * Report whether an agent can be talked to, connecting on demand.
 *
 * @return 1 when the agent socket is already open or agent_connect()
 *         succeeds; 0 when there is no agent or it cannot be reached.
 */
int ssh_agent_is_running(ssh_session session)
{
    if (session == NULL || session->agent == NULL) {
        return 0;
    }

    if (ssh_socket_is_open(session->agent->sock)) {
        return 1;
    }

    /* not connected yet: use the forwarded channel or SSH_AUTH_SOCK */
    return (agent_connect(session) < 0) ? 0 : 1;
}
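/*
 * Ask the agent to sign data with the private key matching pubkey.
 *
 * Builds an SSH2_AGENTC_SIGN_REQUEST (key blob, data, flags).  For RSA keys
 * the RSA-SHA2 flag is chosen from the signature extension the server
 * negotiated (RFC 8332), so the agent produces a signature the server
 * accepts.
 *
 * @param session  session whose agent is used; its negotiated extensions
 *                 select the RSA hash
 * @param pubkey   public half of the key the agent should sign with
 * @param data     bytes to sign
 *
 * @return the signature blob from the agent, owned by the caller, or NULL
 *         when an argument is NULL, the request cannot be built, the agent
 *         cannot be reached, or the agent refuses or answers with an
 *         unexpected message type (the last is recorded as a fatal error).
 */
ssh_string ssh_agent_sign_data(ssh_session session,
                               const ssh_key pubkey,
                               struct ssh_buffer_struct *data)
{
    ssh_buffer request = NULL;
    ssh_buffer reply = NULL;
    ssh_string key_blob = NULL;
    ssh_string sig_blob = NULL;
    uint8_t type = 0;
    unsigned int flags = 0;
    uint32_t dlen;
    int rc;

    /* all three are dereferenced below */
    if (session == NULL || pubkey == NULL || data == NULL) {
        return NULL;
    }

    request = ssh_buffer_new();
    if (request == NULL) {
        return NULL;
    }

    /* create request */
    if (ssh_buffer_add_u8(request, SSH2_AGENTC_SIGN_REQUEST) < 0) {
        SSH_BUFFER_FREE(request);
        return NULL;
    }

    rc = ssh_pki_export_pubkey_blob(pubkey, &key_blob);
    if (rc < 0) {
        SSH_BUFFER_FREE(request);
        return NULL;
    }

    /*
     * reserve room for the fixed-size part of the request:
     * - 1 x uint8_t    (message type)
     * - 1 x ssh_string (uint32_t length + key blob)
     * - 2 x uint32_t   (data length, flags)
     * The data itself is appended afterwards and grows the buffer as needed.
     */
    rc = ssh_buffer_allocate_size(request,
                                  sizeof(uint8_t) +
                                  sizeof(uint32_t) * 3 +
                                  ssh_string_len(key_blob));
    if (rc < 0) {
        /* key_blob was leaked on this path before */
        SSH_STRING_FREE(key_blob);
        SSH_BUFFER_FREE(request);
        return NULL;
    }

    /* adds len + blob */
    rc = ssh_buffer_add_ssh_string(request, key_blob);
    SSH_STRING_FREE(key_blob);
    if (rc < 0) {
        SSH_BUFFER_FREE(request);
        return NULL;
    }

    /* Add data */
    dlen = ssh_buffer_get_len(data);
    if (ssh_buffer_add_u32(request, htonl(dlen)) < 0) {
        SSH_BUFFER_FREE(request);
        return NULL;
    }
    if (ssh_buffer_add_data(request, ssh_buffer_get(data), dlen) < 0) {
        SSH_BUFFER_FREE(request);
        return NULL;
    }

    /* Add Flags: SHA2 extension (RFC 8332) if negotiated */
    if (ssh_key_type_plain(pubkey->type) == SSH_KEYTYPE_RSA) {
        if (session->extensions & SSH_EXT_SIG_RSA_SHA512) {
            flags |= SSH_AGENT_RSA_SHA2_512;
        } else if (session->extensions & SSH_EXT_SIG_RSA_SHA256) {
            flags |= SSH_AGENT_RSA_SHA2_256;
        }
    }
    if (ssh_buffer_add_u32(request, htonl(flags)) < 0) {
        SSH_BUFFER_FREE(request);
        return NULL;
    }

    reply = ssh_buffer_new();
    if (reply == NULL) {
        SSH_BUFFER_FREE(request);
        return NULL;
    }

    /* send the request; it is not needed once agent_talk() returns */
    rc = agent_talk(session, request, reply);
    SSH_BUFFER_FREE(request);
    if (rc < 0) {
        SSH_BUFFER_FREE(reply);
        return NULL;
    }

    /*
     * check if reply is valid.  The type is one byte, so read it into a
     * uint8_t; that is endian-neutral and replaces the old
     * unsigned-int-plus-bswap_32 trick.
     */
    if (ssh_buffer_get_u8(reply, &type) != sizeof(uint8_t)) {
        SSH_BUFFER_FREE(reply);
        return NULL;
    }

    if (agent_failed(type)) {
        SSH_LOG(SSH_LOG_WARN, "Agent reports failure in signing the key");
        SSH_BUFFER_FREE(reply);
        return NULL;
    } else if (type != SSH2_AGENT_SIGN_RESPONSE) {
        ssh_set_error(session,
                      SSH_FATAL,
                      "Bad authentication response: %u",
                      (unsigned int) type);
        SSH_BUFFER_FREE(reply);
        return NULL;
    }

    /* NULL when the reply carries no signature string */
    sig_blob = ssh_buffer_get_ssh_string(reply);
    SSH_BUFFER_FREE(reply);

    return sig_blob;
}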
#endif /* _WIN32 */