Attachment #2895 for bug #2642





/* encode signature algoritm in flag bits, so we can keep the msg format */
static u_int
agent_encode_alg(const struct sshkey *key, const char *alg)
{
	if (alg != NULL && key->type == KEY_RSA) {
		if (strcmp(alg, "rsa-sha2-256") == 0)


/* ask agent to sign data, returns err.h code on error, 0 on success */
int
ssh_agent_sign(int sock, const struct sshkey *key,
    u_char **sigp, size_t *lenp,
    const u_char *data, size_t datalen, const char *alg, u_int compat)
{


#ifdef WITH_SSH1
static int
ssh_encode_identity_rsa1(struct sshbuf *b, const RSA *key, const char *comment)
{
	int r;


#endif

static int
ssh_encode_identity_ssh2(struct sshbuf *b, const struct sshkey *key,
    const char *comment)
{
	int r;

 * This call is intended only for use by ssh-add(1) and like applications.
 */
int
ssh_add_identity_constrained(int sock, const struct sshkey *key,
    const char *comment, u_int life, u_int confirm)
{
	struct sshbuf *msg;
	int r, constrained = (life || confirm);

Lines 30-36 int ssh_lock_agent(int sock, int lock, const char *password); Link Here

(-)a/authfd.h (-2 / +2 lines)
30	int ssh_fetch_identitylist(int sock, int version,	30	int ssh_fetch_identitylist(int sock, int version,
31	struct ssh_identitylist **idlp);	31	struct ssh_identitylist **idlp);
32	void ssh_free_identitylist(struct ssh_identitylist *idl);	32	void ssh_free_identitylist(struct ssh_identitylist *idl);
33	int ssh_add_identity_constrained(int sock, struct sshkey *key,	33	int ssh_add_identity_constrained(int sock, const struct sshkey *key,
34	const char *comment, u_int life, u_int confirm);	34	const char *comment, u_int life, u_int confirm);
35	int ssh_remove_identity(int sock, struct sshkey *key);	35	int ssh_remove_identity(int sock, struct sshkey *key);
36	int ssh_update_card(int sock, int add, const char *reader_id,	36	int ssh_update_card(int sock, int add, const char *reader_id,
Lines 39-45 int ssh_remove_all_identities(int sock, int version); Link Here
39		39
40	int ssh_decrypt_challenge(int sock, struct sshkey* key, BIGNUM *challenge,	40	int ssh_decrypt_challenge(int sock, struct sshkey* key, BIGNUM *challenge,
41	u_char session_id[16], u_char response[16]);	41	u_char session_id[16], u_char response[16]);
42	int ssh_agent_sign(int sock, struct sshkey *key,	42	int ssh_agent_sign(int sock, const struct sshkey *key,
43	u_char *sigp, size_t lenp,	43	u_char *sigp, size_t lenp,
44	const u_char data, size_t datalen, const char alg, u_int compat);	44	const u_char data, size_t datalen, const char alg, u_int compat);
45		45

Lines 1516-1523 ssh_local_cmd(const char *args) Link Here

(-)a/sshconnect.c (-2 / +2 lines)
1516	}	1516	}
1517		1517
1518	void	1518	void
1519	maybe_add_key_to_agent(char authfile, Key private, char *comment,	1519	maybe_add_key_to_agent(const char authfile, const Key private,
1520	char *passphrase)	1520	const char comment, const char passphrase)
1521	{	1521	{
1522	int auth_sock = -1, r;	1522	int auth_sock = -1, r;
1523		1523

Lines 55-61 void ssh_userauth2(const char , const char , char , Sensitive ); Link Here

(-)a/sshconnect.h (-1 / +2 lines)
55	void ssh_put_password(char *);	55	void ssh_put_password(char *);
56	int ssh_local_cmd(const char *);	56	int ssh_local_cmd(const char *);
57		57
58	void maybe_add_key_to_agent(char , Key , char , char );	58	void maybe_add_key_to_agent(const char , const Key , const char *,
		59	const char *);
59		60
60	/*	61	/*
61	* Macros to raise/lower permissions.	62	* Macros to raise/lower permissions.





void	userauth(Authctxt *, char *);

static int sign_and_send_pubkey(Authctxt *, const Identity *);
static void pubkey_prepare(Authctxt *);
static void pubkey_cleanup(Authctxt *);
static void pubkey_reset(Authctxt *);
static Key *load_identity_file(const Identity *);

static Authmethod *authmethod_get(char *authlist);
static Authmethod *authmethod_lookup(const char *name);

	if (partial != 0) {
		verbose("Authenticated with partial success.");
		/* reset state */
		pubkey_reset(authctxt);
		pubkey_prepare(authctxt);
	}
	debug("Authentications that can continue: %s", authlist);


}

static const char *
identity_sign_encode(const struct identity *id)
{
	struct ssh *ssh = active_state;


}

static int
identity_sign(const struct identity *id, u_char **sigp, size_t *lenp,
    const u_char *data, size_t datalen, u_int compat)
{
	Key *prv;

}

static int
sign_and_send_pubkey(Authctxt *authctxt, const Identity *id)
{
	Buffer b;
	Identity *private_id;

}

static int
send_pubkey_test(Authctxt *authctxt, const Identity *id)
{
	u_char *blob;
	u_int bloblen, have_sig = 0;

}

static Key *
load_identity_file(const Identity *id)
{
	Key *private = NULL;
	char prompt[300], *passphrase, *comment;

	}
}

static void
pubkey_reset(Authctxt *authctxt)
{
	Identity *id, *last;

	last = TAILQ_LAST(&authctxt->keys, idlist);
	while ((id = TAILQ_FIRST(&authctxt->keys)) &&
	    (id->tried != last->tried)) {
		id->tried++;
		TAILQ_REMOVE(&authctxt->keys, id, next);
		TAILQ_INSERT_TAIL(&authctxt->keys, id, next);
		last = id;
	}
	TAILQ_FOREACH(id, &authctxt->keys, next)
		id->tried = 0;
}

static int
try_identity(const Identity *id)
{
	if (!id->key)
		return (0);

					id->isprivate = 1;
					sent = sign_and_send_pubkey(
					    authctxt, id);
					id->isprivate = 0;
				}
				key_free(id->key);
				id->key = NULL;

Return to bug 2642

Lines 428-434 ssh_decrypt_challenge(int sock, struct sshkey* key, BIGNUM *challenge, Link Here

(-)a/authfd.c (-6 / +6 lines)
428		428
429	/* encode signature algoritm in flag bits, so we can keep the msg format */	429	/* encode signature algoritm in flag bits, so we can keep the msg format */
430	static u_int	430	static u_int
431	agent_encode_alg(struct sshkey key, const char alg)	431	agent_encode_alg(const struct sshkey key, const char alg)
432	{	432	{
433	if (alg != NULL && key->type == KEY_RSA) {	433	if (alg != NULL && key->type == KEY_RSA) {
434	if (strcmp(alg, "rsa-sha2-256") == 0)	434	if (strcmp(alg, "rsa-sha2-256") == 0)
Lines 441-447 agent_encode_alg(struct sshkey key, const char alg) Link Here
441		441
442	/* ask agent to sign data, returns err.h code on error, 0 on success */	442	/* ask agent to sign data, returns err.h code on error, 0 on success */
443	int	443	int
444	ssh_agent_sign(int sock, struct sshkey *key,	444	ssh_agent_sign(int sock, const struct sshkey *key,
445	u_char *sigp, size_t lenp,	445	u_char *sigp, size_t lenp,
446	const u_char data, size_t datalen, const char alg, u_int compat)	446	const u_char data, size_t datalen, const char alg, u_int compat)
447	{	447	{
Lines 496-502 ssh_agent_sign(int sock, struct sshkey *key, Link Here
496		496
497	#ifdef WITH_SSH1	497	#ifdef WITH_SSH1
498	static int	498	static int
499	ssh_encode_identity_rsa1(struct sshbuf b, RSA key, const char *comment)	499	ssh_encode_identity_rsa1(struct sshbuf b, const RSA key, const char *comment)
500	{	500	{
501	int r;	501	int r;
502		502
Lines 515-521 ssh_encode_identity_rsa1(struct sshbuf b, RSA key, const char *comment) Link Here
515	#endif	515	#endif
516		516
517	static int	517	static int
518	ssh_encode_identity_ssh2(struct sshbuf b, struct sshkey key,	518	ssh_encode_identity_ssh2(struct sshbuf b, const struct sshkey key,
519	const char *comment)	519	const char *comment)
520	{	520	{
521	int r;	521	int r;
Lines 550-557 encode_constraints(struct sshbuf *m, u_int life, u_int confirm) Link Here
550	* This call is intended only for use by ssh-add(1) and like applications.	550	* This call is intended only for use by ssh-add(1) and like applications.
551	*/	551	*/
552	int	552	int
553	ssh_add_identity_constrained(int sock, struct sshkey key, const char comment,	553	ssh_add_identity_constrained(int sock, const struct sshkey *key,
554	u_int life, u_int confirm)	554	const char *comment, u_int life, u_int confirm)
555	{	555	{
556	struct sshbuf *msg;	556	struct sshbuf *msg;
557	int r, constrained = (life \|\| confirm);	557	int r, constrained = (life \|\| confirm);

Lines 315-324 int input_gssapi_errtok(int, u_int32_t, void *); Link Here

(-)a/sshconnect2.c (-10 / +28 lines)
315		315
316	void userauth(Authctxt , char );	316	void userauth(Authctxt , char );
317		317
318	static int sign_and_send_pubkey(Authctxt , Identity );	318	static int sign_and_send_pubkey(Authctxt , const Identity );
319	static void pubkey_prepare(Authctxt *);	319	static void pubkey_prepare(Authctxt *);
320	static void pubkey_cleanup(Authctxt *);	320	static void pubkey_cleanup(Authctxt *);
321	static Key load_identity_file(Identity );	321	static void pubkey_reset(Authctxt *);
		322	static Key load_identity_file(const Identity );
322		323
323	static Authmethod authmethod_get(char authlist);	324	static Authmethod authmethod_get(char authlist);
324	static Authmethod authmethod_lookup(const char name);	325	static Authmethod authmethod_lookup(const char name);
Lines 560-567 input_userauth_failure(int type, u_int32_t seq, void *ctxt) Link Here
560	if (partial != 0) {	561	if (partial != 0) {
561	verbose("Authenticated with partial success.");	562	verbose("Authenticated with partial success.");
562	/* reset state */	563	/* reset state */
563	pubkey_cleanup(authctxt);	564	pubkey_reset(authctxt);
564	pubkey_prepare(authctxt);
565	}	565	}
566	debug("Authentications that can continue: %s", authlist);	566	debug("Authentications that can continue: %s", authlist);
567		567
Lines 996-1002 input_userauth_passwd_changereq(int type, u_int32_t seqnr, void *ctxt) Link Here
996	}	996	}
997		997
998	static const char *	998	static const char *
999	identity_sign_encode(struct identity *id)	999	identity_sign_encode(const struct identity *id)
1000	{	1000	{
1001	struct ssh *ssh = active_state;	1001	struct ssh *ssh = active_state;
1002		1002
Lines 1012-1018 identity_sign_encode(struct identity *id) Link Here
1012	}	1012	}
1013		1013
1014	static int	1014	static int
1015	identity_sign(struct identity id, u_char sigp, size_t lenp,	1015	identity_sign(const struct identity id, u_char sigp, size_t lenp,
1016	const u_char *data, size_t datalen, u_int compat)	1016	const u_char *data, size_t datalen, u_int compat)
1017	{	1017	{
1018	Key *prv;	1018	Key *prv;
Lines 1042-1048 identity_sign(struct identity id, u_char sigp, size_t lenp, Link Here
1042	}	1042	}
1043		1043
1044	static int	1044	static int
1045	sign_and_send_pubkey(Authctxt authctxt, Identity id)	1045	sign_and_send_pubkey(Authctxt authctxt, const Identity id)
1046	{	1046	{
1047	Buffer b;	1047	Buffer b;
1048	Identity *private_id;	1048	Identity *private_id;
Lines 1160-1166 sign_and_send_pubkey(Authctxt authctxt, Identity id) Link Here
1160	}	1160	}
1161		1161
1162	static int	1162	static int
1163	send_pubkey_test(Authctxt authctxt, Identity id)	1163	send_pubkey_test(Authctxt authctxt, const Identity id)
1164	{	1164	{
1165	u_char *blob;	1165	u_char *blob;
1166	u_int bloblen, have_sig = 0;	1166	u_int bloblen, have_sig = 0;
Lines 1189-1195 send_pubkey_test(Authctxt authctxt, Identity id) Link Here
1189	}	1189	}
1190		1190
1191	static Key *	1191	static Key *
1192	load_identity_file(Identity *id)	1192	load_identity_file(const Identity *id)
1193	{	1193	{
1194	Key *private = NULL;	1194	Key *private = NULL;
1195	char prompt[300], passphrase, comment;	1195	char prompt[300], passphrase, comment;
Lines 1414-1421 pubkey_cleanup(Authctxt *authctxt) Link Here
1414	}	1414	}
1415	}	1415	}
1416		1416
		1417	static void
		1418	pubkey_reset(Authctxt *authctxt)
		1419	{
		1420	Identity id, last;
		1421
		1422	last = TAILQ_LAST(&authctxt->keys, idlist);
		1423	while ((id = TAILQ_FIRST(&authctxt->keys)) &&
		1424	(id->tried != last->tried)) {
		1425	id->tried++;
		1426	TAILQ_REMOVE(&authctxt->keys, id, next);
		1427	TAILQ_INSERT_TAIL(&authctxt->keys, id, next);
		1428	last = id;
		1429	}
		1430	TAILQ_FOREACH(id, &authctxt->keys, next)
		1431	id->tried = 0;
		1432	}
		1433
1417	static int	1434	static int
1418	try_identity(Identity *id)	1435	try_identity(const Identity *id)
1419	{	1436	{
1420	if (!id->key)	1437	if (!id->key)
1421	return (0);	1438	return (0);
Lines 1459-1464 userauth_pubkey(Authctxt *authctxt) Link Here
1459	id->isprivate = 1;	1476	id->isprivate = 1;
1460	sent = sign_and_send_pubkey(	1477	sent = sign_and_send_pubkey(
1461	authctxt, id);	1478	authctxt, id);
		1479	id->isprivate = 0;
1462	}	1480	}
1463	key_free(id->key);	1481	key_free(id->key);
1464	id->key = NULL;	1482	id->key = NULL;