Bugzilla – Attachment 2895 Details for
Bug 2642
[sshconnect2] publickey authentication only properly works if used first: pubkey_prepare doesn't work after pubkey_cleanup
[patch]
Only reorder and reset count of authctxt->keys between authentications
Only_Reorder_and_reset_count_of_keys_between_runs.patch (text/plain), 6.71 KB, created by
Vincent Brillault
on 2016-11-24 10:03:53 AEDT
Description:
Only reorder and reset count of authctxt->keys between authentications
Filename:
MIME Type:
Creator:
Vincent Brillault
Created:
2016-11-24 10:03:53 AEDT
Size:
6.71 KB
patch
obsolete
>diff --git a/authfd.c b/authfd.c
>index a634bcb..af82b33 100644
>--- a/authfd.c
>+++ b/authfd.c
>@@ -428,7 +428,7 @@ ssh_decrypt_challenge(int sock, struct sshkey* key, BIGNUM *challenge,
> 
> /* encode signature algoritm in flag bits, so we can keep the msg format */
> static u_int
>-agent_encode_alg(struct sshkey *key, const char *alg)
>+agent_encode_alg(const struct sshkey *key, const char *alg)
> {
> if (alg != NULL && key->type == KEY_RSA) {
> if (strcmp(alg, "rsa-sha2-256") == 0)
>@@ -441,7 +441,7 @@ agent_encode_alg(struct sshkey *key, const char *alg)
> 
> /* ask agent to sign data, returns err.h code on error, 0 on success */
> int
>-ssh_agent_sign(int sock, struct sshkey *key,
>+ssh_agent_sign(int sock, const struct sshkey *key,
> u_char **sigp, size_t *lenp,
> const u_char *data, size_t datalen, const char *alg, u_int compat)
> {
>@@ -496,7 +496,7 @@ ssh_agent_sign(int sock, struct sshkey *key,
> 
> #ifdef WITH_SSH1
> static int
>-ssh_encode_identity_rsa1(struct sshbuf *b, RSA *key, const char *comment)
>+ssh_encode_identity_rsa1(struct sshbuf *b, const RSA *key, const char *comment)
> {
> int r;
> 
>@@ -515,7 +515,7 @@ ssh_encode_identity_rsa1(struct sshbuf *b, RSA *key, const char *comment)
> #endif
> 
> static int
>-ssh_encode_identity_ssh2(struct sshbuf *b, struct sshkey *key,
>+ssh_encode_identity_ssh2(struct sshbuf *b, const struct sshkey *key,
> const char *comment)
> {
> int r;
>@@ -550,8 +550,8 @@ encode_constraints(struct sshbuf *m, u_int life, u_int confirm)
> * This call is intended only for use by ssh-add(1) and like applications.
> */
> int
>-ssh_add_identity_constrained(int sock, struct sshkey *key, const char *comment,
>- u_int life, u_int confirm)
>+ssh_add_identity_constrained(int sock, const struct sshkey *key,
>+ const char *comment, u_int life, u_int confirm)
> {
> struct sshbuf *msg;
> int r, constrained = (life || confirm);
>diff --git a/authfd.h b/authfd.h
>index 4b417e3..60366d4 100644
>--- a/authfd.h
>+++ b/authfd.h
>@@ -30,7 +30,7 @@ int ssh_lock_agent(int sock, int lock, const char *password);
> int ssh_fetch_identitylist(int sock, int version,
> struct ssh_identitylist **idlp);
> void ssh_free_identitylist(struct ssh_identitylist *idl);
>-int ssh_add_identity_constrained(int sock, struct sshkey *key,
>+int ssh_add_identity_constrained(int sock, const struct sshkey *key,
> const char *comment, u_int life, u_int confirm);
> int ssh_remove_identity(int sock, struct sshkey *key);
> int ssh_update_card(int sock, int add, const char *reader_id,
>@@ -39,7 +39,7 @@ int ssh_remove_all_identities(int sock, int version);
> 
> int ssh_decrypt_challenge(int sock, struct sshkey* key, BIGNUM *challenge,
> u_char session_id[16], u_char response[16]);
>-int ssh_agent_sign(int sock, struct sshkey *key,
>+int ssh_agent_sign(int sock, const struct sshkey *key,
> u_char **sigp, size_t *lenp,
> const u_char *data, size_t datalen, const char *alg, u_int compat);
> 
>diff --git a/sshconnect.c b/sshconnect.c
>index 96b91ce..f55d6ec 100644
>--- a/sshconnect.c
>+++ b/sshconnect.c
>@@ -1516,8 +1516,8 @@ ssh_local_cmd(const char *args)
> }
> 
> void
>-maybe_add_key_to_agent(char *authfile, Key *private, char *comment,
>- char *passphrase)
>+maybe_add_key_to_agent(const char *authfile, const Key *private,
>+ const char *comment, const char *passphrase)
> {
> int auth_sock = -1, r;
> 
>diff --git a/sshconnect.h b/sshconnect.h
>index cf1851a..fa68dd1 100644
>--- a/sshconnect.h
>+++ b/sshconnect.h
>@@ -55,7 +55,8 @@ void ssh_userauth2(const char *, const char *, char *, Sensitive *);
> void ssh_put_password(char *);
> int ssh_local_cmd(const char *);
> 
>-void maybe_add_key_to_agent(char *, Key *, char *, char *);
>+void maybe_add_key_to_agent(const char *, const Key *, const char *,
>+ const char *);
> 
> /*
> * Macros to raise/lower permissions.
>diff --git a/sshconnect2.c b/sshconnect2.c
>index 7a8b7ea..dd56868 100644
>--- a/sshconnect2.c
>+++ b/sshconnect2.c
>@@ -315,10 +315,11 @@ int input_gssapi_errtok(int, u_int32_t, void *);
> 
> void userauth(Authctxt *, char *);
> 
>-static int sign_and_send_pubkey(Authctxt *, Identity *);
>+static int sign_and_send_pubkey(Authctxt *, const Identity *);
> static void pubkey_prepare(Authctxt *);
> static void pubkey_cleanup(Authctxt *);
>-static Key *load_identity_file(Identity *);
>+static void pubkey_reset(Authctxt *);
>+static Key *load_identity_file(const Identity *);
> 
> static Authmethod *authmethod_get(char *authlist);
> static Authmethod *authmethod_lookup(const char *name);
>@@ -560,8 +561,7 @@ input_userauth_failure(int type, u_int32_t seq, void *ctxt)
> if (partial != 0) {
> verbose("Authenticated with partial success.");
> /* reset state */
>-pubkey_cleanup(authctxt);
>-pubkey_prepare(authctxt);
>+pubkey_reset(authctxt);
> }
> debug("Authentications that can continue: %s", authlist);
> 
>@@ -996,7 +996,7 @@ input_userauth_passwd_changereq(int type, u_int32_t seqnr, void *ctxt)
> }
> 
> static const char *
>-identity_sign_encode(struct identity *id)
>+identity_sign_encode(const struct identity *id)
> {
> struct ssh *ssh = active_state;
> 
>@@ -1012,7 +1012,7 @@ identity_sign_encode(struct identity *id)
> }
> 
> static int
>-identity_sign(struct identity *id, u_char **sigp, size_t *lenp,
>+identity_sign(const struct identity *id, u_char **sigp, size_t *lenp,
> const u_char *data, size_t datalen, u_int compat)
> {
> Key *prv;
>@@ -1042,7 +1042,7 @@ identity_sign(struct identity *id, u_char **sigp, size_t *lenp,
> }
> 
> static int
>-sign_and_send_pubkey(Authctxt *authctxt, Identity *id)
>+sign_and_send_pubkey(Authctxt *authctxt, const Identity *id)
> {
> Buffer b;
> Identity *private_id;
>@@ -1160,7 +1160,7 @@ sign_and_send_pubkey(Authctxt *authctxt, Identity *id)
> }
> 
> static int
>-send_pubkey_test(Authctxt *authctxt, Identity *id)
>+send_pubkey_test(Authctxt *authctxt, const Identity *id)
> {
> u_char *blob;
> u_int bloblen, have_sig = 0;
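Review bot: The `/* reset state */` comment kept above the new `pubkey_reset(authctxt);` call in input_userauth_failure() no longer tells a reader why the previous cleanup-and-prepare pair had to go, which is the whole reason for this patch. Suggest replacing it with `/* Rewind the key list for another pubkey round; pubkey_prepare() cannot be re-run after pubkey_cleanup() (bug 2642). */` so the next person does not reintroduce the pair. input_userauth_failure's body starts and ends outside the hunk.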
>@@ -1189,7 +1189,7 @@ send_pubkey_test(Authctxt *authctxt, Identity *id)
> }
> 
> static Key *
>-load_identity_file(Identity *id)
>+load_identity_file(const Identity *id)
> {
> Key *private = NULL;
> char prompt[300], *passphrase, *comment;
>@@ -1414,8 +1414,25 @@ pubkey_cleanup(Authctxt *authctxt)
> }
> }
> 
>+static void
>+pubkey_reset(Authctxt *authctxt)
>+{
>+ Identity *id, *last;
>+
>+ last = TAILQ_LAST(&authctxt->keys, idlist);
>+ while ((id = TAILQ_FIRST(&authctxt->keys)) &&
>+ (id->tried != last->tried)) {
>+ id->tried++;
>+ TAILQ_REMOVE(&authctxt->keys, id, next);
>+ TAILQ_INSERT_TAIL(&authctxt->keys, id, next);
>+ last = id;
>+ }
>+ TAILQ_FOREACH(id, &authctxt->keys, next)
>+ id->tried = 0;
>+}
>+
> static int
>-try_identity(Identity *id)
>+try_identity(const Identity *id)
> {
> if (!id->key)
> return (0);
>@@ -1459,6 +1476,7 @@ userauth_pubkey(Authctxt *authctxt)
> id->isprivate = 1;
> sent = sign_and_send_pubkey(
> authctxt, id);
>+ id->isprivate = 0;
> }
> key_free(id->key);
> id->key = NULL;
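Review bot: The rotation loop in the new pubkey_reset() can fail to terminate, because its exit test compares the `tried` counter of the head key with that of the key moved last, and each pass bumps the moved key's counter again. That only converges when every counter is 0 or 1 on entry; if the head key can carry a higher count — for instance if userauth_pubkey(), outside this hunk, increments `tried` on an already-tried head key before giving up — the head and tail counters stay one apart on every pass and ssh spins at the partial-success point. The only property the list reliably has here is that untried keys (`tried == 0`) sit ahead of tried ones, so rotating the head while it is untried, marking each key as it is moved, restores the original order in at most one pass regardless of the counter values. try_identity's body continues outside the hunk.
```c
static void
pubkey_reset(Authctxt *authctxt)
{
	Identity *id;

	/*
	 * Keys that were never tried sit ahead of those that were; rotate
	 * them to the tail so the list is back in the order pubkey_prepare()
	 * built it.  Marking each moved key bounds the loop to one pass.
	 */
	while ((id = TAILQ_FIRST(&authctxt->keys)) != NULL && id->tried == 0) {
		id->tried = 1;
		TAILQ_REMOVE(&authctxt->keys, id, next);
		TAILQ_INSERT_TAIL(&authctxt->keys, id, next);
	}
	/* … unchanged: TAILQ_FOREACH clearing id->tried … */
}
```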