cli-agentfwd.c 7.46 KB
Newer Older
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
/*
 * Dropbear - a SSH2 server
 * 
 * Copyright (c) 2005 Matt Johnston
 * All rights reserved.
 * 
 * Permission is hereby granted, free of charge, to any person obtaining a copy
 * of this software and associated documentation files (the "Software"), to deal
 * in the Software without restriction, including without limitation the rights
 * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
 * copies of the Software, and to permit persons to whom the Software is
 * furnished to do so, subject to the following conditions:
 * 
 * The above copyright notice and this permission notice shall be included in
 * all copies or substantial portions of the Software.
 * 
 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
 * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
 * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
 * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
 * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
 * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
 * SOFTWARE. */

#include "includes.h"

27
#if DROPBEAR_CLI_AGENTFWD
28
29
30
31
32
33
34
35
36

#include "agentfwd.h"
#include "session.h"
#include "ssh.h"
#include "dbutil.h"
#include "chansession.h"
#include "channel.h"
#include "packet.h"
#include "buffer.h"
37
#include "dbrandom.h"
38
39
40
41
42
43
#include "listener.h"
#include "runopts.h"
#include "atomicio.h"
#include "signkey.h"
#include "auth.h"

44
45
46
/* The protocol implemented to talk to OpenSSH's SSH2 agent is documented in
   PROTOCOL.agent in recent OpenSSH source distributions (5.1p1 has it). */

47
48
static int new_agent_chan(struct Channel * channel);

49
const struct ChanType cli_chan_agent = {
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
	0, /* sepfds */
	"[email protected]",
	new_agent_chan,
	NULL,
	NULL,
	NULL
};

static int connect_agent() {

	int fd = -1;
	char* agent_sock = NULL;

	agent_sock = getenv("SSH_AUTH_SOCK");
	if (agent_sock == NULL)
		return -1;

	fd = connect_unix(agent_sock);

69
70
71
72
	if (fd < 0) {
		dropbear_log(LOG_INFO, "Failed to connect to agent");
	}

73
74
75
	return fd;
}

Matt Johnston's avatar
Matt Johnston committed
76
77
/* handle a request for a connection to the locally running ssh-agent
   or forward. */
78
79
80
81
82
83
84
85
static int new_agent_chan(struct Channel * channel) {

	int fd = -1;

	if (!cli_opts.agent_fwd)
		return SSH_OPEN_ADMINISTRATIVELY_PROHIBITED;

	fd = connect_agent();
86
	if (fd < 0) {
87
88
		return SSH_OPEN_CONNECT_FAILED;
	}
89
90
91
92
93

	setnonblocking(fd);

	ses.maxfd = MAX(ses.maxfd, fd);

94
95
	channel->readfd = fd;
	channel->writefd = fd;
96
97
98
99
100
101

	return 0;
}

/* Sends a request to the agent, returning a newly allocated buffer
 * with the response */
102
103
104
/* This function will block waiting for a response - it will
 * only be used by client authentication (not for forwarded requests)
 * won't cause problems for interactivity. */
105
106
107
108
/* Packet format (from draft-ylonen)
   4 bytes     Length, msb first.  Does not include length itself.
   1 byte      Packet type.  The value 255 is reserved for future extensions.
   data        Any data, depending on packet type.  Encoding as in the ssh packet
109
               protocol.
110
*/
111
static buffer * agent_request(unsigned char type, buffer *data) {
112
113
114
115
116

	buffer * payload = NULL;
	buffer * inbuf = NULL;
	size_t readlen = 0;
	ssize_t ret;
117
118
119
120
121
122
	const int fd = cli_opts.agent_fd;
	unsigned int data_len = 0;
	if (data)
	{
		data_len = data->len;
	}
123

124
	payload = buf_new(4 + 1 + data_len);
125

126
	buf_putint(payload, 1 + data_len);
127
	buf_putbyte(payload, type);
128
129
130
	if (data) {
		buf_putbytes(payload, data->data, data->len);
	}
131
	buf_setpos(payload, 0);
132

Francois Perrad's avatar
Francois Perrad committed
133
	ret = atomicio(vwrite, fd, buf_getptr(payload, payload->len), payload->len);
134
	if ((size_t)ret != payload->len) {
135
		TRACE(("write failed fd %d for agent_request, %s", fd, strerror(errno)))
136
137
138
139
140
		goto out;
	}

	buf_free(payload);
	payload = NULL;
141
	TRACE(("Wrote out bytes for agent_request"))
142
143
144
145
146
147
148
	/* Now we read the response */
	inbuf = buf_new(4);
	ret = atomicio(read, fd, buf_getwriteptr(inbuf, 4), 4);
	if (ret != 4) {
		TRACE(("read of length failed for agent_request"))
		goto out;
	}
149
150
	buf_setpos(inbuf, 0);
	buf_setlen(inbuf, ret);
151
152
153
154
155
156

	readlen = buf_getint(inbuf);
	if (readlen > MAX_AGENT_REPLY) {
		TRACE(("agent reply is too big"));
		goto out;
	}
157
	
158
	inbuf = buf_resize(inbuf, readlen);
159
	buf_setpos(inbuf, 0);
160
161
162
163
164
	ret = atomicio(read, fd, buf_getwriteptr(inbuf, readlen), readlen);
	if ((size_t)ret != readlen) {
		TRACE(("read of data failed for agent_request"))
		goto out;
	}
165
166
	buf_incrwritepos(inbuf, readlen);
	buf_setpos(inbuf, 0);
167
168
169
170
171
172
173
174

out:
	if (payload)
		buf_free(payload);

	return inbuf;
}

175
static void agent_get_key_list(m_list * ret_list)
176
177
178
179
180
181
182
{
	buffer * inbuf = NULL;
	unsigned int num = 0;
	unsigned char packet_type;
	unsigned int i;
	int ret;

183
	inbuf = agent_request(SSH2_AGENTC_REQUEST_IDENTITIES, NULL);
184
	if (!inbuf) {
185
		TRACE(("agent_request failed returning identities"))
186
187
188
189
		goto out;
	}

	/* The reply has a format of:
190
191
192
193
194
		byte			SSH2_AGENT_IDENTITIES_ANSWER
		uint32			num_keys
  	   Followed by zero or more consecutive keys, encoded as:
       	 string			key_blob
    	 string			key_comment
195
196
197
198
199
200
201
202
203
	 */
	packet_type = buf_getbyte(inbuf);
	if (packet_type != SSH2_AGENT_IDENTITIES_ANSWER) {
		goto out;
	}

	num = buf_getint(inbuf);
	for (i = 0; i < num; i++) {
		sign_key * pubkey = NULL;
Matt Johnston's avatar
Matt Johnston committed
204
		enum signkey_type key_type = DROPBEAR_SIGNKEY_ANY;
205
		buffer * key_buf;
206

207
208
		/* each public key is encoded as a string */
		key_buf = buf_getstringbuf(inbuf);
209
		pubkey = new_sign_key();
210
211
		ret = buf_get_pub_key(key_buf, pubkey, &key_type);
		buf_free(key_buf);
212
		if (ret != DROPBEAR_SUCCESS) {
Matt Johnston's avatar
Matt Johnston committed
213
			TRACE(("Skipping bad/unknown type pubkey from agent"));
214
215
216
217
			sign_key_free(pubkey);
		} else {
			pubkey->type = key_type;
			pubkey->source = SIGNKEY_SOURCE_AGENT;
218

219
220
			list_append(ret_list, pubkey);
		}
221

222
		/* We'll ignore the comment for now. might want it later.*/
223
224
225
226
227
228
229
230
231
232
		buf_eatstring(inbuf);
	}

out:
	if (inbuf) {
		buf_free(inbuf);
		inbuf = NULL;
	}
}

Matt Johnston's avatar
Matt Johnston committed
233
234
235
236
237
void cli_setup_agent(struct Channel *channel) {
	if (!getenv("SSH_AUTH_SOCK")) {
		return;
	}
	
238
	start_send_channel_request(channel, "[email protected]");
Matt Johnston's avatar
Matt Johnston committed
239
240
241
242
243
	/* Don't want replies */
	buf_putbyte(ses.writepayload, 0);
	encrypt_packet();
}

244
245
/* Returned keys are prepended to ret_list, which will
   be updated. */
Matt Johnston's avatar
Matt Johnston committed
246
void cli_load_agent_keys(m_list *ret_list) {
247
248
249
	/* agent_fd will be closed after successful auth */
	cli_opts.agent_fd = connect_agent();
	if (cli_opts.agent_fd < 0) {
250
		return;
251
252
	}

253
	agent_get_key_list(ret_list);
254
}
255
256

void agent_buf_sign(buffer *sigblob, sign_key *key, 
257
		buffer *data_buf) {
258
259
	buffer *request_data = NULL;
	buffer *response = NULL;
Matt Johnston's avatar
Matt Johnston committed
260
	unsigned int siglen;
261
262
263
264
265
266
267
268
	int packet_type;
	
	/* Request format
	byte			SSH2_AGENTC_SIGN_REQUEST
	string			key_blob
	string			data
	uint32			flags
	*/
269
	request_data = buf_new(MAX_PUBKEY_SIZE + data_buf->len + 12);
270
271
	buf_put_pub_key(request_data, key, key->type);
	
272
	buf_putbufstring(request_data, data_buf);
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
	buf_putint(request_data, 0);
	
	response = agent_request(SSH2_AGENTC_SIGN_REQUEST, request_data);
	
	if (!response) {
		goto fail;
	}
	
	packet_type = buf_getbyte(response);
	if (packet_type != SSH2_AGENT_SIGN_RESPONSE) {
		goto fail;
	}
	
	/* Response format
	byte			SSH2_AGENT_SIGN_RESPONSE
	string			signature_blob
	*/
	siglen = buf_getint(response);
	buf_putbytes(sigblob, buf_getptr(response, siglen), siglen);
292
	goto cleanup;
293
294
295
296
297
298
	
fail:
	/* XXX don't fail badly here. instead propagate a failure code back up to
	   the cli auth pubkey code, and just remove this key from the list of 
	   ones to try. */
	dropbear_exit("Agent failed signing key");
299
300
301
302
303
304
305
306

cleanup:
	if (request_data) {
		buf_free(request_data);
	}
	if (response) {
		buf_free(response);
	}
307
}
308
309

#endif