Merge branch 'vendor/OPENSSH'
[dragonfly.git] / crypto / openssh / sshconnect2.c
1 /* $OpenBSD: sshconnect2.c,v 1.189 2012/06/22 12:30:26 dtucker Exp $ */
2 /*
3  * Copyright (c) 2000 Markus Friedl.  All rights reserved.
4  * Copyright (c) 2008 Damien Miller.  All rights reserved.
5  *
6  * Redistribution and use in source and binary forms, with or without
7  * modification, are permitted provided that the following conditions
8  * are met:
9  * 1. Redistributions of source code must retain the above copyright
10  *    notice, this list of conditions and the following disclaimer.
11  * 2. Redistributions in binary form must reproduce the above copyright
12  *    notice, this list of conditions and the following disclaimer in the
13  *    documentation and/or other materials provided with the distribution.
14  *
15  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
16  * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
17  * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
18  * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
19  * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
20  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
21  * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
22  * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
23  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
24  * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
25  */
26
27 #include "includes.h"
28
29 #include <sys/types.h>
30 #include <sys/socket.h>
31 #include <sys/wait.h>
32 #include <sys/stat.h>
33
34 #include <errno.h>
35 #include <fcntl.h>
36 #include <netdb.h>
37 #include <pwd.h>
38 #include <signal.h>
39 #include <stdarg.h>
40 #include <stdio.h>
41 #include <string.h>
42 #include <unistd.h>
43 #if defined(HAVE_STRNVIS) && defined(HAVE_VIS_H)
44 #include <vis.h>
45 #endif
46
47 #include "openbsd-compat/sys-queue.h"
48
49 #include "xmalloc.h"
50 #include "ssh.h"
51 #include "ssh2.h"
52 #include "buffer.h"
53 #include "packet.h"
54 #include "compat.h"
55 #include "cipher.h"
56 #include "key.h"
57 #include "kex.h"
58 #include "myproposal.h"
59 #include "sshconnect.h"
60 #include "authfile.h"
61 #include "dh.h"
62 #include "authfd.h"
63 #include "log.h"
64 #include "readconf.h"
65 #include "misc.h"
66 #include "match.h"
67 #include "dispatch.h"
68 #include "canohost.h"
69 #include "msg.h"
70 #include "pathnames.h"
71 #include "uidswap.h"
72 #include "hostfile.h"
73 #include "schnorr.h"
74 #include "jpake.h"
75
76 #ifdef GSSAPI
77 #include "ssh-gss.h"
78 #endif
79
80 /* import */
81 extern char *client_version_string;
82 extern char *server_version_string;
83 extern Options options;
84 extern Kex *xxx_kex;
85
86 /* tty_flag is set in ssh.c. use this in ssh_userauth2 */
87 /* if it is set then prevent the switch to the null cipher */
88
89 extern int tty_flag;
90
91 /*
92  * SSH2 key exchange
93  */
94
95 u_char *session_id2 = NULL;
96 u_int session_id2_len = 0;
97
98 char *xxx_host;
99 struct sockaddr *xxx_hostaddr;
100
101 Kex *xxx_kex = NULL;
102
103 static int
104 verify_host_key_callback(Key *hostkey)
105 {
106         if (verify_host_key(xxx_host, xxx_hostaddr, hostkey) == -1)
107                 fatal("Host key verification failed.");
108         return 0;
109 }
110
111 static char *
112 order_hostkeyalgs(char *host, struct sockaddr *hostaddr, u_short port)
113 {
114         char *oavail, *avail, *first, *last, *alg, *hostname, *ret;
115         size_t maxlen;
116         struct hostkeys *hostkeys;
117         int ktype;
118         u_int i;
119
120         /* Find all hostkeys for this hostname */
121         get_hostfile_hostname_ipaddr(host, hostaddr, port, &hostname, NULL);
122         hostkeys = init_hostkeys();
123         for (i = 0; i < options.num_user_hostfiles; i++)
124                 load_hostkeys(hostkeys, hostname, options.user_hostfiles[i]);
125         for (i = 0; i < options.num_system_hostfiles; i++)
126                 load_hostkeys(hostkeys, hostname, options.system_hostfiles[i]);
127
128         oavail = avail = xstrdup(KEX_DEFAULT_PK_ALG);
129         maxlen = strlen(avail) + 1;
130         first = xmalloc(maxlen);
131         last = xmalloc(maxlen);
132         *first = *last = '\0';
133
134 #define ALG_APPEND(to, from) \
135         do { \
136                 if (*to != '\0') \
137                         strlcat(to, ",", maxlen); \
138                 strlcat(to, from, maxlen); \
139         } while (0)
140
141         while ((alg = strsep(&avail, ",")) && *alg != '\0') {
142                 if ((ktype = key_type_from_name(alg)) == KEY_UNSPEC)
143                         fatal("%s: unknown alg %s", __func__, alg);
144                 if (lookup_key_in_hostkeys_by_type(hostkeys,
145                     key_type_plain(ktype), NULL))
146                         ALG_APPEND(first, alg);
147                 else
148                         ALG_APPEND(last, alg);
149         }
150 #undef ALG_APPEND
151         xasprintf(&ret, "%s%s%s", first, *first == '\0' ? "" : ",", last);
152         if (*first != '\0')
153                 debug3("%s: prefer hostkeyalgs: %s", __func__, first);
154
155         xfree(first);
156         xfree(last);
157         xfree(hostname);
158         xfree(oavail);
159         free_hostkeys(hostkeys);
160
161         return ret;
162 }
163
164 void
165 ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port)
166 {
167         Kex *kex;
168
169         xxx_host = host;
170         xxx_hostaddr = hostaddr;
171
172         if (options.ciphers == (char *)-1) {
173                 logit("No valid ciphers for protocol version 2 given, using defaults.");
174                 options.ciphers = NULL;
175         }
176         if (options.ciphers != NULL) {
177                 myproposal[PROPOSAL_ENC_ALGS_CTOS] =
178                 myproposal[PROPOSAL_ENC_ALGS_STOC] = options.ciphers;
179         }
180         myproposal[PROPOSAL_ENC_ALGS_CTOS] =
181             compat_cipher_proposal(myproposal[PROPOSAL_ENC_ALGS_CTOS]);
182         myproposal[PROPOSAL_ENC_ALGS_STOC] =
183             compat_cipher_proposal(myproposal[PROPOSAL_ENC_ALGS_STOC]);
184         if (options.compression) {
185                 myproposal[PROPOSAL_COMP_ALGS_CTOS] =
186                 myproposal[PROPOSAL_COMP_ALGS_STOC] = "zlib@openssh.com,zlib,none";
187         } else {
188                 myproposal[PROPOSAL_COMP_ALGS_CTOS] =
189                 myproposal[PROPOSAL_COMP_ALGS_STOC] = "none,zlib@openssh.com,zlib";
190         }
191         if (options.macs != NULL) {
192                 myproposal[PROPOSAL_MAC_ALGS_CTOS] =
193                 myproposal[PROPOSAL_MAC_ALGS_STOC] = options.macs;
194         }
195         if (options.hostkeyalgorithms != NULL)
196                 myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] =
197                     options.hostkeyalgorithms;
198         else {
199                 /* Prefer algorithms that we already have keys for */
200                 myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] =
201                     order_hostkeyalgs(host, hostaddr, port);
202         }
203         if (options.kex_algorithms != NULL)
204                 myproposal[PROPOSAL_KEX_ALGS] = options.kex_algorithms;
205
206         if (options.rekey_limit)
207                 packet_set_rekey_limit((u_int32_t)options.rekey_limit);
208
209         /* start key exchange */
210         kex = kex_setup(myproposal);
211         kex->kex[KEX_DH_GRP1_SHA1] = kexdh_client;
212         kex->kex[KEX_DH_GRP14_SHA1] = kexdh_client;
213         kex->kex[KEX_DH_GEX_SHA1] = kexgex_client;
214         kex->kex[KEX_DH_GEX_SHA256] = kexgex_client;
215         kex->kex[KEX_ECDH_SHA2] = kexecdh_client;
216         kex->client_version_string=client_version_string;
217         kex->server_version_string=server_version_string;
218         kex->verify_host_key=&verify_host_key_callback;
219
220         xxx_kex = kex;
221
222         dispatch_run(DISPATCH_BLOCK, &kex->done, kex);
223
224         if (options.use_roaming && !kex->roaming) {
225                 debug("Roaming not allowed by server");
226                 options.use_roaming = 0;
227         }
228
229         session_id2 = kex->session_id;
230         session_id2_len = kex->session_id_len;
231
232 #ifdef DEBUG_KEXDH
233         /* send 1st encrypted/maced/compressed message */
234         packet_start(SSH2_MSG_IGNORE);
235         packet_put_cstring("markus");
236         packet_send();
237         packet_write_wait();
238 #endif
239 }
240
241 /*
242  * Authenticate user
243  */
244
245 typedef struct Authctxt Authctxt;
246 typedef struct Authmethod Authmethod;
247 typedef struct identity Identity;
248 typedef struct idlist Idlist;
249
250 struct identity {
251         TAILQ_ENTRY(identity) next;
252         AuthenticationConnection *ac;   /* set if agent supports key */
253         Key     *key;                   /* public/private key */
254         char    *filename;              /* comment for agent-only keys */
255         int     tried;
256         int     isprivate;              /* key points to the private key */
257 };
258 TAILQ_HEAD(idlist, identity);
259
260 struct Authctxt {
261         const char *server_user;
262         const char *local_user;
263         const char *host;
264         const char *service;
265         Authmethod *method;
266         sig_atomic_t success;
267         char *authlist;
268         /* pubkey */
269         Idlist keys;
270         AuthenticationConnection *agent;
271         /* hostbased */
272         Sensitive *sensitive;
273         /* kbd-interactive */
274         int info_req_seen;
275         /* generic */
276         void *methoddata;
277 };
278 struct Authmethod {
279         char    *name;          /* string to compare against server's list */
280         int     (*userauth)(Authctxt *authctxt);
281         void    (*cleanup)(Authctxt *authctxt);
282         int     *enabled;       /* flag in option struct that enables method */
283         int     *batch_flag;    /* flag in option struct that disables method */
284 };
285
286 void    input_userauth_success(int, u_int32_t, void *);
287 void    input_userauth_success_unexpected(int, u_int32_t, void *);
288 void    input_userauth_failure(int, u_int32_t, void *);
289 void    input_userauth_banner(int, u_int32_t, void *);
290 void    input_userauth_error(int, u_int32_t, void *);
291 void    input_userauth_info_req(int, u_int32_t, void *);
292 void    input_userauth_pk_ok(int, u_int32_t, void *);
293 void    input_userauth_passwd_changereq(int, u_int32_t, void *);
294 void    input_userauth_jpake_server_step1(int, u_int32_t, void *);
295 void    input_userauth_jpake_server_step2(int, u_int32_t, void *);
296 void    input_userauth_jpake_server_confirm(int, u_int32_t, void *);
297
298 int     userauth_none(Authctxt *);
299 int     userauth_pubkey(Authctxt *);
300 int     userauth_passwd(Authctxt *);
301 int     userauth_kbdint(Authctxt *);
302 int     userauth_hostbased(Authctxt *);
303 int     userauth_jpake(Authctxt *);
304
305 void    userauth_jpake_cleanup(Authctxt *);
306
307 #ifdef GSSAPI
308 int     userauth_gssapi(Authctxt *authctxt);
309 void    input_gssapi_response(int type, u_int32_t, void *);
310 void    input_gssapi_token(int type, u_int32_t, void *);
311 void    input_gssapi_hash(int type, u_int32_t, void *);
312 void    input_gssapi_error(int, u_int32_t, void *);
313 void    input_gssapi_errtok(int, u_int32_t, void *);
314 #endif
315
316 void    userauth(Authctxt *, char *);
317
318 static int sign_and_send_pubkey(Authctxt *, Identity *);
319 static void pubkey_prepare(Authctxt *);
320 static void pubkey_cleanup(Authctxt *);
321 static Key *load_identity_file(char *);
322
323 static Authmethod *authmethod_get(char *authlist);
324 static Authmethod *authmethod_lookup(const char *name);
325 static char *authmethods_get(void);
326
327 Authmethod authmethods[] = {
328 #ifdef GSSAPI
329         {"gssapi-with-mic",
330                 userauth_gssapi,
331                 NULL,
332                 &options.gss_authentication,
333                 NULL},
334 #endif
335         {"hostbased",
336                 userauth_hostbased,
337                 NULL,
338                 &options.hostbased_authentication,
339                 NULL},
340         {"publickey",
341                 userauth_pubkey,
342                 NULL,
343                 &options.pubkey_authentication,
344                 NULL},
345 #ifdef JPAKE
346         {"jpake-01@openssh.com",
347                 userauth_jpake,
348                 userauth_jpake_cleanup,
349                 &options.zero_knowledge_password_authentication,
350                 &options.batch_mode},
351 #endif
352         {"keyboard-interactive",
353                 userauth_kbdint,
354                 NULL,
355                 &options.kbd_interactive_authentication,
356                 &options.batch_mode},
357         {"password",
358                 userauth_passwd,
359                 NULL,
360                 &options.password_authentication,
361                 &options.batch_mode},
362         {"none",
363                 userauth_none,
364                 NULL,
365                 NULL,
366                 NULL},
367         {NULL, NULL, NULL, NULL, NULL}
368 };
369
370 void
371 ssh_userauth2(const char *local_user, const char *server_user, char *host,
372     Sensitive *sensitive)
373 {
374         Authctxt authctxt;
375         int type;
376
377         if (options.challenge_response_authentication)
378                 options.kbd_interactive_authentication = 1;
379
380         packet_start(SSH2_MSG_SERVICE_REQUEST);
381         packet_put_cstring("ssh-userauth");
382         packet_send();
383         debug("SSH2_MSG_SERVICE_REQUEST sent");
384         packet_write_wait();
385         type = packet_read();
386         if (type != SSH2_MSG_SERVICE_ACCEPT)
387                 fatal("Server denied authentication request: %d", type);
388         if (packet_remaining() > 0) {
389                 char *reply = packet_get_string(NULL);
390                 debug2("service_accept: %s", reply);
391                 xfree(reply);
392         } else {
393                 debug2("buggy server: service_accept w/o service");
394         }
395         packet_check_eom();
396         debug("SSH2_MSG_SERVICE_ACCEPT received");
397
398         if (options.preferred_authentications == NULL)
399                 options.preferred_authentications = authmethods_get();
400
401         /* setup authentication context */
402         memset(&authctxt, 0, sizeof(authctxt));
403         pubkey_prepare(&authctxt);
404         authctxt.server_user = server_user;
405         authctxt.local_user = local_user;
406         authctxt.host = host;
407         authctxt.service = "ssh-connection";            /* service name */
408         authctxt.success = 0;
409         authctxt.method = authmethod_lookup("none");
410         authctxt.authlist = NULL;
411         authctxt.methoddata = NULL;
412         authctxt.sensitive = sensitive;
413         authctxt.info_req_seen = 0;
414         if (authctxt.method == NULL)
415                 fatal("ssh_userauth2: internal error: cannot send userauth none request");
416
417         /* initial userauth request */
418         userauth_none(&authctxt);
419
420         dispatch_init(&input_userauth_error);
421         dispatch_set(SSH2_MSG_USERAUTH_SUCCESS, &input_userauth_success);
422         dispatch_set(SSH2_MSG_USERAUTH_FAILURE, &input_userauth_failure);
423         dispatch_set(SSH2_MSG_USERAUTH_BANNER, &input_userauth_banner);
424         dispatch_run(DISPATCH_BLOCK, &authctxt.success, &authctxt);     /* loop until success */
425
426         pubkey_cleanup(&authctxt);
427         dispatch_range(SSH2_MSG_USERAUTH_MIN, SSH2_MSG_USERAUTH_MAX, NULL);
428
429         /* if the user wants to use the none cipher do it */
430         /* post authentication and only if the right conditions are met */
431         /* both of the NONE commands must be true and there must be no */
432         /* tty allocated */
433         if ((options.none_switch == 1) && (options.none_enabled == 1))
434         {
435                 if (!tty_flag) /* no null on tty sessions */
436                 {
437                         debug("Requesting none rekeying...");
438                         myproposal[PROPOSAL_ENC_ALGS_STOC] = "none";
439                         myproposal[PROPOSAL_ENC_ALGS_CTOS] = "none";
440                         kex_prop2buf(&xxx_kex->my,myproposal);
441                         packet_request_rekeying();
442                         fprintf(stderr, "WARNING: ENABLED NONE CIPHER\n");
443                 }
444                 else
445                 {
446                         /* requested NONE cipher when in a tty */
447                         debug("Cannot switch to NONE cipher with tty allocated");
448                         fprintf(stderr, "NONE cipher switch disabled when a TTY is allocated\n");
449                 }
450         }
451         debug("Authentication succeeded (%s).", authctxt.method->name);
452 }
453
454 void
455 userauth(Authctxt *authctxt, char *authlist)
456 {
457         if (authctxt->method != NULL && authctxt->method->cleanup != NULL)
458                 authctxt->method->cleanup(authctxt);
459
460         if (authctxt->methoddata) {
461                 xfree(authctxt->methoddata);
462                 authctxt->methoddata = NULL;
463         }
464         if (authlist == NULL) {
465                 authlist = authctxt->authlist;
466         } else {
467                 if (authctxt->authlist)
468                         xfree(authctxt->authlist);
469                 authctxt->authlist = authlist;
470         }
471         for (;;) {
472                 Authmethod *method = authmethod_get(authlist);
473                 if (method == NULL)
474                         fatal("Permission denied (%s).", authlist);
475                 authctxt->method = method;
476
477                 /* reset the per method handler */
478                 dispatch_range(SSH2_MSG_USERAUTH_PER_METHOD_MIN,
479                     SSH2_MSG_USERAUTH_PER_METHOD_MAX, NULL);
480
481                 /* and try new method */
482                 if (method->userauth(authctxt) != 0) {
483                         debug2("we sent a %s packet, wait for reply", method->name);
484                         break;
485                 } else {
486                         debug2("we did not send a packet, disable method");
487                         method->enabled = NULL;
488                 }
489         }
490 }
491
492 /* ARGSUSED */
493 void
494 input_userauth_error(int type, u_int32_t seq, void *ctxt)
495 {
496         fatal("input_userauth_error: bad message during authentication: "
497             "type %d", type);
498 }
499
500 /* ARGSUSED */
501 void
502 input_userauth_banner(int type, u_int32_t seq, void *ctxt)
503 {
504         char *msg, *raw, *lang;
505         u_int len;
506
507         debug3("input_userauth_banner");
508         raw = packet_get_string(&len);
509         lang = packet_get_string(NULL);
510         if (len > 0 && options.log_level >= SYSLOG_LEVEL_INFO) {
511                 if (len > 65536)
512                         len = 65536;
513                 msg = xmalloc(len * 4 + 1); /* max expansion from strnvis() */
514                 strnvis(msg, raw, len * 4 + 1, VIS_SAFE|VIS_OCTAL|VIS_NOSLASH);
515                 fprintf(stderr, "%s", msg);
516                 xfree(msg);
517         }
518         xfree(raw);
519         xfree(lang);
520 }
521
522 /* ARGSUSED */
523 void
524 input_userauth_success(int type, u_int32_t seq, void *ctxt)
525 {
526         Authctxt *authctxt = ctxt;
527
528         if (authctxt == NULL)
529                 fatal("input_userauth_success: no authentication context");
530         if (authctxt->authlist) {
531                 xfree(authctxt->authlist);
532                 authctxt->authlist = NULL;
533         }
534         if (authctxt->method != NULL && authctxt->method->cleanup != NULL)
535                 authctxt->method->cleanup(authctxt);
536         if (authctxt->methoddata) {
537                 xfree(authctxt->methoddata);
538                 authctxt->methoddata = NULL;
539         }
540         authctxt->success = 1;                  /* break out */
541 }
542
543 void
544 input_userauth_success_unexpected(int type, u_int32_t seq, void *ctxt)
545 {
546         Authctxt *authctxt = ctxt;
547
548         if (authctxt == NULL)
549                 fatal("%s: no authentication context", __func__);
550
551         fatal("Unexpected authentication success during %s.",
552             authctxt->method->name);
553 }
554
555 /* ARGSUSED */
556 void
557 input_userauth_failure(int type, u_int32_t seq, void *ctxt)
558 {
559         Authctxt *authctxt = ctxt;
560         char *authlist = NULL;
561         int partial;
562
563         if (authctxt == NULL)
564                 fatal("input_userauth_failure: no authentication context");
565
566         authlist = packet_get_string(NULL);
567         partial = packet_get_char();
568         packet_check_eom();
569
570         if (partial != 0)
571                 logit("Authenticated with partial success.");
572         debug("Authentications that can continue: %s", authlist);
573
574         userauth(authctxt, authlist);
575 }
576
577 /* ARGSUSED */
578 void
579 input_userauth_pk_ok(int type, u_int32_t seq, void *ctxt)
580 {
581         Authctxt *authctxt = ctxt;
582         Key *key = NULL;
583         Identity *id = NULL;
584         Buffer b;
585         int pktype, sent = 0;
586         u_int alen, blen;
587         char *pkalg, *fp;
588         u_char *pkblob;
589
590         if (authctxt == NULL)
591                 fatal("input_userauth_pk_ok: no authentication context");
592         if (datafellows & SSH_BUG_PKOK) {
593                 /* this is similar to SSH_BUG_PKAUTH */
594                 debug2("input_userauth_pk_ok: SSH_BUG_PKOK");
595                 pkblob = packet_get_string(&blen);
596                 buffer_init(&b);
597                 buffer_append(&b, pkblob, blen);
598                 pkalg = buffer_get_string(&b, &alen);
599                 buffer_free(&b);
600         } else {
601                 pkalg = packet_get_string(&alen);
602                 pkblob = packet_get_string(&blen);
603         }
604         packet_check_eom();
605
606         debug("Server accepts key: pkalg %s blen %u", pkalg, blen);
607
608         if ((pktype = key_type_from_name(pkalg)) == KEY_UNSPEC) {
609                 debug("unknown pkalg %s", pkalg);
610                 goto done;
611         }
612         if ((key = key_from_blob(pkblob, blen)) == NULL) {
613                 debug("no key from blob. pkalg %s", pkalg);
614                 goto done;
615         }
616         if (key->type != pktype) {
617                 error("input_userauth_pk_ok: type mismatch "
618                     "for decoded key (received %d, expected %d)",
619                     key->type, pktype);
620                 goto done;
621         }
622         fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX);
623         debug2("input_userauth_pk_ok: fp %s", fp);
624         xfree(fp);
625
626         /*
627          * search keys in the reverse order, because last candidate has been
628          * moved to the end of the queue.  this also avoids confusion by
629          * duplicate keys
630          */
631         TAILQ_FOREACH_REVERSE(id, &authctxt->keys, idlist, next) {
632                 if (key_equal(key, id->key)) {
633                         sent = sign_and_send_pubkey(authctxt, id);
634                         break;
635                 }
636         }
637 done:
638         if (key != NULL)
639                 key_free(key);
640         xfree(pkalg);
641         xfree(pkblob);
642
643         /* try another method if we did not send a packet */
644         if (sent == 0)
645                 userauth(authctxt, NULL);
646 }
647
648 #ifdef GSSAPI
649 int
650 userauth_gssapi(Authctxt *authctxt)
651 {
652         Gssctxt *gssctxt = NULL;
653         static gss_OID_set gss_supported = NULL;
654         static u_int mech = 0;
655         OM_uint32 min;
656         int ok = 0;
657
658         /* Try one GSSAPI method at a time, rather than sending them all at
659          * once. */
660
661         if (gss_supported == NULL)
662                 gss_indicate_mechs(&min, &gss_supported);
663
664         /* Check to see if the mechanism is usable before we offer it */
665         while (mech < gss_supported->count && !ok) {
666                 /* My DER encoding requires length<128 */
667                 if (gss_supported->elements[mech].length < 128 &&
668                     ssh_gssapi_check_mechanism(&gssctxt, 
669                     &gss_supported->elements[mech], authctxt->host)) {
670                         ok = 1; /* Mechanism works */
671                 } else {
672                         mech++;
673                 }
674         }
675
676         if (!ok)
677                 return 0;
678
679         authctxt->methoddata=(void *)gssctxt;
680
681         packet_start(SSH2_MSG_USERAUTH_REQUEST);
682         packet_put_cstring(authctxt->server_user);
683         packet_put_cstring(authctxt->service);
684         packet_put_cstring(authctxt->method->name);
685
686         packet_put_int(1);
687
688         packet_put_int((gss_supported->elements[mech].length) + 2);
689         packet_put_char(SSH_GSS_OIDTYPE);
690         packet_put_char(gss_supported->elements[mech].length);
691         packet_put_raw(gss_supported->elements[mech].elements,
692             gss_supported->elements[mech].length);
693
694         packet_send();
695
696         dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_RESPONSE, &input_gssapi_response);
697         dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_TOKEN, &input_gssapi_token);
698         dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_ERROR, &input_gssapi_error);
699         dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_ERRTOK, &input_gssapi_errtok);
700
701         mech++; /* Move along to next candidate */
702
703         return 1;
704 }
705
706 static OM_uint32
707 process_gssapi_token(void *ctxt, gss_buffer_t recv_tok)
708 {
709         Authctxt *authctxt = ctxt;
710         Gssctxt *gssctxt = authctxt->methoddata;
711         gss_buffer_desc send_tok = GSS_C_EMPTY_BUFFER;
712         gss_buffer_desc mic = GSS_C_EMPTY_BUFFER;
713         gss_buffer_desc gssbuf;
714         OM_uint32 status, ms, flags;
715         Buffer b;
716
717         status = ssh_gssapi_init_ctx(gssctxt, options.gss_deleg_creds,
718             recv_tok, &send_tok, &flags);
719
720         if (send_tok.length > 0) {
721                 if (GSS_ERROR(status))
722                         packet_start(SSH2_MSG_USERAUTH_GSSAPI_ERRTOK);
723                 else
724                         packet_start(SSH2_MSG_USERAUTH_GSSAPI_TOKEN);
725
726                 packet_put_string(send_tok.value, send_tok.length);
727                 packet_send();
728                 gss_release_buffer(&ms, &send_tok);
729         }
730
731         if (status == GSS_S_COMPLETE) {
732                 /* send either complete or MIC, depending on mechanism */
733                 if (!(flags & GSS_C_INTEG_FLAG)) {
734                         packet_start(SSH2_MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE);
735                         packet_send();
736                 } else {
737                         ssh_gssapi_buildmic(&b, authctxt->server_user,
738                             authctxt->service, "gssapi-with-mic");
739
740                         gssbuf.value = buffer_ptr(&b);
741                         gssbuf.length = buffer_len(&b);
742
743                         status = ssh_gssapi_sign(gssctxt, &gssbuf, &mic);
744
745                         if (!GSS_ERROR(status)) {
746                                 packet_start(SSH2_MSG_USERAUTH_GSSAPI_MIC);
747                                 packet_put_string(mic.value, mic.length);
748
749                                 packet_send();
750                         }
751
752                         buffer_free(&b);
753                         gss_release_buffer(&ms, &mic);
754                 }
755         }
756
757         return status;
758 }
759
760 /* ARGSUSED */
761 void
762 input_gssapi_response(int type, u_int32_t plen, void *ctxt)
763 {
764         Authctxt *authctxt = ctxt;
765         Gssctxt *gssctxt;
766         int oidlen;
767         char *oidv;
768
769         if (authctxt == NULL)
770                 fatal("input_gssapi_response: no authentication context");
771         gssctxt = authctxt->methoddata;
772
773         /* Setup our OID */
774         oidv = packet_get_string(&oidlen);
775
776         if (oidlen <= 2 ||
777             oidv[0] != SSH_GSS_OIDTYPE ||
778             oidv[1] != oidlen - 2) {
779                 xfree(oidv);
780                 debug("Badly encoded mechanism OID received");
781                 userauth(authctxt, NULL);
782                 return;
783         }
784
785         if (!ssh_gssapi_check_oid(gssctxt, oidv + 2, oidlen - 2))
786                 fatal("Server returned different OID than expected");
787
788         packet_check_eom();
789
790         xfree(oidv);
791
792         if (GSS_ERROR(process_gssapi_token(ctxt, GSS_C_NO_BUFFER))) {
793                 /* Start again with next method on list */
794                 debug("Trying to start again");
795                 userauth(authctxt, NULL);
796                 return;
797         }
798 }
799
800 /* ARGSUSED */
801 void
802 input_gssapi_token(int type, u_int32_t plen, void *ctxt)
803 {
804         Authctxt *authctxt = ctxt;
805         gss_buffer_desc recv_tok;
806         OM_uint32 status;
807         u_int slen;
808
809         if (authctxt == NULL)
810                 fatal("input_gssapi_response: no authentication context");
811
812         recv_tok.value = packet_get_string(&slen);
813         recv_tok.length = slen; /* safe typecast */
814
815         packet_check_eom();
816
817         status = process_gssapi_token(ctxt, &recv_tok);
818
819         xfree(recv_tok.value);
820
821         if (GSS_ERROR(status)) {
822                 /* Start again with the next method in the list */
823                 userauth(authctxt, NULL);
824                 return;
825         }
826 }
827
828 /* ARGSUSED */
829 void
830 input_gssapi_errtok(int type, u_int32_t plen, void *ctxt)
831 {
832         Authctxt *authctxt = ctxt;
833         Gssctxt *gssctxt;
834         gss_buffer_desc send_tok = GSS_C_EMPTY_BUFFER;
835         gss_buffer_desc recv_tok;
836         OM_uint32 status, ms;
837         u_int len;
838
839         if (authctxt == NULL)
840                 fatal("input_gssapi_response: no authentication context");
841         gssctxt = authctxt->methoddata;
842
843         recv_tok.value = packet_get_string(&len);
844         recv_tok.length = len;
845
846         packet_check_eom();
847
848         /* Stick it into GSSAPI and see what it says */
849         status = ssh_gssapi_init_ctx(gssctxt, options.gss_deleg_creds,
850             &recv_tok, &send_tok, NULL);
851
852         xfree(recv_tok.value);
853         gss_release_buffer(&ms, &send_tok);
854
855         /* Server will be returning a failed packet after this one */
856 }
857
858 /* ARGSUSED */
859 void
860 input_gssapi_error(int type, u_int32_t plen, void *ctxt)
861 {
862         OM_uint32 maj, min;
863         char *msg;
864         char *lang;
865
866         maj=packet_get_int();
867         min=packet_get_int();
868         msg=packet_get_string(NULL);
869         lang=packet_get_string(NULL);
870
871         packet_check_eom();
872
873         debug("Server GSSAPI Error:\n%s", msg);
874         xfree(msg);
875         xfree(lang);
876 }
877 #endif /* GSSAPI */
878
879 int
880 userauth_none(Authctxt *authctxt)
881 {
882         /* initial userauth request */
883         packet_start(SSH2_MSG_USERAUTH_REQUEST);
884         packet_put_cstring(authctxt->server_user);
885         packet_put_cstring(authctxt->service);
886         packet_put_cstring(authctxt->method->name);
887         packet_send();
888         return 1;
889 }
890
891 int
892 userauth_passwd(Authctxt *authctxt)
893 {
894         static int attempt = 0;
895         char prompt[150];
896         char *password;
897         const char *host = options.host_key_alias ?  options.host_key_alias :
898             authctxt->host;
899
900         if (attempt++ >= options.number_of_password_prompts)
901                 return 0;
902
903         if (attempt != 1)
904                 error("Permission denied, please try again.");
905
906         snprintf(prompt, sizeof(prompt), "%.30s@%.128s's password: ",
907             authctxt->server_user, host);
908         password = read_passphrase(prompt, 0);
909         packet_start(SSH2_MSG_USERAUTH_REQUEST);
910         packet_put_cstring(authctxt->server_user);
911         packet_put_cstring(authctxt->service);
912         packet_put_cstring(authctxt->method->name);
913         packet_put_char(0);
914         packet_put_cstring(password);
915         memset(password, 0, strlen(password));
916         xfree(password);
917         packet_add_padding(64);
918         packet_send();
919
920         dispatch_set(SSH2_MSG_USERAUTH_PASSWD_CHANGEREQ,
921             &input_userauth_passwd_changereq);
922
923         return 1;
924 }
925
926 /*
927  * parse PASSWD_CHANGEREQ, prompt user and send SSH2_MSG_USERAUTH_REQUEST
928  */
929 /* ARGSUSED */
930 void
931 input_userauth_passwd_changereq(int type, u_int32_t seqnr, void *ctxt)
932 {
933         Authctxt *authctxt = ctxt;
934         char *info, *lang, *password = NULL, *retype = NULL;
935         char prompt[150];
936         const char *host = options.host_key_alias ? options.host_key_alias :
937             authctxt->host;
938
939         debug2("input_userauth_passwd_changereq");
940
941         if (authctxt == NULL)
942                 fatal("input_userauth_passwd_changereq: "
943                     "no authentication context");
944
945         info = packet_get_string(NULL);
946         lang = packet_get_string(NULL);
947         if (strlen(info) > 0)
948                 logit("%s", info);
949         xfree(info);
950         xfree(lang);
951         packet_start(SSH2_MSG_USERAUTH_REQUEST);
952         packet_put_cstring(authctxt->server_user);
953         packet_put_cstring(authctxt->service);
954         packet_put_cstring(authctxt->method->name);
955         packet_put_char(1);                     /* additional info */
956         snprintf(prompt, sizeof(prompt),
957             "Enter %.30s@%.128s's old password: ",
958             authctxt->server_user, host);
959         password = read_passphrase(prompt, 0);
960         packet_put_cstring(password);
961         memset(password, 0, strlen(password));
962         xfree(password);
963         password = NULL;
964         while (password == NULL) {
965                 snprintf(prompt, sizeof(prompt),
966                     "Enter %.30s@%.128s's new password: ",
967                     authctxt->server_user, host);
968                 password = read_passphrase(prompt, RP_ALLOW_EOF);
969                 if (password == NULL) {
970                         /* bail out */
971                         return;
972                 }
973                 snprintf(prompt, sizeof(prompt),
974                     "Retype %.30s@%.128s's new password: ",
975                     authctxt->server_user, host);
976                 retype = read_passphrase(prompt, 0);
977                 if (strcmp(password, retype) != 0) {
978                         memset(password, 0, strlen(password));
979                         xfree(password);
980                         logit("Mismatch; try again, EOF to quit.");
981                         password = NULL;
982                 }
983                 memset(retype, 0, strlen(retype));
984                 xfree(retype);
985         }
986         packet_put_cstring(password);
987         memset(password, 0, strlen(password));
988         xfree(password);
989         packet_add_padding(64);
990         packet_send();
991
992         dispatch_set(SSH2_MSG_USERAUTH_PASSWD_CHANGEREQ,
993             &input_userauth_passwd_changereq);
994 }
995
996 #ifdef JPAKE
997 static char *
998 pw_encrypt(const char *password, const char *crypt_scheme, const char *salt)
999 {
1000         /* OpenBSD crypt(3) handles all of these */
1001         if (strcmp(crypt_scheme, "crypt") == 0 ||
1002             strcmp(crypt_scheme, "bcrypt") == 0 ||
1003             strcmp(crypt_scheme, "md5crypt") == 0 ||
1004             strcmp(crypt_scheme, "crypt-extended") == 0)
1005                 return xstrdup(crypt(password, salt));
1006         error("%s: unsupported password encryption scheme \"%.100s\"",
1007             __func__, crypt_scheme);
1008         return NULL;
1009 }
1010
1011 static BIGNUM *
1012 jpake_password_to_secret(Authctxt *authctxt, const char *crypt_scheme,
1013     const char *salt)
1014 {
1015         char prompt[256], *password, *crypted;
1016         u_char *secret;
1017         u_int secret_len;
1018         BIGNUM *ret;
1019
1020         snprintf(prompt, sizeof(prompt), "%.30s@%.128s's password (JPAKE): ",
1021             authctxt->server_user, authctxt->host);
1022         password = read_passphrase(prompt, 0);
1023
1024         if ((crypted = pw_encrypt(password, crypt_scheme, salt)) == NULL) {
1025                 logit("Disabling %s authentication", authctxt->method->name);
1026                 authctxt->method->enabled = NULL;
1027                 /* Continue with an empty password to fail gracefully */
1028                 crypted = xstrdup("");
1029         }
1030
1031 #ifdef JPAKE_DEBUG
1032         debug3("%s: salt = %s", __func__, salt);
1033         debug3("%s: scheme = %s", __func__, crypt_scheme);
1034         debug3("%s: crypted = %s", __func__, crypted);
1035 #endif
1036
1037         if (hash_buffer(crypted, strlen(crypted), EVP_sha256(),
1038             &secret, &secret_len) != 0)
1039                 fatal("%s: hash_buffer", __func__);
1040
1041         bzero(password, strlen(password));
1042         bzero(crypted, strlen(crypted));
1043         xfree(password);
1044         xfree(crypted);
1045
1046         if ((ret = BN_bin2bn(secret, secret_len, NULL)) == NULL)
1047                 fatal("%s: BN_bin2bn (secret)", __func__);
1048         bzero(secret, secret_len);
1049         xfree(secret);
1050
1051         return ret;
1052 }
1053
1054 /* ARGSUSED */
1055 void
1056 input_userauth_jpake_server_step1(int type, u_int32_t seq, void *ctxt)
1057 {
1058         Authctxt *authctxt = ctxt;
1059         struct jpake_ctx *pctx = authctxt->methoddata;
1060         u_char *x3_proof, *x4_proof, *x2_s_proof;
1061         u_int x3_proof_len, x4_proof_len, x2_s_proof_len;
1062         char *crypt_scheme, *salt;
1063
1064         /* Disable this message */
1065         dispatch_set(SSH2_MSG_USERAUTH_JPAKE_SERVER_STEP1, NULL);
1066
1067         if ((pctx->g_x3 = BN_new()) == NULL ||
1068             (pctx->g_x4 = BN_new()) == NULL)
1069                 fatal("%s: BN_new", __func__);
1070
1071         /* Fetch step 1 values */
1072         crypt_scheme = packet_get_string(NULL);
1073         salt = packet_get_string(NULL);
1074         pctx->server_id = packet_get_string(&pctx->server_id_len);
1075         packet_get_bignum2(pctx->g_x3);
1076         packet_get_bignum2(pctx->g_x4);
1077         x3_proof = packet_get_string(&x3_proof_len);
1078         x4_proof = packet_get_string(&x4_proof_len);
1079         packet_check_eom();
1080
1081         JPAKE_DEBUG_CTX((pctx, "step 1 received in %s", __func__));
1082
1083         /* Obtain password and derive secret */
1084         pctx->s = jpake_password_to_secret(authctxt, crypt_scheme, salt);
1085         bzero(crypt_scheme, strlen(crypt_scheme));
1086         bzero(salt, strlen(salt));
1087         xfree(crypt_scheme);
1088         xfree(salt);
1089         JPAKE_DEBUG_BN((pctx->s, "%s: s = ", __func__));
1090
1091         /* Calculate step 2 values */
1092         jpake_step2(pctx->grp, pctx->s, pctx->g_x1,
1093             pctx->g_x3, pctx->g_x4, pctx->x2,
1094             pctx->server_id, pctx->server_id_len,
1095             pctx->client_id, pctx->client_id_len,
1096             x3_proof, x3_proof_len,
1097             x4_proof, x4_proof_len,
1098             &pctx->a,
1099             &x2_s_proof, &x2_s_proof_len);
1100
1101         bzero(x3_proof, x3_proof_len);
1102         bzero(x4_proof, x4_proof_len);
1103         xfree(x3_proof);
1104         xfree(x4_proof);
1105
1106         JPAKE_DEBUG_CTX((pctx, "step 2 sending in %s", __func__));
1107
1108         /* Send values for step 2 */
1109         packet_start(SSH2_MSG_USERAUTH_JPAKE_CLIENT_STEP2);
1110         packet_put_bignum2(pctx->a);
1111         packet_put_string(x2_s_proof, x2_s_proof_len);
1112         packet_send();
1113
1114         bzero(x2_s_proof, x2_s_proof_len);
1115         xfree(x2_s_proof);
1116
1117         /* Expect step 2 packet from peer */
1118         dispatch_set(SSH2_MSG_USERAUTH_JPAKE_SERVER_STEP2,
1119             input_userauth_jpake_server_step2);
1120 }
1121
1122 /* ARGSUSED */
1123 void
1124 input_userauth_jpake_server_step2(int type, u_int32_t seq, void *ctxt)
1125 {
1126         Authctxt *authctxt = ctxt;
1127         struct jpake_ctx *pctx = authctxt->methoddata;
1128         u_char *x4_s_proof;
1129         u_int x4_s_proof_len;
1130
1131         /* Disable this message */
1132         dispatch_set(SSH2_MSG_USERAUTH_JPAKE_SERVER_STEP2, NULL);
1133
1134         if ((pctx->b = BN_new()) == NULL)
1135                 fatal("%s: BN_new", __func__);
1136
1137         /* Fetch step 2 values */
1138         packet_get_bignum2(pctx->b);
1139         x4_s_proof = packet_get_string(&x4_s_proof_len);
1140         packet_check_eom();
1141
1142         JPAKE_DEBUG_CTX((pctx, "step 2 received in %s", __func__));
1143
1144         /* Derive shared key and calculate confirmation hash */
1145         jpake_key_confirm(pctx->grp, pctx->s, pctx->b,
1146             pctx->x2, pctx->g_x1, pctx->g_x2, pctx->g_x3, pctx->g_x4,
1147             pctx->client_id, pctx->client_id_len,
1148             pctx->server_id, pctx->server_id_len,
1149             session_id2, session_id2_len,
1150             x4_s_proof, x4_s_proof_len,
1151             &pctx->k,
1152             &pctx->h_k_cid_sessid, &pctx->h_k_cid_sessid_len);
1153
1154         bzero(x4_s_proof, x4_s_proof_len);
1155         xfree(x4_s_proof);
1156
1157         JPAKE_DEBUG_CTX((pctx, "confirm sending in %s", __func__));
1158
1159         /* Send key confirmation proof */
1160         packet_start(SSH2_MSG_USERAUTH_JPAKE_CLIENT_CONFIRM);
1161         packet_put_string(pctx->h_k_cid_sessid, pctx->h_k_cid_sessid_len);
1162         packet_send();
1163
1164         /* Expect confirmation from peer */
1165         dispatch_set(SSH2_MSG_USERAUTH_JPAKE_SERVER_CONFIRM,
1166             input_userauth_jpake_server_confirm);
1167 }
1168
1169 /* ARGSUSED */
1170 void
1171 input_userauth_jpake_server_confirm(int type, u_int32_t seq, void *ctxt)
1172 {
1173         Authctxt *authctxt = ctxt;
1174         struct jpake_ctx *pctx = authctxt->methoddata;
1175
1176         /* Disable this message */
1177         dispatch_set(SSH2_MSG_USERAUTH_JPAKE_SERVER_CONFIRM, NULL);
1178
1179         pctx->h_k_sid_sessid = packet_get_string(&pctx->h_k_sid_sessid_len);
1180         packet_check_eom();
1181
1182         JPAKE_DEBUG_CTX((pctx, "confirm received in %s", __func__));
1183
1184         /* Verify expected confirmation hash */
1185         if (jpake_check_confirm(pctx->k,
1186             pctx->server_id, pctx->server_id_len,
1187             session_id2, session_id2_len,
1188             pctx->h_k_sid_sessid, pctx->h_k_sid_sessid_len) == 1)
1189                 debug("%s: %s success", __func__, authctxt->method->name);
1190         else {
1191                 debug("%s: confirmation mismatch", __func__);
1192                 /* XXX stash this so if auth succeeds then we can warn/kill */
1193         }
1194
1195         userauth_jpake_cleanup(authctxt);
1196 }
1197 #endif /* JPAKE */
1198
1199 static int
1200 identity_sign(Identity *id, u_char **sigp, u_int *lenp,
1201     u_char *data, u_int datalen)
1202 {
1203         Key *prv;
1204         int ret;
1205
1206         /* the agent supports this key */
1207         if (id->ac)
1208                 return (ssh_agent_sign(id->ac, id->key, sigp, lenp,
1209                     data, datalen));
1210         /*
1211          * we have already loaded the private key or
1212          * the private key is stored in external hardware
1213          */
1214         if (id->isprivate || (id->key->flags & KEY_FLAG_EXT))
1215                 return (key_sign(id->key, sigp, lenp, data, datalen));
1216         /* load the private key from the file */
1217         if ((prv = load_identity_file(id->filename)) == NULL)
1218                 return (-1);
1219         ret = key_sign(prv, sigp, lenp, data, datalen);
1220         key_free(prv);
1221         return (ret);
1222 }
1223
1224 static int
1225 sign_and_send_pubkey(Authctxt *authctxt, Identity *id)
1226 {
1227         Buffer b;
1228         u_char *blob, *signature;
1229         u_int bloblen, slen;
1230         u_int skip = 0;
1231         int ret = -1;
1232         int have_sig = 1;
1233         char *fp;
1234
1235         fp = key_fingerprint(id->key, SSH_FP_MD5, SSH_FP_HEX);
1236         debug3("sign_and_send_pubkey: %s %s", key_type(id->key), fp);
1237         xfree(fp);
1238
1239         if (key_to_blob(id->key, &blob, &bloblen) == 0) {
1240                 /* we cannot handle this key */
1241                 debug3("sign_and_send_pubkey: cannot handle key");
1242                 return 0;
1243         }
1244         /* data to be signed */
1245         buffer_init(&b);
1246         if (datafellows & SSH_OLD_SESSIONID) {
1247                 buffer_append(&b, session_id2, session_id2_len);
1248                 skip = session_id2_len;
1249         } else {
1250                 buffer_put_string(&b, session_id2, session_id2_len);
1251                 skip = buffer_len(&b);
1252         }
1253         buffer_put_char(&b, SSH2_MSG_USERAUTH_REQUEST);
1254         buffer_put_cstring(&b, authctxt->server_user);
1255         buffer_put_cstring(&b,
1256             datafellows & SSH_BUG_PKSERVICE ?
1257             "ssh-userauth" :
1258             authctxt->service);
1259         if (datafellows & SSH_BUG_PKAUTH) {
1260                 buffer_put_char(&b, have_sig);
1261         } else {
1262                 buffer_put_cstring(&b, authctxt->method->name);
1263                 buffer_put_char(&b, have_sig);
1264                 buffer_put_cstring(&b, key_ssh_name(id->key));
1265         }
1266         buffer_put_string(&b, blob, bloblen);
1267
1268         /* generate signature */
1269         ret = identity_sign(id, &signature, &slen,
1270             buffer_ptr(&b), buffer_len(&b));
1271         if (ret == -1) {
1272                 xfree(blob);
1273                 buffer_free(&b);
1274                 return 0;
1275         }
1276 #ifdef DEBUG_PK
1277         buffer_dump(&b);
1278 #endif
1279         if (datafellows & SSH_BUG_PKSERVICE) {
1280                 buffer_clear(&b);
1281                 buffer_append(&b, session_id2, session_id2_len);
1282                 skip = session_id2_len;
1283                 buffer_put_char(&b, SSH2_MSG_USERAUTH_REQUEST);
1284                 buffer_put_cstring(&b, authctxt->server_user);
1285                 buffer_put_cstring(&b, authctxt->service);
1286                 buffer_put_cstring(&b, authctxt->method->name);
1287                 buffer_put_char(&b, have_sig);
1288                 if (!(datafellows & SSH_BUG_PKAUTH))
1289                         buffer_put_cstring(&b, key_ssh_name(id->key));
1290                 buffer_put_string(&b, blob, bloblen);
1291         }
1292         xfree(blob);
1293
1294         /* append signature */
1295         buffer_put_string(&b, signature, slen);
1296         xfree(signature);
1297
1298         /* skip session id and packet type */
1299         if (buffer_len(&b) < skip + 1)
1300                 fatal("userauth_pubkey: internal error");
1301         buffer_consume(&b, skip + 1);
1302
1303         /* put remaining data from buffer into packet */
1304         packet_start(SSH2_MSG_USERAUTH_REQUEST);
1305         packet_put_raw(buffer_ptr(&b), buffer_len(&b));
1306         buffer_free(&b);
1307         packet_send();
1308
1309         return 1;
1310 }
1311
1312 static int
1313 send_pubkey_test(Authctxt *authctxt, Identity *id)
1314 {
1315         u_char *blob;
1316         u_int bloblen, have_sig = 0;
1317
1318         debug3("send_pubkey_test");
1319
1320         if (key_to_blob(id->key, &blob, &bloblen) == 0) {
1321                 /* we cannot handle this key */
1322                 debug3("send_pubkey_test: cannot handle key");
1323                 return 0;
1324         }
1325         /* register callback for USERAUTH_PK_OK message */
1326         dispatch_set(SSH2_MSG_USERAUTH_PK_OK, &input_userauth_pk_ok);
1327
1328         packet_start(SSH2_MSG_USERAUTH_REQUEST);
1329         packet_put_cstring(authctxt->server_user);
1330         packet_put_cstring(authctxt->service);
1331         packet_put_cstring(authctxt->method->name);
1332         packet_put_char(have_sig);
1333         if (!(datafellows & SSH_BUG_PKAUTH))
1334                 packet_put_cstring(key_ssh_name(id->key));
1335         packet_put_string(blob, bloblen);
1336         xfree(blob);
1337         packet_send();
1338         return 1;
1339 }
1340
1341 static Key *
1342 load_identity_file(char *filename)
1343 {
1344         Key *private;
1345         char prompt[300], *passphrase;
1346         int perm_ok = 0, quit, i;
1347         struct stat st;
1348
1349         if (stat(filename, &st) < 0) {
1350                 debug3("no such identity: %s", filename);
1351                 return NULL;
1352         }
1353         private = key_load_private_type(KEY_UNSPEC, filename, "", NULL, &perm_ok);
1354         if (!perm_ok)
1355                 return NULL;
1356         if (private == NULL) {
1357                 if (options.batch_mode)
1358                         return NULL;
1359                 snprintf(prompt, sizeof prompt,
1360                     "Enter passphrase for key '%.100s': ", filename);
1361                 for (i = 0; i < options.number_of_password_prompts; i++) {
1362                         passphrase = read_passphrase(prompt, 0);
1363                         if (strcmp(passphrase, "") != 0) {
1364                                 private = key_load_private_type(KEY_UNSPEC,
1365                                     filename, passphrase, NULL, NULL);
1366                                 quit = 0;
1367                         } else {
1368                                 debug2("no passphrase given, try next key");
1369                                 quit = 1;
1370                         }
1371                         memset(passphrase, 0, strlen(passphrase));
1372                         xfree(passphrase);
1373                         if (private != NULL || quit)
1374                                 break;
1375                         debug2("bad passphrase given, try again...");
1376                 }
1377         }
1378         return private;
1379 }
1380
1381 /*
1382  * try keys in the following order:
1383  *      1. agent keys that are found in the config file
1384  *      2. other agent keys
1385  *      3. keys that are only listed in the config file
1386  */
1387 static void
1388 pubkey_prepare(Authctxt *authctxt)
1389 {
1390         Identity *id;
1391         Idlist agent, files, *preferred;
1392         Key *key;
1393         AuthenticationConnection *ac;
1394         char *comment;
1395         int i, found;
1396
1397         TAILQ_INIT(&agent);     /* keys from the agent */
1398         TAILQ_INIT(&files);     /* keys from the config file */
1399         preferred = &authctxt->keys;
1400         TAILQ_INIT(preferred);  /* preferred order of keys */
1401
1402         /* list of keys stored in the filesystem */
1403         for (i = 0; i < options.num_identity_files; i++) {
1404                 key = options.identity_keys[i];
1405                 if (key && key->type == KEY_RSA1)
1406                         continue;
1407                 if (key && key->cert && key->cert->type != SSH2_CERT_TYPE_USER)
1408                         continue;
1409                 options.identity_keys[i] = NULL;
1410                 id = xcalloc(1, sizeof(*id));
1411                 id->key = key;
1412                 id->filename = xstrdup(options.identity_files[i]);
1413                 TAILQ_INSERT_TAIL(&files, id, next);
1414         }
1415         /* list of keys supported by the agent */
1416         if ((ac = ssh_get_authentication_connection())) {
1417                 for (key = ssh_get_first_identity(ac, &comment, 2);
1418                     key != NULL;
1419                     key = ssh_get_next_identity(ac, &comment, 2)) {
1420                         found = 0;
1421                         TAILQ_FOREACH(id, &files, next) {
1422                                 /* agent keys from the config file are preferred */
1423                                 if (key_equal(key, id->key)) {
1424                                         key_free(key);
1425                                         xfree(comment);
1426                                         TAILQ_REMOVE(&files, id, next);
1427                                         TAILQ_INSERT_TAIL(preferred, id, next);
1428                                         id->ac = ac;
1429                                         found = 1;
1430                                         break;
1431                                 }
1432                         }
1433                         if (!found && !options.identities_only) {
1434                                 id = xcalloc(1, sizeof(*id));
1435                                 id->key = key;
1436                                 id->filename = comment;
1437                                 id->ac = ac;
1438                                 TAILQ_INSERT_TAIL(&agent, id, next);
1439                         }
1440                 }
1441                 /* append remaining agent keys */
1442                 for (id = TAILQ_FIRST(&agent); id; id = TAILQ_FIRST(&agent)) {
1443                         TAILQ_REMOVE(&agent, id, next);
1444                         TAILQ_INSERT_TAIL(preferred, id, next);
1445                 }
1446                 authctxt->agent = ac;
1447         }
1448         /* append remaining keys from the config file */
1449         for (id = TAILQ_FIRST(&files); id; id = TAILQ_FIRST(&files)) {
1450                 TAILQ_REMOVE(&files, id, next);
1451                 TAILQ_INSERT_TAIL(preferred, id, next);
1452         }
1453         TAILQ_FOREACH(id, preferred, next) {
1454                 debug2("key: %s (%p)", id->filename, id->key);
1455         }
1456 }
1457
1458 static void
1459 pubkey_cleanup(Authctxt *authctxt)
1460 {
1461         Identity *id;
1462
1463         if (authctxt->agent != NULL)
1464                 ssh_close_authentication_connection(authctxt->agent);
1465         for (id = TAILQ_FIRST(&authctxt->keys); id;
1466             id = TAILQ_FIRST(&authctxt->keys)) {
1467                 TAILQ_REMOVE(&authctxt->keys, id, next);
1468                 if (id->key)
1469                         key_free(id->key);
1470                 if (id->filename)
1471                         xfree(id->filename);
1472                 xfree(id);
1473         }
1474 }
1475
1476 int
1477 userauth_pubkey(Authctxt *authctxt)
1478 {
1479         Identity *id;
1480         int sent = 0;
1481
1482         while ((id = TAILQ_FIRST(&authctxt->keys))) {
1483                 if (id->tried++)
1484                         return (0);
1485                 /* move key to the end of the queue */
1486                 TAILQ_REMOVE(&authctxt->keys, id, next);
1487                 TAILQ_INSERT_TAIL(&authctxt->keys, id, next);
1488                 /*
1489                  * send a test message if we have the public key. for
1490                  * encrypted keys we cannot do this and have to load the
1491                  * private key instead
1492                  */
1493                 if (id->key && id->key->type != KEY_RSA1) {
1494                         debug("Offering %s public key: %s", key_type(id->key),
1495                             id->filename);
1496                         sent = send_pubkey_test(authctxt, id);
1497                 } else if (id->key == NULL) {
1498                         debug("Trying private key: %s", id->filename);
1499                         id->key = load_identity_file(id->filename);
1500                         if (id->key != NULL) {
1501                                 id->isprivate = 1;
1502                                 sent = sign_and_send_pubkey(authctxt, id);
1503                                 key_free(id->key);
1504                                 id->key = NULL;
1505                         }
1506                 }
1507                 if (sent)
1508                         return (sent);
1509         }
1510         return (0);
1511 }
1512
1513 /*
1514  * Send userauth request message specifying keyboard-interactive method.
1515  */
1516 int
1517 userauth_kbdint(Authctxt *authctxt)
1518 {
1519         static int attempt = 0;
1520
1521         if (attempt++ >= options.number_of_password_prompts)
1522                 return 0;
1523         /* disable if no SSH2_MSG_USERAUTH_INFO_REQUEST has been seen */
1524         if (attempt > 1 && !authctxt->info_req_seen) {
1525                 debug3("userauth_kbdint: disable: no info_req_seen");
1526                 dispatch_set(SSH2_MSG_USERAUTH_INFO_REQUEST, NULL);
1527                 return 0;
1528         }
1529
1530         debug2("userauth_kbdint");
1531         packet_start(SSH2_MSG_USERAUTH_REQUEST);
1532         packet_put_cstring(authctxt->server_user);
1533         packet_put_cstring(authctxt->service);
1534         packet_put_cstring(authctxt->method->name);
1535         packet_put_cstring("");                                 /* lang */
1536         packet_put_cstring(options.kbd_interactive_devices ?
1537             options.kbd_interactive_devices : "");
1538         packet_send();
1539
1540         dispatch_set(SSH2_MSG_USERAUTH_INFO_REQUEST, &input_userauth_info_req);
1541         return 1;
1542 }
1543
1544 /*
1545  * parse INFO_REQUEST, prompt user and send INFO_RESPONSE
1546  */
1547 void
1548 input_userauth_info_req(int type, u_int32_t seq, void *ctxt)
1549 {
1550         Authctxt *authctxt = ctxt;
1551         char *name, *inst, *lang, *prompt, *response;
1552         u_int num_prompts, i;
1553         int echo = 0;
1554
1555         debug2("input_userauth_info_req");
1556
1557         if (authctxt == NULL)
1558                 fatal("input_userauth_info_req: no authentication context");
1559
1560         authctxt->info_req_seen = 1;
1561
1562         name = packet_get_string(NULL);
1563         inst = packet_get_string(NULL);
1564         lang = packet_get_string(NULL);
1565         if (strlen(name) > 0)
1566                 logit("%s", name);
1567         if (strlen(inst) > 0)
1568                 logit("%s", inst);
1569         xfree(name);
1570         xfree(inst);
1571         xfree(lang);
1572
1573         num_prompts = packet_get_int();
1574         /*
1575          * Begin to build info response packet based on prompts requested.
1576          * We commit to providing the correct number of responses, so if
1577          * further on we run into a problem that prevents this, we have to
1578          * be sure and clean this up and send a correct error response.
1579          */
1580         packet_start(SSH2_MSG_USERAUTH_INFO_RESPONSE);
1581         packet_put_int(num_prompts);
1582
1583         debug2("input_userauth_info_req: num_prompts %d", num_prompts);
1584         for (i = 0; i < num_prompts; i++) {
1585                 prompt = packet_get_string(NULL);
1586                 echo = packet_get_char();
1587
1588                 response = read_passphrase(prompt, echo ? RP_ECHO : 0);
1589
1590                 packet_put_cstring(response);
1591                 memset(response, 0, strlen(response));
1592                 xfree(response);
1593                 xfree(prompt);
1594         }
1595         packet_check_eom(); /* done with parsing incoming message. */
1596
1597         packet_add_padding(64);
1598         packet_send();
1599 }
1600
1601 static int
1602 ssh_keysign(Key *key, u_char **sigp, u_int *lenp,
1603     u_char *data, u_int datalen)
1604 {
1605         Buffer b;
1606         struct stat st;
1607         pid_t pid;
1608         int to[2], from[2], status, version = 2;
1609
1610         debug2("ssh_keysign called");
1611
1612         if (stat(_PATH_SSH_KEY_SIGN, &st) < 0) {
1613                 error("ssh_keysign: not installed: %s", strerror(errno));
1614                 return -1;
1615         }
1616         if (fflush(stdout) != 0)
1617                 error("ssh_keysign: fflush: %s", strerror(errno));
1618         if (pipe(to) < 0) {
1619                 error("ssh_keysign: pipe: %s", strerror(errno));
1620                 return -1;
1621         }
1622         if (pipe(from) < 0) {
1623                 error("ssh_keysign: pipe: %s", strerror(errno));
1624                 return -1;
1625         }
1626         if ((pid = fork()) < 0) {
1627                 error("ssh_keysign: fork: %s", strerror(errno));
1628                 return -1;
1629         }
1630         if (pid == 0) {
1631                 /* keep the socket on exec */
1632                 fcntl(packet_get_connection_in(), F_SETFD, 0);
1633                 permanently_drop_suid(getuid());
1634                 close(from[0]);
1635                 if (dup2(from[1], STDOUT_FILENO) < 0)
1636                         fatal("ssh_keysign: dup2: %s", strerror(errno));
1637                 close(to[1]);
1638                 if (dup2(to[0], STDIN_FILENO) < 0)
1639                         fatal("ssh_keysign: dup2: %s", strerror(errno));
1640                 close(from[1]);
1641                 close(to[0]);
1642                 execl(_PATH_SSH_KEY_SIGN, _PATH_SSH_KEY_SIGN, (char *) 0);
1643                 fatal("ssh_keysign: exec(%s): %s", _PATH_SSH_KEY_SIGN,
1644                     strerror(errno));
1645         }
1646         close(from[1]);
1647         close(to[0]);
1648
1649         buffer_init(&b);
1650         buffer_put_int(&b, packet_get_connection_in()); /* send # of socket */
1651         buffer_put_string(&b, data, datalen);
1652         if (ssh_msg_send(to[1], version, &b) == -1)
1653                 fatal("ssh_keysign: couldn't send request");
1654
1655         if (ssh_msg_recv(from[0], &b) < 0) {
1656                 error("ssh_keysign: no reply");
1657                 buffer_free(&b);
1658                 return -1;
1659         }
1660         close(from[0]);
1661         close(to[1]);
1662
1663         while (waitpid(pid, &status, 0) < 0)
1664                 if (errno != EINTR)
1665                         break;
1666
1667         if (buffer_get_char(&b) != version) {
1668                 error("ssh_keysign: bad version");
1669                 buffer_free(&b);
1670                 return -1;
1671         }
1672         *sigp = buffer_get_string(&b, lenp);
1673         buffer_free(&b);
1674
1675         return 0;
1676 }
1677
1678 int
1679 userauth_hostbased(Authctxt *authctxt)
1680 {
1681         Key *private = NULL;
1682         Sensitive *sensitive = authctxt->sensitive;
1683         Buffer b;
1684         u_char *signature, *blob;
1685         char *chost, *pkalg, *p;
1686         const char *service;
1687         u_int blen, slen;
1688         int ok, i, found = 0;
1689
1690         /* check for a useful key */
1691         for (i = 0; i < sensitive->nkeys; i++) {
1692                 private = sensitive->keys[i];
1693                 if (private && private->type != KEY_RSA1) {
1694                         found = 1;
1695                         /* we take and free the key */
1696                         sensitive->keys[i] = NULL;
1697                         break;
1698                 }
1699         }
1700         if (!found) {
1701                 debug("No more client hostkeys for hostbased authentication.");
1702                 return 0;
1703         }
1704         if (key_to_blob(private, &blob, &blen) == 0) {
1705                 key_free(private);
1706                 return 0;
1707         }
1708         /* figure out a name for the client host */
1709         p = get_local_name(packet_get_connection_in());
1710         if (p == NULL) {
1711                 error("userauth_hostbased: cannot get local ipaddr/name");
1712                 key_free(private);
1713                 xfree(blob);
1714                 return 0;
1715         }
1716         xasprintf(&chost, "%s.", p);
1717         debug2("userauth_hostbased: chost %s", chost);
1718         xfree(p);
1719
1720         service = datafellows & SSH_BUG_HBSERVICE ? "ssh-userauth" :
1721             authctxt->service;
1722         pkalg = xstrdup(key_ssh_name(private));
1723         buffer_init(&b);
1724         /* construct data */
1725         buffer_put_string(&b, session_id2, session_id2_len);
1726         buffer_put_char(&b, SSH2_MSG_USERAUTH_REQUEST);
1727         buffer_put_cstring(&b, authctxt->server_user);
1728         buffer_put_cstring(&b, service);
1729         buffer_put_cstring(&b, authctxt->method->name);
1730         buffer_put_cstring(&b, pkalg);
1731         buffer_put_string(&b, blob, blen);
1732         buffer_put_cstring(&b, chost);
1733         buffer_put_cstring(&b, authctxt->local_user);
1734 #ifdef DEBUG_PK
1735         buffer_dump(&b);
1736 #endif
1737         if (sensitive->external_keysign)
1738                 ok = ssh_keysign(private, &signature, &slen,
1739                     buffer_ptr(&b), buffer_len(&b));
1740         else
1741                 ok = key_sign(private, &signature, &slen,
1742                     buffer_ptr(&b), buffer_len(&b));
1743         key_free(private);
1744         buffer_free(&b);
1745         if (ok != 0) {
1746                 error("key_sign failed");
1747                 xfree(chost);
1748                 xfree(pkalg);
1749                 xfree(blob);
1750                 return 0;
1751         }
1752         packet_start(SSH2_MSG_USERAUTH_REQUEST);
1753         packet_put_cstring(authctxt->server_user);
1754         packet_put_cstring(authctxt->service);
1755         packet_put_cstring(authctxt->method->name);
1756         packet_put_cstring(pkalg);
1757         packet_put_string(blob, blen);
1758         packet_put_cstring(chost);
1759         packet_put_cstring(authctxt->local_user);
1760         packet_put_string(signature, slen);
1761         memset(signature, 's', slen);
1762         xfree(signature);
1763         xfree(chost);
1764         xfree(pkalg);
1765         xfree(blob);
1766
1767         packet_send();
1768         return 1;
1769 }
1770
1771 #ifdef JPAKE
1772 int
1773 userauth_jpake(Authctxt *authctxt)
1774 {
1775         struct jpake_ctx *pctx;
1776         u_char *x1_proof, *x2_proof;
1777         u_int x1_proof_len, x2_proof_len;
1778         static int attempt = 0; /* XXX share with userauth_password's? */
1779
1780         if (attempt++ >= options.number_of_password_prompts)
1781                 return 0;
1782         if (attempt != 1)
1783                 error("Permission denied, please try again.");
1784
1785         if (authctxt->methoddata != NULL)
1786                 fatal("%s: authctxt->methoddata already set (%p)",
1787                     __func__, authctxt->methoddata);
1788
1789         authctxt->methoddata = pctx = jpake_new();
1790
1791         /*
1792          * Send request immediately, to get the protocol going while
1793          * we do the initial computations.
1794          */
1795         packet_start(SSH2_MSG_USERAUTH_REQUEST);
1796         packet_put_cstring(authctxt->server_user);
1797         packet_put_cstring(authctxt->service);
1798         packet_put_cstring(authctxt->method->name);
1799         packet_send();
1800         packet_write_wait();
1801
1802         jpake_step1(pctx->grp,
1803             &pctx->client_id, &pctx->client_id_len,
1804             &pctx->x1, &pctx->x2, &pctx->g_x1, &pctx->g_x2,
1805             &x1_proof, &x1_proof_len,
1806             &x2_proof, &x2_proof_len);
1807
1808         JPAKE_DEBUG_CTX((pctx, "step 1 sending in %s", __func__));
1809
1810         packet_start(SSH2_MSG_USERAUTH_JPAKE_CLIENT_STEP1);
1811         packet_put_string(pctx->client_id, pctx->client_id_len);
1812         packet_put_bignum2(pctx->g_x1);
1813         packet_put_bignum2(pctx->g_x2);
1814         packet_put_string(x1_proof, x1_proof_len);
1815         packet_put_string(x2_proof, x2_proof_len);
1816         packet_send();
1817
1818         bzero(x1_proof, x1_proof_len);
1819         bzero(x2_proof, x2_proof_len);
1820         xfree(x1_proof);
1821         xfree(x2_proof);
1822
1823         /* Expect step 1 packet from peer */
1824         dispatch_set(SSH2_MSG_USERAUTH_JPAKE_SERVER_STEP1,
1825             input_userauth_jpake_server_step1);
1826         dispatch_set(SSH2_MSG_USERAUTH_SUCCESS,
1827             &input_userauth_success_unexpected);
1828
1829         return 1;
1830 }
1831
1832 void
1833 userauth_jpake_cleanup(Authctxt *authctxt)
1834 {
1835         debug3("%s: clean up", __func__);
1836         if (authctxt->methoddata != NULL) {
1837                 jpake_free(authctxt->methoddata);
1838                 authctxt->methoddata = NULL;
1839         }
1840         dispatch_set(SSH2_MSG_USERAUTH_SUCCESS, &input_userauth_success);
1841 }
1842 #endif /* JPAKE */
1843
1844 /* find auth method */
1845
1846 /*
1847  * given auth method name, if configurable options permit this method fill
1848  * in auth_ident field and return true, otherwise return false.
1849  */
1850 static int
1851 authmethod_is_enabled(Authmethod *method)
1852 {
1853         if (method == NULL)
1854                 return 0;
1855         /* return false if options indicate this method is disabled */
1856         if  (method->enabled == NULL || *method->enabled == 0)
1857                 return 0;
1858         /* return false if batch mode is enabled but method needs interactive mode */
1859         if  (method->batch_flag != NULL && *method->batch_flag != 0)
1860                 return 0;
1861         return 1;
1862 }
1863
1864 static Authmethod *
1865 authmethod_lookup(const char *name)
1866 {
1867         Authmethod *method = NULL;
1868         if (name != NULL)
1869                 for (method = authmethods; method->name != NULL; method++)
1870                         if (strcmp(name, method->name) == 0)
1871                                 return method;
1872         debug2("Unrecognized authentication method name: %s", name ? name : "NULL");
1873         return NULL;
1874 }
1875
1876 /* XXX internal state */
1877 static Authmethod *current = NULL;
1878 static char *supported = NULL;
1879 static char *preferred = NULL;
1880
1881 /*
1882  * Given the authentication method list sent by the server, return the
1883  * next method we should try.  If the server initially sends a nil list,
1884  * use a built-in default list.
1885  */
1886 static Authmethod *
1887 authmethod_get(char *authlist)
1888 {
1889         char *name = NULL;
1890         u_int next;
1891
1892         /* Use a suitable default if we're passed a nil list.  */
1893         if (authlist == NULL || strlen(authlist) == 0)
1894                 authlist = options.preferred_authentications;
1895
1896         if (supported == NULL || strcmp(authlist, supported) != 0) {
1897                 debug3("start over, passed a different list %s", authlist);
1898                 if (supported != NULL)
1899                         xfree(supported);
1900                 supported = xstrdup(authlist);
1901                 preferred = options.preferred_authentications;
1902                 debug3("preferred %s", preferred);
1903                 current = NULL;
1904         } else if (current != NULL && authmethod_is_enabled(current))
1905                 return current;
1906
1907         for (;;) {
1908                 if ((name = match_list(preferred, supported, &next)) == NULL) {
1909                         debug("No more authentication methods to try.");
1910                         current = NULL;
1911                         return NULL;
1912                 }
1913                 preferred += next;
1914                 debug3("authmethod_lookup %s", name);
1915                 debug3("remaining preferred: %s", preferred);
1916                 if ((current = authmethod_lookup(name)) != NULL &&
1917                     authmethod_is_enabled(current)) {
1918                         debug3("authmethod_is_enabled %s", name);
1919                         debug("Next authentication method: %s", name);
1920                         xfree(name);
1921                         return current;
1922                 }
1923         }
1924 }
1925
1926 static char *
1927 authmethods_get(void)
1928 {
1929         Authmethod *method = NULL;
1930         Buffer b;
1931         char *list;
1932
1933         buffer_init(&b);
1934         for (method = authmethods; method->name != NULL; method++) {
1935                 if (authmethod_is_enabled(method)) {
1936                         if (buffer_len(&b) > 0)
1937                                 buffer_append(&b, ",", 1);
1938                         buffer_append(&b, method->name, strlen(method->name));
1939                 }
1940         }
1941         buffer_append(&b, "\0", 1);
1942         list = xstrdup(buffer_ptr(&b));
1943         buffer_free(&b);
1944         return list;
1945 }
1946