1/*
2 * agent.c - ssh agent functions
3 *
4 * This file is part of the SSH Library
5 *
6 * Copyright (c) 2008-2013 by Andreas Schneider <asn@cryptomilk.org>
7 *
8 * This library is free software; you can redistribute it and/or
9 * modify it under the terms of the GNU Lesser General Public
10 * License as published by the Free Software Foundation; either
11 * version 2.1 of the License, or (at your option) any later version.
12 *
13 * This library is distributed in the hope that it will be useful,
14 * but WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
16 * Lesser General Public License for more details.
17 *
18 * You should have received a copy of the GNU Lesser General Public
19 * License along with this library; if not, write to the Free Software
20 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
21 */
22
23/* This file is based on authfd.c from OpenSSH */
24
25/*
26 * How does the ssh-agent work?
27 *
28 * a) client sends a request to get a list of all keys
29 * the agent returns the count and all public keys
30 * b) iterate over them to check if the server likes one
31 * c) the client sends a sign request to the agent
32 * type, pubkey as blob, data to sign, flags
33 * the agent returns the signed data
34 */
35
36#ifndef _WIN32
37
38#include "config.h"
39
40#include <stdlib.h>
41#include <errno.h>
42#include <string.h>
43#include <stdio.h>
44
45#ifdef HAVE_UNISTD_H
46#include <unistd.h>
47#endif
48
49#include <netinet/in.h>
50#include <arpa/inet.h>
51
52#include "libssh/agent.h"
53#include "libssh/priv.h"
54#include "libssh/socket.h"
55#include "libssh/buffer.h"
56#include "libssh/session.h"
57#include "libssh/poll.h"
58#include "libssh/pki.h"
59
/* macro to check for "agent failure" message: any of the three agent
 * failure reply codes (SSH1, ssh.com and SSH2 style) counts as a failure.
 * Callers treat a failure reply as "no result" (return 0 / NULL) rather
 * than as a protocol error, so a reply of any other unexpected type is
 * the case that sets a fatal session error. */
#define agent_failed(x) \
    (((x) == SSH_AGENT_FAILURE) || ((x) == SSH_COM_AGENT2_FAILURE) || \
     ((x) == SSH2_AGENT_FAILURE))
64
/**
 * @brief Decode a 4-byte big-endian (network order) unsigned integer.
 *
 * Works byte by byte so it is safe on unaligned input and independent of
 * host endianness.
 *
 * @param[in] vp Pointer to at least 4 readable bytes.
 *
 * @return The decoded value.
 */
static uint32_t agent_get_u32(const void *vp) {
    const uint8_t *bytes = (const uint8_t *)vp;
    uint32_t value = 0;
    int i;

    /* most significant byte first */
    for (i = 0; i < 4; i++) {
        value = (value << 8) | (uint32_t)bytes[i];
    }

    return value;
}
76
/**
 * @brief Encode an unsigned integer as 4 bytes in big-endian (network)
 * order.
 *
 * Byte-wise stores, so the destination need not be aligned.
 *
 * @param[out] vp Pointer to at least 4 writable bytes.
 * @param[in]  v  Value to encode.
 */
static void agent_put_u32(void *vp, uint32_t v) {
    uint8_t *bytes = (uint8_t *)vp;
    int i;

    /* fill from the least significant byte backwards */
    for (i = 3; i >= 0; i--) {
        bytes[i] = (uint8_t)(v & 0xff);
        v >>= 8;
    }
}
85
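/**
 * @brief Transfer exactly n bytes to or from the agent transport.
 *
 * The transport is the Unix socket in agent->sock, or, when agent->channel
 * is set, an SSH channel from another session (agent forwarding). Short
 * reads/writes are retried until n bytes have moved or the transport
 * stops delivering.
 *
 * @param[in]     agent   Agent whose socket or channel is used.
 * @param[in,out] buf     Destination (read) or source (write) buffer.
 * @param[in]     n       Number of bytes to transfer.
 * @param[in]     do_read Non-zero to read, zero to write.
 *
 * @return The number of bytes transferred. Equals n on success. Less than
 *         n means end-of-file (read; errno set to 0) or a closed peer
 *         (write; errno set to EPIPE). 0 on a hard error. Callers must
 *         compare the result against n.
 */
static size_t atomicio(struct ssh_agent_struct *agent, void *buf, size_t n, int do_read) {
    char *b = buf;
    size_t pos = 0;
    ssize_t res;
    ssh_pollfd_t pfd;
    ssh_channel channel = agent->channel;
    socket_t fd;

    if (channel == NULL) {
        /* Plain socket transport. */
        fd = ssh_socket_get_fd_in(agent->sock);
        pfd.fd = fd;
        pfd.events = do_read ? POLLIN : POLLOUT;

        while (n > pos) {
            if (do_read) {
                res = read(fd, b + pos, n - pos);
            } else {
                res = write(fd, b + pos, n - pos);
            }
            switch (res) {
            case -1:
                if (errno == EINTR) {
                    continue;
                }
#ifdef EWOULDBLOCK
                if (errno == EAGAIN || errno == EWOULDBLOCK) {
#else
                if (errno == EAGAIN) {
#endif
                    /* fd is non-blocking: wait until it is ready again.
                     * No timeout, so a stalled agent blocks the caller. */
                    (void) ssh_poll(&pfd, 1, -1);
                    continue;
                }
                return 0;
            case 0:
                /* read returns 0 on end-of-file */
                errno = do_read ? 0 : EPIPE;
                return pos;
            default:
                pos += (size_t) res;
            }
        }
        return pos;
    }

    /* SSH channel transport (forwarded agent). The bytes come from the
     * remote side of that other session, so they are no more trusted than
     * any other channel data. */
    while (n > pos) {
        if (do_read) {
            res = ssh_channel_read(channel, b + pos, n - pos, 0);
        } else {
            res = ssh_channel_write(channel, b + pos, n - pos);
        }
        if (res == SSH_AGAIN) {
            continue;
        }
        if (res == SSH_ERROR) {
            return 0;
        }
        if (res == 0) {
            /* Nothing transferred (end-of-file on the channel, by the same
             * read semantics the socket path handles above). Without this
             * check pos never advances and the loop would spin forever;
             * report it exactly like the socket path does. */
            errno = do_read ? 0 : EPIPE;
            return pos;
        }
        pos += (size_t) res;
    }
    return pos;
}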
145
/**
 * @brief Allocate the agent state for a session.
 *
 * Creates the (not yet connected) socket used to reach a local agent. The
 * channel transport starts out unset; ssh_set_agent_channel() installs it.
 *
 * @param[in] session The session the agent socket belongs to.
 *
 * @return The new, zero-initialised agent, or NULL on allocation failure.
 */
ssh_agent agent_new(struct ssh_session_struct *session) {
    ssh_agent agent = calloc(1, sizeof(struct ssh_agent_struct));

    if (agent == NULL) {
        return NULL;
    }

    /* calloc already zeroed count, channel and ident */
    agent->sock = ssh_socket_new(session);
    if (agent->sock == NULL) {
        SAFE_FREE(agent);
        return NULL;
    }

    return agent;
}
164
/* Install (or, with NULL, clear) the channel transport. A non-NULL channel
 * takes precedence over the socket in atomicio() and agent_connect(). */
static void agent_set_channel(struct ssh_agent_struct *agent, ssh_channel channel){
    agent->channel = channel;
}
168
/** @brief sets the SSH agent channel.
 * The SSH agent channel will be used to authenticate this client using
 * an agent through a channel, from another session. The most likely use
 * is to implement SSH Agent forwarding into a SSH proxy. While a channel
 * is set it is used instead of the SSH_AUTH_SOCK socket; the channel stays
 * owned by its own session and is not closed or freed by the agent code.
 * @param[in] session the session whose agent should use the channel.
 * @param[in] channel a SSH channel from another session.
 * @returns SSH_OK in case of success
 *          SSH_ERROR in case of an error (NULL session, or a session
 *          without an agent)
 */
int ssh_set_agent_channel(ssh_session session, ssh_channel channel){
    ssh_agent agent;

    if (session == NULL) {
        return SSH_ERROR;
    }

    agent = session->agent;
    if (agent == NULL) {
        ssh_set_error(session, SSH_REQUEST_DENIED, "Session has no active agent");
        return SSH_ERROR;
    }

    agent_set_channel(agent, channel);
    return SSH_OK;
}
187
/** @brief sets the SSH agent socket.
 * The SSH agent will be used to authenticate this client using
 * the given socket to communicate with the ssh-agent. The caller
 * is responsible for connecting to the socket prior to calling
 * this function, and for making sure it really is the intended agent:
 * whatever answers on this descriptor decides which keys are offered
 * and produces the authentication signatures.
 * @param[in] session the session whose agent should use the socket.
 * @param[in] fd a connected socket descriptor.
 * @returns SSH_OK in case of success
 *          SSH_ERROR in case of an error (NULL session, or a session
 *          without an agent)
 */
int ssh_set_agent_socket(ssh_session session, socket_t fd){
    ssh_agent agent;

    if (session == NULL) {
        return SSH_ERROR;
    }

    agent = session->agent;
    if (agent == NULL) {
        ssh_set_error(session, SSH_REQUEST_DENIED, "Session has no active agent");
        return SSH_ERROR;
    }

    ssh_socket_set_fd(agent->sock, fd);
    return SSH_OK;
}
207
/**
 * @brief Close the agent's socket transport.
 *
 * Only the socket is closed; a forwarded channel belongs to another
 * session and is left alone.
 *
 * @param[in] agent The agent, may be NULL.
 */
void agent_close(struct ssh_agent_struct *agent) {
    if (agent != NULL) {
        ssh_socket_close(agent->sock);
    }
}
215
/**
 * @brief Release an agent: its cached identity list, its socket and the
 * agent structure itself.
 *
 * The channel, if one was set, is not touched: it is owned by the session
 * it came from.
 *
 * @param[in] agent The agent to free, may be NULL.
 */
void agent_free(ssh_agent agent) {
    if (agent == NULL) {
        return;
    }

    if (agent->ident != NULL) {
        ssh_buffer_free(agent->ident);
    }

    if (agent->sock != NULL) {
        agent_close(agent);
        ssh_socket_free(agent->sock);
    }

    SAFE_FREE(agent);
}
228
/**
 * @brief Connect the agent socket to the agent named by SSH_AUTH_SOCK.
 *
 * Nothing is done when a channel transport is already installed. The
 * socket path comes straight from the environment, so whoever controls
 * the process environment chooses which agent answers requests.
 *
 * @param[in] session The session whose agent should be connected.
 *
 * @return 0 when a transport is available (channel set, or socket
 *         connected), -1 when there is no agent, SSH_AUTH_SOCK is unset or
 *         empty, or the connect fails.
 */
static int agent_connect(ssh_session session) {
    const char *auth_sock;

    if (session == NULL || session->agent == NULL) {
        return -1;
    }

    /* a forwarded agent channel needs no local socket */
    if (session->agent->channel != NULL) {
        return 0;
    }

    auth_sock = getenv("SSH_AUTH_SOCK");
    if (auth_sock == NULL || *auth_sock == '\0') {
        return -1;
    }

    return (ssh_socket_unix(session->agent->sock, auth_sock) < 0) ? -1 : 0;
}
250
#if 0
/*
 * Disabled: nothing in this file calls this. The three failure codes it
 * handles are covered by the agent_failed() macro, and the callers compare
 * the reply type against the answer type they expect themselves.
 */
static int agent_decode_reply(struct ssh_session_struct *session, int type) {
    switch (type) {
    case SSH_AGENT_FAILURE:
    case SSH2_AGENT_FAILURE:
    case SSH_COM_AGENT2_FAILURE:
        ssh_log(session, SSH_LOG_RARE, "SSH_AGENT_FAILURE");
        return 0;
    case SSH_AGENT_SUCCESS:
        return 1;
    default:
        ssh_set_error(session, SSH_FATAL,
            "Bad response from authentication agent: %d", type);
        break;
    }

    return -1;
}
#endif
270
/**
 * @brief Exchange one request/reply pair with the agent.
 *
 * Wire format in both directions: a 4-byte big-endian length followed by
 * that many bytes of message. The reply length is dictated by the agent,
 * which may be a forwarded remote one, so it is capped at 256 KiB before
 * anything is buffered.
 *
 * @param[in]  session The session whose agent transport is used.
 * @param[in]  request Buffer holding the request message (no length
 *                     prefix); read, not consumed.
 * @param[out] reply   Buffer the reply message is appended to (no length
 *                     prefix).
 *
 * @return 0 on success, -1 on a transport failure, an oversized reply
 *         length (sets a fatal session error) or a buffer allocation
 *         failure (logged only).
 */
static int agent_talk(struct ssh_session_struct *session,
    struct ssh_buffer_struct *request, struct ssh_buffer_struct *reply) {
    struct ssh_agent_struct *agent = session->agent;
    uint8_t chunk[1024] = {0};
    uint32_t req_len;
    uint32_t remaining;

    req_len = buffer_get_rest_len(request);
    SSH_LOG(SSH_LOG_TRACE, "Request length: %u", req_len);
    agent_put_u32(chunk, req_len);

    /* length prefix first ... */
    if (atomicio(agent, chunk, 4, 0) != 4) {
        SSH_LOG(SSH_LOG_WARN,
                "atomicio sending request length failed: %s",
                strerror(errno));
        return -1;
    }
    /* ... then the request body */
    if (atomicio(agent, buffer_get_rest(request), req_len, 0) != req_len) {
        SSH_LOG(SSH_LOG_WARN, "atomicio sending request failed: %s",
                strerror(errno));
        return -1;
    }

    /* reply length prefix */
    if (atomicio(agent, chunk, 4, 1) != 4) {
        SSH_LOG(SSH_LOG_WARN, "atomicio read response length failed: %s",
                strerror(errno));
        return -1;
    }

    remaining = agent_get_u32(chunk);
    if (remaining > 256 * 1024) {
        ssh_set_error(session, SSH_FATAL,
                      "Authentication response too long: %u", remaining);
        return -1;
    }
    SSH_LOG(SSH_LOG_TRACE, "Response length: %u", remaining);

    /* reply body, copied over in bounded chunks */
    while (remaining > 0) {
        size_t want = remaining;

        if (want > sizeof(chunk)) {
            want = sizeof(chunk);
        }
        if (atomicio(agent, chunk, want, 1) != want) {
            SSH_LOG(SSH_LOG_WARN,
                    "Error reading response from authentication socket.");
            return -1;
        }
        if (ssh_buffer_add_data(reply, chunk, want) < 0) {
            SSH_LOG(SSH_LOG_WARN, "Not enough space");
            return -1;
        }
        remaining -= want;
    }

    return 0;
}
329
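/**
 * @brief Ask the agent for its identities and cache the reply.
 *
 * Sends the request-identities message for the session's protocol
 * version, checks the reply type, reads the identity count and keeps the
 * rest of the reply in session->agent->ident for
 * ssh_agent_get_next_ident() to consume. A previously cached reply is
 * freed first.
 *
 * The reply comes from a semi-trusted peer (possibly a forwarded remote
 * agent): the count is bounded at 1024, and a reply too short to hold the
 * count is rejected instead of being silently read as zero.
 *
 * @param[in] session The session whose agent is queried.
 *
 * @return The number of identities reported; 0 when the agent refused,
 *         could not be talked to, or the protocol version is unsupported;
 *         -1 on a NULL session/agent, a malformed reply or allocation
 *         failure (a session error is set in those cases).
 */
int ssh_agent_get_ident_count(struct ssh_session_struct *session) {
    ssh_buffer request = NULL;
    ssh_buffer reply = NULL;
    uint8_t type = 0;
    unsigned int c1 = 0, c2 = 0;
    uint32_t raw_count = 0;
    int rc;

    if (session == NULL || session->agent == NULL) {
        return -1;
    }

    switch (session->version) {
    case 1:
        c1 = SSH_AGENTC_REQUEST_RSA_IDENTITIES;
        c2 = SSH_AGENT_RSA_IDENTITIES_ANSWER;
        break;
    case 2:
        c1 = SSH2_AGENTC_REQUEST_IDENTITIES;
        c2 = SSH2_AGENT_IDENTITIES_ANSWER;
        break;
    default:
        return 0;
    }

    /* send message to the agent requesting the list of identities */
    request = ssh_buffer_new();
    if (request == NULL) {
        ssh_set_error_oom(session);
        return -1;
    }
    if (buffer_add_u8(request, c1) < 0) {
        ssh_set_error_oom(session);
        ssh_buffer_free(request);
        return -1;
    }

    reply = ssh_buffer_new();
    if (reply == NULL) {
        ssh_buffer_free(request);
        ssh_set_error(session, SSH_FATAL, "Not enough space");
        return -1;
    }

    rc = agent_talk(session, request, reply);
    ssh_buffer_free(request);
    if (rc < 0) {
        ssh_buffer_free(reply);
        return 0;
    }

    /* message type: a single byte, read into a uint8_t so that no
     * endianness fix-up of a wider integer is needed */
    rc = buffer_get_u8(reply, &type);
    if (rc != sizeof(uint8_t)) {
        ssh_set_error(session, SSH_FATAL,
                      "Bad authentication reply size: %d", rc);
        ssh_buffer_free(reply);
        return -1;
    }

    SSH_LOG(SSH_LOG_WARN,
            "Answer type: %d, expected answer: %d",
            type, c2);

    if (agent_failed(type)) {
        ssh_buffer_free(reply);
        return 0;
    } else if (type != c2) {
        ssh_set_error(session, SSH_FATAL,
                      "Bad authentication reply message type: %u",
                      (unsigned int) type);
        ssh_buffer_free(reply);
        return -1;
    }

    /* identity count: a truncated reply is an error, not a count of 0 */
    rc = buffer_get_u32(reply, &raw_count);
    if (rc != sizeof(uint32_t)) {
        ssh_set_error(session, SSH_FATAL,
                      "Bad authentication reply size: %d", rc);
        ssh_buffer_free(reply);
        return -1;
    }
    /* the buffer hands back the bytes as sent, i.e. big-endian */
    session->agent->count = agent_get_u32(&raw_count);
    SSH_LOG(SSH_LOG_DEBUG, "Agent count: %d",
            session->agent->count);
    if (session->agent->count > 1024) {
        ssh_set_error(session, SSH_FATAL,
                      "Too many identities in authentication reply: %d",
                      session->agent->count);
        /* do not leave a rejected count behind for the iterator */
        session->agent->count = 0;
        ssh_buffer_free(reply);
        return -1;
    }

    /* Replace the cached list. The old buffer has to be freed outright:
     * only reinitialising it and then overwriting the pointer leaks it. */
    if (session->agent->ident) {
        ssh_buffer_free(session->agent->ident);
    }
    session->agent->ident = reply;

    return session->agent->count;
}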
422
/**
 * @brief (Re)fetch the identity list from the agent and return its first
 * entry.
 *
 * @param[in]  session The session whose agent is queried.
 * @param[out] comment Receives the key comment; the caller frees it.
 *
 * @return The first public key (caller frees it), or NULL when the agent
 *         reports no identities, cannot be reached, or the entry cannot be
 *         parsed.
 */
ssh_key ssh_agent_get_first_ident(struct ssh_session_struct *session,
    char **comment) {
    int count = ssh_agent_get_ident_count(session);

    if (count <= 0) {
        return NULL;
    }

    return ssh_agent_get_next_ident(session, comment);
}
432
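/**
 * @brief Return the next identity from the cached agent reply.
 *
 * Consumes one (key blob, comment) pair from session->agent->ident, as
 * filled in by ssh_agent_get_ident_count(). Only protocol version 2 is
 * handled; version 1 yields NULL. The key blob is data from the agent and
 * is parsed by ssh_pki_import_pubkey_blob(); a blob that does not parse
 * ends the iteration with NULL.
 *
 * @param[in]  session The session whose cached identity list is read.
 * @param[out] comment Receives a newly allocated copy of the key comment;
 *                     the caller frees it. Must not be NULL: with a NULL
 *                     pointer the entry is consumed and discarded and NULL
 *                     is returned.
 *
 * @return A newly allocated public key (caller frees it), or NULL when the
 *         list is exhausted or truncated, the blob does not parse, or
 *         memory runs out. On NULL, *comment is not left allocated.
 */
ssh_key ssh_agent_get_next_ident(struct ssh_session_struct *session,
    char **comment) {
    struct ssh_key_struct *key = NULL;
    struct ssh_string_struct *blob = NULL;
    struct ssh_string_struct *tmp = NULL;
    int rc;

    if (session == NULL || session->agent == NULL ||
        session->agent->ident == NULL || session->agent->count == 0) {
        return NULL;
    }

    if (session->version != 2) {
        /* version 1 (and anything unknown) is not supported here */
        return NULL;
    }

    /* get the blob */
    blob = buffer_get_ssh_string(session->agent->ident);
    if (blob == NULL) {
        return NULL;
    }

    /* get the comment */
    tmp = buffer_get_ssh_string(session->agent->ident);
    if (tmp == NULL) {
        ssh_string_free(blob);
        return NULL;
    }

    if (comment == NULL) {
        ssh_string_free(blob);
        ssh_string_free(tmp);
        return NULL;
    }
    *comment = ssh_string_to_char(tmp);
    ssh_string_free(tmp);
    if (*comment == NULL) {
        /* conversion failed (presumably out of memory): do not hand back
         * a key whose comment is missing */
        ssh_string_free(blob);
        return NULL;
    }

    /* get key from blob */
    rc = ssh_pki_import_pubkey_blob(blob, &key);
    ssh_string_free(blob);
    if (rc == SSH_ERROR) {
        /* the caller gets NULL and will not free the comment: do it here */
        SAFE_FREE(*comment);
        return NULL;
    }

    return key;
}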
486
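/**
 * @brief Tell whether an agent transport is available, connecting on
 * demand.
 *
 * An already open socket counts as running; otherwise agent_connect() is
 * tried, which succeeds immediately when a channel transport is set and
 * otherwise connects to SSH_AUTH_SOCK.
 *
 * @param[in] session The session to check, may be NULL.
 *
 * @return 1 when the agent can be talked to, 0 otherwise.
 */
int agent_is_running(ssh_session session) {
    if (session == NULL || session->agent == NULL) {
        return 0;
    }

    if (ssh_socket_is_open(session->agent->sock)) {
        return 1;
    }

    /* not connected yet: both branches of the original returned here, the
     * trailing "return 0" after them was unreachable */
    return (agent_connect(session) < 0) ? 0 : 1;
}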
504
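/**
 * @brief Ask the agent to sign data with the private key matching pubkey.
 *
 * Builds an SSH2_AGENTC_SIGN_REQUEST carrying the public key blob, the
 * data and a flags word, and returns the signature blob from the reply.
 * The data is signed exactly as given: this function adds nothing to it,
 * so the caller is responsible for what the signature binds (for
 * publickey authentication that is the caller's userauth request; not
 * checked here). The flags word is always 0, no request flags are sent.
 *
 * @param[in] session The session whose agent is used.
 * @param[in] pubkey  Public key identifying the agent key to sign with.
 * @param[in] data    Buffer with the bytes to sign; read, not consumed.
 *
 * @return The signature blob (caller frees it), or NULL when an argument
 *         is NULL, the request could not be built or sent, the agent
 *         refused, or the reply is not a sign response (a fatal session
 *         error is set in that last case).
 */
ssh_string ssh_agent_sign_data(ssh_session session,
                               const ssh_key pubkey,
                               struct ssh_buffer_struct *data)
{
    ssh_buffer request = NULL;
    ssh_buffer reply = NULL;
    ssh_string key_blob = NULL;
    ssh_string sig_blob = NULL;
    uint8_t type = 0;
    unsigned int flags = 0;
    uint32_t dlen;
    int rc;

    if (session == NULL || session->agent == NULL || pubkey == NULL ||
        data == NULL) {
        return NULL;
    }

    request = ssh_buffer_new();
    if (request == NULL) {
        return NULL;
    }

    /* create request: type, key blob, data, flags */
    if (buffer_add_u8(request, SSH2_AGENTC_SIGN_REQUEST) < 0) {
        goto out;
    }

    rc = ssh_pki_export_pubkey_blob(pubkey, &key_blob);
    if (rc < 0) {
        goto out;
    }

    /* adds len + blob */
    rc = buffer_add_ssh_string(request, key_blob);
    ssh_string_free(key_blob);
    if (rc < 0) {
        goto out;
    }

    /* data, length-prefixed */
    dlen = buffer_get_rest_len(data);
    if (buffer_add_u32(request, htonl(dlen)) < 0) {
        goto out;
    }
    if (ssh_buffer_add_data(request, buffer_get_rest(data), dlen) < 0) {
        goto out;
    }

    if (buffer_add_u32(request, htonl(flags)) < 0) {
        goto out;
    }

    reply = ssh_buffer_new();
    if (reply == NULL) {
        goto out;
    }

    /* send the request */
    if (agent_talk(session, request, reply) < 0) {
        goto out;
    }

    /* check if reply is valid: one type byte, read directly into a
     * uint8_t so no endianness fix-up is needed */
    if (buffer_get_u8(reply, &type) != sizeof(uint8_t)) {
        goto out;
    }

    if (agent_failed(type)) {
        SSH_LOG(SSH_LOG_WARN, "Agent reports failure in signing the key");
        goto out;
    }
    if (type != SSH2_AGENT_SIGN_RESPONSE) {
        ssh_set_error(session,
                      SSH_FATAL,
                      "Bad authentication response: %u",
                      (unsigned int) type);
        goto out;
    }

    /* NULL here means the reply carried no signature string */
    sig_blob = buffer_get_ssh_string(reply);

out:
    if (request != NULL) {
        ssh_buffer_free(request);
    }
    if (reply != NULL) {
        ssh_buffer_free(reply);
    }
    return sig_blob;
}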
600
601#endif /* _WIN32 */
602
603/* vim: set ts=4 sw=4 et cindent: */
604