release/src/router/dropbear/cli-agentfwd.c

   1 /*
   2  * Dropbear - a SSH2 server
   3  *
   4  * Copyright (c) 2005 Matt Johnston
   5  * All rights reserved.
   6  *
   7  * Permission is hereby granted, free of charge, to any person obtaining a copy
   8  * of this software and associated documentation files (the "Software"), to deal
   9  * in the Software without restriction, including without limitation the rights
  10  * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
  11  * copies of the Software, and to permit persons to whom the Software is
  12  * furnished to do so, subject to the following conditions:
  13  *
  14  * The above copyright notice and this permission notice shall be included in
  15  * all copies or substantial portions of the Software.
  16  *
  17  * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
  18  * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
  19  * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
  20  * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
  21  * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
  22  * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
  23  * SOFTWARE. */
  24
  25 #include "includes.h"
  26
  27 #ifdef ENABLE_CLI_AGENTFWD
  28
  29 #include "agentfwd.h"
  30 #include "session.h"
  31 #include "ssh.h"
  32 #include "dbutil.h"
  33 #include "chansession.h"
  34 #include "channel.h"
  35 #include "packet.h"
  36 #include "buffer.h"
  37 #include "dbrandom.h"
  38 #include "listener.h"
  39 #include "runopts.h"
  40 #include "atomicio.h"
  41 #include "signkey.h"
  42 #include "auth.h"
  43
  44 /* The protocol implemented to talk to OpenSSH's SSH2 agent is documented in
  45    PROTOCOL.agent in recent OpenSSH source distributions (5.1p1 has it). */
  46
  47 static int new_agent_chan(struct Channel * channel);
  48
  49 const struct ChanType cli_chan_agent = {
  50         0, /* sepfds */
  51         "auth-agent@openssh.com",
  52         new_agent_chan,
  53         NULL,
  54         NULL,
  55         NULL
  56 };
  57
  58 static int connect_agent() {
  59
  60         int fd = -1;
  61         char* agent_sock = NULL;
  62
  63         agent_sock = getenv("SSH_AUTH_SOCK");
  64         if (agent_sock == NULL)
  65                 return -1;
  66
  67         fd = connect_unix(agent_sock);
  68
  69         if (fd < 0) {
  70                 dropbear_log(LOG_INFO, "Failed to connect to agent");
  71         }
  72
  73         return fd;
  74 }
  75
  76 /* handle a request for a connection to the locally running ssh-agent
  77    or forward. */
  78 static int new_agent_chan(struct Channel * channel) {
  79
  80         int fd = -1;
  81
  82         if (!cli_opts.agent_fwd)
  83                 return SSH_OPEN_ADMINISTRATIVELY_PROHIBITED;
  84
  85         fd = connect_agent();
  86         if (fd < 0) {
  87                 return SSH_OPEN_CONNECT_FAILED;
  88         }
  89
  90         setnonblocking(fd);
  91
  92         ses.maxfd = MAX(ses.maxfd, fd);
  93
  94         channel->readfd = fd;
  95         channel->writefd = fd;
  96
  97         return 0;
  98 }
  99
 100 /* Sends a request to the agent, returning a newly allocated buffer
 101  * with the response */
 102 /* This function will block waiting for a response - it will
 103  * only be used by client authentication (not for forwarded requests)
 104  * won't cause problems for interactivity. */
 105 /* Packet format (from draft-ylonen)
 106    4 bytes     Length, msb first.  Does not include length itself.
 107    1 byte      Packet type.  The value 255 is reserved for future extensions.
 108    data        Any data, depending on packet type.  Encoding as in the ssh packet
 109                protocol.
 110 */
 111 static buffer * agent_request(unsigned char type, buffer *data) {
 112
 113         buffer * payload = NULL;
 114         buffer * inbuf = NULL;
 115         size_t readlen = 0;
 116         ssize_t ret;
 117         const int fd = cli_opts.agent_fd;
 118         unsigned int data_len = 0;
 119         if (data)
 120         {
 121                 data_len = data->len;
 122         }
 123
 124         payload = buf_new(4 + 1 + data_len);
 125
 126         buf_putint(payload, 1 + data_len);
 127         buf_putbyte(payload, type);
 128         if (data) {
 129                 buf_putbytes(payload, data->data, data->len);
 130         }
 131         buf_setpos(payload, 0);
 132
 133         ret = atomicio(write, fd, buf_getptr(payload, payload->len), payload->len);
 134         if ((size_t)ret != payload->len) {
 135                 TRACE(("write failed fd %d for agent_request, %s", fd, strerror(errno)))
 136                 goto out;
 137         }
 138
 139         buf_free(payload);
 140         payload = NULL;
 141         TRACE(("Wrote out bytes for agent_request"))
 142         /* Now we read the response */
 143         inbuf = buf_new(4);
 144         ret = atomicio(read, fd, buf_getwriteptr(inbuf, 4), 4);
 145         if (ret != 4) {
 146                 TRACE(("read of length failed for agent_request"))
 147                 goto out;
 148         }
 149         buf_setpos(inbuf, 0);
 150         buf_setlen(inbuf, ret);
 151
 152         readlen = buf_getint(inbuf);
 153         if (readlen > MAX_AGENT_REPLY) {
 154                 TRACE(("agent reply is too big"));
 155                 goto out;
 156         }
 157
 158         inbuf = buf_resize(inbuf, readlen);
 159         buf_setpos(inbuf, 0);
 160         ret = atomicio(read, fd, buf_getwriteptr(inbuf, readlen), readlen);
 161         if ((size_t)ret != readlen) {
 162                 TRACE(("read of data failed for agent_request"))
 163                 goto out;
 164         }
 165         buf_incrwritepos(inbuf, readlen);
 166         buf_setpos(inbuf, 0);
 167
 168 out:
 169         if (payload)
 170                 buf_free(payload);
 171
 172         return inbuf;
 173 }
 174
 175 static void agent_get_key_list(m_list * ret_list)
 176 {
 177         buffer * inbuf = NULL;
 178         unsigned int num = 0;
 179         unsigned char packet_type;
 180         unsigned int i;
 181         int ret;
 182
 183         inbuf = agent_request(SSH2_AGENTC_REQUEST_IDENTITIES, NULL);
 184         if (!inbuf) {
 185                 TRACE(("agent_request failed returning identities"))
 186                 goto out;
 187         }
 188
 189         /* The reply has a format of:
 190                 byte                    SSH2_AGENT_IDENTITIES_ANSWER
 191                 uint32                  num_keys
 192            Followed by zero or more consecutive keys, encoded as:
 193          string                 key_blob
 194          string                 key_comment
 195          */
 196         packet_type = buf_getbyte(inbuf);
 197         if (packet_type != SSH2_AGENT_IDENTITIES_ANSWER) {
 198                 goto out;
 199         }
 200
 201         num = buf_getint(inbuf);
 202         for (i = 0; i < num; i++) {
 203                 sign_key * pubkey = NULL;
 204                 enum signkey_type key_type = DROPBEAR_SIGNKEY_ANY;
 205                 buffer * key_buf;
 206
 207                 /* each public key is encoded as a string */
 208                 key_buf = buf_getstringbuf(inbuf);
 209                 pubkey = new_sign_key();
 210                 ret = buf_get_pub_key(key_buf, pubkey, &key_type);
 211                 buf_free(key_buf);
 212                 if (ret != DROPBEAR_SUCCESS) {
 213                         TRACE(("Skipping bad/unknown type pubkey from agent"));
 214                         sign_key_free(pubkey);
 215                 } else {
 216                         pubkey->type = key_type;
 217                         pubkey->source = SIGNKEY_SOURCE_AGENT;
 218
 219                         list_append(ret_list, pubkey);
 220                 }
 221
 222                 /* We'll ignore the comment for now. might want it later.*/
 223                 buf_eatstring(inbuf);
 224         }
 225
 226 out:
 227         if (inbuf) {
 228                 buf_free(inbuf);
 229                 inbuf = NULL;
 230         }
 231 }
 232
 233 void cli_setup_agent(struct Channel *channel) {
 234         if (!getenv("SSH_AUTH_SOCK")) {
 235                 return;
 236         }
 237
 238         start_send_channel_request(channel, "auth-agent-req@openssh.com");
 239         /* Don't want replies */
 240         buf_putbyte(ses.writepayload, 0);
 241         encrypt_packet();
 242 }
 243
 244 /* Returned keys are prepended to ret_list, which will
 245    be updated. */
 246 void cli_load_agent_keys(m_list *ret_list) {
 247         /* agent_fd will be closed after successful auth */
 248         cli_opts.agent_fd = connect_agent();
 249         if (cli_opts.agent_fd < 0) {
 250                 return;
 251         }
 252
 253         agent_get_key_list(ret_list);
 254 }
 255
 256 void agent_buf_sign(buffer *sigblob, sign_key *key,
 257                 buffer *data_buf) {
 258         buffer *request_data = NULL;
 259         buffer *response = NULL;
 260         unsigned int siglen;
 261         int packet_type;
 262
 263         /* Request format
 264         byte                    SSH2_AGENTC_SIGN_REQUEST
 265         string                  key_blob
 266         string                  data
 267         uint32                  flags
 268         */
 269         request_data = buf_new(MAX_PUBKEY_SIZE + data_buf->len + 12);
 270         buf_put_pub_key(request_data, key, key->type);
 271
 272         buf_putbufstring(request_data, data_buf);
 273         buf_putint(request_data, 0);
 274
 275         response = agent_request(SSH2_AGENTC_SIGN_REQUEST, request_data);
 276
 277         if (!response) {
 278                 goto fail;
 279         }
 280
 281         packet_type = buf_getbyte(response);
 282         if (packet_type != SSH2_AGENT_SIGN_RESPONSE) {
 283                 goto fail;
 284         }
 285
 286         /* Response format
 287         byte                    SSH2_AGENT_SIGN_RESPONSE
 288         string                  signature_blob
 289         */
 290         siglen = buf_getint(response);
 291         buf_putbytes(sigblob, buf_getptr(response, siglen), siglen);
 292         goto cleanup;
 293
 294 fail:
 295         /* XXX don't fail badly here. instead propagate a failure code back up to
 296            the cli auth pubkey code, and just remove this key from the list of
 297            ones to try. */
 298         dropbear_exit("Agent failed signing key");
 299
 300 cleanup:
 301         if (request_data) {
 302                 buf_free(request_data);
 303         }
 304         if (response) {
 305                 buf_free(response);
 306         }
 307 }
 308
 309 #endif