1 files changed, 336 insertions, 17 deletions
diff --git a/sshconnect2.c b/sshconnect2.c
index 185e7b204..bb72db5dd 100644
--- a/sshconnect2.c
+++ b/sshconnect2.c
@@ -1,6 +1,7 @@
-/* $OpenBSD: sshconnect2.c,v 1.166 2008/07/17 08:48:00 djm Exp $ */
+/* $OpenBSD: sshconnect2.c,v 1.170 2008/11/04 08:22:13 djm Exp $ */
 /*
 * Copyright (c) 2000 Markus Friedl.  All rights reserved.
+ * Copyright (c) 2008 Damien Miller.  All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
@@ -67,6 +68,7 @@
 #include "msg.h"
 #include "pathnames.h"
 #include "uidswap.h"
+#include "jpake.h"
 #ifdef GSSAPI
 #include "ssh-gss.h"
@@ -121,7 +123,7 @@ ssh_kex2(char *host, struct sockaddr *hostaddr)
                else
                        gss_host = host;
-                gss = ssh_gssapi_client_mechanisms(gss_host);
+                gss = ssh_gssapi_client_mechanisms(gss_host, options.gss_client_identity);
                if (gss) {
                        debug("Offering GSSAPI proposal: %s", gss);
                        xasprintf(&myproposal[PROPOSAL_KEX_ALGS],
@@ -164,6 +166,7 @@ ssh_kex2(char *host, struct sockaddr *hostaddr)
                orig = myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS];
                xasprintf(&myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS], 
                    "%s,null", orig);
+                xfree(gss);
        }
 #endif
@@ -177,18 +180,23 @@ ssh_kex2(char *host, struct sockaddr *hostaddr)
        kex->kex[KEX_DH_GEX_SHA1] = kexgex_client;
        kex->kex[KEX_DH_GEX_SHA256] = kexgex_client;
 #ifdef GSSAPI
-        kex->kex[KEX_GSS_GRP1_SHA1] = kexgss_client;
+        if (options.gss_keyex) {
-        kex->kex[KEX_GSS_GRP14_SHA1] = kexgss_client;
+                kex->kex[KEX_GSS_GRP1_SHA1] = kexgss_client;
-        kex->kex[KEX_GSS_GEX_SHA1] = kexgss_client;
+                kex->kex[KEX_GSS_GRP14_SHA1] = kexgss_client;
+                kex->kex[KEX_GSS_GEX_SHA1] = kexgss_client;
+        }
 #endif
        kex->client_version_string=client_version_string;
        kex->server_version_string=server_version_string;
        kex->verify_host_key=&verify_host_key_callback;
 #ifdef GSSAPI
-        kex->gss_deleg_creds = options.gss_deleg_creds;
+        if (options.gss_keyex) {
-        kex->gss_trust_dns = options.gss_trust_dns;
+                kex->gss_deleg_creds = options.gss_deleg_creds;
-        kex->gss_host = gss_host;
+                kex->gss_trust_dns = options.gss_trust_dns;
+                kex->gss_client = options.gss_client_identity;
+                kex->gss_host = gss_host;
+        }
 #endif
        xxx_kex = kex;
@@ -247,6 +255,7 @@ struct Authctxt {
 struct Authmethod {
        char    *name;          /* string to compare against server's list */
        int     (*userauth)(Authctxt *authctxt);
+        void    (*cleanup)(Authctxt *authctxt);
        int     *enabled;       /* flag in option struct that enables method */
        int     *batch_flag;    /* flag in option struct that disables method */
 };
@@ -258,13 +267,18 @@ void	input_userauth_error(int, u_int32_t, void *);
 void    input_userauth_info_req(int, u_int32_t, void *);
 void    input_userauth_pk_ok(int, u_int32_t, void *);
 void    input_userauth_passwd_changereq(int, u_int32_t, void *);
+void    input_userauth_jpake_server_step1(int, u_int32_t, void *);
+void    input_userauth_jpake_server_step2(int, u_int32_t, void *);
+void    input_userauth_jpake_server_confirm(int, u_int32_t, void *);
 int     userauth_none(Authctxt *);
 int     userauth_pubkey(Authctxt *);
 int     userauth_passwd(Authctxt *);
 int     userauth_kbdint(Authctxt *);
 int     userauth_hostbased(Authctxt *);
-int     userauth_kerberos(Authctxt *);
+int     userauth_jpake(Authctxt *);
+void    userauth_jpake_cleanup(Authctxt *);
 #ifdef GSSAPI
 int     userauth_gssapi(Authctxt *authctxt);
@@ -295,6 +309,7 @@ Authmethod authmethods[] = {
                NULL},
        {"gssapi-with-mic",
                userauth_gssapi,
+                NULL,
                &options.gss_authentication,
                NULL},
        {"gssapi",
@@ -304,25 +319,37 @@ Authmethod authmethods[] = {
 #endif
        {"hostbased",
                userauth_hostbased,
+                NULL,
                &options.hostbased_authentication,
                NULL},
        {"publickey",
                userauth_pubkey,
+                NULL,
                &options.pubkey_authentication,
                NULL},
+#ifdef JPAKE
+        {"jpake-01@openssh.com",
+                userauth_jpake,
+                userauth_jpake_cleanup,
+                &options.zero_knowledge_password_authentication,
+                &options.batch_mode},
+#endif
        {"keyboard-interactive",
                userauth_kbdint,
+                NULL,
                &options.kbd_interactive_authentication,
                &options.batch_mode},
        {"password",
                userauth_passwd,
+                NULL,
                &options.password_authentication,
                &options.batch_mode},
        {"none",
                userauth_none,
                NULL,
+                NULL,
                NULL},
-        {NULL, NULL, NULL, NULL}
+        {NULL, NULL, NULL, NULL, NULL}
 };
 void
@@ -390,6 +417,9 @@ ssh_userauth2(const char *local_user, const char *server_user, char *host,
 void
 userauth(Authctxt *authctxt, char *authlist)
 {
+        if (authctxt->method != NULL && authctxt->method->cleanup != NULL)
+                authctxt->method->cleanup(authctxt);
        if (authctxt->methoddata) {
                xfree(authctxt->methoddata);
                authctxt->methoddata = NULL;
@@ -422,6 +452,7 @@ userauth(Authctxt *authctxt, char *authlist)
        }
 }
+/* ARGSUSED */
 void
 input_userauth_error(int type, u_int32_t seq, void *ctxt)
 {
@@ -429,6 +460,7 @@ input_userauth_error(int type, u_int32_t seq, void *ctxt)
            "type %d", type);
 }
+/* ARGSUSED */
 void
 input_userauth_banner(int type, u_int32_t seq, void *ctxt)
 {
@@ -438,12 +470,11 @@ input_userauth_banner(int type, u_int32_t seq, void *ctxt)
        debug3("input_userauth_banner");
        raw = packet_get_string(&len);
        lang = packet_get_string(NULL);
-        if (options.log_level >= SYSLOG_LEVEL_INFO) {
+        if (len > 0 && options.log_level >= SYSLOG_LEVEL_INFO) {
                if (len > 65536)
                        len = 65536;
                msg = xmalloc(len * 4 + 1); /* max expansion from strnvis() */
                strnvis(msg, raw, len * 4 + 1, VIS_SAFE|VIS_OCTAL);
-                msg[len*4] = '\0';
                fprintf(stderr, "%s", msg);
                xfree(msg);
        }
@@ -451,6 +482,7 @@ input_userauth_banner(int type, u_int32_t seq, void *ctxt)
        xfree(lang);
 }
+/* ARGSUSED */
 void
 input_userauth_success(int type, u_int32_t seq, void *ctxt)
 {
@@ -468,6 +500,7 @@ input_userauth_success(int type, u_int32_t seq, void *ctxt)
        authctxt->success = 1;                  /* break out */
 }
+/* ARGSUSED */
 void
 input_userauth_failure(int type, u_int32_t seq, void *ctxt)
 {
@@ -488,6 +521,8 @@ input_userauth_failure(int type, u_int32_t seq, void *ctxt)
        userauth(authctxt, authlist);
 }
+/* ARGSUSED */
 void
 input_userauth_pk_ok(int type, u_int32_t seq, void *ctxt)
 {
@@ -567,26 +602,30 @@ userauth_gssapi(Authctxt *authctxt)
        static u_int mech = 0;
        OM_uint32 min;
        int ok = 0;
-        char *gss_host = NULL;
+        const char *gss_host;
        int old_gssapi_method;
        if (options.gss_trust_dns)
-                gss_host = (char *)get_canonical_hostname(1);
+                gss_host = get_canonical_hostname(1);
        else
-                gss_host = (char *)authctxt->host;
+                gss_host = authctxt->host;
        /* Try one GSSAPI method at a time, rather than sending them all at
         * once. */
        if (gss_supported == NULL)
-                gss_indicate_mechs(&min, &gss_supported);
+                if (GSS_ERROR(gss_indicate_mechs(&min, &gss_supported))) {
+                        gss_supported = NULL;
+                        return 0;
+                }
        /* Check to see if the mechanism is usable before we offer it */
        while (mech < gss_supported->count && !ok) {
                /* My DER encoding requires length<128 */
                if (gss_supported->elements[mech].length < 128 &&
                    ssh_gssapi_check_mechanism(&gssctxt, 
-                    &gss_supported->elements[mech], gss_host)) {
+                    &gss_supported->elements[mech], gss_host, 
+                    options.gss_client_identity)) {
                        ok = 1; /* Mechanism works */
                } else {
                        mech++;
@@ -691,6 +730,7 @@ process_gssapi_token(void *ctxt, gss_buffer_t recv_tok)
        return status;
 }
+/* ARGSUSED */
 void
 input_gssapi_response(int type, u_int32_t plen, void *ctxt)
 {
@@ -736,6 +776,7 @@ input_gssapi_response(int type, u_int32_t plen, void *ctxt)
        }
 }
+/* ARGSUSED */
 void
 input_gssapi_token(int type, u_int32_t plen, void *ctxt)
 {
@@ -763,6 +804,7 @@ input_gssapi_token(int type, u_int32_t plen, void *ctxt)
        }
 }
+/* ARGSUSED */
 void
 input_gssapi_errtok(int type, u_int32_t plen, void *ctxt)
 {
@@ -792,6 +834,7 @@ input_gssapi_errtok(int type, u_int32_t plen, void *ctxt)
        /* Server will be returning a failed packet after this one */
 }
+/* ARGSUSED */
 void
 input_gssapi_error(int type, u_int32_t plen, void *ctxt)
 {
@@ -898,9 +941,11 @@ userauth_passwd(Authctxt *authctxt)
        return 1;
 }
 /*
 * parse PASSWD_CHANGEREQ, prompt user and send SSH2_MSG_USERAUTH_REQUEST
 */
+/* ARGSUSED */
 void
 input_userauth_passwd_changereq(int type, u_int32_t seqnr, void *ctxt)
 {
@@ -965,6 +1010,209 @@ input_userauth_passwd_changereq(int type, u_int32_t seqnr, void *ctxt)
            &input_userauth_passwd_changereq);
 }
+#ifdef JPAKE
+static char *
+pw_encrypt(const char *password, const char *crypt_scheme, const char *salt)
+{
+        /* OpenBSD crypt(3) handles all of these */
+        if (strcmp(crypt_scheme, "crypt") == 0 ||
+            strcmp(crypt_scheme, "bcrypt") == 0 ||
+            strcmp(crypt_scheme, "md5crypt") == 0 ||
+            strcmp(crypt_scheme, "crypt-extended") == 0)
+                return xstrdup(crypt(password, salt));
+        error("%s: unsupported password encryption scheme \"%.100s\"",
+            __func__, crypt_scheme);
+        return NULL;
+}
+static BIGNUM *
+jpake_password_to_secret(Authctxt *authctxt, const char *crypt_scheme,
+    const char *salt)
+{
+        char prompt[256], *password, *crypted;
+        u_char *secret;
+        u_int secret_len;
+        BIGNUM *ret;
+        snprintf(prompt, sizeof(prompt), "%.30s@%.128s's password (JPAKE): ",
+            authctxt->server_user, authctxt->host);
+        password = read_passphrase(prompt, 0);
+        if ((crypted = pw_encrypt(password, crypt_scheme, salt)) == NULL) {
+                logit("Disabling %s authentication", authctxt->method->name);
+                authctxt->method->enabled = NULL;
+                /* Continue with an empty password to fail gracefully */
+                crypted = xstrdup("");
+        }
+#ifdef JPAKE_DEBUG
+        debug3("%s: salt = %s", __func__, salt);
+        debug3("%s: scheme = %s", __func__, crypt_scheme);
+        debug3("%s: crypted = %s", __func__, crypted);
+#endif
+        if (hash_buffer(crypted, strlen(crypted), EVP_sha256(),
+            &secret, &secret_len) != 0)
+                fatal("%s: hash_buffer", __func__);
+        bzero(password, strlen(password));
+        bzero(crypted, strlen(crypted));
+        xfree(password);
+        xfree(crypted);
+        if ((ret = BN_bin2bn(secret, secret_len, NULL)) == NULL)
+                fatal("%s: BN_bin2bn (secret)", __func__);
+        bzero(secret, secret_len);
+        xfree(secret);
+        return ret;
+}
+/* ARGSUSED */
+void
+input_userauth_jpake_server_step1(int type, u_int32_t seq, void *ctxt)
+{
+        Authctxt *authctxt = ctxt;
+        struct jpake_ctx *pctx = authctxt->methoddata;
+        u_char *x3_proof, *x4_proof, *x2_s_proof;
+        u_int x3_proof_len, x4_proof_len, x2_s_proof_len;
+        char *crypt_scheme, *salt;
+        /* Disable this message */
+        dispatch_set(SSH2_MSG_USERAUTH_JPAKE_SERVER_STEP1, NULL);
+        if ((pctx->g_x3 = BN_new()) == NULL ||
+            (pctx->g_x4 = BN_new()) == NULL)
+                fatal("%s: BN_new", __func__);
+        /* Fetch step 1 values */
+        crypt_scheme = packet_get_string(NULL);
+        salt = packet_get_string(NULL);
+        pctx->server_id = packet_get_string(&pctx->server_id_len);
+        packet_get_bignum2(pctx->g_x3);
+        packet_get_bignum2(pctx->g_x4);
+        x3_proof = packet_get_string(&x3_proof_len);
+        x4_proof = packet_get_string(&x4_proof_len);
+        packet_check_eom();
+        JPAKE_DEBUG_CTX((pctx, "step 1 received in %s", __func__));
+        /* Obtain password and derive secret */
+        pctx->s = jpake_password_to_secret(authctxt, crypt_scheme, salt);
+        bzero(crypt_scheme, strlen(crypt_scheme));
+        bzero(salt, strlen(salt));
+        xfree(crypt_scheme);
+        xfree(salt);
+        JPAKE_DEBUG_BN((pctx->s, "%s: s = ", __func__));
+        /* Calculate step 2 values */
+        jpake_step2(pctx->grp, pctx->s, pctx->g_x1,
+            pctx->g_x3, pctx->g_x4, pctx->x2,
+            pctx->server_id, pctx->server_id_len,
+            pctx->client_id, pctx->client_id_len,
+            x3_proof, x3_proof_len,
+            x4_proof, x4_proof_len,
+            &pctx->a,
+            &x2_s_proof, &x2_s_proof_len);
+        bzero(x3_proof, x3_proof_len);
+        bzero(x4_proof, x4_proof_len);
+        xfree(x3_proof);
+        xfree(x4_proof);
+        JPAKE_DEBUG_CTX((pctx, "step 2 sending in %s", __func__));
+        /* Send values for step 2 */
+        packet_start(SSH2_MSG_USERAUTH_JPAKE_CLIENT_STEP2);
+        packet_put_bignum2(pctx->a);
+        packet_put_string(x2_s_proof, x2_s_proof_len);
+        packet_send();
+        bzero(x2_s_proof, x2_s_proof_len);
+        xfree(x2_s_proof);
+        /* Expect step 2 packet from peer */
+        dispatch_set(SSH2_MSG_USERAUTH_JPAKE_SERVER_STEP2,
+            input_userauth_jpake_server_step2);
+}
+/* ARGSUSED */
+void
+input_userauth_jpake_server_step2(int type, u_int32_t seq, void *ctxt)
+{
+        Authctxt *authctxt = ctxt;
+        struct jpake_ctx *pctx = authctxt->methoddata;
+        u_char *x4_s_proof;
+        u_int x4_s_proof_len;
+        /* Disable this message */
+        dispatch_set(SSH2_MSG_USERAUTH_JPAKE_SERVER_STEP2, NULL);
+        if ((pctx->b = BN_new()) == NULL)
+                fatal("%s: BN_new", __func__);
+        /* Fetch step 2 values */
+        packet_get_bignum2(pctx->b);
+        x4_s_proof = packet_get_string(&x4_s_proof_len);
+        packet_check_eom();
+        JPAKE_DEBUG_CTX((pctx, "step 2 received in %s", __func__));
+        /* Derive shared key and calculate confirmation hash */
+        jpake_key_confirm(pctx->grp, pctx->s, pctx->b,
+            pctx->x2, pctx->g_x1, pctx->g_x2, pctx->g_x3, pctx->g_x4,
+            pctx->client_id, pctx->client_id_len,
+            pctx->server_id, pctx->server_id_len,
+            session_id2, session_id2_len,
+            x4_s_proof, x4_s_proof_len,
+            &pctx->k,
+            &pctx->h_k_cid_sessid, &pctx->h_k_cid_sessid_len);
+        bzero(x4_s_proof, x4_s_proof_len);
+        xfree(x4_s_proof);
+        JPAKE_DEBUG_CTX((pctx, "confirm sending in %s", __func__));
+        /* Send key confirmation proof */
+        packet_start(SSH2_MSG_USERAUTH_JPAKE_CLIENT_CONFIRM);
+        packet_put_string(pctx->h_k_cid_sessid, pctx->h_k_cid_sessid_len);
+        packet_send();
+        /* Expect confirmation from peer */
+        dispatch_set(SSH2_MSG_USERAUTH_JPAKE_SERVER_CONFIRM,
+            input_userauth_jpake_server_confirm);
+}
+/* ARGSUSED */
+void
+input_userauth_jpake_server_confirm(int type, u_int32_t seq, void *ctxt)
+{
+        Authctxt *authctxt = ctxt;
+        struct jpake_ctx *pctx = authctxt->methoddata;
+        /* Disable this message */
+        dispatch_set(SSH2_MSG_USERAUTH_JPAKE_SERVER_CONFIRM, NULL);
+        pctx->h_k_sid_sessid = packet_get_string(&pctx->h_k_sid_sessid_len);
+        packet_check_eom();
+        JPAKE_DEBUG_CTX((pctx, "confirm received in %s", __func__));
+        /* Verify expected confirmation hash */
+        if (jpake_check_confirm(pctx->k,
+            pctx->server_id, pctx->server_id_len,
+            session_id2, session_id2_len,
+            pctx->h_k_sid_sessid, pctx->h_k_sid_sessid_len) == 1)
+                debug("%s: %s success", __func__, authctxt->method->name);
+        else {
+                debug("%s: confirmation mismatch", __func__);
+                /* XXX stash this so if auth succeeds then we can warn/kill */
+        }
+        userauth_jpake_cleanup(authctxt);
+}
+#endif /* JPAKE */
 static int
 identity_sign(Identity *id, u_char **sigp, u_int *lenp,
    u_char *data, u_int datalen)
@@ -1541,6 +1789,76 @@ userauth_hostbased(Authctxt *authctxt)
        return 1;
 }
+#ifdef JPAKE
+int
+userauth_jpake(Authctxt *authctxt)
+{
+        struct jpake_ctx *pctx;
+        u_char *x1_proof, *x2_proof;
+        u_int x1_proof_len, x2_proof_len;
+        static int attempt = 0; /* XXX share with userauth_password's? */
+        if (attempt++ >= options.number_of_password_prompts)
+                return 0;
+        if (attempt != 1)
+                error("Permission denied, please try again.");
+        if (authctxt->methoddata != NULL)
+                fatal("%s: authctxt->methoddata already set (%p)",
+                    __func__, authctxt->methoddata);
+        authctxt->methoddata = pctx = jpake_new();
+        /*
+         * Send request immediately, to get the protocol going while
+         * we do the initial computations.
+         */
+        packet_start(SSH2_MSG_USERAUTH_REQUEST);
+        packet_put_cstring(authctxt->server_user);
+        packet_put_cstring(authctxt->service);
+        packet_put_cstring(authctxt->method->name);
+        packet_send();
+        packet_write_wait();
+        jpake_step1(pctx->grp,
+            &pctx->client_id, &pctx->client_id_len,
+            &pctx->x1, &pctx->x2, &pctx->g_x1, &pctx->g_x2,
+            &x1_proof, &x1_proof_len,
+            &x2_proof, &x2_proof_len);
+        JPAKE_DEBUG_CTX((pctx, "step 1 sending in %s", __func__));
+        packet_start(SSH2_MSG_USERAUTH_JPAKE_CLIENT_STEP1);
+        packet_put_string(pctx->client_id, pctx->client_id_len);
+        packet_put_bignum2(pctx->g_x1);
+        packet_put_bignum2(pctx->g_x2);
+        packet_put_string(x1_proof, x1_proof_len);
+        packet_put_string(x2_proof, x2_proof_len);
+        packet_send();
+        bzero(x1_proof, x1_proof_len);
+        bzero(x2_proof, x2_proof_len);
+        xfree(x1_proof);
+        xfree(x2_proof);
+        /* Expect step 1 packet from peer */
+        dispatch_set(SSH2_MSG_USERAUTH_JPAKE_SERVER_STEP1,
+            input_userauth_jpake_server_step1);
+        return 1;
+}
+void
+userauth_jpake_cleanup(Authctxt *authctxt)
+{
+        debug3("%s: clean up", __func__);
+        if (authctxt->methoddata != NULL) {
+                jpake_free(authctxt->methoddata);
+                authctxt->methoddata = NULL;
+        }
+}
+#endif /* JPAKE */
 /* find auth method */
 /*
@@ -1642,3 +1960,4 @@ authmethods_get(void)
        buffer_free(&b);
        return list;
 }