Upgrade to OpenSSH 5.2p1.

MFC after:	3 months

1 files changed, 315 insertions, 6 deletions

diff --git a/crypto/openssh/sshconnect2.c b/crypto/openssh/sshconnect2.c
index 067c875..a762eec 100644
--- a/crypto/openssh/sshconnect2.c
+++ b/crypto/openssh/sshconnect2.c
@@ -1,6 +1,7 @@
-/* $OpenBSD: sshconnect2.c,v 1.166 2008/07/17 08:48:00 djm Exp $ */
+/* $OpenBSD: sshconnect2.c,v 1.170 2008/11/04 08:22:13 djm Exp $ */
 /*
  * Copyright (c) 2000 Markus Friedl.  All rights reserved.
+ * Copyright (c) 2008 Damien Miller.  All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -67,6 +68,7 @@
 #include "msg.h"
 #include "pathnames.h"
 #include "uidswap.h"
+#include "jpake.h"
 
 #ifdef GSSAPI
 #include "ssh-gss.h"
@@ -201,6 +203,7 @@ struct Authctxt {
 struct Authmethod {
 	char	*name;		/* string to compare against server's list */
 	int	(*userauth)(Authctxt *authctxt);
+	void	(*cleanup)(Authctxt *authctxt);
 	int	*enabled;	/* flag in option struct that enables method */
 	int	*batch_flag;	/* flag in option struct that disables method */
 };
@@ -212,13 +215,18 @@ void	input_userauth_error(int, u_int32_t, void *);
 void	input_userauth_info_req(int, u_int32_t, void *);
 void	input_userauth_pk_ok(int, u_int32_t, void *);
 void	input_userauth_passwd_changereq(int, u_int32_t, void *);
+void	input_userauth_jpake_server_step1(int, u_int32_t, void *);
+void	input_userauth_jpake_server_step2(int, u_int32_t, void *);
+void	input_userauth_jpake_server_confirm(int, u_int32_t, void *);
 
 int	userauth_none(Authctxt *);
 int	userauth_pubkey(Authctxt *);
 int	userauth_passwd(Authctxt *);
 int	userauth_kbdint(Authctxt *);
 int	userauth_hostbased(Authctxt *);
-int	userauth_kerberos(Authctxt *);
+int	userauth_jpake(Authctxt *);
+
+void	userauth_jpake_cleanup(Authctxt *);
 
 #ifdef GSSAPI
 int	userauth_gssapi(Authctxt *authctxt);
@@ -244,30 +252,43 @@ Authmethod authmethods[] = {
 #ifdef GSSAPI
 	{"gssapi-with-mic",
 		userauth_gssapi,
+		NULL,
 		&options.gss_authentication,
 		NULL},
 #endif
 	{"hostbased",
 		userauth_hostbased,
+		NULL,
 		&options.hostbased_authentication,
 		NULL},
 	{"publickey",
 		userauth_pubkey,
+		NULL,
 		&options.pubkey_authentication,
 		NULL},
+#ifdef JPAKE
+	{"jpake-01@openssh.com",
+		userauth_jpake,
+		userauth_jpake_cleanup,
+		&options.zero_knowledge_password_authentication,
+		&options.batch_mode},
+#endif
 	{"keyboard-interactive",
 		userauth_kbdint,
+		NULL,
 		&options.kbd_interactive_authentication,
 		&options.batch_mode},
 	{"password",
 		userauth_passwd,
+		NULL,
 		&options.password_authentication,
 		&options.batch_mode},
 	{"none",
 		userauth_none,
 		NULL,
+		NULL,
 		NULL},
-	{NULL, NULL, NULL, NULL}
+	{NULL, NULL, NULL, NULL, NULL}
 };
 
 void
@@ -335,6 +356,9 @@ ssh_userauth2(const char *local_user, const char *server_user, char *host,
 void
 userauth(Authctxt *authctxt, char *authlist)
 {
+	if (authctxt->method != NULL && authctxt->method->cleanup != NULL)
+		authctxt->method->cleanup(authctxt);
+
 	if (authctxt->methoddata) {
 		xfree(authctxt->methoddata);
 		authctxt->methoddata = NULL;
@@ -367,6 +391,7 @@ userauth(Authctxt *authctxt, char *authlist)
 	}
 }
 
+/* ARGSUSED */
 void
 input_userauth_error(int type, u_int32_t seq, void *ctxt)
 {
@@ -374,6 +399,7 @@ input_userauth_error(int type, u_int32_t seq, void *ctxt)
 	    "type %d", type);
 }
 
+/* ARGSUSED */
 void
 input_userauth_banner(int type, u_int32_t seq, void *ctxt)
 {
@@ -383,12 +409,11 @@ input_userauth_banner(int type, u_int32_t seq, void *ctxt)
 	debug3("input_userauth_banner");
 	raw = packet_get_string(&len);
 	lang = packet_get_string(NULL);
-	if (options.log_level >= SYSLOG_LEVEL_INFO) {
+	if (len > 0 && options.log_level >= SYSLOG_LEVEL_INFO) {
 		if (len > 65536)
 			len = 65536;
 		msg = xmalloc(len * 4 + 1); /* max expansion from strnvis() */
-		strnvis(msg, raw, len * 4, VIS_SAFE|VIS_OCTAL);
-		msg[len*4] = '\0';
+		strnvis(msg, raw, len * 4 + 1, VIS_SAFE|VIS_OCTAL);
 		fprintf(stderr, "%s", msg);
 		xfree(msg);
 	}
@@ -396,6 +421,7 @@ input_userauth_banner(int type, u_int32_t seq, void *ctxt)
 	xfree(lang);
 }
 
+/* ARGSUSED */
 void
 input_userauth_success(int type, u_int32_t seq, void *ctxt)
 {
@@ -413,6 +439,7 @@ input_userauth_success(int type, u_int32_t seq, void *ctxt)
 	authctxt->success = 1;			/* break out */
 }
 
+/* ARGSUSED */
 void
 input_userauth_failure(int type, u_int32_t seq, void *ctxt)
 {
@@ -433,6 +460,8 @@ input_userauth_failure(int type, u_int32_t seq, void *ctxt)
 
 	userauth(authctxt, authlist);
 }
+
+/* ARGSUSED */
 void
 input_userauth_pk_ok(int type, u_int32_t seq, void *ctxt)
 {
@@ -615,6 +644,7 @@ process_gssapi_token(void *ctxt, gss_buffer_t recv_tok)
 	return status;
 }
 
+/* ARGSUSED */
 void
 input_gssapi_response(int type, u_int32_t plen, void *ctxt)
 {
@@ -654,6 +684,7 @@ input_gssapi_response(int type, u_int32_t plen, void *ctxt)
 	}
 }
 
+/* ARGSUSED */
 void
 input_gssapi_token(int type, u_int32_t plen, void *ctxt)
 {
@@ -681,6 +712,7 @@ input_gssapi_token(int type, u_int32_t plen, void *ctxt)
 	}
 }
 
+/* ARGSUSED */
 void
 input_gssapi_errtok(int type, u_int32_t plen, void *ctxt)
 {
@@ -710,6 +742,7 @@ input_gssapi_errtok(int type, u_int32_t plen, void *ctxt)
 	/* Server will be returning a failed packet after this one */
 }
 
+/* ARGSUSED */
 void
 input_gssapi_error(int type, u_int32_t plen, void *ctxt)
 {
@@ -774,9 +807,11 @@ userauth_passwd(Authctxt *authctxt)
 
 	return 1;
 }
+
 /*
  * parse PASSWD_CHANGEREQ, prompt user and send SSH2_MSG_USERAUTH_REQUEST
  */
+/* ARGSUSED */
 void
 input_userauth_passwd_changereq(int type, u_int32_t seqnr, void *ctxt)
 {
@@ -841,6 +876,209 @@ input_userauth_passwd_changereq(int type, u_int32_t seqnr, void *ctxt)
 	    &input_userauth_passwd_changereq);
 }
 
+#ifdef JPAKE
+static char *
+pw_encrypt(const char *password, const char *crypt_scheme, const char *salt)
+{
+	/* OpenBSD crypt(3) handles all of these */
+	if (strcmp(crypt_scheme, "crypt") == 0 ||
+	    strcmp(crypt_scheme, "bcrypt") == 0 ||
+	    strcmp(crypt_scheme, "md5crypt") == 0 ||
+	    strcmp(crypt_scheme, "crypt-extended") == 0)
+		return xstrdup(crypt(password, salt));
+	error("%s: unsupported password encryption scheme \"%.100s\"",
+	    __func__, crypt_scheme);
+	return NULL;
+}
+
+static BIGNUM *
+jpake_password_to_secret(Authctxt *authctxt, const char *crypt_scheme,
+    const char *salt)
+{
+	char prompt[256], *password, *crypted;
+	u_char *secret;
+	u_int secret_len;
+	BIGNUM *ret;
+
+	snprintf(prompt, sizeof(prompt), "%.30s@%.128s's password (JPAKE): ",
+	    authctxt->server_user, authctxt->host);
+	password = read_passphrase(prompt, 0);
+
+	if ((crypted = pw_encrypt(password, crypt_scheme, salt)) == NULL) {
+		logit("Disabling %s authentication", authctxt->method->name);
+		authctxt->method->enabled = NULL;
+		/* Continue with an empty password to fail gracefully */
+		crypted = xstrdup("");
+	}
+
+#ifdef JPAKE_DEBUG
+	debug3("%s: salt = %s", __func__, salt);
+	debug3("%s: scheme = %s", __func__, crypt_scheme);
+	debug3("%s: crypted = %s", __func__, crypted);
+#endif
+
+	if (hash_buffer(crypted, strlen(crypted), EVP_sha256(),
+	    &secret, &secret_len) != 0)
+		fatal("%s: hash_buffer", __func__);
+
+	bzero(password, strlen(password));
+	bzero(crypted, strlen(crypted));
+	xfree(password);
+	xfree(crypted);
+
+	if ((ret = BN_bin2bn(secret, secret_len, NULL)) == NULL)
+		fatal("%s: BN_bin2bn (secret)", __func__);
+	bzero(secret, secret_len);
+	xfree(secret);
+
+	return ret;
+}
+
+/* ARGSUSED */
+void
+input_userauth_jpake_server_step1(int type, u_int32_t seq, void *ctxt)
+{
+	Authctxt *authctxt = ctxt;
+	struct jpake_ctx *pctx = authctxt->methoddata;
+	u_char *x3_proof, *x4_proof, *x2_s_proof;
+	u_int x3_proof_len, x4_proof_len, x2_s_proof_len;
+	char *crypt_scheme, *salt;
+
+	/* Disable this message */
+	dispatch_set(SSH2_MSG_USERAUTH_JPAKE_SERVER_STEP1, NULL);
+
+	if ((pctx->g_x3 = BN_new()) == NULL ||
+	    (pctx->g_x4 = BN_new()) == NULL)
+		fatal("%s: BN_new", __func__);
+
+	/* Fetch step 1 values */
+	crypt_scheme = packet_get_string(NULL);
+	salt = packet_get_string(NULL);
+	pctx->server_id = packet_get_string(&pctx->server_id_len);
+	packet_get_bignum2(pctx->g_x3);
+	packet_get_bignum2(pctx->g_x4);
+	x3_proof = packet_get_string(&x3_proof_len);
+	x4_proof = packet_get_string(&x4_proof_len);
+	packet_check_eom();
+
+	JPAKE_DEBUG_CTX((pctx, "step 1 received in %s", __func__));
+
+	/* Obtain password and derive secret */
+	pctx->s = jpake_password_to_secret(authctxt, crypt_scheme, salt);
+	bzero(crypt_scheme, strlen(crypt_scheme));
+	bzero(salt, strlen(salt));
+	xfree(crypt_scheme);
+	xfree(salt);
+	JPAKE_DEBUG_BN((pctx->s, "%s: s = ", __func__));
+
+	/* Calculate step 2 values */
+	jpake_step2(pctx->grp, pctx->s, pctx->g_x1,
+	    pctx->g_x3, pctx->g_x4, pctx->x2,
+	    pctx->server_id, pctx->server_id_len,
+	    pctx->client_id, pctx->client_id_len,
+	    x3_proof, x3_proof_len,
+	    x4_proof, x4_proof_len,
+	    &pctx->a,
+	    &x2_s_proof, &x2_s_proof_len);
+
+	bzero(x3_proof, x3_proof_len);
+	bzero(x4_proof, x4_proof_len);
+	xfree(x3_proof);
+	xfree(x4_proof);
+
+	JPAKE_DEBUG_CTX((pctx, "step 2 sending in %s", __func__));
+
+	/* Send values for step 2 */
+	packet_start(SSH2_MSG_USERAUTH_JPAKE_CLIENT_STEP2);
+	packet_put_bignum2(pctx->a);
+	packet_put_string(x2_s_proof, x2_s_proof_len);
+	packet_send();
+
+	bzero(x2_s_proof, x2_s_proof_len);
+	xfree(x2_s_proof);
+
+	/* Expect step 2 packet from peer */
+	dispatch_set(SSH2_MSG_USERAUTH_JPAKE_SERVER_STEP2,
+	    input_userauth_jpake_server_step2);
+}
+
+/* ARGSUSED */
+void
+input_userauth_jpake_server_step2(int type, u_int32_t seq, void *ctxt)
+{
+	Authctxt *authctxt = ctxt;
+	struct jpake_ctx *pctx = authctxt->methoddata;
+	u_char *x4_s_proof;
+	u_int x4_s_proof_len;
+
+	/* Disable this message */
+	dispatch_set(SSH2_MSG_USERAUTH_JPAKE_SERVER_STEP2, NULL);
+
+	if ((pctx->b = BN_new()) == NULL)
+		fatal("%s: BN_new", __func__);
+
+	/* Fetch step 2 values */
+	packet_get_bignum2(pctx->b);
+	x4_s_proof = packet_get_string(&x4_s_proof_len);
+	packet_check_eom();
+
+	JPAKE_DEBUG_CTX((pctx, "step 2 received in %s", __func__));
+
+	/* Derive shared key and calculate confirmation hash */
+	jpake_key_confirm(pctx->grp, pctx->s, pctx->b,
+	    pctx->x2, pctx->g_x1, pctx->g_x2, pctx->g_x3, pctx->g_x4,
+	    pctx->client_id, pctx->client_id_len,
+	    pctx->server_id, pctx->server_id_len,
+	    session_id2, session_id2_len,
+	    x4_s_proof, x4_s_proof_len,
+	    &pctx->k,
+	    &pctx->h_k_cid_sessid, &pctx->h_k_cid_sessid_len);
+
+	bzero(x4_s_proof, x4_s_proof_len);
+	xfree(x4_s_proof);
+
+	JPAKE_DEBUG_CTX((pctx, "confirm sending in %s", __func__));
+
+	/* Send key confirmation proof */
+	packet_start(SSH2_MSG_USERAUTH_JPAKE_CLIENT_CONFIRM);
+	packet_put_string(pctx->h_k_cid_sessid, pctx->h_k_cid_sessid_len);
+	packet_send();
+
+	/* Expect confirmation from peer */
+	dispatch_set(SSH2_MSG_USERAUTH_JPAKE_SERVER_CONFIRM,
+	    input_userauth_jpake_server_confirm);
+}
+
+/* ARGSUSED */
+void
+input_userauth_jpake_server_confirm(int type, u_int32_t seq, void *ctxt)
+{
+	Authctxt *authctxt = ctxt;
+	struct jpake_ctx *pctx = authctxt->methoddata;
+
+	/* Disable this message */
+	dispatch_set(SSH2_MSG_USERAUTH_JPAKE_SERVER_CONFIRM, NULL);
+
+	pctx->h_k_sid_sessid = packet_get_string(&pctx->h_k_sid_sessid_len);
+	packet_check_eom();
+
+	JPAKE_DEBUG_CTX((pctx, "confirm received in %s", __func__));
+
+	/* Verify expected confirmation hash */
+	if (jpake_check_confirm(pctx->k,
+	    pctx->server_id, pctx->server_id_len,
+	    session_id2, session_id2_len,
+	    pctx->h_k_sid_sessid, pctx->h_k_sid_sessid_len) == 1)
+		debug("%s: %s success", __func__, authctxt->method->name);
+	else {
+		debug("%s: confirmation mismatch", __func__);
+		/* XXX stash this so if auth succeeds then we can warn/kill */
+	}
+
+	userauth_jpake_cleanup(authctxt);
+}
+#endif /* JPAKE */
+
 static int
 identity_sign(Identity *id, u_char **sigp, u_int *lenp,
     u_char *data, u_int datalen)
@@ -1415,6 +1653,76 @@ userauth_hostbased(Authctxt *authctxt)
 	return 1;
 }
 
+#ifdef JPAKE
+int
+userauth_jpake(Authctxt *authctxt)
+{
+	struct jpake_ctx *pctx;
+	u_char *x1_proof, *x2_proof;
+	u_int x1_proof_len, x2_proof_len;
+	static int attempt = 0; /* XXX share with userauth_password's? */
+
+	if (attempt++ >= options.number_of_password_prompts)
+		return 0;
+	if (attempt != 1)
+		error("Permission denied, please try again.");
+
+	if (authctxt->methoddata != NULL)
+		fatal("%s: authctxt->methoddata already set (%p)",
+		    __func__, authctxt->methoddata);
+
+	authctxt->methoddata = pctx = jpake_new();
+
+	/*
+	 * Send request immediately, to get the protocol going while
+	 * we do the initial computations.
+	 */
+	packet_start(SSH2_MSG_USERAUTH_REQUEST);
+	packet_put_cstring(authctxt->server_user);
+	packet_put_cstring(authctxt->service);
+	packet_put_cstring(authctxt->method->name);
+	packet_send();
+	packet_write_wait();
+
+	jpake_step1(pctx->grp,
+	    &pctx->client_id, &pctx->client_id_len,
+	    &pctx->x1, &pctx->x2, &pctx->g_x1, &pctx->g_x2,
+	    &x1_proof, &x1_proof_len,
+	    &x2_proof, &x2_proof_len);
+
+	JPAKE_DEBUG_CTX((pctx, "step 1 sending in %s", __func__));
+
+	packet_start(SSH2_MSG_USERAUTH_JPAKE_CLIENT_STEP1);
+	packet_put_string(pctx->client_id, pctx->client_id_len);
+	packet_put_bignum2(pctx->g_x1);
+	packet_put_bignum2(pctx->g_x2);
+	packet_put_string(x1_proof, x1_proof_len);
+	packet_put_string(x2_proof, x2_proof_len);
+	packet_send();
+
+	bzero(x1_proof, x1_proof_len);
+	bzero(x2_proof, x2_proof_len);
+	xfree(x1_proof);
+	xfree(x2_proof);
+
+	/* Expect step 1 packet from peer */
+	dispatch_set(SSH2_MSG_USERAUTH_JPAKE_SERVER_STEP1,
+	    input_userauth_jpake_server_step1);
+
+	return 1;
+}
+
+void
+userauth_jpake_cleanup(Authctxt *authctxt)
+{
+	debug3("%s: clean up", __func__);
+	if (authctxt->methoddata != NULL) {
+		jpake_free(authctxt->methoddata);
+		authctxt->methoddata = NULL;
+	}
+}
+#endif /* JPAKE */
+
 /* find auth method */
 
 /*
@@ -1516,3 +1824,4 @@ authmethods_get(void)
 	buffer_free(&b);
 	return list;
 }
+