Generate and use a private key for SSH connections.

49b335f3 · Deucе · 4785e858 · 49b335f3 · 49b335f3 · 49b335f3
Commit 49b335f3 authored 1 year ago by Deucе
--- a/src/syncterm/ssh.c
+++ b/src/syncterm/ssh.c
@@ -244,17 +244,34 @@ sftp_send(uint8_t *buf, size_t sz, void *cb_data)
 }
 #endif

+static void
+error_popup(struct bbslist *bbs, const char *blurb, int status)
+{
+	char str[1024];
+	sprintf(str, "Error %d %s", status, blurb);
+	if (!bbs->hidepopups)
+		uifcmsg("Error %s", str);
+	conn_api.terminate = 1;
+	if (!bbs->hidepopups)
+		uifc.pop(NULL);
+}
+
+#define KEY_PASSWORD "TODO:ThisIsDumb"
+#define KEY_LABEL "ssh_key"
 int
 ssh_connect(struct bbslist *bbs)
 {
-	int         off = 1;
-	int         status;
-	char        password[MAX_PASSWD_LEN + 1];
-	char        username[MAX_USER_LEN + 1];
-	int         rows, cols;
-	const char *term;
-	int         slen;
-	uint8_t     server_fp[sizeof(bbs->ssh_fingerprint)];
+	int           off = 1;
+	int           status;
+	char          password[MAX_PASSWD_LEN + 1];
+	char          username[MAX_USER_LEN + 1];
+	int           rows, cols;
+	const char   *term;
+	int           slen;
+	uint8_t       server_fp[sizeof(bbs->ssh_fingerprint)];
+	char          path[MAX_PATH+1];
+	CRYPT_KEYSET  ssh_keyset;
+	CRYPT_CONTEXT ssh_context;

 	ssh_channel = -1;
 	sftp_channel = -1;
@@ -278,6 +295,60 @@ ssh_connect(struct bbslist *bbs)
 		}
 	}

+	get_syncterm_filename(path, sizeof(path), SYNCTERM_PATH_KEYS, false);
+	if(cryptStatusOK(cl.KeysetOpen(&ssh_keyset, CRYPT_UNUSED, CRYPT_KEYSET_FILE, path, CRYPT_KEYOPT_READONLY))) {
+		status = cl.GetPrivateKey(ssh_keyset, &ssh_context, CRYPT_KEYID_NAME, KEY_LABEL, KEY_PASSWORD);
+		if(cryptStatusError(status)) {
+			error_popup(bbs, "creating context", status);
+		}
+		status = cl.KeysetClose(ssh_keyset);
+		if (cryptStatusError(status)) {
+			error_popup(bbs, "closing keyset", status);
+		}
+	}
+	else {
+		do {
+			/* Couldn't do that... create a new context and use the key from there... */
+			status = cl.CreateContext(&ssh_context, CRYPT_UNUSED, CRYPT_ALGO_RSA);
+			if (cryptStatusError(status)) {
+				error_popup(bbs, "creating context", status);
+				break;
+			}
+			status = cl.SetAttributeString(ssh_context, CRYPT_CTXINFO_LABEL, KEY_LABEL, 10);
+			if (cryptStatusError(status)) {
+				error_popup(bbs, "setting label", status);
+				break;
+			}
+			status = cl.GenerateKey(ssh_context);
+			if (cryptStatusError(status)) {
+				error_popup(bbs, "generating key", status);
+				break;
+			}
+
+			/* Ok, now try saving this one... use the syspass to encrypt it. */
+			status = cl.KeysetOpen(&ssh_keyset, CRYPT_UNUSED, CRYPT_KEYSET_FILE, path, CRYPT_KEYOPT_CREATE);
+			if (cryptStatusError(status)) {
+				error_popup(bbs, "creating keyset", status);
+				break;
+			}
+			status = cl.AddPrivateKey(ssh_keyset, ssh_context, KEY_PASSWORD);
+			if (cryptStatusError(status)) {
+				cl.KeysetClose(ssh_keyset);
+				error_popup(bbs, "adding private key", status);
+				break;
+			}
+			status = cl.KeysetClose(ssh_keyset);
+			if (cryptStatusError(status)) {
+				error_popup(bbs, "closing keyset", status);
+				break;
+			}
+		} while(0);
+	}
+	if (cryptStatusError(status)) {
+		cl.DestroyContext(ssh_context);
+		ssh_context = -1;
+	}
+
 	ssh_sock = conn_socket_connect(bbs);
 	if (ssh_sock == INVALID_SOCKET)
 		return -1;
@@ -288,13 +359,7 @@ ssh_connect(struct bbslist *bbs)
 		uifc.pop("Creating Session");
 	status = cl.CreateSession(&ssh_session, CRYPT_UNUSED, CRYPT_SESSION_SSH);
 	if (cryptStatusError(status)) {
-		char str[1024];
-		sprintf(str, "Error %d creating session", status);
-		if (!bbs->hidepopups)
-			uifcmsg("Error creating session", str);
-		conn_api.terminate = 1;
-		if (!bbs->hidepopups)
-			uifc.pop(NULL);
+		error_popup(bbs, "creating session", status);
 		return -1;
 	}

@@ -322,13 +387,7 @@ ssh_connect(struct bbslist *bbs)
        /* Add username/password */
 	status = cl.SetAttributeString(ssh_session, CRYPT_SESSINFO_USERNAME, username, strlen(username));
 	if (cryptStatusError(status)) {
-		char str[1024];
-		sprintf(str, "Error %d setting username", status);
-		if (!bbs->hidepopups)
-			uifcmsg("Error setting username", str);
-		conn_api.terminate = 1;
-		if (!bbs->hidepopups)
-			uifc.pop(NULL);
+		error_popup(bbs, "setting username", status);
 		return -1;
 	}

@@ -337,13 +396,7 @@ ssh_connect(struct bbslist *bbs)
 	if (bbs->conn_type == CONN_TYPE_SSHNA) {
 		status = cl.SetAttribute(ssh_session, CRYPT_SESSINFO_SSH_OPTIONS, CRYPT_SSHOPTION_NONE_AUTH);
 		if (cryptStatusError(status)) {
-			char str[1024];
-			sprintf(str, "Error %d disabling password auth", status);
-			if (!bbs->hidepopups)
-				uifcmsg("Error disabling password auth", str);
-			conn_api.terminate = 1;
-			if (!bbs->hidepopups)
-				uifc.pop(NULL);
+			error_popup(bbs, "disabling password auth", status);
 			return -1;
 		}
 	}
@@ -360,13 +413,15 @@ ssh_connect(struct bbslist *bbs)
 			uifc.pop("Setting Password");
 		status = cl.SetAttributeString(ssh_session, CRYPT_SESSINFO_PASSWORD, password, strlen(password));
 		if (cryptStatusError(status)) {
-			char str[1024];
-			sprintf(str, "Error %d setting password", status);
-			if (!bbs->hidepopups)
-				uifcmsg("Error setting password", str);
-			conn_api.terminate = 1;
-			if (!bbs->hidepopups)
-				uifc.pop(NULL);
+			error_popup(bbs, "setting password", status);
+			return -1;
+		}
+
+		if (!bbs->hidepopups)
+			uifc.pop("Setting Private Key");
+		status = cl.SetAttribute(ssh_session, CRYPT_SESSINFO_PRIVATEKEY, ssh_context);
+		if (cryptStatusError(status)) {
+			error_popup(bbs, "setting private key", status);
 			return -1;
 		}
 	}
@@ -379,13 +434,7 @@ ssh_connect(struct bbslist *bbs)
        /* Pass socket to cryptlib */
 	status = cl.SetAttribute(ssh_session, CRYPT_SESSINFO_NETWORKSOCKET, ssh_sock);
 	if (cryptStatusError(status)) {
-		char str[1024];
-		sprintf(str, "Error %d passing socket", status);
-		if (!bbs->hidepopups)
-			uifcmsg("Error passing socket", str);
-		conn_api.terminate = 1;
-		if (!bbs->hidepopups)
-			uifc.pop(NULL);
+		error_popup(bbs, "passing socket", status);
 		return -1;
 	}


--- a/src/syncterm/st_crypt.c
+++ b/src/syncterm/st_crypt.c
@@ -54,6 +54,13 @@ init_crypt(void)
 	cl.DestroySession = cryptDestroySession;
 	cl.AddRandom = cryptAddRandom;
 	cl.DeleteAttribute = cryptDeleteAttribute;
+	cl.KeysetOpen = cryptKeysetOpen;
+	cl.KeysetClose = cryptKeysetClose;
+	cl.GenerateKey = cryptGenerateKey;
+	cl.AddPrivateKey = cryptAddPrivateKey;
+	cl.GetPrivateKey = cryptGetPrivateKey;
+	cl.CreateContext = cryptCreateContext;
+	cl.DestroyContext = cryptDestroyContext;
 #else
 	cryptlib = xp_dlopen(libnames, RTLD_LAZY, CRYPTLIB_VERSION / 1000);
 	if (cryptlib == NULL)
@@ -110,6 +117,35 @@ init_crypt(void)
 		xp_dlclose(cryptlib);
 		return -1;
 	}
+
+	if ((cl.KeysetOpen = xp_dlsym(cryptlib, cryptKeysetOpen)) == NULL) {
+		xp_dlclose(cryptlib);
+		return -1;
+	}
+	if ((cl.KeysetClose = xp_dlsym(cryptlib, cryptKeysetClose)) == NULL) {
+		xp_dlclose(cryptlib);
+		return -1;
+	}
+	if ((cl.GenerateKey = xp_dlsym(cryptlib, cryptGenerateKey)) == NULL) {
+		xp_dlclose(cryptlib);
+		return -1;
+	}
+	if ((cl.AddPrivateKey = xp_dlsym(cryptlib, cryptAddPrivateKey)) == NULL) {
+		xp_dlclose(cryptlib);
+		return -1;
+	}
+	if ((cl.GetPrivateKey = xp_dlsym(cryptlib, cryptGetPrivateKey)) == NULL) {
+		xp_dlclose(cryptlib);
+		return -1;
+	}
+	if ((cl.CreateContext = xp_dlsym(cryptlib, cryptCreateContext)) == NULL) {
+		xp_dlclose(cryptlib);
+		return -1;
+	}
+	if ((cl.DestroyContext = xp_dlsym(cryptlib, cryptDestroyContext)) == NULL) {
+		xp_dlclose(cryptlib);
+		return -1;
+	}
 #endif /* ifdef STATIC_CRYPTLIB */
 	if (cryptStatusOK(cl.Init())) {
 		if (cryptStatusOK(cl.AddRandom(NULL, CRYPT_RANDOM_SLOWPOLL))) {

--- a/src/syncterm/st_crypt.h
+++ b/src/syncterm/st_crypt.h
@@ -39,6 +39,23 @@ struct crypt_funcs {
 	int (*AddRandom)(C_IN void C_PTR randomData, C_IN int randomDataLength);
 	int (*DeleteAttribute)(C_IN CRYPT_HANDLE cryptHandle,
 	    C_IN CRYPT_ATTRIBUTE_TYPE            attributeType);
+	int (*KeysetOpen)(C_OUT CRYPT_KEYSET C_PTR keyset,
+            C_IN CRYPT_USER cryptUser,
+            C_IN CRYPT_KEYSET_TYPE keysetType,
+            C_IN C_STR name, C_IN CRYPT_KEYOPT_TYPE options);
+        int (*KeysetClose)(C_IN CRYPT_KEYSET keyset);
+        int (*GenerateKey)(C_IN CRYPT_CONTEXT cryptContext);
+	int (*AddPrivateKey)(C_IN CRYPT_KEYSET keyset,
+	    C_IN CRYPT_HANDLE cryptKey,
+	    C_IN C_STR password );
+	int (*GetPrivateKey)(C_IN CRYPT_KEYSET keyset,
+	    C_OUT CRYPT_CONTEXT C_PTR cryptContext,
+	    C_IN CRYPT_KEYID_TYPE keyIDtype,
+	    C_IN C_STR keyID, C_IN_OPT C_STR password );
+	int (*CreateContext)(C_OUT CRYPT_CONTEXT C_PTR cryptContext,
+	    C_IN CRYPT_USER cryptUser,
+	    C_IN CRYPT_ALGO_TYPE cryptAlgo);
+	int (*DestroyContext)(C_IN CRYPT_CONTEXT cryptContext);
 };

 #endif // ifndef WITHOUT_CRYPTLIB

--- a/src/syncterm/syncterm.c
+++ b/src/syncterm/syncterm.c
@@ -983,6 +983,7 @@ get_new_OSX_filename(char *fn, int fnlen, int type, int shared)
 	switch (type) {
 		case SYNCTERM_PATH_INI:
 		case SYNCTERM_PATH_LIST:
+		case SYNCTERM_PATH_KEYS:
 			if (FSFindFolder(shared ? kLocalDomain : kUserDomain, kPreferencesFolderType, kCreateFolder,
 			    &ref) != noErr)
 				return NULL;
@@ -1027,6 +1028,9 @@ get_new_OSX_filename(char *fn, int fnlen, int type, int shared)
 		case SYNCTERM_PATH_LIST:
 			strncat(fn, "SyncTERM.lst", fnlen - strlen(fn) - 1);
 			return fn;
+		case SYNCTERM_PATH_KEYS:
+			strncat(fn, "SyncTERM.ssh", fnlen - strlen(fn) - 1);
+			return fn;
 	}
 	return NULL;
 }
@@ -1083,6 +1087,7 @@ get_syncterm_filename(char *fn, int fnlen, int type, bool shared)
 			switch (type) {
 				case SYNCTERM_PATH_INI:
 				case SYNCTERM_PATH_LIST:
+				case SYNCTERM_PATH_KEYS:
 					if (shared) {
 						if (GKFP(&FOLDERID_ProgramData, KF_FLAG_CREATE, NULL, &path) == S_OK)
 							we_got_this = true;
@@ -1190,6 +1195,10 @@ get_syncterm_filename(char *fn, int fnlen, int type, bool shared)
 					fn[0] = 0;
 			}
 			break;
+		case SYNCTERM_PATH_INI:
+			backslash(fn);
+			strncat(fn, "syncterm.ssh", fnlen - strlen(fn) - 1);
+			break;
 	}
 #else /* ifdef _WIN32 */
        /* UNIX */
@@ -1275,6 +1284,9 @@ get_syncterm_filename(char *fn, int fnlen, int type, bool shared)
 			}
 #endif
 			break;
+		case SYNCTERM_PATH_KEYS:
+			strncat(fn, "syncterm.ssh", fnlen - strlen(fn) - 1);
+			break;
 	}

 #if defined(__APPLE__) && defined(__MACH__)

--- a/src/syncterm/syncterm.h
+++ b/src/syncterm/syncterm.h
@@ -20,6 +20,8 @@ enum {
 	SYNCTERM_DEFAULT_TRANSFER_PATH
 	,
 	SYNCTERM_PATH_CACHE
+	,
+	SYNCTERM_PATH_KEYS
 };

 /* Default modem device */