You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
419 lines
12 KiB
419 lines
12 KiB
var Socket = require('net').Socket;
|
|
var EventEmitter = require('events').EventEmitter;
|
|
var inherits = require('util').inherits;
|
|
var path = require('path');
|
|
var fs = require('fs');
|
|
var cp = require('child_process');
|
|
|
|
var readUInt32BE = require('./buffer-helpers').readUInt32BE;
|
|
var writeUInt32BE = require('./buffer-helpers').writeUInt32BE;
|
|
var writeUInt32LE = require('./buffer-helpers').writeUInt32LE;
|
|
|
|
var REQUEST_IDENTITIES = 11;
|
|
var IDENTITIES_ANSWER = 12;
|
|
var SIGN_REQUEST = 13;
|
|
var SIGN_RESPONSE = 14;
|
|
var FAILURE = 5;
|
|
|
|
var RE_CYGWIN_SOCK = /^\!<socket >(\d+) s ([A-Z0-9]{8}\-[A-Z0-9]{8}\-[A-Z0-9]{8}\-[A-Z0-9]{8})/;
|
|
|
|
// Format of `//./pipe/ANYTHING`, with forward slashes and backward slashes being interchangeable
|
|
var WINDOWS_PIPE_REGEX = /^[/\\][/\\]\.[/\\]pipe[/\\].+/;
|
|
|
|
module.exports = function(sockPath, key, keyType, data, cb) {
|
|
var sock;
|
|
var error;
|
|
var sig;
|
|
var datalen;
|
|
var keylen = 0;
|
|
var isSigning = Buffer.isBuffer(key);
|
|
var type;
|
|
var count = 0;
|
|
var siglen = 0;
|
|
var nkeys = 0;
|
|
var keys;
|
|
var comlen = 0;
|
|
var comment = false;
|
|
var accept;
|
|
var reject;
|
|
|
|
if (typeof key === 'function' && typeof keyType === 'function') {
|
|
// agent forwarding
|
|
accept = key;
|
|
reject = keyType;
|
|
} else if (isSigning) {
|
|
keylen = key.length;
|
|
datalen = data.length;
|
|
} else {
|
|
cb = key;
|
|
key = undefined;
|
|
}
|
|
|
|
function onconnect() {
|
|
var buf;
|
|
if (isSigning) {
|
|
/*
|
|
byte SSH2_AGENTC_SIGN_REQUEST
|
|
string key_blob
|
|
string data
|
|
uint32 flags
|
|
*/
|
|
var p = 9;
|
|
buf = Buffer.allocUnsafe(4 + 1 + 4 + keylen + 4 + datalen + 4);
|
|
writeUInt32BE(buf, buf.length - 4, 0);
|
|
buf[4] = SIGN_REQUEST;
|
|
writeUInt32BE(buf, keylen, 5);
|
|
key.copy(buf, p);
|
|
writeUInt32BE(buf, datalen, p += keylen);
|
|
data.copy(buf, p += 4);
|
|
writeUInt32BE(buf, 0, p += datalen);
|
|
sock.write(buf);
|
|
} else {
|
|
/*
|
|
byte SSH2_AGENTC_REQUEST_IDENTITIES
|
|
*/
|
|
sock.write(Buffer.from([0, 0, 0, 1, REQUEST_IDENTITIES]));
|
|
}
|
|
}
|
|
function ondata(chunk) {
|
|
for (var i = 0, len = chunk.length; i < len; ++i) {
|
|
if (type === undefined) {
|
|
// skip over packet length
|
|
if (++count === 5) {
|
|
type = chunk[i];
|
|
count = 0;
|
|
}
|
|
} else if (type === SIGN_RESPONSE) {
|
|
/*
|
|
byte SSH2_AGENT_SIGN_RESPONSE
|
|
string signature_blob
|
|
*/
|
|
if (!sig) {
|
|
siglen <<= 8;
|
|
siglen += chunk[i];
|
|
if (++count === 4) {
|
|
sig = Buffer.allocUnsafe(siglen);
|
|
count = 0;
|
|
}
|
|
} else {
|
|
sig[count] = chunk[i];
|
|
if (++count === siglen) {
|
|
sock.removeAllListeners('data');
|
|
return sock.destroy();
|
|
}
|
|
}
|
|
} else if (type === IDENTITIES_ANSWER) {
|
|
/*
|
|
byte SSH2_AGENT_IDENTITIES_ANSWER
|
|
uint32 num_keys
|
|
|
|
Followed by zero or more consecutive keys, encoded as:
|
|
|
|
string public key blob
|
|
string public key comment
|
|
*/
|
|
if (keys === undefined) {
|
|
nkeys <<= 8;
|
|
nkeys += chunk[i];
|
|
if (++count === 4) {
|
|
keys = new Array(nkeys);
|
|
count = 0;
|
|
if (nkeys === 0) {
|
|
sock.removeAllListeners('data');
|
|
return sock.destroy();
|
|
}
|
|
}
|
|
} else {
|
|
if (!key) {
|
|
keylen <<= 8;
|
|
keylen += chunk[i];
|
|
if (++count === 4) {
|
|
key = Buffer.allocUnsafe(keylen);
|
|
count = 0;
|
|
}
|
|
} else if (comment === false) {
|
|
key[count] = chunk[i];
|
|
if (++count === keylen) {
|
|
keys[nkeys - 1] = key;
|
|
keylen = 0;
|
|
count = 0;
|
|
comment = true;
|
|
if (--nkeys === 0) {
|
|
key = undefined;
|
|
sock.removeAllListeners('data');
|
|
return sock.destroy();
|
|
}
|
|
}
|
|
} else if (comment === true) {
|
|
comlen <<= 8;
|
|
comlen += chunk[i];
|
|
if (++count === 4) {
|
|
count = 0;
|
|
if (comlen > 0)
|
|
comment = comlen;
|
|
else {
|
|
key = undefined;
|
|
comment = false;
|
|
}
|
|
comlen = 0;
|
|
}
|
|
} else {
|
|
// skip comments
|
|
if (++count === comment) {
|
|
comment = false;
|
|
count = 0;
|
|
key = undefined;
|
|
}
|
|
}
|
|
}
|
|
} else if (type === FAILURE) {
|
|
if (isSigning)
|
|
error = new Error('Agent unable to sign data');
|
|
else
|
|
error = new Error('Unable to retrieve list of keys from agent');
|
|
sock.removeAllListeners('data');
|
|
return sock.destroy();
|
|
}
|
|
}
|
|
}
|
|
function onerror(err) {
|
|
error = err;
|
|
}
|
|
function onclose() {
|
|
if (error)
|
|
cb(error);
|
|
else if ((isSigning && !sig) || (!isSigning && !keys))
|
|
cb(new Error('Unexpected disconnection from agent'));
|
|
else if (isSigning && sig)
|
|
cb(undefined, sig);
|
|
else if (!isSigning && keys)
|
|
cb(undefined, keys);
|
|
}
|
|
|
|
if (process.platform === 'win32' && !WINDOWS_PIPE_REGEX.test(sockPath)) {
|
|
if (sockPath === 'pageant') {
|
|
// Pageant (PuTTY authentication agent)
|
|
sock = new PageantSock();
|
|
} else {
|
|
// cygwin ssh-agent instance
|
|
var triedCygpath = false;
|
|
fs.readFile(sockPath, function readCygsocket(err, data) {
|
|
if (err) {
|
|
if (triedCygpath)
|
|
return cb(new Error('Invalid cygwin unix socket path'));
|
|
// try using `cygpath` to convert a possible *nix-style path to the
|
|
// real Windows path before giving up ...
|
|
cp.exec('cygpath -w "' + sockPath + '"',
|
|
function(err, stdout, stderr) {
|
|
if (err || stdout.length === 0)
|
|
return cb(new Error('Invalid cygwin unix socket path'));
|
|
triedCygpath = true;
|
|
sockPath = stdout.toString().replace(/[\r\n]/g, '');
|
|
fs.readFile(sockPath, readCygsocket);
|
|
});
|
|
return;
|
|
}
|
|
|
|
var m;
|
|
if (m = RE_CYGWIN_SOCK.exec(data.toString('ascii'))) {
|
|
var port;
|
|
var secret;
|
|
var secretbuf;
|
|
var state;
|
|
var bc = 0;
|
|
var isRetrying = false;
|
|
var inbuf = [];
|
|
var credsbuf = Buffer.allocUnsafe(12);
|
|
var i;
|
|
var j;
|
|
|
|
// use 0 for pid, uid, and gid to ensure we get an error and also
|
|
// a valid uid and gid from cygwin so that we don't have to figure it
|
|
// out ourselves
|
|
credsbuf.fill(0);
|
|
|
|
// parse cygwin unix socket file contents
|
|
port = parseInt(m[1], 10);
|
|
secret = m[2].replace(/\-/g, '');
|
|
secretbuf = Buffer.allocUnsafe(16);
|
|
for (i = 0, j = 0; j < 32; ++i,j+=2)
|
|
secretbuf[i] = parseInt(secret.substring(j, j + 2), 16);
|
|
|
|
// convert to host order (always LE for Windows)
|
|
for (i = 0; i < 16; i += 4)
|
|
writeUInt32LE(secretbuf, readUInt32BE(secretbuf, i), i);
|
|
|
|
function _onconnect() {
|
|
bc = 0;
|
|
state = 'secret';
|
|
sock.write(secretbuf);
|
|
}
|
|
function _ondata(data) {
|
|
bc += data.length;
|
|
if (state === 'secret') {
|
|
// the secret we sent is echoed back to us by cygwin, not sure of
|
|
// the reason for that, but we ignore it nonetheless ...
|
|
if (bc === 16) {
|
|
bc = 0;
|
|
state = 'creds';
|
|
sock.write(credsbuf);
|
|
}
|
|
} else if (state === 'creds') {
|
|
// if this is the first attempt, make sure to gather the valid
|
|
// uid and gid for our next attempt
|
|
if (!isRetrying)
|
|
inbuf.push(data);
|
|
|
|
if (bc === 12) {
|
|
sock.removeListener('connect', _onconnect);
|
|
sock.removeListener('data', _ondata);
|
|
sock.removeListener('close', _onclose);
|
|
if (isRetrying) {
|
|
addSockListeners();
|
|
sock.emit('connect');
|
|
} else {
|
|
isRetrying = true;
|
|
credsbuf = Buffer.concat(inbuf);
|
|
writeUInt32LE(credsbuf, process.pid, 0);
|
|
sock.destroy();
|
|
tryConnect();
|
|
}
|
|
}
|
|
}
|
|
}
|
|
function _onclose() {
|
|
cb(new Error('Problem negotiating cygwin unix socket security'));
|
|
}
|
|
function tryConnect() {
|
|
sock = new Socket();
|
|
sock.once('connect', _onconnect);
|
|
sock.on('data', _ondata);
|
|
sock.once('close', _onclose);
|
|
sock.connect(port);
|
|
}
|
|
tryConnect();
|
|
} else
|
|
cb(new Error('Malformed cygwin unix socket file'));
|
|
});
|
|
return;
|
|
}
|
|
} else
|
|
sock = new Socket();
|
|
|
|
function addSockListeners() {
|
|
if (!accept && !reject) {
|
|
sock.once('connect', onconnect);
|
|
sock.on('data', ondata);
|
|
sock.once('error', onerror);
|
|
sock.once('close', onclose);
|
|
} else {
|
|
var chan;
|
|
sock.once('connect', function() {
|
|
chan = accept();
|
|
var isDone = false;
|
|
function onDone() {
|
|
if (isDone)
|
|
return;
|
|
sock.destroy();
|
|
isDone = true;
|
|
}
|
|
chan.once('end', onDone)
|
|
.once('close', onDone)
|
|
.on('data', function(data) {
|
|
sock.write(data);
|
|
});
|
|
sock.on('data', function(data) {
|
|
chan.write(data);
|
|
});
|
|
});
|
|
sock.once('close', function() {
|
|
if (!chan)
|
|
reject();
|
|
});
|
|
}
|
|
}
|
|
addSockListeners();
|
|
sock.connect(sockPath);
|
|
};
|
|
|
|
|
|
// win32 only ------------------------------------------------------------------
|
|
if (process.platform === 'win32') {
|
|
var RET_ERR_BADARGS = 10;
|
|
var RET_ERR_UNAVAILABLE = 11;
|
|
var RET_ERR_NOMAP = 12;
|
|
var RET_ERR_BINSTDIN = 13;
|
|
var RET_ERR_BINSTDOUT = 14;
|
|
var RET_ERR_BADLEN = 15;
|
|
|
|
var ERROR = {};
|
|
var EXEPATH = path.resolve(__dirname, '..', 'util/pagent.exe');
|
|
ERROR[RET_ERR_BADARGS] = new Error('Invalid pagent.exe arguments');
|
|
ERROR[RET_ERR_UNAVAILABLE] = new Error('Pageant is not running');
|
|
ERROR[RET_ERR_NOMAP] = new Error('pagent.exe could not create an mmap');
|
|
ERROR[RET_ERR_BINSTDIN] = new Error('pagent.exe could not set mode for stdin');
|
|
ERROR[RET_ERR_BINSTDOUT] = new Error('pagent.exe could not set mode for stdout');
|
|
ERROR[RET_ERR_BADLEN] = new Error('pagent.exe did not get expected input payload');
|
|
|
|
function PageantSock() {
|
|
this.proc = undefined;
|
|
this.buffer = null;
|
|
}
|
|
inherits(PageantSock, EventEmitter);
|
|
|
|
PageantSock.prototype.write = function(buf) {
|
|
if (this.buffer === null)
|
|
this.buffer = buf;
|
|
else {
|
|
this.buffer = Buffer.concat([this.buffer, buf],
|
|
this.buffer.length + buf.length);
|
|
}
|
|
// Wait for at least all length bytes
|
|
if (this.buffer.length < 4)
|
|
return;
|
|
|
|
var len = readUInt32BE(this.buffer, 0);
|
|
// Make sure we have a full message before querying pageant
|
|
if ((this.buffer.length - 4) < len)
|
|
return;
|
|
|
|
buf = this.buffer.slice(0, 4 + len);
|
|
if (this.buffer.length > (4 + len))
|
|
this.buffer = this.buffer.slice(4 + len);
|
|
else
|
|
this.buffer = null;
|
|
|
|
var self = this;
|
|
var proc;
|
|
var hadError = false;
|
|
proc = this.proc = cp.spawn(EXEPATH, [ buf.length ]);
|
|
proc.stdout.on('data', function(data) {
|
|
self.emit('data', data);
|
|
});
|
|
proc.once('error', function(err) {
|
|
if (!hadError) {
|
|
hadError = true;
|
|
self.emit('error', err);
|
|
}
|
|
});
|
|
proc.once('close', function(code) {
|
|
self.proc = undefined;
|
|
if (ERROR[code] && !hadError) {
|
|
hadError = true;
|
|
self.emit('error', ERROR[code]);
|
|
}
|
|
self.emit('close', hadError);
|
|
});
|
|
proc.stdin.end(buf);
|
|
};
|
|
PageantSock.prototype.end = PageantSock.prototype.destroy = function() {
|
|
this.buffer = null;
|
|
if (this.proc) {
|
|
this.proc.kill();
|
|
this.proc = undefined;
|
|
}
|
|
};
|
|
PageantSock.prototype.connect = function() {
|
|
this.emit('connect');
|
|
};
|
|
}
|
|
|