*/
#include "includes.h"
-RCSID("$OpenBSD: auth-rsa.c,v 1.44 2001/07/23 18:14:58 stevesk Exp $");
+RCSID("$OpenBSD: auth-rsa.c,v 1.50 2001/12/28 14:50:54 markus Exp $");
#include <openssl/rsa.h>
#include <openssl/md5.h>
#include "log.h"
#include "servconf.h"
#include "auth.h"
+#include "hostfile.h"
/* import */
extern ServerOptions options;
u_char buf[32], mdbuf[16], response[16];
MD5_CTX md;
u_int i;
- int plen, len;
+ int len;
- encrypted_challenge = BN_new();
- challenge = BN_new();
+ if ((encrypted_challenge = BN_new()) == NULL)
+ fatal("auth_rsa_challenge_dialog: BN_new() failed");
+ if ((challenge = BN_new()) == NULL)
+ fatal("auth_rsa_challenge_dialog: BN_new() failed");
/* Generate a random challenge. */
BN_rand(challenge, 256, 0, 0);
- ctx = BN_CTX_new();
+ if ((ctx = BN_CTX_new()) == NULL)
+ fatal("auth_rsa_challenge_dialog: BN_CTX_new() failed");
BN_mod(challenge, challenge, pk->n, ctx);
BN_CTX_free(ctx);
packet_write_wait();
/* Wait for a response. */
- packet_read_expect(&plen, SSH_CMSG_AUTH_RSA_RESPONSE);
- packet_integrity_check(plen, 16, SSH_CMSG_AUTH_RSA_RESPONSE);
+ packet_read_expect(SSH_CMSG_AUTH_RSA_RESPONSE);
for (i = 0; i < 16; i++)
response[i] = packet_get_char();
+ packet_check_eom();
/* The response is MD5 of decrypted challenge plus session id. */
len = BN_num_bytes(challenge);
FILE *f;
u_long linenum = 0;
struct stat st;
- RSA *pk;
+ Key *key;
+ char *fp;
/* no user given */
if (pw == NULL)
/* Flag indicating whether authentication has succeeded. */
authenticated = 0;
- pk = RSA_new();
- pk->e = BN_new();
- pk->n = BN_new();
+ key = key_new(KEY_RSA1);
/*
* Go though the accepted keys, looking for the current key. If
options = NULL;
/* Parse the key from the line. */
- if (!auth_rsa_read_key(&cp, &bits, pk->e, pk->n)) {
+ if (hostfile_read_key(&cp, &bits, key) == 0) {
debug("%.100s, line %lu: non ssh1 key syntax",
file, linenum);
continue;
/* cp now points to the comment part. */
/* Check if the we have found the desired key (identified by its modulus). */
- if (BN_cmp(pk->n, client_n) != 0)
+ if (BN_cmp(key->rsa->n, client_n) != 0)
continue;
/* check the real bits */
- if (bits != BN_num_bits(pk->n))
+ if (bits != BN_num_bits(key->rsa->n))
log("Warning: %s, line %lu: keysize mismatch: "
"actual %d vs. announced %d.",
- file, linenum, BN_num_bits(pk->n), bits);
+ file, linenum, BN_num_bits(key->rsa->n), bits);
/* We have found the desired key. */
/*
continue;
/* Perform the challenge-response dialog for this key. */
- if (!auth_rsa_challenge_dialog(pk)) {
+ if (!auth_rsa_challenge_dialog(key->rsa)) {
/* Wrong response. */
verbose("Wrong response to RSA authentication challenge.");
packet_send_debug("Wrong response to RSA authentication challenge.");
- continue;
+ /*
+ * Break out of the loop. Otherwise we might send
+ * another challenge and break the protocol.
+ */
+ break;
}
/*
* Correct response. The client has been successfully
* otherwise continue searching.
*/
authenticated = 1;
+
+ fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX);
+ verbose("Found matching %s key: %s",
+ key_type(key), fp);
+ xfree(fp);
+
break;
}
xfree(file);
fclose(f);
- RSA_free(pk);
+ key_free(key);
if (authenticated)
packet_send_debug("RSA authentication accepted.");