X-Git-Url: http://andersk.mit.edu/gitweb/gssapi-openssh.git/blobdiff_plain/22616013c4eef383b19b8ad4f95780a316d0a51b..9f2c8cb950fea61c599edeb9721aca66f4bd61f6:/openssh/auth-rsa.c diff --git a/openssh/auth-rsa.c b/openssh/auth-rsa.c index bf54620..701d8bd 100644 --- a/openssh/auth-rsa.c +++ b/openssh/auth-rsa.c @@ -1,4 +1,3 @@ -/* $OpenBSD: auth-rsa.c,v 1.73 2008/07/02 12:03:51 dtucker Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -15,38 +14,23 @@ */ #include "includes.h" - -#include -#include +RCSID("$OpenBSD: auth-rsa.c,v 1.44 2001/07/23 18:14:58 stevesk Exp $"); #include #include -#include -#include -#include -#include - -#include "xmalloc.h" #include "rsa.h" #include "packet.h" +#include "xmalloc.h" #include "ssh1.h" +#include "mpaux.h" #include "uidswap.h" #include "match.h" -#include "buffer.h" #include "auth-options.h" #include "pathnames.h" #include "log.h" #include "servconf.h" -#include "key.h" -#include "hostfile.h" #include "auth.h" -#ifdef GSSAPI -#include "ssh-gss.h" -#endif -#include "monitor_wrap.h" -#include "ssh.h" -#include "misc.h" /* import */ extern ServerOptions options; @@ -63,64 +47,10 @@ extern u_char session_id[16]; * options bits e n comment * where bits, e and n are decimal numbers, * and comment is any string of characters up to newline. The maximum - * length of a line is SSH_MAX_PUBKEY_BYTES characters. See sshd(8) for a + * length of a line is 8000 characters. See the documentation for a * description of the options. */ -BIGNUM * -auth_rsa_generate_challenge(Key *key) -{ - BIGNUM *challenge; - BN_CTX *ctx; - - if ((challenge = BN_new()) == NULL) - fatal("auth_rsa_generate_challenge: BN_new() failed"); - /* Generate a random challenge. */ - if (BN_rand(challenge, 256, 0, 0) == 0) - fatal("auth_rsa_generate_challenge: BN_rand failed"); - if ((ctx = BN_CTX_new()) == NULL) - fatal("auth_rsa_generate_challenge: BN_CTX_new failed"); - if (BN_mod(challenge, challenge, key->rsa->n, ctx) == 0) - fatal("auth_rsa_generate_challenge: BN_mod failed"); - BN_CTX_free(ctx); - - return challenge; -} - -int -auth_rsa_verify_response(Key *key, BIGNUM *challenge, u_char response[16]) -{ - u_char buf[32], mdbuf[16]; - MD5_CTX md; - int len; - - /* don't allow short keys */ - if (BN_num_bits(key->rsa->n) < SSH_RSA_MINIMUM_MODULUS_SIZE) { - error("auth_rsa_verify_response: RSA modulus too small: %d < minimum %d bits", - BN_num_bits(key->rsa->n), SSH_RSA_MINIMUM_MODULUS_SIZE); - return (0); - } - - /* The response is MD5 of decrypted challenge plus session id. */ - len = BN_num_bytes(challenge); - if (len <= 0 || len > 32) - fatal("auth_rsa_verify_response: bad challenge length %d", len); - memset(buf, 0, 32); - BN_bn2bin(challenge, buf + 32 - len); - MD5_Init(&md); - MD5_Update(&md, buf, 32); - MD5_Update(&md, session_id, 16); - MD5_Final(mdbuf, &md); - - /* Verify that the response is the original challenge. */ - if (memcmp(response, mdbuf, 16) != 0) { - /* Wrong answer. */ - return (0); - } - /* Correct answer. */ - return (1); -} - /* * Performs the RSA authentication challenge-response dialog with the client, * and returns true (non-zero) if the client gave the correct answer to @@ -128,19 +58,26 @@ auth_rsa_verify_response(Key *key, BIGNUM *challenge, u_char response[16]) */ int -auth_rsa_challenge_dialog(Key *key) +auth_rsa_challenge_dialog(RSA *pk) { BIGNUM *challenge, *encrypted_challenge; - u_char response[16]; - int i, success; + BN_CTX *ctx; + u_char buf[32], mdbuf[16], response[16]; + MD5_CTX md; + u_int i; + int plen, len; - if ((encrypted_challenge = BN_new()) == NULL) - fatal("auth_rsa_challenge_dialog: BN_new() failed"); + encrypted_challenge = BN_new(); + challenge = BN_new(); - challenge = PRIVSEP(auth_rsa_generate_challenge(key)); + /* Generate a random challenge. */ + BN_rand(challenge, 256, 0, 0); + ctx = BN_CTX_new(); + BN_mod(challenge, challenge, pk->n, ctx); + BN_CTX_free(ctx); /* Encrypt the challenge with the public key. */ - rsa_public_encrypt(encrypted_challenge, challenge, key->rsa); + rsa_public_encrypt(encrypted_challenge, challenge, pk); /* Send the encrypted challenge to the client. */ packet_start(SSH_SMSG_AUTH_RSA_CHALLENGE); @@ -150,30 +87,52 @@ auth_rsa_challenge_dialog(Key *key) packet_write_wait(); /* Wait for a response. */ - packet_read_expect(SSH_CMSG_AUTH_RSA_RESPONSE); + packet_read_expect(&plen, SSH_CMSG_AUTH_RSA_RESPONSE); + packet_integrity_check(plen, 16, SSH_CMSG_AUTH_RSA_RESPONSE); for (i = 0; i < 16; i++) - response[i] = (u_char)packet_get_char(); - packet_check_eom(); + response[i] = packet_get_char(); - success = PRIVSEP(auth_rsa_verify_response(key, challenge, response)); + /* The response is MD5 of decrypted challenge plus session id. */ + len = BN_num_bytes(challenge); + if (len <= 0 || len > 32) + fatal("auth_rsa_challenge_dialog: bad challenge length %d", len); + memset(buf, 0, 32); + BN_bn2bin(challenge, buf + 32 - len); + MD5_Init(&md); + MD5_Update(&md, buf, 32); + MD5_Update(&md, session_id, 16); + MD5_Final(mdbuf, &md); BN_clear_free(challenge); - return (success); + + /* Verify that the response is the original challenge. */ + if (memcmp(response, mdbuf, 16) != 0) { + /* Wrong answer. */ + return 0; + } + /* Correct answer. */ + return 1; } /* - * check if there's user key matching client_n, - * return key if login is allowed, NULL otherwise + * Performs the RSA authentication dialog with the client. This returns + * 0 if the client could not be authenticated, and 1 if authentication was + * successful. This may exit if there is a serious protocol violation. */ int -auth_rsa_key_allowed(struct passwd *pw, BIGNUM *client_n, Key **rkey) +auth_rsa(struct passwd *pw, BIGNUM *client_n) { - char line[SSH_MAX_PUBKEY_BYTES], *file; - int allowed = 0; + char line[8192], *file; + int authenticated; u_int bits; FILE *f; u_long linenum = 0; - Key *key; + struct stat st; + RSA *pk; + + /* no user given */ + if (pw == NULL) + return 0; /* Temporarily use the user's uid. */ temporarily_use_uid(pw); @@ -181,27 +140,50 @@ auth_rsa_key_allowed(struct passwd *pw, BIGNUM *client_n, Key **rkey) /* The authorized keys. */ file = authorized_keys_file(pw); debug("trying public RSA key file %s", file); - f = auth_openkeyfile(file, pw, options.strict_modes); + + /* Fail quietly if file does not exist */ + if (stat(file, &st) < 0) { + /* Restore the privileged uid. */ + restore_uid(); + xfree(file); + return 0; + } + /* Open the file containing the authorized keys. */ + f = fopen(file, "r"); if (!f) { + /* Restore the privileged uid. */ + restore_uid(); + packet_send_debug("Could not open %.900s for reading.", file); + packet_send_debug("If your home is on an NFS volume, it may need to be world-readable."); xfree(file); + return 0; + } + if (options.strict_modes && + secure_filename(f, file, pw, line, sizeof(line)) != 0) { + xfree(file); + fclose(f); + log("Authentication refused: %s", line); + packet_send_debug("Authentication refused: %s", line); restore_uid(); - return (0); + return 0; } + /* Flag indicating whether authentication has succeeded. */ + authenticated = 0; - /* Flag indicating whether the key is allowed. */ - allowed = 0; - - key = key_new(KEY_RSA1); + pk = RSA_new(); + pk->e = BN_new(); + pk->n = BN_new(); /* * Go though the accepted keys, looking for the current key. If * found, perform a challenge-response dialog to verify that the * user really has the corresponding private key. */ - while (read_keyfile_line(f, file, line, sizeof(line), &linenum) != -1) { + while (fgets(line, sizeof(line), f)) { char *cp; - char *key_options; - int keybits; + char *options; + + linenum++; /* Skip leading whitespace, empty and comment lines. */ for (cp = line; *cp == ' ' || *cp == '\t'; cp++) @@ -217,7 +199,7 @@ auth_rsa_key_allowed(struct passwd *pw, BIGNUM *client_n, Key **rkey) */ if (*cp < '0' || *cp > '9') { int quoted = 0; - key_options = cp; + options = cp; for (; *cp && (quoted || (*cp != ' ' && *cp != '\t')); cp++) { if (*cp == '\\' && cp[1] == '"') cp++; /* Skip both */ @@ -225,10 +207,10 @@ auth_rsa_key_allowed(struct passwd *pw, BIGNUM *client_n, Key **rkey) quoted = !quoted; } } else - key_options = NULL; + options = NULL; /* Parse the key from the line. */ - if (hostfile_read_key(&cp, &bits, key) == 0) { + if (!auth_rsa_read_key(&cp, &bits, pk->e, pk->n)) { debug("%.100s, line %lu: non ssh1 key syntax", file, linenum); continue; @@ -236,26 +218,39 @@ auth_rsa_key_allowed(struct passwd *pw, BIGNUM *client_n, Key **rkey) /* cp now points to the comment part. */ /* Check if the we have found the desired key (identified by its modulus). */ - if (BN_cmp(key->rsa->n, client_n) != 0) + if (BN_cmp(pk->n, client_n) != 0) continue; /* check the real bits */ - keybits = BN_num_bits(key->rsa->n); - if (keybits < 0 || bits != (u_int)keybits) - logit("Warning: %s, line %lu: keysize mismatch: " + if (bits != BN_num_bits(pk->n)) + log("Warning: %s, line %lu: keysize mismatch: " "actual %d vs. announced %d.", - file, linenum, BN_num_bits(key->rsa->n), bits); + file, linenum, BN_num_bits(pk->n), bits); /* We have found the desired key. */ /* * If our options do not allow this key to be used, * do not send challenge. */ - if (!auth_parse_options(pw, key_options, file, linenum)) + if (!auth_parse_options(pw, options, file, linenum)) continue; - /* break out, this key is allowed */ - allowed = 1; + /* Perform the challenge-response dialog for this key. */ + if (!auth_rsa_challenge_dialog(pk)) { + /* Wrong response. */ + verbose("Wrong response to RSA authentication challenge."); + packet_send_debug("Wrong response to RSA authentication challenge."); + continue; + } + /* + * Correct response. The client has been successfully + * authenticated. Note that we have not yet processed the + * options; this will be reset if the options cause the + * authentication to be rejected. + * Break out of the loop if authentication was successful; + * otherwise continue searching. + */ + authenticated = 1; break; } @@ -266,59 +261,13 @@ auth_rsa_key_allowed(struct passwd *pw, BIGNUM *client_n, Key **rkey) xfree(file); fclose(f); - /* return key if allowed */ - if (allowed && rkey != NULL) - *rkey = key; - else - key_free(key); - return (allowed); -} - -/* - * Performs the RSA authentication dialog with the client. This returns - * 0 if the client could not be authenticated, and 1 if authentication was - * successful. This may exit if there is a serious protocol violation. - */ -int -auth_rsa(Authctxt *authctxt, BIGNUM *client_n) -{ - Key *key; - char *fp; - struct passwd *pw = authctxt->pw; - - /* no user given */ - if (!authctxt->valid) - return 0; + RSA_free(pk); - if (!PRIVSEP(auth_rsa_key_allowed(pw, client_n, &key))) { + if (authenticated) + packet_send_debug("RSA authentication accepted."); + else auth_clear_options(); - return (0); - } - /* Perform the challenge-response dialog for this key. */ - if (!auth_rsa_challenge_dialog(key)) { - /* Wrong response. */ - verbose("Wrong response to RSA authentication challenge."); - packet_send_debug("Wrong response to RSA authentication challenge."); - /* - * Break out of the loop. Otherwise we might send - * another challenge and break the protocol. - */ - key_free(key); - return (0); - } - /* - * Correct response. The client has been successfully - * authenticated. Note that we have not yet processed the - * options; this will be reset if the options cause the - * authentication to be rejected. - */ - fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX); - verbose("Found matching %s key: %s", - key_type(key), fp); - xfree(fp); - key_free(key); - - packet_send_debug("RSA authentication accepted."); - return (1); + /* Return authentication result. */ + return authenticated; }