X-Git-Url: http://andersk.mit.edu/gitweb/gssapi-openssh.git/blobdiff_plain/996d5e62b203304a38c5c400d764db9ff9121b48..22ce3a3becb01f9487f7fa12b859100c162e231c:/openssh/authfile.c diff --git a/openssh/authfile.c b/openssh/authfile.c index 6a04cd7..135be76 100644 --- a/openssh/authfile.c +++ b/openssh/authfile.c @@ -36,7 +36,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: authfile.c,v 1.60 2004/12/11 01:48:56 dtucker Exp $"); +RCSID("$OpenBSD: authfile.c,v 1.39 2001/10/07 10:29:52 markus Exp $"); #include #include @@ -50,8 +50,6 @@ RCSID("$OpenBSD: authfile.c,v 1.60 2004/12/11 01:48:56 dtucker Exp $"); #include "ssh.h" #include "log.h" #include "authfile.h" -#include "rsa.h" -#include "misc.h" /* Version identification string for SSH v1 identity files. */ static const char authfile_id_string[] = @@ -69,28 +67,30 @@ key_save_private_rsa1(Key *key, const char *filename, const char *passphrase, const char *comment) { Buffer buffer, encrypted; - u_char buf[100], *cp; - int fd, i, cipher_num; + char buf[100], *cp; + int fd, i; CipherContext ciphercontext; Cipher *cipher; - u_int32_t rnd; + u_int32_t rand; /* * If the passphrase is empty, use SSH_CIPHER_NONE to ease converting * to another cipher; otherwise use SSH_AUTHFILE_CIPHER. */ - cipher_num = (strcmp(passphrase, "") == 0) ? - SSH_CIPHER_NONE : SSH_AUTHFILE_CIPHER; - if ((cipher = cipher_by_number(cipher_num)) == NULL) + if (strcmp(passphrase, "") == 0) + cipher = cipher_by_number(SSH_CIPHER_NONE); + else + cipher = cipher_by_number(SSH_AUTHFILE_CIPHER); + if (cipher == NULL) fatal("save_private_key_rsa: bad cipher"); /* This buffer is used to built the secret part of the private key. */ buffer_init(&buffer); /* Put checkbytes for checking passphrase validity. */ - rnd = arc4random(); - buf[0] = rnd & 0xff; - buf[1] = (rnd >> 8) & 0xff; + rand = arc4random(); + buf[0] = rand & 0xff; + buf[1] = (rand >> 8) & 0xff; buf[2] = buf[0]; buf[3] = buf[1]; buffer_append(&buffer, buf, 4); @@ -118,7 +118,7 @@ key_save_private_rsa1(Key *key, const char *filename, const char *passphrase, buffer_put_char(&encrypted, 0); /* Store cipher type. */ - buffer_put_char(&encrypted, cipher_num); + buffer_put_char(&encrypted, cipher->number); buffer_put_int(&encrypted, 0); /* For future extension */ /* Store public key. This will be in plain text. */ @@ -128,13 +128,11 @@ key_save_private_rsa1(Key *key, const char *filename, const char *passphrase, buffer_put_cstring(&encrypted, comment); /* Allocate space for the private part of the key in the buffer. */ - cp = buffer_append_space(&encrypted, buffer_len(&buffer)); + buffer_append_space(&encrypted, &cp, buffer_len(&buffer)); - cipher_set_key_string(&ciphercontext, cipher, passphrase, - CIPHER_ENCRYPT); - cipher_crypt(&ciphercontext, cp, - buffer_ptr(&buffer), buffer_len(&buffer)); - cipher_cleanup(&ciphercontext); + cipher_set_key_string(&ciphercontext, cipher, passphrase); + cipher_encrypt(&ciphercontext, (u_char *) cp, + (u_char *) buffer_ptr(&buffer), buffer_len(&buffer)); memset(&ciphercontext, 0, sizeof(ciphercontext)); /* Destroy temporary data. */ @@ -144,13 +142,12 @@ key_save_private_rsa1(Key *key, const char *filename, const char *passphrase, fd = open(filename, O_WRONLY | O_CREAT | O_TRUNC, 0600); if (fd < 0) { error("open %s failed: %s.", filename, strerror(errno)); - buffer_free(&encrypted); return 0; } if (write(fd, buffer_ptr(&encrypted), buffer_len(&encrypted)) != buffer_len(&encrypted)) { error("write to key file %s failed: %s", filename, - strerror(errno)); + strerror(errno)); buffer_free(&encrypted); close(fd); unlink(filename); @@ -170,8 +167,8 @@ key_save_private_pem(Key *key, const char *filename, const char *_passphrase, int fd; int success = 0; int len = strlen(_passphrase); - u_char *passphrase = (len > 0) ? (u_char *)_passphrase : NULL; - const EVP_CIPHER *cipher = (len > 0) ? EVP_des_ede3_cbc() : NULL; + char *passphrase = (len > 0) ? (char *)_passphrase : NULL; + EVP_CIPHER *cipher = (len > 0) ? EVP_des_ede3_cbc() : NULL; if (len > 0 && len <= 4) { error("passphrase too short: have %d bytes, need > 4", len); @@ -234,24 +231,15 @@ key_load_public_rsa1(int fd, const char *filename, char **commentp) { Buffer buffer; Key *pub; - struct stat st; char *cp; int i; - size_t len; + off_t len; - if (fstat(fd, &st) < 0) { - error("fstat for key file %.200s failed: %.100s", - filename, strerror(errno)); - return NULL; - } - if (st.st_size > 1*1024*1024) { - error("key file %.200s too large", filename); - return NULL; - } - len = (size_t)st.st_size; /* truncated */ + len = lseek(fd, (off_t) 0, SEEK_END); + lseek(fd, (off_t) 0, SEEK_SET); buffer_init(&buffer); - cp = buffer_append_space(&buffer, len); + buffer_append_space(&buffer, &cp, len); if (read(fd, cp, (size_t) len) != (size_t) len) { debug("Read from key file %.200s failed: %.100s", filename, @@ -281,7 +269,7 @@ key_load_public_rsa1(int fd, const char *filename, char **commentp) (void) buffer_get_int(&buffer); /* reserved */ /* Read the public key from the buffer. */ - (void) buffer_get_int(&buffer); + buffer_get_int(&buffer); pub = key_new(KEY_RSA1); buffer_get_bignum(&buffer, pub->rsa->n); buffer_get_bignum(&buffer, pub->rsa->e); @@ -323,29 +311,20 @@ key_load_private_rsa1(int fd, const char *filename, const char *passphrase, char **commentp) { int i, check1, check2, cipher_type; - size_t len; + off_t len; Buffer buffer, decrypted; - u_char *cp; + char *cp; CipherContext ciphercontext; Cipher *cipher; + BN_CTX *ctx; + BIGNUM *aux; Key *prv = NULL; - struct stat st; - if (fstat(fd, &st) < 0) { - error("fstat for key file %.200s failed: %.100s", - filename, strerror(errno)); - close(fd); - return NULL; - } - if (st.st_size > 1*1024*1024) { - error("key file %.200s too large", filename); - close(fd); - return (NULL); - } - len = (size_t)st.st_size; /* truncated */ + len = lseek(fd, (off_t) 0, SEEK_END); + lseek(fd, (off_t) 0, SEEK_SET); buffer_init(&buffer); - cp = buffer_append_space(&buffer, len); + buffer_append_space(&buffer, &cp, len); if (read(fd, cp, (size_t) len) != (size_t) len) { debug("Read from key file %.200s failed: %.100s", filename, @@ -379,7 +358,7 @@ key_load_private_rsa1(int fd, const char *filename, const char *passphrase, (void) buffer_get_int(&buffer); /* Reserved data. */ /* Read the public key from the buffer. */ - (void) buffer_get_int(&buffer); + buffer_get_int(&buffer); prv = key_new_private(KEY_RSA1); buffer_get_bignum(&buffer, prv->rsa->n); @@ -399,14 +378,12 @@ key_load_private_rsa1(int fd, const char *filename, const char *passphrase, } /* Initialize space for decrypted data. */ buffer_init(&decrypted); - cp = buffer_append_space(&decrypted, buffer_len(&buffer)); + buffer_append_space(&decrypted, &cp, buffer_len(&buffer)); /* Rest of the buffer is encrypted. Decrypt it using the passphrase. */ - cipher_set_key_string(&ciphercontext, cipher, passphrase, - CIPHER_DECRYPT); - cipher_crypt(&ciphercontext, cp, - buffer_ptr(&buffer), buffer_len(&buffer)); - cipher_cleanup(&ciphercontext); + cipher_set_key_string(&ciphercontext, cipher, passphrase); + cipher_decrypt(&ciphercontext, (u_char *) cp, + (u_char *) buffer_ptr(&buffer), buffer_len(&buffer)); memset(&ciphercontext, 0, sizeof(ciphercontext)); buffer_free(&buffer); @@ -429,15 +406,19 @@ key_load_private_rsa1(int fd, const char *filename, const char *passphrase, buffer_get_bignum(&decrypted, prv->rsa->p); /* q */ /* calculate p-1 and q-1 */ - rsa_generate_additional_parameters(prv->rsa); + ctx = BN_CTX_new(); + aux = BN_new(); - buffer_free(&decrypted); + BN_sub(aux, prv->rsa->q, BN_value_one()); + BN_mod(prv->rsa->dmq1, prv->rsa->d, aux, ctx); - /* enable blinding */ - if (RSA_blinding_on(prv->rsa, NULL) != 1) { - error("key_load_private_rsa1: RSA_blinding_on failed"); - goto fail; - } + BN_sub(aux, prv->rsa->p, BN_value_one()); + BN_mod(prv->rsa->dmp1, prv->rsa->d, aux, ctx); + + BN_clear_free(aux); + BN_CTX_free(ctx); + + buffer_free(&decrypted); close(fd); return prv; @@ -449,7 +430,7 @@ fail: return NULL; } -Key * +static Key * key_load_private_pem(int fd, int type, const char *passphrase, char **commentp) { @@ -469,7 +450,7 @@ key_load_private_pem(int fd, int type, const char *passphrase, debug("PEM_read_PrivateKey failed"); (void)ERR_get_error(); } else if (pk->type == EVP_PKEY_RSA && - (type == KEY_UNSPEC||type==KEY_RSA)) { + (type == KEY_UNSPEC||type==KEY_RSA)) { prv = key_new(KEY_UNSPEC); prv->rsa = EVP_PKEY_get1_RSA(pk); prv->type = KEY_RSA; @@ -477,13 +458,8 @@ key_load_private_pem(int fd, int type, const char *passphrase, #ifdef DEBUG_PK RSA_print_fp(stderr, prv->rsa, 8); #endif - if (RSA_blinding_on(prv->rsa, NULL) != 1) { - error("key_load_private_pem: RSA_blinding_on failed"); - key_free(prv); - prv = NULL; - } } else if (pk->type == EVP_PKEY_DSA && - (type == KEY_UNSPEC||type==KEY_DSA)) { + (type == KEY_UNSPEC||type==KEY_DSA)) { prv = key_new(KEY_UNSPEC); prv->dsa = EVP_PKEY_get1_DSA(pk); prv->type = KEY_DSA; @@ -525,7 +501,7 @@ key_perm_ok(int fd, const char *filename) error("@ WARNING: UNPROTECTED PRIVATE KEY FILE! @"); error("@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@"); error("Permissions 0%3.3o for '%s' are too open.", - (u_int)st.st_mode & 0777, filename); + st.st_mode & 0777, filename); error("It is recommended that your private key files are NOT accessible by others."); error("This private key will be ignored."); return 0; @@ -602,16 +578,15 @@ static int key_try_load_public(Key *k, const char *filename, char **commentp) { FILE *f; - char line[SSH_MAX_PUBKEY_BYTES]; + char line[4096]; char *cp; - u_long linenum = 0; f = fopen(filename, "r"); if (f != NULL) { - while (read_keyfile_line(f, filename, line, sizeof(line), - &linenum) != -1) { + while (fgets(line, sizeof(line), f)) { + line[sizeof(line)-1] = '\0'; cp = line; - switch (*cp) { + switch(*cp){ case '#': case '\n': case '\0': @@ -641,18 +616,9 @@ key_load_public(const char *filename, char **commentp) Key *pub; char file[MAXPATHLEN]; - /* try rsa1 private key */ pub = key_load_public_type(KEY_RSA1, filename, commentp); if (pub != NULL) return pub; - - /* try rsa1 public key */ - pub = key_new(KEY_RSA1); - if (key_try_load_public(pub, filename, commentp) == 1) - return pub; - key_free(pub); - - /* try ssh2 public key */ pub = key_new(KEY_UNSPEC); if (key_try_load_public(pub, filename, commentp) == 1) return pub;