*/
#include "includes.h"
-RCSID("$OpenBSD: auth-rsa.c,v 1.52 2002/03/18 17:50:31 provos Exp $");
+RCSID("$OpenBSD: auth-rsa.c,v 1.59 2004/05/09 01:19:27 djm Exp $");
#include <openssl/rsa.h>
#include <openssl/md5.h>
#include "packet.h"
#include "xmalloc.h"
#include "ssh1.h"
-#include "mpaux.h"
#include "uidswap.h"
#include "match.h"
#include "auth-options.h"
#include "auth.h"
#include "hostfile.h"
#include "monitor_wrap.h"
+#include "ssh.h"
/* import */
extern ServerOptions options;
MD5_CTX md;
int len;
+ /* don't allow short keys */
+ if (BN_num_bits(key->rsa->n) < SSH_RSA_MINIMUM_MODULUS_SIZE) {
+ error("auth_rsa_verify_response: RSA modulus too small: %d < minimum %d bits",
+ BN_num_bits(key->rsa->n), SSH_RSA_MINIMUM_MODULUS_SIZE);
+ return (0);
+ }
+
/* The response is MD5 of decrypted challenge plus session id. */
len = BN_num_bytes(challenge);
if (len <= 0 || len > 32)
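Review bot: The new minimum-modulus check is placed in auth_rsa_verify_response, which from the surrounding `MD5_CTX md; int len;` declarations and the challenge/session-id comment appears to run only once a response to an already-issued challenge is being verified, so a key below SSH_RSA_MINIMUM_MODULUS_SIZE is refused at the end of the exchange rather than before the challenge is computed; if the key's modulus is first known in auth_rsa_key_allowed, where the later keysize-mismatch hunk already evaluates `BN_num_bits(key->rsa->n)`, that is the earlier place to apply the same bound so no RSA operation is performed with a key that will be rejected anyway. Within this hunk the bit count is computed twice, once for the comparison and once for the message; `int nbits = BN_num_bits(key->rsa->n);` followed by `if (nbits < SSH_RSA_MINIMUM_MODULUS_SIZE) {` and logging `nbits` keeps the logged value identical to the compared one. The enclosing function starts outside the hunk, and SSH_RSA_MINIMUM_MODULUS_SIZE presumably comes from the newly added `#include "ssh.h"`, which should stay paired with this check.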
/* Restore the privileged uid. */
restore_uid();
xfree(file);
- return (NULL);
+ return (0);
}
/* Open the file containing the authorized keys. */
f = fopen(file, "r");
/* Restore the privileged uid. */
restore_uid();
xfree(file);
- return (NULL);
+ return (0);
}
if (options.strict_modes &&
secure_filename(f, file, pw, line, sizeof(line)) != 0) {
xfree(file);
fclose(f);
- log("Authentication refused: %s", line);
+ logit("Authentication refused: %s", line);
restore_uid();
- return (NULL);
+ return (0);
}
/* Flag indicating whether the key is allowed. */
/* check the real bits */
if (bits != BN_num_bits(key->rsa->n))
- log("Warning: %s, line %lu: keysize mismatch: "
+ logit("Warning: %s, line %lu: keysize mismatch: "
"actual %d vs. announced %d.",
file, linenum, BN_num_bits(key->rsa->n), bits);
* successful. This may exit if there is a serious protocol violation.
*/
int
-auth_rsa(struct passwd *pw, BIGNUM *client_n)
+auth_rsa(Authctxt *authctxt, BIGNUM *client_n)
{
Key *key;
char *fp;
+ struct passwd *pw = authctxt->pw;
/* no user given */
- if (pw == NULL)
+ if (!authctxt->valid)
return 0;
if (!PRIVSEP(auth_rsa_key_allowed(pw, client_n, &key))) {