X-Git-Url: http://andersk.mit.edu/gitweb/openssh.git/blobdiff_plain/c8445989f9005acc20e4a123673a93fb3cc57ead..1e5e896ca0af10d05ff7b5248c07f03a026181dc:/auth-rsa.c

diff --git a/auth-rsa.c b/auth-rsa.c
index 491ed81d..f7ae03cf 100644
--- a/auth-rsa.c
+++ b/auth-rsa.c
@@ -14,7 +14,7 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: auth-rsa.c,v 1.41 2001/05/20 17:20:35 markus Exp $");
+RCSID("$OpenBSD: auth-rsa.c,v 1.50 2001/12/28 14:50:54 markus Exp $");
 
 #include <openssl/rsa.h>
 #include <openssl/md5.h>
@@ -31,6 +31,7 @@ RCSID("$OpenBSD: auth-rsa.c,v 1.41 2001/05/20 17:20:35 markus Exp $");
 #include "log.h"
 #include "servconf.h"
 #include "auth.h"
+#include "hostfile.h"
 
 /* import */
 extern ServerOptions options;
@@ -65,14 +66,17 @@ auth_rsa_challenge_dialog(RSA *pk)
 	u_char buf[32], mdbuf[16], response[16];
 	MD5_CTX md;
 	u_int i;
-	int plen, len;
+	int len;
 
-	encrypted_challenge = BN_new();
-	challenge = BN_new();
+	if ((encrypted_challenge = BN_new()) == NULL)
+		fatal("auth_rsa_challenge_dialog: BN_new() failed");
+	if ((challenge = BN_new()) == NULL)
+		fatal("auth_rsa_challenge_dialog: BN_new() failed");
 
 	/* Generate a random challenge. */
 	BN_rand(challenge, 256, 0, 0);
-	ctx = BN_CTX_new();
+	if ((ctx = BN_CTX_new()) == NULL)
+		fatal("auth_rsa_challenge_dialog: BN_CTX_new() failed");
 	BN_mod(challenge, challenge, pk->n, ctx);
 	BN_CTX_free(ctx);
 
@@ -87,10 +91,10 @@ auth_rsa_challenge_dialog(RSA *pk)
 	packet_write_wait();
 
 	/* Wait for a response. */
-	packet_read_expect(&plen, SSH_CMSG_AUTH_RSA_RESPONSE);
-	packet_integrity_check(plen, 16, SSH_CMSG_AUTH_RSA_RESPONSE);
+	packet_read_expect(SSH_CMSG_AUTH_RSA_RESPONSE);
 	for (i = 0; i < 16; i++)
 		response[i] = packet_get_char();
+	packet_check_eom();
 
 	/* The response is MD5 of decrypted challenge plus session id. */
 	len = BN_num_bytes(challenge);
@@ -128,7 +132,8 @@ auth_rsa(struct passwd *pw, BIGNUM *client_n)
 	FILE *f;
 	u_long linenum = 0;
 	struct stat st;
-	RSA *pk;
+	Key *key;
+	char *fp;
 
 	/* no user given */
 	if (pw == NULL)
@@ -159,7 +164,7 @@ auth_rsa(struct passwd *pw, BIGNUM *client_n)
 		return 0;
 	}
 	if (options.strict_modes &&
-	    secure_filename(f, file, pw->pw_uid, line, sizeof(line)) != 0) {
+	    secure_filename(f, file, pw, line, sizeof(line)) != 0) {
 		xfree(file);
 		fclose(f);
 		log("Authentication refused: %s", line);
@@ -170,9 +175,7 @@ auth_rsa(struct passwd *pw, BIGNUM *client_n)
 	/* Flag indicating whether authentication has succeeded. */
 	authenticated = 0;
 
-	pk = RSA_new();
-	pk->e = BN_new();
-	pk->n = BN_new();
+	key = key_new(KEY_RSA1);
 
 	/*
 	 * Go though the accepted keys, looking for the current key.  If
@@ -210,24 +213,22 @@ auth_rsa(struct passwd *pw, BIGNUM *client_n)
 			options = NULL;
 
 		/* Parse the key from the line. */
-		if (!auth_rsa_read_key(&cp, &bits, pk->e, pk->n)) {
-			debug("%.100s, line %lu: bad key syntax",
-			    file, linenum);
-			packet_send_debug("%.100s, line %lu: bad key syntax",
+		if (hostfile_read_key(&cp, &bits, key) == 0) {
+			debug("%.100s, line %lu: non ssh1 key syntax",
 			    file, linenum);
 			continue;
 		}
 		/* cp now points to the comment part. */
 
 		/* Check if the we have found the desired key (identified by its modulus). */
-		if (BN_cmp(pk->n, client_n) != 0)
+		if (BN_cmp(key->rsa->n, client_n) != 0)
 			continue;
 
 		/* check the real bits  */
-		if (bits != BN_num_bits(pk->n))
-			log("Warning: %s, line %ld: keysize mismatch: "
+		if (bits != BN_num_bits(key->rsa->n))
+			log("Warning: %s, line %lu: keysize mismatch: "
 			    "actual %d vs. announced %d.",
-			    file, linenum, BN_num_bits(pk->n), bits);
+			    file, linenum, BN_num_bits(key->rsa->n), bits);
 
 		/* We have found the desired key. */
 		/*
@@ -238,11 +239,15 @@ auth_rsa(struct passwd *pw, BIGNUM *client_n)
 			continue;
 
 		/* Perform the challenge-response dialog for this key. */
-		if (!auth_rsa_challenge_dialog(pk)) {
+		if (!auth_rsa_challenge_dialog(key->rsa)) {
 			/* Wrong response. */
 			verbose("Wrong response to RSA authentication challenge.");
 			packet_send_debug("Wrong response to RSA authentication challenge.");
-			continue;
+			/*
+			 * Break out of the loop. Otherwise we might send
+			 * another challenge and break the protocol.
+			 */
+			break;
 		}
 		/*
 		 * Correct response.  The client has been successfully
@@ -253,6 +258,12 @@ auth_rsa(struct passwd *pw, BIGNUM *client_n)
 		 * otherwise continue searching.
 		 */
 		authenticated = 1;
+
+	 	fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX);
+		verbose("Found matching %s key: %s",
+		    key_type(key), fp);
+		xfree(fp);
+
 		break;
 	}
 
@@ -263,7 +274,7 @@ auth_rsa(struct passwd *pw, BIGNUM *client_n)
 	xfree(file);
 	fclose(f);
 
-	RSA_free(pk);
+	key_free(key);
 
 	if (authenticated)
 		packet_send_debug("RSA authentication accepted.");