X-Git-Url: http://andersk.mit.edu/gitweb/openssh.git/blobdiff_plain/ea067773e7c51e90cd791dc3946834dd804fa844..HEAD:/auth-rsa.c diff --git a/auth-rsa.c b/auth-rsa.c index 2060f839..bf546207 100644 --- a/auth-rsa.c +++ b/auth-rsa.c @@ -1,3 +1,4 @@ +/* $OpenBSD: auth-rsa.c,v 1.73 2008/07/02 12:03:51 dtucker Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -14,25 +15,38 @@ */ #include "includes.h" -RCSID("$OpenBSD: auth-rsa.c,v 1.61 2004/12/06 11:41:03 dtucker Exp $"); + +#include +#include #include #include +#include +#include +#include +#include + +#include "xmalloc.h" #include "rsa.h" #include "packet.h" -#include "xmalloc.h" #include "ssh1.h" #include "uidswap.h" #include "match.h" +#include "buffer.h" #include "auth-options.h" #include "pathnames.h" #include "log.h" #include "servconf.h" -#include "auth.h" +#include "key.h" #include "hostfile.h" +#include "auth.h" +#ifdef GSSAPI +#include "ssh-gss.h" +#endif #include "monitor_wrap.h" #include "ssh.h" +#include "misc.h" /* import */ extern ServerOptions options; @@ -62,10 +76,12 @@ auth_rsa_generate_challenge(Key *key) if ((challenge = BN_new()) == NULL) fatal("auth_rsa_generate_challenge: BN_new() failed"); /* Generate a random challenge. */ - BN_rand(challenge, 256, 0, 0); + if (BN_rand(challenge, 256, 0, 0) == 0) + fatal("auth_rsa_generate_challenge: BN_rand failed"); if ((ctx = BN_CTX_new()) == NULL) - fatal("auth_rsa_generate_challenge: BN_CTX_new() failed"); - BN_mod(challenge, challenge, key->rsa->n, ctx); + fatal("auth_rsa_generate_challenge: BN_CTX_new failed"); + if (BN_mod(challenge, challenge, key->rsa->n, ctx) == 0) + fatal("auth_rsa_generate_challenge: BN_mod failed"); BN_CTX_free(ctx); return challenge; @@ -136,7 +152,7 @@ auth_rsa_challenge_dialog(Key *key) /* Wait for a response. */ packet_read_expect(SSH_CMSG_AUTH_RSA_RESPONSE); for (i = 0; i < 16; i++) - response[i] = packet_get_char(); + response[i] = (u_char)packet_get_char(); packet_check_eom(); success = PRIVSEP(auth_rsa_verify_response(key, challenge, response)); @@ -157,7 +173,6 @@ auth_rsa_key_allowed(struct passwd *pw, BIGNUM *client_n, Key **rkey) u_int bits; FILE *f; u_long linenum = 0; - struct stat st; Key *key; /* Temporarily use the user's uid. */ @@ -166,27 +181,9 @@ auth_rsa_key_allowed(struct passwd *pw, BIGNUM *client_n, Key **rkey) /* The authorized keys. */ file = authorized_keys_file(pw); debug("trying public RSA key file %s", file); - - /* Fail quietly if file does not exist */ - if (stat(file, &st) < 0) { - /* Restore the privileged uid. */ - restore_uid(); - xfree(file); - return (0); - } - /* Open the file containing the authorized keys. */ - f = fopen(file, "r"); + f = auth_openkeyfile(file, pw, options.strict_modes); if (!f) { - /* Restore the privileged uid. */ - restore_uid(); - xfree(file); - return (0); - } - if (options.strict_modes && - secure_filename(f, file, pw, line, sizeof(line)) != 0) { xfree(file); - fclose(f); - logit("Authentication refused: %s", line); restore_uid(); return (0); } @@ -204,6 +201,7 @@ auth_rsa_key_allowed(struct passwd *pw, BIGNUM *client_n, Key **rkey) while (read_keyfile_line(f, file, line, sizeof(line), &linenum) != -1) { char *cp; char *key_options; + int keybits; /* Skip leading whitespace, empty and comment lines. */ for (cp = line; *cp == ' ' || *cp == '\t'; cp++) @@ -242,7 +240,8 @@ auth_rsa_key_allowed(struct passwd *pw, BIGNUM *client_n, Key **rkey) continue; /* check the real bits */ - if (bits != BN_num_bits(key->rsa->n)) + keybits = BN_num_bits(key->rsa->n); + if (keybits < 0 || bits != (u_int)keybits) logit("Warning: %s, line %lu: keysize mismatch: " "actual %d vs. announced %d.", file, linenum, BN_num_bits(key->rsa->n), bits);