crypto/openssh/auth-rsa.c

   1 /* $OpenBSD: auth-rsa.c,v 1.90 2015/01/28 22:36:00 djm Exp $ */
   2 /*
   3  * Author: Tatu Ylonen <ylo@cs.hut.fi>
   4  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
   5  *                    All rights reserved
   6  * RSA-based authentication.  This code determines whether to admit a login
   7  * based on RSA authentication.  This file also contains functions to check
   8  * validity of the host key.
   9  *
  10  * As far as I am concerned, the code I have written for this software
  11  * can be used freely for any purpose.  Any derived versions of this
  12  * software must be clearly marked as such, and if the derived work is
  13  * incompatible with the protocol description in the RFC file, it must be
  14  * called by a name other than "ssh" or "Secure Shell".
  15  */
  16
  17 #include "includes.h"
  18
  19 #ifdef WITH_SSH1
  20
  21 #include <sys/types.h>
  22 #include <sys/stat.h>
  23
  24 #include <openssl/rsa.h>
  25
  26 #include <pwd.h>
  27 #include <stdio.h>
  28 #include <stdarg.h>
  29 #include <string.h>
  30
  31 #include "xmalloc.h"
  32 #include "rsa.h"
  33 #include "packet.h"
  34 #include "ssh1.h"
  35 #include "uidswap.h"
  36 #include "match.h"
  37 #include "buffer.h"
  38 #include "pathnames.h"
  39 #include "log.h"
  40 #include "misc.h"
  41 #include "servconf.h"
  42 #include "key.h"
  43 #include "auth-options.h"
  44 #include "hostfile.h"
  45 #include "auth.h"
  46 #ifdef GSSAPI
  47 #include "ssh-gss.h"
  48 #endif
  49 #include "monitor_wrap.h"
  50 #include "ssh.h"
  51
  52 #include "digest.h"
  53
  54 /* import */
  55 extern ServerOptions options;
  56
  57 /*
  58  * Session identifier that is used to bind key exchange and authentication
  59  * responses to a particular session.
  60  */
  61 extern u_char session_id[16];
  62
  63 /*
  64  * The .ssh/authorized_keys file contains public keys, one per line, in the
  65  * following format:
  66  *   options bits e n comment
  67  * where bits, e and n are decimal numbers,
  68  * and comment is any string of characters up to newline.  The maximum
  69  * length of a line is SSH_MAX_PUBKEY_BYTES characters.  See sshd(8) for a
  70  * description of the options.
  71  */
  72
  73 BIGNUM *
  74 auth_rsa_generate_challenge(Key *key)
  75 {
  76         BIGNUM *challenge;
  77         BN_CTX *ctx;
  78
  79         if ((challenge = BN_new()) == NULL)
  80                 fatal("auth_rsa_generate_challenge: BN_new() failed");
  81         /* Generate a random challenge. */
  82         if (BN_rand(challenge, 256, 0, 0) == 0)
  83                 fatal("auth_rsa_generate_challenge: BN_rand failed");
  84         if ((ctx = BN_CTX_new()) == NULL)
  85                 fatal("auth_rsa_generate_challenge: BN_CTX_new failed");
  86         if (BN_mod(challenge, challenge, key->rsa->n, ctx) == 0)
  87                 fatal("auth_rsa_generate_challenge: BN_mod failed");
  88         BN_CTX_free(ctx);
  89
  90         return challenge;
  91 }
  92
  93 int
  94 auth_rsa_verify_response(Key *key, BIGNUM *challenge, u_char response[16])
  95 {
  96         u_char buf[32], mdbuf[16];
  97         struct ssh_digest_ctx *md;
  98         int len;
  99
 100         /* don't allow short keys */
 101         if (BN_num_bits(key->rsa->n) < SSH_RSA_MINIMUM_MODULUS_SIZE) {
 102                 error("%s: RSA modulus too small: %d < minimum %d bits",
 103                     __func__,
 104                     BN_num_bits(key->rsa->n), SSH_RSA_MINIMUM_MODULUS_SIZE);
 105                 return (0);
 106         }
 107
 108         /* The response is MD5 of decrypted challenge plus session id. */
 109         len = BN_num_bytes(challenge);
 110         if (len <= 0 || len > 32)
 111                 fatal("%s: bad challenge length %d", __func__, len);
 112         memset(buf, 0, 32);
 113         BN_bn2bin(challenge, buf + 32 - len);
 114         if ((md = ssh_digest_start(SSH_DIGEST_MD5)) == NULL ||
 115             ssh_digest_update(md, buf, 32) < 0 ||
 116             ssh_digest_update(md, session_id, 16) < 0 ||
 117             ssh_digest_final(md, mdbuf, sizeof(mdbuf)) < 0)
 118                 fatal("%s: md5 failed", __func__);
 119         ssh_digest_free(md);
 120
 121         /* Verify that the response is the original challenge. */
 122         if (timingsafe_bcmp(response, mdbuf, 16) != 0) {
 123                 /* Wrong answer. */
 124                 return (0);
 125         }
 126         /* Correct answer. */
 127         return (1);
 128 }
 129
 130 /*
 131  * Performs the RSA authentication challenge-response dialog with the client,
 132  * and returns true (non-zero) if the client gave the correct answer to
 133  * our challenge; returns zero if the client gives a wrong answer.
 134  */
 135
 136 int
 137 auth_rsa_challenge_dialog(Key *key)
 138 {
 139         BIGNUM *challenge, *encrypted_challenge;
 140         u_char response[16];
 141         int i, success;
 142
 143         if ((encrypted_challenge = BN_new()) == NULL)
 144                 fatal("auth_rsa_challenge_dialog: BN_new() failed");
 145
 146         challenge = PRIVSEP(auth_rsa_generate_challenge(key));
 147
 148         /* Encrypt the challenge with the public key. */
 149         if (rsa_public_encrypt(encrypted_challenge, challenge, key->rsa) != 0)
 150                 fatal("%s: rsa_public_encrypt failed", __func__);
 151
 152         /* Send the encrypted challenge to the client. */
 153         packet_start(SSH_SMSG_AUTH_RSA_CHALLENGE);
 154         packet_put_bignum(encrypted_challenge);
 155         packet_send();
 156         BN_clear_free(encrypted_challenge);
 157         packet_write_wait();
 158
 159         /* Wait for a response. */
 160         packet_read_expect(SSH_CMSG_AUTH_RSA_RESPONSE);
 161         for (i = 0; i < 16; i++)
 162                 response[i] = (u_char)packet_get_char();
 163         packet_check_eom();
 164
 165         success = PRIVSEP(auth_rsa_verify_response(key, challenge, response));
 166         BN_clear_free(challenge);
 167         return (success);
 168 }
 169
 170 static int
 171 rsa_key_allowed_in_file(struct passwd *pw, char *file,
 172     const BIGNUM *client_n, Key **rkey)
 173 {
 174         char *fp, line[SSH_MAX_PUBKEY_BYTES];
 175         int allowed = 0, bits;
 176         FILE *f;
 177         u_long linenum = 0;
 178         Key *key;
 179
 180         debug("trying public RSA key file %s", file);
 181         if ((f = auth_openkeyfile(file, pw, options.strict_modes)) == NULL)
 182                 return 0;
 183
 184         /*
 185          * Go though the accepted keys, looking for the current key.  If
 186          * found, perform a challenge-response dialog to verify that the
 187          * user really has the corresponding private key.
 188          */
 189         key = key_new(KEY_RSA1);
 190         while (read_keyfile_line(f, file, line, sizeof(line), &linenum) != -1) {
 191                 char *cp;
 192                 char *key_options;
 193                 int keybits;
 194
 195                 /* Skip leading whitespace, empty and comment lines. */
 196                 for (cp = line; *cp == ' ' || *cp == '\t'; cp++)
 197                         ;
 198                 if (!*cp || *cp == '\n' || *cp == '#')
 199                         continue;
 200
 201                 /*
 202                  * Check if there are options for this key, and if so,
 203                  * save their starting address and skip the option part
 204                  * for now.  If there are no options, set the starting
 205                  * address to NULL.
 206                  */
 207                 if (*cp < '0' || *cp > '9') {
 208                         int quoted = 0;
 209                         key_options = cp;
 210                         for (; *cp && (quoted || (*cp != ' ' && *cp != '\t')); cp++) {
 211                                 if (*cp == '\\' && cp[1] == '"')
 212                                         cp++;   /* Skip both */
 213                                 else if (*cp == '"')
 214                                         quoted = !quoted;
 215                         }
 216                 } else
 217                         key_options = NULL;
 218
 219                 /* Parse the key from the line. */
 220                 if (hostfile_read_key(&cp, &bits, key) == 0) {
 221                         debug("%.100s, line %lu: non ssh1 key syntax",
 222                             file, linenum);
 223                         continue;
 224                 }
 225                 /* cp now points to the comment part. */
 226
 227                 /*
 228                  * Check if the we have found the desired key (identified
 229                  * by its modulus).
 230                  */
 231                 if (BN_cmp(key->rsa->n, client_n) != 0)
 232                         continue;
 233
 234                 /* check the real bits  */
 235                 keybits = BN_num_bits(key->rsa->n);
 236                 if (keybits < 0 || bits != keybits)
 237                         logit("Warning: %s, line %lu: keysize mismatch: "
 238                             "actual %d vs. announced %d.",
 239                             file, linenum, BN_num_bits(key->rsa->n), bits);
 240
 241                 if ((fp = sshkey_fingerprint(key, options.fingerprint_hash,
 242                     SSH_FP_DEFAULT)) == NULL)
 243                         continue;
 244                 debug("matching key found: file %s, line %lu %s %s",
 245                     file, linenum, key_type(key), fp);
 246                 free(fp);
 247
 248                 /* Never accept a revoked key */
 249                 if (auth_key_is_revoked(key))
 250                         break;
 251
 252                 /* We have found the desired key. */
 253                 /*
 254                  * If our options do not allow this key to be used,
 255                  * do not send challenge.
 256                  */
 257                 if (!auth_parse_options(pw, key_options, file, linenum))
 258                         continue;
 259                 if (key_is_cert_authority)
 260                         continue;
 261                 /* break out, this key is allowed */
 262                 allowed = 1;
 263                 break;
 264         }
 265
 266         /* Close the file. */
 267         fclose(f);
 268
 269         /* return key if allowed */
 270         if (allowed && rkey != NULL)
 271                 *rkey = key;
 272         else
 273                 key_free(key);
 274
 275         return allowed;
 276 }
 277
 278 /*
 279  * check if there's user key matching client_n,
 280  * return key if login is allowed, NULL otherwise
 281  */
 282
 283 int
 284 auth_rsa_key_allowed(struct passwd *pw, BIGNUM *client_n, Key **rkey)
 285 {
 286         char *file;
 287         u_int i, allowed = 0;
 288
 289         temporarily_use_uid(pw);
 290
 291         for (i = 0; !allowed && i < options.num_authkeys_files; i++) {
 292                 if (strcasecmp(options.authorized_keys_files[i], "none") == 0)
 293                         continue;
 294                 file = expand_authorized_keys(
 295                     options.authorized_keys_files[i], pw);
 296                 allowed = rsa_key_allowed_in_file(pw, file, client_n, rkey);
 297                 free(file);
 298         }
 299
 300         restore_uid();
 301
 302         return allowed;
 303 }
 304
 305 /*
 306  * Performs the RSA authentication dialog with the client.  This returns
 307  * 0 if the client could not be authenticated, and 1 if authentication was
 308  * successful.  This may exit if there is a serious protocol violation.
 309  */
 310 int
 311 auth_rsa(Authctxt *authctxt, BIGNUM *client_n)
 312 {
 313         Key *key;
 314         struct passwd *pw = authctxt->pw;
 315
 316         /* no user given */
 317         if (!authctxt->valid)
 318                 return 0;
 319
 320         if (!PRIVSEP(auth_rsa_key_allowed(pw, client_n, &key))) {
 321                 auth_clear_options();
 322                 return (0);
 323         }
 324
 325         /* Perform the challenge-response dialog for this key. */
 326         if (!auth_rsa_challenge_dialog(key)) {
 327                 /* Wrong response. */
 328                 verbose("Wrong response to RSA authentication challenge.");
 329                 packet_send_debug("Wrong response to RSA authentication challenge.");
 330                 /*
 331                  * Break out of the loop. Otherwise we might send
 332                  * another challenge and break the protocol.
 333                  */
 334                 key_free(key);
 335                 return (0);
 336         }
 337         /*
 338          * Correct response.  The client has been successfully
 339          * authenticated. Note that we have not yet processed the
 340          * options; this will be reset if the options cause the
 341          * authentication to be rejected.
 342          */
 343         pubkey_auth_info(authctxt, key, NULL);
 344
 345         packet_send_debug("RSA authentication accepted.");
 346         return (1);
 347 }
 348
 349 #endif /* WITH_SSH1 */