search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
usbmodeswitch: Updated to v.1.2.6 from shibby's branch.
[tomato.git] / release / src / router / dropbear / svr-authpubkey.c
blobd483e9d1c72adc17213d70481d6635e82708cb52
1 /*
2 * Dropbear - a SSH2 server
3 *
4 * Copyright (c) 2002,2003 Matt Johnston
5 * All rights reserved.
6 *
7 * Permission is hereby granted, free of charge, to any person obtaining a copy
8 * of this software and associated documentation files (the "Software"), to deal
9 * in the Software without restriction, including without limitation the rights
10 * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
11 * copies of the Software, and to permit persons to whom the Software is
12 * furnished to do so, subject to the following conditions:
13 *
14 * The above copyright notice and this permission notice shall be included in
15 * all copies or substantial portions of the Software.
16 *
17 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
18 * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
19 * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
20 * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
21 * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
22 * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
23 * SOFTWARE. */
24 /*
25 * This file incorporates work covered by the following copyright and
26 * permission notice:
27 *
28 * Copyright (c) 2000 Markus Friedl. All rights reserved.
29 *
30 * Redistribution and use in source and binary forms, with or without
31 * modification, are permitted provided that the following conditions
32 * are met:
33 * 1. Redistributions of source code must retain the above copyright
34 * notice, this list of conditions and the following disclaimer.
35 * 2. Redistributions in binary form must reproduce the above copyright
36 * notice, this list of conditions and the following disclaimer in the
37 * documentation and/or other materials provided with the distribution.
38 *
39 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
40 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
41 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
42 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
43 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
44 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
45 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
46 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
47 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
48 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
49 *
50 * This copyright and permission notice applies to the code parsing public keys
51 * options string which can also be found in OpenSSH auth2-pubkey.c file
52 * (user_key_allowed2). It has been adapted to work with buffers.
53 *
54 */
55
56 /* Process a pubkey auth request */
57
58 #include "includes.h"
59 #include "session.h"
60 #include "dbutil.h"
61 #include "buffer.h"
62 #include "signkey.h"
63 #include "auth.h"
64 #include "ssh.h"
65 #include "packet.h"
66 #include "algo.h"
67
68 #ifdef ENABLE_SVR_PUBKEY_AUTH
69
70 #define MIN_AUTHKEYS_LINE 10 /* "ssh-rsa AB" - short but doesn't matter */
71 #define MAX_AUTHKEYS_LINE 4200 /* max length of a line in authkeys */
72
73 static int checkpubkey(unsigned char* algo, unsigned int algolen,
74 unsigned char* keyblob, unsigned int keybloblen);
75 static int checkpubkeyperms();
76 static void send_msg_userauth_pk_ok(unsigned char* algo, unsigned int algolen,
77 unsigned char* keyblob, unsigned int keybloblen);
78 static int checkfileperm(char * filename);
79
80 /* process a pubkey auth request, sending success or failure message as
81 * appropriate */
82 void svr_auth_pubkey() {
83
84 unsigned char testkey; /* whether we're just checking if a key is usable */
85 unsigned char* algo = NULL; /* pubkey algo */
86 unsigned int algolen;
87 unsigned char* keyblob = NULL;
88 unsigned int keybloblen;
89 buffer * signbuf = NULL;
90 sign_key * key = NULL;
91 char* fp = NULL;
92 int type = -1;
93
94 TRACE(("enter pubkeyauth"))
95
96 /* 0 indicates user just wants to check if key can be used, 1 is an
97 * actual attempt*/
98 testkey = (buf_getbool(ses.payload) == 0);
99
100 algo = buf_getstring(ses.payload, &algolen);
101 keybloblen = buf_getint(ses.payload);
102 keyblob = buf_getptr(ses.payload, keybloblen);
103
104 /* check if the key is valid */
105 if (checkpubkey(algo, algolen, keyblob, keybloblen) == DROPBEAR_FAILURE) {
106 send_msg_userauth_failure(0, 0);
107 goto out;
108 }
109
110 /* let them know that the key is ok to use */
111 if (testkey) {
112 send_msg_userauth_pk_ok(algo, algolen, keyblob, keybloblen);
113 goto out;
114 }
115
116 /* now we can actually verify the signature */
117
118 /* get the key */
119 key = new_sign_key();
120 type = DROPBEAR_SIGNKEY_ANY;
121 if (buf_get_pub_key(ses.payload, key, &type) == DROPBEAR_FAILURE) {
122 send_msg_userauth_failure(0, 1);
123 goto out;
124 }
125
126 /* create the data which has been signed - this a string containing
127 * session_id, concatenated with the payload packet up to the signature */
128 signbuf = buf_new(ses.payload->pos + 4 + SHA1_HASH_SIZE);
129 buf_putstring(signbuf, ses.session_id, SHA1_HASH_SIZE);
130 buf_putbytes(signbuf, ses.payload->data, ses.payload->pos);
131 buf_setpos(signbuf, 0);
132
133 /* ... and finally verify the signature */
134 fp = sign_key_fingerprint(keyblob, keybloblen);
135 if (buf_verify(ses.payload, key, buf_getptr(signbuf, signbuf->len),
136 signbuf->len) == DROPBEAR_SUCCESS) {
137 dropbear_log(LOG_NOTICE,
138 "Pubkey auth succeeded for '%s' with key %s from %s",
139 ses.authstate.pw_name, fp, svr_ses.addrstring);
140 send_msg_userauth_success();
141 } else {
142 dropbear_log(LOG_WARNING,
143 "Pubkey auth bad signature for '%s' with key %s from %s",
144 ses.authstate.pw_name, fp, svr_ses.addrstring);
145 send_msg_userauth_failure(0, 1);
146 }
147 m_free(fp);
148
149 out:
150 /* cleanup stuff */
151 if (signbuf) {
152 buf_free(signbuf);
153 }
154 if (algo) {
155 m_free(algo);
156 }
157 if (key) {
158 sign_key_free(key);
159 key = NULL;
160 }
161 TRACE(("leave pubkeyauth"))
162 }
163
164 /* Reply that the key is valid for auth, this is sent when the user sends
165 * a straight copy of their pubkey to test, to avoid having to perform
166 * expensive signing operations with a worthless key */
167 static void send_msg_userauth_pk_ok(unsigned char* algo, unsigned int algolen,
168 unsigned char* keyblob, unsigned int keybloblen) {
169
170 TRACE(("enter send_msg_userauth_pk_ok"))
171 CHECKCLEARTOWRITE();
172
173 buf_putbyte(ses.writepayload, SSH_MSG_USERAUTH_PK_OK);
174 buf_putstring(ses.writepayload, algo, algolen);
175 buf_putstring(ses.writepayload, keyblob, keybloblen);
176
177 encrypt_packet();
178 TRACE(("leave send_msg_userauth_pk_ok"))
179
180 }
181
182 /* Checks whether a specified publickey (and associated algorithm) is an
183 * acceptable key for authentication */
184 /* Returns DROPBEAR_SUCCESS if key is ok for auth, DROPBEAR_FAILURE otherwise */
185 static int checkpubkey(unsigned char* algo, unsigned int algolen,
186 unsigned char* keyblob, unsigned int keybloblen) {
187
188 FILE * authfile = NULL;
189 char * filename = NULL;
190 int ret = DROPBEAR_FAILURE;
191 buffer * line = NULL;
192 unsigned int len, pos;
193 buffer * options_buf = NULL;
194 int line_num;
195
196 TRACE(("enter checkpubkey"))
197
198 /* check that we can use the algo */
199 if (have_algo(algo, algolen, sshhostkey) == DROPBEAR_FAILURE) {
200 dropbear_log(LOG_WARNING,
201 "Pubkey auth attempt with unknown algo for '%s' from %s",
202 ses.authstate.pw_name, svr_ses.addrstring);
203 goto out;
204 }
205
206 /* check file permissions, also whether file exists */
207 if (checkpubkeyperms() == DROPBEAR_FAILURE) {
208 TRACE(("bad authorized_keys permissions, or file doesn't exist"))
209 goto out;
210 }
211
212 /* we don't need to check pw and pw_dir for validity, since
213 * its been done in checkpubkeyperms. */
214 len = strlen(ses.authstate.pw_dir);
215 /* allocate max required pathname storage,
216 * = path + "/.ssh/authorized_keys" + '\0' = pathlen + 22 */
217 filename = m_malloc(len + 22);
218 snprintf(filename, len + 22, "%s/.ssh/authorized_keys",
219 ses.authstate.pw_dir);
220
221 /* open the file */
222 authfile = fopen(filename, "r");
223 if (authfile == NULL) {
224 goto out;
225 }
226 TRACE(("checkpubkey: opened authorized_keys OK"))
227
228 line = buf_new(MAX_AUTHKEYS_LINE);
229 line_num = 0;
230
231 /* iterate through the lines */
232 do {
233 /* new line : potentially new options */
234 if (options_buf) {
235 buf_free(options_buf);
236 options_buf = NULL;
237 }
238
239 if (buf_getline(line, authfile) == DROPBEAR_FAILURE) {
240 /* EOF reached */
241 TRACE(("checkpubkey: authorized_keys EOF reached"))
242 break;
243 }
244 line_num++;
245
246 if (line->len < MIN_AUTHKEYS_LINE) {
247 TRACE(("checkpubkey: line too short"))
248 continue; /* line is too short for it to be a valid key */
249 }
250
251 /* check the key type - will fail if there are options */
252 TRACE(("a line!"))
253
254 if (strncmp(buf_getptr(line, algolen), algo, algolen) != 0) {
255 int is_comment = 0;
256 char *options_start = NULL;
257 int options_len = 0;
258 int escape, quoted;
259
260 /* skip over any comments or leading whitespace */
261 while (line->pos < line->len) {
262 const char c = buf_getbyte(line);
263 if (c == ' ' || c == '\t') {
264 continue;
265 } else if (c == '#') {
266 is_comment = 1;
267 break;
268 }
269 buf_incrpos(line, -1);
270 break;
271 }
272 if (is_comment) {
273 /* next line */
274 continue;
275 }
276
277 /* remember start of options */
278 options_start = buf_getptr(line, 1);
279 quoted = 0;
280 escape = 0;
281 options_len = 0;
282
283 /* figure out where the options are */
284 while (line->pos < line->len) {
285 const char c = buf_getbyte(line);
286 if (!quoted && (c == ' ' || c == '\t')) {
287 break;
288 }
289 escape = (!escape && c == '\\');
290 if (!escape && c == '"') {
291 quoted = !quoted;
292 }
293 options_len++;
294 }
295 options_buf = buf_new(options_len);
296 buf_putbytes(options_buf, options_start, options_len);
297
298 /* compare the algorithm */
299 if (line->pos + algolen > line->len) {
300 continue;
301 }
302 if (strncmp(buf_getptr(line, algolen), algo, algolen) != 0) {
303 continue;
304 }
305 }
306 buf_incrpos(line, algolen);
307
308 /* check for space (' ') character */
309 if (buf_getbyte(line) != ' ') {
310 TRACE(("checkpubkey: space character expected, isn't there"))
311 continue;
312 }
313
314 /* truncate the line at the space after the base64 data */
315 pos = line->pos;
316 for (len = 0; line->pos < line->len; len++) {
317 if (buf_getbyte(line) == ' ') break;
318 }
319 buf_setpos(line, pos);
320 buf_setlen(line, line->pos + len);
321
322 TRACE(("checkpubkey: line pos = %d len = %d", line->pos, line->len))
323
324 ret = cmp_base64_key(keyblob, keybloblen, algo, algolen, line, NULL);
325
326 if (ret == DROPBEAR_SUCCESS && options_buf) {
327 ret = svr_add_pubkey_options(options_buf, line_num, filename);
328 }
329
330 if (ret == DROPBEAR_SUCCESS) {
331 break;
332 }
333
334 /* We continue to the next line otherwise */
335
336 } while (1);
337
338 out:
339 if (authfile) {
340 fclose(authfile);
341 }
342 if (line) {
343 buf_free(line);
344 }
345 m_free(filename);
346 if (options_buf) {
347 buf_free(options_buf);
348 }
349 TRACE(("leave checkpubkey: ret=%d", ret))
350 return ret;
351 }
352
353
354 /* Returns DROPBEAR_SUCCESS if file permissions for pubkeys are ok,
355 * DROPBEAR_FAILURE otherwise.
356 * Checks that the user's homedir, ~/.ssh, and
357 * ~/.ssh/authorized_keys are all owned by either root or the user, and are
358 * g-w, o-w */
359 static int checkpubkeyperms() {
360
361 char* filename = NULL;
362 int ret = DROPBEAR_FAILURE;
363 unsigned int len;
364
365 TRACE(("enter checkpubkeyperms"))
366
367 if (ses.authstate.pw_dir == NULL) {
368 goto out;
369 }
370
371 if ((len = strlen(ses.authstate.pw_dir)) == 0) {
372 goto out;
373 }
374
375 /* allocate max required pathname storage,
376 * = path + "/.ssh/authorized_keys" + '\0' = pathlen + 22 */
377 filename = m_malloc(len + 22);
378 strncpy(filename, ses.authstate.pw_dir, len+1);
379
380 /* check ~ */
381 if (checkfileperm(filename) != DROPBEAR_SUCCESS) {
382 goto out;
383 }
384
385 /* check ~/.ssh */
386 strncat(filename, "/.ssh", 5); /* strlen("/.ssh") == 5 */
387 if (checkfileperm(filename) != DROPBEAR_SUCCESS) {
388 goto out;
389 }
390
391 /* now check ~/.ssh/authorized_keys */
392 strncat(filename, "/authorized_keys", 16);
393 if (checkfileperm(filename) != DROPBEAR_SUCCESS) {
394 goto out;
395 }
396
397 /* file looks ok, return success */
398 ret = DROPBEAR_SUCCESS;
399
400 out:
401 m_free(filename);
402
403 TRACE(("leave checkpubkeyperms"))
404 return ret;
405 }
406
407 /* Checks that a file is owned by the user or root, and isn't writable by
408 * group or other */
409 /* returns DROPBEAR_SUCCESS or DROPBEAR_FAILURE */
410 static int checkfileperm(char * filename) {
411 struct stat filestat;
412 int badperm = 0;
413
414 TRACE(("enter checkfileperm(%s)", filename))
415
416 if (stat(filename, &filestat) != 0) {
417 TRACE(("leave checkfileperm: stat() != 0"))
418 return DROPBEAR_FAILURE;
419 }
420 /* check ownership - user or root only*/
421 if (filestat.st_uid != ses.authstate.pw_uid
422 && filestat.st_uid != 0) {
423 badperm = 1;
424 TRACE(("wrong ownership"))
425 }
426 /* check permissions - don't want group or others +w */
427 if (filestat.st_mode & (S_IWGRP | S_IWOTH)) {
428 badperm = 1;
429 TRACE(("wrong perms"))
430 }
431 if (badperm) {
432 if (!ses.authstate.perm_warn) {
433 ses.authstate.perm_warn = 1;
434 dropbear_log(LOG_INFO, "%s must be owned by user or root, and not writable by others", filename);
435 }
436 TRACE(("leave checkfileperm: failure perms/owner"))
437 return DROPBEAR_FAILURE;
438 }
439
440 TRACE(("leave checkfileperm: success"))
441 return DROPBEAR_SUCCESS;
442 }
443
444 #endif
Tomato firmware and modifications.