Diffstat (limited to 'ssh-keysign.c')
-rw-r--r-- | ssh-keysign.c | 37 |
1 files changed, 32 insertions, 5 deletions
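--- a/ssh-keysign.c
+++ b/ssh-keysign.c
@@ -22,12 +22,15 @@
 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 */
 #include "includes.h"
-RCSID("$OpenBSD: ssh-keysign.c,v 1.4 2002/06/19 00:27:55 deraadt Exp $");
+RCSID("$OpenBSD: ssh-keysign.c,v 1.7 2002/07/03 14:21:05 markus Exp $");
 
 #include <openssl/evp.h>
+#include <openssl/rand.h>
+#include <openssl/rsa.h>
 
 #include "log.h"
 #include "key.h"
+#include "ssh.h"
 #include "ssh2.h"
 #include "misc.h"
 #include "xmalloc.h"
@@ -37,6 +40,9 @@ RCSID("$OpenBSD: ssh-keysign.c,v 1.4 2002/06/19 00:27:55 deraadt Exp $");
 #include "msg.h"
 #include "canohost.h"
 #include "pathnames.h"
+#include "readconf.h"
+
+uid_t original_real_uid; /* XXX readconf.c needs this */
 
 #ifdef HAVE___PROGNAME
 extern char *__progname;
@@ -134,12 +140,14 @@ int
 main(int argc, char **argv)
 {
 Buffer b;
+Options options;
 Key *keys[2], *key;
 struct passwd *pw;
 int key_fd[2], i, found, version = 2, fd;
 u_char *signature, *data;
 char *host;
 u_int slen, dlen;
+u_int32_t rnd[256];
 
 key_fd[0] = open(_PATH_HOST_RSA_KEY_FILE, O_RDONLY);
 key_fd[1] = open(_PATH_HOST_DSA_KEY_FILE, O_RDONLY);
@@ -155,6 +163,15 @@ main(int argc, char **argv)
 log_init("ssh-keysign", SYSLOG_LEVEL_DEBUG3, SYSLOG_FACILITY_AUTH, 0);
 #endif
 
+/* verify that ssh-keysign is enabled by the admin */
+original_real_uid = getuid(); /* XXX readconf.c needs this */
+initialize_options(&options);
+(void)read_config_file(_PATH_HOST_CONFIG_FILE, "", &options);
+fill_default_options(&options);
+if (options.hostbased_authentication != 1)
+fatal("Hostbased authentication not enabled in %s",
+_PATH_HOST_CONFIG_FILE);
+
 if (key_fd[0] == -1 && key_fd[1] == -1)
 fatal("could not open any host key");
 
@@ -163,6 +180,9 @@ main(int argc, char **argv)
 pw = pwcopy(pw);
 
 SSLeay_add_all_algorithms();
+for (i = 0; i < 256; i++)
+rnd[i] = arc4random();
+RAND_seed(rnd, sizeof(rnd));
 
 found = 0;
 for (i = 0; i < 2; i++) {
@@ -172,6 +192,13 @@ main(int argc, char **argv)
 keys[i] = key_load_private_pem(key_fd[i], KEY_UNSPEC,
 NULL, NULL);
 close(key_fd[i]);
+if (keys[i] != NULL && keys[i]->type == KEY_RSA) {
+if (RSA_blinding_on(keys[i]->rsa, NULL) != 1) {
+error("RSA_blinding_on failed");
+key_free(keys[i]);
+keys[i] = NULL;
+}
+}
 if (keys[i] != NULL)
 found = 1;
 }
@@ -179,8 +206,8 @@ main(int argc, char **argv)
 fatal("no hostkey found");
 
 buffer_init(&b);
-if (msg_recv(STDIN_FILENO, &b) < 0)
-fatal("msg_recv failed");
+if (ssh_msg_recv(STDIN_FILENO, &b) < 0)
+fatal("ssh_msg_recv failed");
 if (buffer_get_char(&b) != version)
 fatal("bad version");
 fd = buffer_get_int(&b);
@@ -192,7 +219,6 @@ main(int argc, char **argv)
 data = buffer_get_string(&b, &dlen);
 if (valid_request(pw, host, &key, data, dlen) < 0)
 fatal("not a valid request");
-xfree(data);
 xfree(host);
 
 found = 0;
@@ -208,11 +234,12 @@ main(int argc, char **argv)
 
 if (key_sign(keys[i], &signature, &slen, data, dlen) != 0)
 fatal("key_sign failed");
+xfree(data);
 
 /* send reply */
 buffer_clear(&b);
 buffer_put_string(&b, signature, slen);
-msg_send(STDOUT_FILENO, version, &b);
+ssh_msg_send(STDOUT_FILENO, version, &b);
 
 return (0);
 }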
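Review bot: The result of `read_config_file(_PATH_HOST_CONFIG_FILE, "", &options)` at new line 169 is discarded, so the admin gate on the next lines only fails closed if `fill_default_options` (defined outside this file) leaves `hostbased_authentication` unset to 0 when the config is missing or unreadable; that dependency deserves a comment such as `/* an unreadable config leaves hostbased_authentication at its default (off), so the check below fails closed */`, and it would be worth confirming the default against readconf.c. The same hunk reads the config with an empty host name, which presumably means only the global section of the file is consulted, not `Host` blocks; a one-line comment stating that would save the next reader a trip to readconf.c. In the hunk at new lines 183-185 the 1 KiB `rnd` buffer used to seed the PRNG that later produces the signatures is left on the stack after `RAND_seed()`; adding `memset(rnd, 0, sizeof(rnd));` after the call is a cheap hygiene step. The body of main continues outside the last hunk.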