Mercurial > dropbear
annotate svr-authpubkey.c @ 1861:2b3a8026a6ce
Add re-exec for server
This allows ASLR to re-randomize the address
space for every connection, preventing some
vulnerabilities from being exploitable by
repeated probing.
Overhead (memory and time) is yet to be confirmed.
At present this is only enabled on Linux. Other BSD platforms
with fexecve() would probably also work though have not been tested.
author | Matt Johnston <matt@ucc.asn.au> |
---|---|
date | Sun, 30 Jan 2022 10:14:56 +0800 |
parents | 064f5be2fc45 |
children | d39cfedaf015 |
rev | line source |
---|---|
4
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
1 /* |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
2 * Dropbear - a SSH2 server |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
3 * |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
4 * Copyright (c) 2002,2003 Matt Johnston |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
5 * All rights reserved. |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
6 * |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
7 * Permission is hereby granted, free of charge, to any person obtaining a copy |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
8 * of this software and associated documentation files (the "Software"), to deal |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
9 * in the Software without restriction, including without limitation the rights |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
10 * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
11 * copies of the Software, and to permit persons to whom the Software is |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
12 * furnished to do so, subject to the following conditions: |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
13 * |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
14 * The above copyright notice and this permission notice shall be included in |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
15 * all copies or substantial portions of the Software. |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
16 * |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
17 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
18 * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
19 * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
20 * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
21 * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
22 * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
23 * SOFTWARE. */ |
475
52a644e7b8e1
* Patch from Frédéric Moulins adding options to authorized_keys.
Matt Johnston <matt@ucc.asn.au>
parents:
464
diff
changeset
|
24 /* |
52a644e7b8e1
* Patch from Frédéric Moulins adding options to authorized_keys.
Matt Johnston <matt@ucc.asn.au>
parents:
464
diff
changeset
|
25 * This file incorporates work covered by the following copyright and |
52a644e7b8e1
* Patch from Frédéric Moulins adding options to authorized_keys.
Matt Johnston <matt@ucc.asn.au>
parents:
464
diff
changeset
|
26 * permission notice: |
52a644e7b8e1
* Patch from Frédéric Moulins adding options to authorized_keys.
Matt Johnston <matt@ucc.asn.au>
parents:
464
diff
changeset
|
27 * |
52a644e7b8e1
* Patch from Frédéric Moulins adding options to authorized_keys.
Matt Johnston <matt@ucc.asn.au>
parents:
464
diff
changeset
|
28 * Copyright (c) 2000 Markus Friedl. All rights reserved. |
52a644e7b8e1
* Patch from Frédéric Moulins adding options to authorized_keys.
Matt Johnston <matt@ucc.asn.au>
parents:
464
diff
changeset
|
29 * |
52a644e7b8e1
* Patch from Frédéric Moulins adding options to authorized_keys.
Matt Johnston <matt@ucc.asn.au>
parents:
464
diff
changeset
|
30 * Redistribution and use in source and binary forms, with or without |
52a644e7b8e1
* Patch from Frédéric Moulins adding options to authorized_keys.
Matt Johnston <matt@ucc.asn.au>
parents:
464
diff
changeset
|
31 * modification, are permitted provided that the following conditions |
52a644e7b8e1
* Patch from Frédéric Moulins adding options to authorized_keys.
Matt Johnston <matt@ucc.asn.au>
parents:
464
diff
changeset
|
32 * are met: |
52a644e7b8e1
* Patch from Frédéric Moulins adding options to authorized_keys.
Matt Johnston <matt@ucc.asn.au>
parents:
464
diff
changeset
|
33 * 1. Redistributions of source code must retain the above copyright |
52a644e7b8e1
* Patch from Frédéric Moulins adding options to authorized_keys.
Matt Johnston <matt@ucc.asn.au>
parents:
464
diff
changeset
|
34 * notice, this list of conditions and the following disclaimer. |
52a644e7b8e1
* Patch from Frédéric Moulins adding options to authorized_keys.
Matt Johnston <matt@ucc.asn.au>
parents:
464
diff
changeset
|
35 * 2. Redistributions in binary form must reproduce the above copyright |
52a644e7b8e1
* Patch from Frédéric Moulins adding options to authorized_keys.
Matt Johnston <matt@ucc.asn.au>
parents:
464
diff
changeset
|
36 * notice, this list of conditions and the following disclaimer in the |
52a644e7b8e1
* Patch from Frédéric Moulins adding options to authorized_keys.
Matt Johnston <matt@ucc.asn.au>
parents:
464
diff
changeset
|
37 * documentation and/or other materials provided with the distribution. |
52a644e7b8e1
* Patch from Frédéric Moulins adding options to authorized_keys.
Matt Johnston <matt@ucc.asn.au>
parents:
464
diff
changeset
|
38 * |
52a644e7b8e1
* Patch from Frédéric Moulins adding options to authorized_keys.
Matt Johnston <matt@ucc.asn.au>
parents:
464
diff
changeset
|
39 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR |
52a644e7b8e1
* Patch from Frédéric Moulins adding options to authorized_keys.
Matt Johnston <matt@ucc.asn.au>
parents:
464
diff
changeset
|
40 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES |
52a644e7b8e1
* Patch from Frédéric Moulins adding options to authorized_keys.
Matt Johnston <matt@ucc.asn.au>
parents:
464
diff
changeset
|
41 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. |
52a644e7b8e1
* Patch from Frédéric Moulins adding options to authorized_keys.
Matt Johnston <matt@ucc.asn.au>
parents:
464
diff
changeset
|
42 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, |
52a644e7b8e1
* Patch from Frédéric Moulins adding options to authorized_keys.
Matt Johnston <matt@ucc.asn.au>
parents:
464
diff
changeset
|
43 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT |
52a644e7b8e1
* Patch from Frédéric Moulins adding options to authorized_keys.
Matt Johnston <matt@ucc.asn.au>
parents:
464
diff
changeset
|
44 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, |
52a644e7b8e1
* Patch from Frédéric Moulins adding options to authorized_keys.
Matt Johnston <matt@ucc.asn.au>
parents:
464
diff
changeset
|
45 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY |
52a644e7b8e1
* Patch from Frédéric Moulins adding options to authorized_keys.
Matt Johnston <matt@ucc.asn.au>
parents:
464
diff
changeset
|
46 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT |
52a644e7b8e1
* Patch from Frédéric Moulins adding options to authorized_keys.
Matt Johnston <matt@ucc.asn.au>
parents:
464
diff
changeset
|
47 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF |
52a644e7b8e1
* Patch from Frédéric Moulins adding options to authorized_keys.
Matt Johnston <matt@ucc.asn.au>
parents:
464
diff
changeset
|
48 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
52a644e7b8e1
* Patch from Frédéric Moulins adding options to authorized_keys.
Matt Johnston <matt@ucc.asn.au>
parents:
464
diff
changeset
|
49 * |
52a644e7b8e1
* Patch from Frédéric Moulins adding options to authorized_keys.
Matt Johnston <matt@ucc.asn.au>
parents:
464
diff
changeset
|
50 * This copyright and permission notice applies to the code parsing public keys |
52a644e7b8e1
* Patch from Frédéric Moulins adding options to authorized_keys.
Matt Johnston <matt@ucc.asn.au>
parents:
464
diff
changeset
|
51 * options string which can also be found in OpenSSH auth2-pubkey.c file |
52a644e7b8e1
* Patch from Frédéric Moulins adding options to authorized_keys.
Matt Johnston <matt@ucc.asn.au>
parents:
464
diff
changeset
|
52 * (user_key_allowed2). It has been adapted to work with buffers. |
52a644e7b8e1
* Patch from Frédéric Moulins adding options to authorized_keys.
Matt Johnston <matt@ucc.asn.au>
parents:
464
diff
changeset
|
53 * |
52a644e7b8e1
* Patch from Frédéric Moulins adding options to authorized_keys.
Matt Johnston <matt@ucc.asn.au>
parents:
464
diff
changeset
|
54 */ |
4
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
55 |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
56 /* Process a pubkey auth request */ |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
57 |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
58 #include "includes.h" |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
59 #include "session.h" |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
60 #include "dbutil.h" |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
61 #include "buffer.h" |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
62 #include "signkey.h" |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
63 #include "auth.h" |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
64 #include "ssh.h" |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
65 #include "packet.h" |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
66 #include "algo.h" |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
67 |
1295
750ec4ec4cbe
Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
1276
diff
changeset
|
68 #if DROPBEAR_SVR_PUBKEY_AUTH |
4
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
69 |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
70 #define MIN_AUTHKEYS_LINE 10 /* "ssh-rsa AB" - short but doesn't matter */ |
51
095d689fed16
- Hostkey checking is mostly there, just aren't appending yet.
Matt Johnston <matt@ucc.asn.au>
parents:
44
diff
changeset
|
71 #define MAX_AUTHKEYS_LINE 4200 /* max length of a line in authkeys */ |
4
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
72 |
1674
ba6fc7afe1c5
use sigtype where appropriate
Matt Johnston <matt@ucc.asn.au>
parents:
1654
diff
changeset
|
73 static int checkpubkey(const char* keyalgo, unsigned int keyalgolen, |
1459
06d52bcb8094
Pointer parameter could be declared as pointing to const
Francois Perrad <francois.perrad@gadz.org>
parents:
1376
diff
changeset
|
74 const unsigned char* keyblob, unsigned int keybloblen); |
1276
9169e4e7cbee
fix empty C prototypes
Francois Perrad <francois.perrad@gadz.org>
parents:
1122
diff
changeset
|
75 static int checkpubkeyperms(void); |
1674
ba6fc7afe1c5
use sigtype where appropriate
Matt Johnston <matt@ucc.asn.au>
parents:
1654
diff
changeset
|
76 static void send_msg_userauth_pk_ok(const char* sigalgo, unsigned int sigalgolen, |
1459
06d52bcb8094
Pointer parameter could be declared as pointing to const
Francois Perrad <francois.perrad@gadz.org>
parents:
1376
diff
changeset
|
77 const unsigned char* keyblob, unsigned int keybloblen); |
4
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
78 static int checkfileperm(char * filename); |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
79 |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
80 /* process a pubkey auth request, sending success or failure message as |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
81 * appropriate */ |
1616
5d2d1021ca00
Wait to fail invalid usernames
Matt Johnston <matt@ucc.asn.au>
parents:
1500
diff
changeset
|
82 void svr_auth_pubkey(int valid_user) { |
4
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
83 |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
84 unsigned char testkey; /* whether we're just checking if a key is usable */ |
1674
ba6fc7afe1c5
use sigtype where appropriate
Matt Johnston <matt@ucc.asn.au>
parents:
1654
diff
changeset
|
85 char* sigalgo = NULL; |
ba6fc7afe1c5
use sigtype where appropriate
Matt Johnston <matt@ucc.asn.au>
parents:
1654
diff
changeset
|
86 unsigned int sigalgolen; |
ba6fc7afe1c5
use sigtype where appropriate
Matt Johnston <matt@ucc.asn.au>
parents:
1654
diff
changeset
|
87 const char* keyalgo; |
ba6fc7afe1c5
use sigtype where appropriate
Matt Johnston <matt@ucc.asn.au>
parents:
1654
diff
changeset
|
88 unsigned int keyalgolen; |
70
b0316ce64e4b
Merging in the changes from 0.41-0.43 main Dropbear tree
Matt Johnston <matt@ucc.asn.au>
parents:
68
diff
changeset
|
89 unsigned char* keyblob = NULL; |
4
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
90 unsigned int keybloblen; |
1059
703c7cdd2577
Fix pubkey auth after change to reuse ses.readbuf as ses.payload
Matt Johnston <matt@ucc.asn.au>
parents:
853
diff
changeset
|
91 unsigned int sign_payload_length; |
4
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
92 buffer * signbuf = NULL; |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
93 sign_key * key = NULL; |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
94 char* fp = NULL; |
1675
ae41624c2198
split signkey_type and signature_type for RSA sha1 vs sha256
Matt Johnston <matt@ucc.asn.au>
parents:
1674
diff
changeset
|
95 enum signature_type sigtype; |
ae41624c2198
split signkey_type and signature_type for RSA sha1 vs sha256
Matt Johnston <matt@ucc.asn.au>
parents:
1674
diff
changeset
|
96 enum signkey_type keytype; |
1674
ba6fc7afe1c5
use sigtype where appropriate
Matt Johnston <matt@ucc.asn.au>
parents:
1654
diff
changeset
|
97 int auth_failure = 1; |
4
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
98 |
165
0cfba3034be5
Fixed DEBUG_TRACE macro so that we don't get semicolons left about the place
Matt Johnston <matt@ucc.asn.au>
parents:
158
diff
changeset
|
99 TRACE(("enter pubkeyauth")) |
4
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
100 |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
101 /* 0 indicates user just wants to check if key can be used, 1 is an |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
102 * actual attempt*/ |
179
161557a9dde8
* fix longstanding bug with connections being closed on failure to
Matt Johnston <matt@ucc.asn.au>
parents:
165
diff
changeset
|
103 testkey = (buf_getbool(ses.payload) == 0); |
4
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
104 |
1674
ba6fc7afe1c5
use sigtype where appropriate
Matt Johnston <matt@ucc.asn.au>
parents:
1654
diff
changeset
|
105 sigalgo = buf_getstring(ses.payload, &sigalgolen); |
4
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
106 keybloblen = buf_getint(ses.payload); |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
107 keyblob = buf_getptr(ses.payload, keybloblen); |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
108 |
1616
5d2d1021ca00
Wait to fail invalid usernames
Matt Johnston <matt@ucc.asn.au>
parents:
1500
diff
changeset
|
109 if (!valid_user) { |
5d2d1021ca00
Wait to fail invalid usernames
Matt Johnston <matt@ucc.asn.au>
parents:
1500
diff
changeset
|
110 /* Return failure once we have read the contents of the packet |
5d2d1021ca00
Wait to fail invalid usernames
Matt Johnston <matt@ucc.asn.au>
parents:
1500
diff
changeset
|
111 required to validate a public key. |
5d2d1021ca00
Wait to fail invalid usernames
Matt Johnston <matt@ucc.asn.au>
parents:
1500
diff
changeset
|
112 Avoids blind user enumeration though it isn't possible to prevent |
5d2d1021ca00
Wait to fail invalid usernames
Matt Johnston <matt@ucc.asn.au>
parents:
1500
diff
changeset
|
113 testing for user existence if the public key is known */ |
5d2d1021ca00
Wait to fail invalid usernames
Matt Johnston <matt@ucc.asn.au>
parents:
1500
diff
changeset
|
114 send_msg_userauth_failure(0, 0); |
5d2d1021ca00
Wait to fail invalid usernames
Matt Johnston <matt@ucc.asn.au>
parents:
1500
diff
changeset
|
115 goto out; |
5d2d1021ca00
Wait to fail invalid usernames
Matt Johnston <matt@ucc.asn.au>
parents:
1500
diff
changeset
|
116 } |
1675
ae41624c2198
split signkey_type and signature_type for RSA sha1 vs sha256
Matt Johnston <matt@ucc.asn.au>
parents:
1674
diff
changeset
|
117 |
ae41624c2198
split signkey_type and signature_type for RSA sha1 vs sha256
Matt Johnston <matt@ucc.asn.au>
parents:
1674
diff
changeset
|
118 sigtype = signature_type_from_name(sigalgo, sigalgolen); |
ae41624c2198
split signkey_type and signature_type for RSA sha1 vs sha256
Matt Johnston <matt@ucc.asn.au>
parents:
1674
diff
changeset
|
119 if (sigtype == DROPBEAR_SIGNATURE_NONE) { |
ae41624c2198
split signkey_type and signature_type for RSA sha1 vs sha256
Matt Johnston <matt@ucc.asn.au>
parents:
1674
diff
changeset
|
120 send_msg_userauth_failure(0, 0); |
ae41624c2198
split signkey_type and signature_type for RSA sha1 vs sha256
Matt Johnston <matt@ucc.asn.au>
parents:
1674
diff
changeset
|
121 goto out; |
ae41624c2198
split signkey_type and signature_type for RSA sha1 vs sha256
Matt Johnston <matt@ucc.asn.au>
parents:
1674
diff
changeset
|
122 } |
ae41624c2198
split signkey_type and signature_type for RSA sha1 vs sha256
Matt Johnston <matt@ucc.asn.au>
parents:
1674
diff
changeset
|
123 |
ae41624c2198
split signkey_type and signature_type for RSA sha1 vs sha256
Matt Johnston <matt@ucc.asn.au>
parents:
1674
diff
changeset
|
124 keytype = signkey_type_from_signature(sigtype); |
ae41624c2198
split signkey_type and signature_type for RSA sha1 vs sha256
Matt Johnston <matt@ucc.asn.au>
parents:
1674
diff
changeset
|
125 keyalgo = signkey_name_from_type(keytype, &keyalgolen); |
ae41624c2198
split signkey_type and signature_type for RSA sha1 vs sha256
Matt Johnston <matt@ucc.asn.au>
parents:
1674
diff
changeset
|
126 |
1654 | 127 #if DROPBEAR_PLUGIN |
128 if (svr_ses.plugin_instance != NULL) { | |
1653
76189c9ffea2
External Public-Key Authentication API (#72)
fabriziobertocci <fabriziobertocci@gmail.com>
parents:
1633
diff
changeset
|
129 char *options_buf; |
1654 | 130 if (svr_ses.plugin_instance->checkpubkey( |
131 svr_ses.plugin_instance, | |
132 &ses.plugin_session, | |
1674
ba6fc7afe1c5
use sigtype where appropriate
Matt Johnston <matt@ucc.asn.au>
parents:
1654
diff
changeset
|
133 keyalgo, |
ba6fc7afe1c5
use sigtype where appropriate
Matt Johnston <matt@ucc.asn.au>
parents:
1654
diff
changeset
|
134 keyalgolen, |
1653
76189c9ffea2
External Public-Key Authentication API (#72)
fabriziobertocci <fabriziobertocci@gmail.com>
parents:
1633
diff
changeset
|
135 keyblob, |
76189c9ffea2
External Public-Key Authentication API (#72)
fabriziobertocci <fabriziobertocci@gmail.com>
parents:
1633
diff
changeset
|
136 keybloblen, |
76189c9ffea2
External Public-Key Authentication API (#72)
fabriziobertocci <fabriziobertocci@gmail.com>
parents:
1633
diff
changeset
|
137 ses.authstate.username) == DROPBEAR_SUCCESS) { |
76189c9ffea2
External Public-Key Authentication API (#72)
fabriziobertocci <fabriziobertocci@gmail.com>
parents:
1633
diff
changeset
|
138 /* Success */ |
76189c9ffea2
External Public-Key Authentication API (#72)
fabriziobertocci <fabriziobertocci@gmail.com>
parents:
1633
diff
changeset
|
139 auth_failure = 0; |
1616
5d2d1021ca00
Wait to fail invalid usernames
Matt Johnston <matt@ucc.asn.au>
parents:
1500
diff
changeset
|
140 |
1653
76189c9ffea2
External Public-Key Authentication API (#72)
fabriziobertocci <fabriziobertocci@gmail.com>
parents:
1633
diff
changeset
|
141 /* Options provided? */ |
1654 | 142 options_buf = ses.plugin_session->get_options(ses.plugin_session); |
1653
76189c9ffea2
External Public-Key Authentication API (#72)
fabriziobertocci <fabriziobertocci@gmail.com>
parents:
1633
diff
changeset
|
143 if (options_buf) { |
76189c9ffea2
External Public-Key Authentication API (#72)
fabriziobertocci <fabriziobertocci@gmail.com>
parents:
1633
diff
changeset
|
144 struct buf temp_buf = { |
76189c9ffea2
External Public-Key Authentication API (#72)
fabriziobertocci <fabriziobertocci@gmail.com>
parents:
1633
diff
changeset
|
145 .data = (unsigned char *)options_buf, |
76189c9ffea2
External Public-Key Authentication API (#72)
fabriziobertocci <fabriziobertocci@gmail.com>
parents:
1633
diff
changeset
|
146 .len = strlen(options_buf), |
76189c9ffea2
External Public-Key Authentication API (#72)
fabriziobertocci <fabriziobertocci@gmail.com>
parents:
1633
diff
changeset
|
147 .pos = 0, |
76189c9ffea2
External Public-Key Authentication API (#72)
fabriziobertocci <fabriziobertocci@gmail.com>
parents:
1633
diff
changeset
|
148 .size = 0 |
76189c9ffea2
External Public-Key Authentication API (#72)
fabriziobertocci <fabriziobertocci@gmail.com>
parents:
1633
diff
changeset
|
149 }; |
76189c9ffea2
External Public-Key Authentication API (#72)
fabriziobertocci <fabriziobertocci@gmail.com>
parents:
1633
diff
changeset
|
150 int ret = svr_add_pubkey_options(&temp_buf, 0, "N/A"); |
76189c9ffea2
External Public-Key Authentication API (#72)
fabriziobertocci <fabriziobertocci@gmail.com>
parents:
1633
diff
changeset
|
151 if (ret == DROPBEAR_FAILURE) { |
76189c9ffea2
External Public-Key Authentication API (#72)
fabriziobertocci <fabriziobertocci@gmail.com>
parents:
1633
diff
changeset
|
152 /* Fail immediately as the plugin provided wrong options */ |
76189c9ffea2
External Public-Key Authentication API (#72)
fabriziobertocci <fabriziobertocci@gmail.com>
parents:
1633
diff
changeset
|
153 send_msg_userauth_failure(0, 0); |
76189c9ffea2
External Public-Key Authentication API (#72)
fabriziobertocci <fabriziobertocci@gmail.com>
parents:
1633
diff
changeset
|
154 goto out; |
76189c9ffea2
External Public-Key Authentication API (#72)
fabriziobertocci <fabriziobertocci@gmail.com>
parents:
1633
diff
changeset
|
155 } |
76189c9ffea2
External Public-Key Authentication API (#72)
fabriziobertocci <fabriziobertocci@gmail.com>
parents:
1633
diff
changeset
|
156 } |
76189c9ffea2
External Public-Key Authentication API (#72)
fabriziobertocci <fabriziobertocci@gmail.com>
parents:
1633
diff
changeset
|
157 } |
76189c9ffea2
External Public-Key Authentication API (#72)
fabriziobertocci <fabriziobertocci@gmail.com>
parents:
1633
diff
changeset
|
158 } |
76189c9ffea2
External Public-Key Authentication API (#72)
fabriziobertocci <fabriziobertocci@gmail.com>
parents:
1633
diff
changeset
|
159 #endif |
4
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
160 /* check if the key is valid */ |
1653
76189c9ffea2
External Public-Key Authentication API (#72)
fabriziobertocci <fabriziobertocci@gmail.com>
parents:
1633
diff
changeset
|
161 if (auth_failure) { |
1674
ba6fc7afe1c5
use sigtype where appropriate
Matt Johnston <matt@ucc.asn.au>
parents:
1654
diff
changeset
|
162 auth_failure = checkpubkey(keyalgo, keyalgolen, keyblob, keybloblen) == DROPBEAR_FAILURE; |
1653
76189c9ffea2
External Public-Key Authentication API (#72)
fabriziobertocci <fabriziobertocci@gmail.com>
parents:
1633
diff
changeset
|
163 } |
76189c9ffea2
External Public-Key Authentication API (#72)
fabriziobertocci <fabriziobertocci@gmail.com>
parents:
1633
diff
changeset
|
164 |
76189c9ffea2
External Public-Key Authentication API (#72)
fabriziobertocci <fabriziobertocci@gmail.com>
parents:
1633
diff
changeset
|
165 if (auth_failure) { |
4
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
166 send_msg_userauth_failure(0, 0); |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
167 goto out; |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
168 } |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
169 |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
170 /* let them know that the key is ok to use */ |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
171 if (testkey) { |
1674
ba6fc7afe1c5
use sigtype where appropriate
Matt Johnston <matt@ucc.asn.au>
parents:
1654
diff
changeset
|
172 send_msg_userauth_pk_ok(sigalgo, sigalgolen, keyblob, keybloblen); |
4
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
173 goto out; |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
174 } |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
175 |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
176 /* now we can actually verify the signature */ |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
177 |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
178 /* get the key */ |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
179 key = new_sign_key(); |
1674
ba6fc7afe1c5
use sigtype where appropriate
Matt Johnston <matt@ucc.asn.au>
parents:
1654
diff
changeset
|
180 if (buf_get_pub_key(ses.payload, key, &keytype) == DROPBEAR_FAILURE) { |
4
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
181 send_msg_userauth_failure(0, 1); |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
182 goto out; |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
183 } |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
184 |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
185 /* create the data which has been signed - this a string containing |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
186 * session_id, concatenated with the payload packet up to the signature */ |
1059
703c7cdd2577
Fix pubkey auth after change to reuse ses.readbuf as ses.payload
Matt Johnston <matt@ucc.asn.au>
parents:
853
diff
changeset
|
187 assert(ses.payload_beginning <= ses.payload->pos); |
703c7cdd2577
Fix pubkey auth after change to reuse ses.readbuf as ses.payload
Matt Johnston <matt@ucc.asn.au>
parents:
853
diff
changeset
|
188 sign_payload_length = ses.payload->pos - ses.payload_beginning; |
762
a78a38e402d1
- Fix various hardcoded uses of SHA1
Matt Johnston <matt@ucc.asn.au>
parents:
761
diff
changeset
|
189 signbuf = buf_new(ses.payload->pos + 4 + ses.session_id->len); |
761
ac2158e3e403
ecc kind of works, needs fixing/testing
Matt Johnston <matt@ucc.asn.au>
parents:
594
diff
changeset
|
190 buf_putbufstring(signbuf, ses.session_id); |
1059
703c7cdd2577
Fix pubkey auth after change to reuse ses.readbuf as ses.payload
Matt Johnston <matt@ucc.asn.au>
parents:
853
diff
changeset
|
191 |
703c7cdd2577
Fix pubkey auth after change to reuse ses.readbuf as ses.payload
Matt Johnston <matt@ucc.asn.au>
parents:
853
diff
changeset
|
192 /* The entire contents of the payload prior. */ |
703c7cdd2577
Fix pubkey auth after change to reuse ses.readbuf as ses.payload
Matt Johnston <matt@ucc.asn.au>
parents:
853
diff
changeset
|
193 buf_setpos(ses.payload, ses.payload_beginning); |
703c7cdd2577
Fix pubkey auth after change to reuse ses.readbuf as ses.payload
Matt Johnston <matt@ucc.asn.au>
parents:
853
diff
changeset
|
194 buf_putbytes(signbuf, |
703c7cdd2577
Fix pubkey auth after change to reuse ses.readbuf as ses.payload
Matt Johnston <matt@ucc.asn.au>
parents:
853
diff
changeset
|
195 buf_getptr(ses.payload, sign_payload_length), |
703c7cdd2577
Fix pubkey auth after change to reuse ses.readbuf as ses.payload
Matt Johnston <matt@ucc.asn.au>
parents:
853
diff
changeset
|
196 sign_payload_length); |
703c7cdd2577
Fix pubkey auth after change to reuse ses.readbuf as ses.payload
Matt Johnston <matt@ucc.asn.au>
parents:
853
diff
changeset
|
197 buf_incrpos(ses.payload, sign_payload_length); |
703c7cdd2577
Fix pubkey auth after change to reuse ses.readbuf as ses.payload
Matt Johnston <matt@ucc.asn.au>
parents:
853
diff
changeset
|
198 |
44 | 199 buf_setpos(signbuf, 0); |
4
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
200 |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
201 /* ... and finally verify the signature */ |
51
095d689fed16
- Hostkey checking is mostly there, just aren't appending yet.
Matt Johnston <matt@ucc.asn.au>
parents:
44
diff
changeset
|
202 fp = sign_key_fingerprint(keyblob, keybloblen); |
1674
ba6fc7afe1c5
use sigtype where appropriate
Matt Johnston <matt@ucc.asn.au>
parents:
1654
diff
changeset
|
203 if (buf_verify(ses.payload, key, sigtype, signbuf) == DROPBEAR_SUCCESS) { |
4
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
204 dropbear_log(LOG_NOTICE, |
594
a98a2138364a
Improve capitalisation for all logged strings
Matt Johnston <matt@ucc.asn.au>
parents:
476
diff
changeset
|
205 "Pubkey auth succeeded for '%s' with key %s from %s", |
464
4317be8b7cf9
Make a copy of passwd fields since getpwnam()'s retval isn't safe to keep
Matt Johnston <matt@ucc.asn.au>
parents:
436
diff
changeset
|
206 ses.authstate.pw_name, fp, svr_ses.addrstring); |
4
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
207 send_msg_userauth_success(); |
1654 | 208 #if DROPBEAR_PLUGIN |
209 if ((ses.plugin_session != NULL) && (svr_ses.plugin_instance->auth_success != NULL)) { | |
1653
76189c9ffea2
External Public-Key Authentication API (#72)
fabriziobertocci <fabriziobertocci@gmail.com>
parents:
1633
diff
changeset
|
210 /* Was authenticated through the external plugin. tell plugin that signature verification was ok */ |
1654 | 211 svr_ses.plugin_instance->auth_success(ses.plugin_session); |
1653
76189c9ffea2
External Public-Key Authentication API (#72)
fabriziobertocci <fabriziobertocci@gmail.com>
parents:
1633
diff
changeset
|
212 } |
76189c9ffea2
External Public-Key Authentication API (#72)
fabriziobertocci <fabriziobertocci@gmail.com>
parents:
1633
diff
changeset
|
213 #endif |
76189c9ffea2
External Public-Key Authentication API (#72)
fabriziobertocci <fabriziobertocci@gmail.com>
parents:
1633
diff
changeset
|
214 |
4
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
215 } else { |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
216 dropbear_log(LOG_WARNING, |
594
a98a2138364a
Improve capitalisation for all logged strings
Matt Johnston <matt@ucc.asn.au>
parents:
476
diff
changeset
|
217 "Pubkey auth bad signature for '%s' with key %s from %s", |
464
4317be8b7cf9
Make a copy of passwd fields since getpwnam()'s retval isn't safe to keep
Matt Johnston <matt@ucc.asn.au>
parents:
436
diff
changeset
|
218 ses.authstate.pw_name, fp, svr_ses.addrstring); |
4
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
219 send_msg_userauth_failure(0, 1); |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
220 } |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
221 m_free(fp); |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
222 |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
223 out: |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
224 /* cleanup stuff */ |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
225 if (signbuf) { |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
226 buf_free(signbuf); |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
227 } |
1674
ba6fc7afe1c5
use sigtype where appropriate
Matt Johnston <matt@ucc.asn.au>
parents:
1654
diff
changeset
|
228 if (sigalgo) { |
ba6fc7afe1c5
use sigtype where appropriate
Matt Johnston <matt@ucc.asn.au>
parents:
1654
diff
changeset
|
229 m_free(sigalgo); |
4
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
230 } |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
231 if (key) { |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
232 sign_key_free(key); |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
233 key = NULL; |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
234 } |
1598
252b406d0e9a
avoid leak of pubkey_options
Matt Johnston <matt@ucc.asn.au>
parents:
1558
diff
changeset
|
235 /* Retain pubkey options only if auth succeeded */ |
252b406d0e9a
avoid leak of pubkey_options
Matt Johnston <matt@ucc.asn.au>
parents:
1558
diff
changeset
|
236 if (!ses.authstate.authdone) { |
252b406d0e9a
avoid leak of pubkey_options
Matt Johnston <matt@ucc.asn.au>
parents:
1558
diff
changeset
|
237 svr_pubkey_options_cleanup(); |
252b406d0e9a
avoid leak of pubkey_options
Matt Johnston <matt@ucc.asn.au>
parents:
1558
diff
changeset
|
238 } |
165
0cfba3034be5
Fixed DEBUG_TRACE macro so that we don't get semicolons left about the place
Matt Johnston <matt@ucc.asn.au>
parents:
158
diff
changeset
|
239 TRACE(("leave pubkeyauth")) |
4
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
240 } |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
241 |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
242 /* Reply that the key is valid for auth, this is sent when the user sends |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
243 * a straight copy of their pubkey to test, to avoid having to perform |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
244 * expensive signing operations with a worthless key */ |
1674
ba6fc7afe1c5
use sigtype where appropriate
Matt Johnston <matt@ucc.asn.au>
parents:
1654
diff
changeset
|
245 static void send_msg_userauth_pk_ok(const char* sigalgo, unsigned int sigalgolen, |
1459
06d52bcb8094
Pointer parameter could be declared as pointing to const
Francois Perrad <francois.perrad@gadz.org>
parents:
1376
diff
changeset
|
246 const unsigned char* keyblob, unsigned int keybloblen) { |
4
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
247 |
165
0cfba3034be5
Fixed DEBUG_TRACE macro so that we don't get semicolons left about the place
Matt Johnston <matt@ucc.asn.au>
parents:
158
diff
changeset
|
248 TRACE(("enter send_msg_userauth_pk_ok")) |
4
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
249 CHECKCLEARTOWRITE(); |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
250 |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
251 buf_putbyte(ses.writepayload, SSH_MSG_USERAUTH_PK_OK); |
1674
ba6fc7afe1c5
use sigtype where appropriate
Matt Johnston <matt@ucc.asn.au>
parents:
1654
diff
changeset
|
252 buf_putstring(ses.writepayload, sigalgo, sigalgolen); |
1122
aaf576b27a10
Merge pull request #13 from gazoo74/fix-warnings
Matt Johnston <matt@ucc.asn.au>
parents:
1110
diff
changeset
|
253 buf_putstring(ses.writepayload, (const char*)keyblob, keybloblen); |
4
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
254 |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
255 encrypt_packet(); |
165
0cfba3034be5
Fixed DEBUG_TRACE macro so that we don't get semicolons left about the place
Matt Johnston <matt@ucc.asn.au>
parents:
158
diff
changeset
|
256 TRACE(("leave send_msg_userauth_pk_ok")) |
4
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
257 |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
258 } |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
259 |
1459
06d52bcb8094
Pointer parameter could be declared as pointing to const
Francois Perrad <francois.perrad@gadz.org>
parents:
1376
diff
changeset
|
260 static int checkpubkey_line(buffer* line, int line_num, const char* filename, |
1368
10df23099071
split out checkpubkey_line() separately
Matt Johnston <matt@ucc.asn.au>
parents:
1342
diff
changeset
|
261 const char* algo, unsigned int algolen, |
10df23099071
split out checkpubkey_line() separately
Matt Johnston <matt@ucc.asn.au>
parents:
1342
diff
changeset
|
262 const unsigned char* keyblob, unsigned int keybloblen) { |
10df23099071
split out checkpubkey_line() separately
Matt Johnston <matt@ucc.asn.au>
parents:
1342
diff
changeset
|
263 buffer *options_buf = NULL; |
10df23099071
split out checkpubkey_line() separately
Matt Johnston <matt@ucc.asn.au>
parents:
1342
diff
changeset
|
264 unsigned int pos, len; |
10df23099071
split out checkpubkey_line() separately
Matt Johnston <matt@ucc.asn.au>
parents:
1342
diff
changeset
|
265 int ret = DROPBEAR_FAILURE; |
10df23099071
split out checkpubkey_line() separately
Matt Johnston <matt@ucc.asn.au>
parents:
1342
diff
changeset
|
266 |
1376 | 267 if (line->len < MIN_AUTHKEYS_LINE || line->len > MAX_AUTHKEYS_LINE) { |
1452
15d4b821bcc9
fix checkpubkey_line function name for TRACE
Matt Johnston <matt@ucc.asn.au>
parents:
1451
diff
changeset
|
268 TRACE(("checkpubkey_line: bad line length %d", line->len)) |
1600
dc7c9fdb3716
don't allow null characters in authorized_keys
Matt Johnston <matt@ucc.asn.au>
parents:
1598
diff
changeset
|
269 goto out; |
dc7c9fdb3716
don't allow null characters in authorized_keys
Matt Johnston <matt@ucc.asn.au>
parents:
1598
diff
changeset
|
270 } |
dc7c9fdb3716
don't allow null characters in authorized_keys
Matt Johnston <matt@ucc.asn.au>
parents:
1598
diff
changeset
|
271 |
dc7c9fdb3716
don't allow null characters in authorized_keys
Matt Johnston <matt@ucc.asn.au>
parents:
1598
diff
changeset
|
272 if (memchr(line->data, 0x0, line->len) != NULL) { |
dc7c9fdb3716
don't allow null characters in authorized_keys
Matt Johnston <matt@ucc.asn.au>
parents:
1598
diff
changeset
|
273 TRACE(("checkpubkey_line: bad line has null char")) |
dc7c9fdb3716
don't allow null characters in authorized_keys
Matt Johnston <matt@ucc.asn.au>
parents:
1598
diff
changeset
|
274 goto out; |
1368
10df23099071
split out checkpubkey_line() separately
Matt Johnston <matt@ucc.asn.au>
parents:
1342
diff
changeset
|
275 } |
10df23099071
split out checkpubkey_line() separately
Matt Johnston <matt@ucc.asn.au>
parents:
1342
diff
changeset
|
276 |
1372
de1d895b1cae
don't exit encountering short lines
Matt Johnston <matt@ucc.asn.au>
parents:
1368
diff
changeset
|
277 /* compare the algorithm. +3 so we have enough bytes to read a space and some base64 characters too. */ |
de1d895b1cae
don't exit encountering short lines
Matt Johnston <matt@ucc.asn.au>
parents:
1368
diff
changeset
|
278 if (line->pos + algolen+3 > line->len) { |
de1d895b1cae
don't exit encountering short lines
Matt Johnston <matt@ucc.asn.au>
parents:
1368
diff
changeset
|
279 goto out; |
de1d895b1cae
don't exit encountering short lines
Matt Johnston <matt@ucc.asn.au>
parents:
1368
diff
changeset
|
280 } |
1368
10df23099071
split out checkpubkey_line() separately
Matt Johnston <matt@ucc.asn.au>
parents:
1342
diff
changeset
|
281 /* check the key type */ |
10df23099071
split out checkpubkey_line() separately
Matt Johnston <matt@ucc.asn.au>
parents:
1342
diff
changeset
|
282 if (strncmp((const char *) buf_getptr(line, algolen), algo, algolen) != 0) { |
10df23099071
split out checkpubkey_line() separately
Matt Johnston <matt@ucc.asn.au>
parents:
1342
diff
changeset
|
283 int is_comment = 0; |
10df23099071
split out checkpubkey_line() separately
Matt Johnston <matt@ucc.asn.au>
parents:
1342
diff
changeset
|
284 unsigned char *options_start = NULL; |
10df23099071
split out checkpubkey_line() separately
Matt Johnston <matt@ucc.asn.au>
parents:
1342
diff
changeset
|
285 int options_len = 0; |
10df23099071
split out checkpubkey_line() separately
Matt Johnston <matt@ucc.asn.au>
parents:
1342
diff
changeset
|
286 int escape, quoted; |
10df23099071
split out checkpubkey_line() separately
Matt Johnston <matt@ucc.asn.au>
parents:
1342
diff
changeset
|
287 |
10df23099071
split out checkpubkey_line() separately
Matt Johnston <matt@ucc.asn.au>
parents:
1342
diff
changeset
|
288 /* skip over any comments or leading whitespace */ |
10df23099071
split out checkpubkey_line() separately
Matt Johnston <matt@ucc.asn.au>
parents:
1342
diff
changeset
|
289 while (line->pos < line->len) { |
10df23099071
split out checkpubkey_line() separately
Matt Johnston <matt@ucc.asn.au>
parents:
1342
diff
changeset
|
290 const char c = buf_getbyte(line); |
10df23099071
split out checkpubkey_line() separately
Matt Johnston <matt@ucc.asn.au>
parents:
1342
diff
changeset
|
291 if (c == ' ' || c == '\t') { |
10df23099071
split out checkpubkey_line() separately
Matt Johnston <matt@ucc.asn.au>
parents:
1342
diff
changeset
|
292 continue; |
10df23099071
split out checkpubkey_line() separately
Matt Johnston <matt@ucc.asn.au>
parents:
1342
diff
changeset
|
293 } else if (c == '#') { |
10df23099071
split out checkpubkey_line() separately
Matt Johnston <matt@ucc.asn.au>
parents:
1342
diff
changeset
|
294 is_comment = 1; |
10df23099071
split out checkpubkey_line() separately
Matt Johnston <matt@ucc.asn.au>
parents:
1342
diff
changeset
|
295 break; |
10df23099071
split out checkpubkey_line() separately
Matt Johnston <matt@ucc.asn.au>
parents:
1342
diff
changeset
|
296 } |
1754 | 297 buf_decrpos(line, 1); |
1368
10df23099071
split out checkpubkey_line() separately
Matt Johnston <matt@ucc.asn.au>
parents:
1342
diff
changeset
|
298 break; |
10df23099071
split out checkpubkey_line() separately
Matt Johnston <matt@ucc.asn.au>
parents:
1342
diff
changeset
|
299 } |
10df23099071
split out checkpubkey_line() separately
Matt Johnston <matt@ucc.asn.au>
parents:
1342
diff
changeset
|
300 if (is_comment) { |
10df23099071
split out checkpubkey_line() separately
Matt Johnston <matt@ucc.asn.au>
parents:
1342
diff
changeset
|
301 /* next line */ |
10df23099071
split out checkpubkey_line() separately
Matt Johnston <matt@ucc.asn.au>
parents:
1342
diff
changeset
|
302 goto out; |
10df23099071
split out checkpubkey_line() separately
Matt Johnston <matt@ucc.asn.au>
parents:
1342
diff
changeset
|
303 } |
10df23099071
split out checkpubkey_line() separately
Matt Johnston <matt@ucc.asn.au>
parents:
1342
diff
changeset
|
304 |
10df23099071
split out checkpubkey_line() separately
Matt Johnston <matt@ucc.asn.au>
parents:
1342
diff
changeset
|
305 /* remember start of options */ |
10df23099071
split out checkpubkey_line() separately
Matt Johnston <matt@ucc.asn.au>
parents:
1342
diff
changeset
|
306 options_start = buf_getptr(line, 1); |
10df23099071
split out checkpubkey_line() separately
Matt Johnston <matt@ucc.asn.au>
parents:
1342
diff
changeset
|
307 quoted = 0; |
10df23099071
split out checkpubkey_line() separately
Matt Johnston <matt@ucc.asn.au>
parents:
1342
diff
changeset
|
308 escape = 0; |
10df23099071
split out checkpubkey_line() separately
Matt Johnston <matt@ucc.asn.au>
parents:
1342
diff
changeset
|
309 options_len = 0; |
10df23099071
split out checkpubkey_line() separately
Matt Johnston <matt@ucc.asn.au>
parents:
1342
diff
changeset
|
310 |
10df23099071
split out checkpubkey_line() separately
Matt Johnston <matt@ucc.asn.au>
parents:
1342
diff
changeset
|
311 /* figure out where the options are */ |
10df23099071
split out checkpubkey_line() separately
Matt Johnston <matt@ucc.asn.au>
parents:
1342
diff
changeset
|
312 while (line->pos < line->len) { |
10df23099071
split out checkpubkey_line() separately
Matt Johnston <matt@ucc.asn.au>
parents:
1342
diff
changeset
|
313 const char c = buf_getbyte(line); |
10df23099071
split out checkpubkey_line() separately
Matt Johnston <matt@ucc.asn.au>
parents:
1342
diff
changeset
|
314 if (!quoted && (c == ' ' || c == '\t')) { |
10df23099071
split out checkpubkey_line() separately
Matt Johnston <matt@ucc.asn.au>
parents:
1342
diff
changeset
|
315 break; |
10df23099071
split out checkpubkey_line() separately
Matt Johnston <matt@ucc.asn.au>
parents:
1342
diff
changeset
|
316 } |
10df23099071
split out checkpubkey_line() separately
Matt Johnston <matt@ucc.asn.au>
parents:
1342
diff
changeset
|
317 escape = (!escape && c == '\\'); |
10df23099071
split out checkpubkey_line() separately
Matt Johnston <matt@ucc.asn.au>
parents:
1342
diff
changeset
|
318 if (!escape && c == '"') { |
10df23099071
split out checkpubkey_line() separately
Matt Johnston <matt@ucc.asn.au>
parents:
1342
diff
changeset
|
319 quoted = !quoted; |
10df23099071
split out checkpubkey_line() separately
Matt Johnston <matt@ucc.asn.au>
parents:
1342
diff
changeset
|
320 } |
10df23099071
split out checkpubkey_line() separately
Matt Johnston <matt@ucc.asn.au>
parents:
1342
diff
changeset
|
321 options_len++; |
10df23099071
split out checkpubkey_line() separately
Matt Johnston <matt@ucc.asn.au>
parents:
1342
diff
changeset
|
322 } |
10df23099071
split out checkpubkey_line() separately
Matt Johnston <matt@ucc.asn.au>
parents:
1342
diff
changeset
|
323 options_buf = buf_new(options_len); |
10df23099071
split out checkpubkey_line() separately
Matt Johnston <matt@ucc.asn.au>
parents:
1342
diff
changeset
|
324 buf_putbytes(options_buf, options_start, options_len); |
10df23099071
split out checkpubkey_line() separately
Matt Johnston <matt@ucc.asn.au>
parents:
1342
diff
changeset
|
325 |
10df23099071
split out checkpubkey_line() separately
Matt Johnston <matt@ucc.asn.au>
parents:
1342
diff
changeset
|
326 /* compare the algorithm. +3 so we have enough bytes to read a space and some base64 characters too. */ |
10df23099071
split out checkpubkey_line() separately
Matt Johnston <matt@ucc.asn.au>
parents:
1342
diff
changeset
|
327 if (line->pos + algolen+3 > line->len) { |
10df23099071
split out checkpubkey_line() separately
Matt Johnston <matt@ucc.asn.au>
parents:
1342
diff
changeset
|
328 goto out; |
10df23099071
split out checkpubkey_line() separately
Matt Johnston <matt@ucc.asn.au>
parents:
1342
diff
changeset
|
329 } |
10df23099071
split out checkpubkey_line() separately
Matt Johnston <matt@ucc.asn.au>
parents:
1342
diff
changeset
|
330 if (strncmp((const char *) buf_getptr(line, algolen), algo, algolen) != 0) { |
10df23099071
split out checkpubkey_line() separately
Matt Johnston <matt@ucc.asn.au>
parents:
1342
diff
changeset
|
331 goto out; |
10df23099071
split out checkpubkey_line() separately
Matt Johnston <matt@ucc.asn.au>
parents:
1342
diff
changeset
|
332 } |
10df23099071
split out checkpubkey_line() separately
Matt Johnston <matt@ucc.asn.au>
parents:
1342
diff
changeset
|
333 } |
10df23099071
split out checkpubkey_line() separately
Matt Johnston <matt@ucc.asn.au>
parents:
1342
diff
changeset
|
334 buf_incrpos(line, algolen); |
10df23099071
split out checkpubkey_line() separately
Matt Johnston <matt@ucc.asn.au>
parents:
1342
diff
changeset
|
335 |
10df23099071
split out checkpubkey_line() separately
Matt Johnston <matt@ucc.asn.au>
parents:
1342
diff
changeset
|
336 /* check for space (' ') character */ |
10df23099071
split out checkpubkey_line() separately
Matt Johnston <matt@ucc.asn.au>
parents:
1342
diff
changeset
|
337 if (buf_getbyte(line) != ' ') { |
1452
15d4b821bcc9
fix checkpubkey_line function name for TRACE
Matt Johnston <matt@ucc.asn.au>
parents:
1451
diff
changeset
|
338 TRACE(("checkpubkey_line: space character expected, isn't there")) |
1368
10df23099071
split out checkpubkey_line() separately
Matt Johnston <matt@ucc.asn.au>
parents:
1342
diff
changeset
|
339 goto out; |
10df23099071
split out checkpubkey_line() separately
Matt Johnston <matt@ucc.asn.au>
parents:
1342
diff
changeset
|
340 } |
10df23099071
split out checkpubkey_line() separately
Matt Johnston <matt@ucc.asn.au>
parents:
1342
diff
changeset
|
341 |
10df23099071
split out checkpubkey_line() separately
Matt Johnston <matt@ucc.asn.au>
parents:
1342
diff
changeset
|
342 /* truncate the line at the space after the base64 data */ |
10df23099071
split out checkpubkey_line() separately
Matt Johnston <matt@ucc.asn.au>
parents:
1342
diff
changeset
|
343 pos = line->pos; |
10df23099071
split out checkpubkey_line() separately
Matt Johnston <matt@ucc.asn.au>
parents:
1342
diff
changeset
|
344 for (len = 0; line->pos < line->len; len++) { |
10df23099071
split out checkpubkey_line() separately
Matt Johnston <matt@ucc.asn.au>
parents:
1342
diff
changeset
|
345 if (buf_getbyte(line) == ' ') break; |
10df23099071
split out checkpubkey_line() separately
Matt Johnston <matt@ucc.asn.au>
parents:
1342
diff
changeset
|
346 } |
10df23099071
split out checkpubkey_line() separately
Matt Johnston <matt@ucc.asn.au>
parents:
1342
diff
changeset
|
347 buf_setpos(line, pos); |
10df23099071
split out checkpubkey_line() separately
Matt Johnston <matt@ucc.asn.au>
parents:
1342
diff
changeset
|
348 buf_setlen(line, line->pos + len); |
10df23099071
split out checkpubkey_line() separately
Matt Johnston <matt@ucc.asn.au>
parents:
1342
diff
changeset
|
349 |
1452
15d4b821bcc9
fix checkpubkey_line function name for TRACE
Matt Johnston <matt@ucc.asn.au>
parents:
1451
diff
changeset
|
350 TRACE(("checkpubkey_line: line pos = %d len = %d", line->pos, line->len)) |
1368
10df23099071
split out checkpubkey_line() separately
Matt Johnston <matt@ucc.asn.au>
parents:
1342
diff
changeset
|
351 |
10df23099071
split out checkpubkey_line() separately
Matt Johnston <matt@ucc.asn.au>
parents:
1342
diff
changeset
|
352 ret = cmp_base64_key(keyblob, keybloblen, (const unsigned char *) algo, algolen, line, NULL); |
10df23099071
split out checkpubkey_line() separately
Matt Johnston <matt@ucc.asn.au>
parents:
1342
diff
changeset
|
353 |
10df23099071
split out checkpubkey_line() separately
Matt Johnston <matt@ucc.asn.au>
parents:
1342
diff
changeset
|
354 if (ret == DROPBEAR_SUCCESS && options_buf) { |
10df23099071
split out checkpubkey_line() separately
Matt Johnston <matt@ucc.asn.au>
parents:
1342
diff
changeset
|
355 ret = svr_add_pubkey_options(options_buf, line_num, filename); |
10df23099071
split out checkpubkey_line() separately
Matt Johnston <matt@ucc.asn.au>
parents:
1342
diff
changeset
|
356 } |
10df23099071
split out checkpubkey_line() separately
Matt Johnston <matt@ucc.asn.au>
parents:
1342
diff
changeset
|
357 |
10df23099071
split out checkpubkey_line() separately
Matt Johnston <matt@ucc.asn.au>
parents:
1342
diff
changeset
|
358 out: |
10df23099071
split out checkpubkey_line() separately
Matt Johnston <matt@ucc.asn.au>
parents:
1342
diff
changeset
|
359 if (options_buf) { |
10df23099071
split out checkpubkey_line() separately
Matt Johnston <matt@ucc.asn.au>
parents:
1342
diff
changeset
|
360 buf_free(options_buf); |
10df23099071
split out checkpubkey_line() separately
Matt Johnston <matt@ucc.asn.au>
parents:
1342
diff
changeset
|
361 } |
10df23099071
split out checkpubkey_line() separately
Matt Johnston <matt@ucc.asn.au>
parents:
1342
diff
changeset
|
362 return ret; |
10df23099071
split out checkpubkey_line() separately
Matt Johnston <matt@ucc.asn.au>
parents:
1342
diff
changeset
|
363 } |
10df23099071
split out checkpubkey_line() separately
Matt Johnston <matt@ucc.asn.au>
parents:
1342
diff
changeset
|
364 |
10df23099071
split out checkpubkey_line() separately
Matt Johnston <matt@ucc.asn.au>
parents:
1342
diff
changeset
|
365 |
4
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
366 /* Checks whether a specified publickey (and associated algorithm) is an |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
367 * acceptable key for authentication */ |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
368 /* Returns DROPBEAR_SUCCESS if key is ok for auth, DROPBEAR_FAILURE otherwise */ |
1674
ba6fc7afe1c5
use sigtype where appropriate
Matt Johnston <matt@ucc.asn.au>
parents:
1654
diff
changeset
|
369 static int checkpubkey(const char* keyalgo, unsigned int keyalgolen, |
1459
06d52bcb8094
Pointer parameter could be declared as pointing to const
Francois Perrad <francois.perrad@gadz.org>
parents:
1376
diff
changeset
|
370 const unsigned char* keyblob, unsigned int keybloblen) { |
4
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
371 |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
372 FILE * authfile = NULL; |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
373 char * filename = NULL; |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
374 int ret = DROPBEAR_FAILURE; |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
375 buffer * line = NULL; |
1368
10df23099071
split out checkpubkey_line() separately
Matt Johnston <matt@ucc.asn.au>
parents:
1342
diff
changeset
|
376 unsigned int len; |
476
df7f7da7f6e4
- Rework pubkey options to be more careful about buffer lengths. Needs review.
Matt Johnston <matt@ucc.asn.au>
parents:
475
diff
changeset
|
377 int line_num; |
1330
0d889b068123
switch user when opening authorized_keys
Matt Johnston <matt@ucc.asn.au>
parents:
1276
diff
changeset
|
378 uid_t origuid; |
0d889b068123
switch user when opening authorized_keys
Matt Johnston <matt@ucc.asn.au>
parents:
1276
diff
changeset
|
379 gid_t origgid; |
475
52a644e7b8e1
* Patch from Frédéric Moulins adding options to authorized_keys.
Matt Johnston <matt@ucc.asn.au>
parents:
464
diff
changeset
|
380 |
165
0cfba3034be5
Fixed DEBUG_TRACE macro so that we don't get semicolons left about the place
Matt Johnston <matt@ucc.asn.au>
parents:
158
diff
changeset
|
381 TRACE(("enter checkpubkey")) |
4
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
382 |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
383 /* check file permissions, also whether file exists */ |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
384 if (checkpubkeyperms() == DROPBEAR_FAILURE) { |
165
0cfba3034be5
Fixed DEBUG_TRACE macro so that we don't get semicolons left about the place
Matt Johnston <matt@ucc.asn.au>
parents:
158
diff
changeset
|
385 TRACE(("bad authorized_keys permissions, or file doesn't exist")) |
4
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
386 goto out; |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
387 } |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
388 |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
389 /* we don't need to check pw and pw_dir for validity, since |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
390 * its been done in checkpubkeyperms. */ |
464
4317be8b7cf9
Make a copy of passwd fields since getpwnam()'s retval isn't safe to keep
Matt Johnston <matt@ucc.asn.au>
parents:
436
diff
changeset
|
391 len = strlen(ses.authstate.pw_dir); |
4
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
392 /* allocate max required pathname storage, |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
393 * = path + "/.ssh/authorized_keys" + '\0' = pathlen + 22 */ |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
394 filename = m_malloc(len + 22); |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
395 snprintf(filename, len + 22, "%s/.ssh/authorized_keys", |
464
4317be8b7cf9
Make a copy of passwd fields since getpwnam()'s retval isn't safe to keep
Matt Johnston <matt@ucc.asn.au>
parents:
436
diff
changeset
|
396 ses.authstate.pw_dir); |
4
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
397 |
1633
592a18dac250
Support servers without multiple user support (#76)
Patrick Stewart <patstew@gmail.com>
parents:
1630
diff
changeset
|
398 #if DROPBEAR_SVR_MULTIUSER |
1330
0d889b068123
switch user when opening authorized_keys
Matt Johnston <matt@ucc.asn.au>
parents:
1276
diff
changeset
|
399 /* open the file as the authenticating user. */ |
0d889b068123
switch user when opening authorized_keys
Matt Johnston <matt@ucc.asn.au>
parents:
1276
diff
changeset
|
400 origuid = getuid(); |
0d889b068123
switch user when opening authorized_keys
Matt Johnston <matt@ucc.asn.au>
parents:
1276
diff
changeset
|
401 origgid = getgid(); |
0d889b068123
switch user when opening authorized_keys
Matt Johnston <matt@ucc.asn.au>
parents:
1276
diff
changeset
|
402 if ((setegid(ses.authstate.pw_gid)) < 0 || |
0d889b068123
switch user when opening authorized_keys
Matt Johnston <matt@ucc.asn.au>
parents:
1276
diff
changeset
|
403 (seteuid(ses.authstate.pw_uid)) < 0) { |
0d889b068123
switch user when opening authorized_keys
Matt Johnston <matt@ucc.asn.au>
parents:
1276
diff
changeset
|
404 dropbear_exit("Failed to set euid"); |
0d889b068123
switch user when opening authorized_keys
Matt Johnston <matt@ucc.asn.au>
parents:
1276
diff
changeset
|
405 } |
1633
592a18dac250
Support servers without multiple user support (#76)
Patrick Stewart <patstew@gmail.com>
parents:
1630
diff
changeset
|
406 #endif |
1330
0d889b068123
switch user when opening authorized_keys
Matt Johnston <matt@ucc.asn.au>
parents:
1276
diff
changeset
|
407 |
4
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
408 authfile = fopen(filename, "r"); |
1330
0d889b068123
switch user when opening authorized_keys
Matt Johnston <matt@ucc.asn.au>
parents:
1276
diff
changeset
|
409 |
1633
592a18dac250
Support servers without multiple user support (#76)
Patrick Stewart <patstew@gmail.com>
parents:
1630
diff
changeset
|
410 #if DROPBEAR_SVR_MULTIUSER |
1330
0d889b068123
switch user when opening authorized_keys
Matt Johnston <matt@ucc.asn.au>
parents:
1276
diff
changeset
|
411 if ((seteuid(origuid)) < 0 || |
0d889b068123
switch user when opening authorized_keys
Matt Johnston <matt@ucc.asn.au>
parents:
1276
diff
changeset
|
412 (setegid(origgid)) < 0) { |
0d889b068123
switch user when opening authorized_keys
Matt Johnston <matt@ucc.asn.au>
parents:
1276
diff
changeset
|
413 dropbear_exit("Failed to revert euid"); |
0d889b068123
switch user when opening authorized_keys
Matt Johnston <matt@ucc.asn.au>
parents:
1276
diff
changeset
|
414 } |
1633
592a18dac250
Support servers without multiple user support (#76)
Patrick Stewart <patstew@gmail.com>
parents:
1630
diff
changeset
|
415 #endif |
1330
0d889b068123
switch user when opening authorized_keys
Matt Johnston <matt@ucc.asn.au>
parents:
1276
diff
changeset
|
416 |
4
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
417 if (authfile == NULL) { |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
418 goto out; |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
419 } |
165
0cfba3034be5
Fixed DEBUG_TRACE macro so that we don't get semicolons left about the place
Matt Johnston <matt@ucc.asn.au>
parents:
158
diff
changeset
|
420 TRACE(("checkpubkey: opened authorized_keys OK")) |
4
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
421 |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
422 line = buf_new(MAX_AUTHKEYS_LINE); |
476
df7f7da7f6e4
- Rework pubkey options to be more careful about buffer lengths. Needs review.
Matt Johnston <matt@ucc.asn.au>
parents:
475
diff
changeset
|
423 line_num = 0; |
4
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
424 |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
425 /* iterate through the lines */ |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
426 do { |
51
095d689fed16
- Hostkey checking is mostly there, just aren't appending yet.
Matt Johnston <matt@ucc.asn.au>
parents:
44
diff
changeset
|
427 if (buf_getline(line, authfile) == DROPBEAR_FAILURE) { |
4
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
428 /* EOF reached */ |
165
0cfba3034be5
Fixed DEBUG_TRACE macro so that we don't get semicolons left about the place
Matt Johnston <matt@ucc.asn.au>
parents:
158
diff
changeset
|
429 TRACE(("checkpubkey: authorized_keys EOF reached")) |
4
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
430 break; |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
431 } |
476
df7f7da7f6e4
- Rework pubkey options to be more careful about buffer lengths. Needs review.
Matt Johnston <matt@ucc.asn.au>
parents:
475
diff
changeset
|
432 line_num++; |
4
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
433 |
1674
ba6fc7afe1c5
use sigtype where appropriate
Matt Johnston <matt@ucc.asn.au>
parents:
1654
diff
changeset
|
434 ret = checkpubkey_line(line, line_num, filename, keyalgo, keyalgolen, keyblob, keybloblen); |
1451
7e95ab97d2b0
fix pubkey authentication return value
Matt Johnston <matt@ucc.asn.au>
parents:
1376
diff
changeset
|
435 if (ret == DROPBEAR_SUCCESS) { |
51
095d689fed16
- Hostkey checking is mostly there, just aren't appending yet.
Matt Johnston <matt@ucc.asn.au>
parents:
44
diff
changeset
|
436 break; |
4
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
437 } |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
438 |
51
095d689fed16
- Hostkey checking is mostly there, just aren't appending yet.
Matt Johnston <matt@ucc.asn.au>
parents:
44
diff
changeset
|
439 /* We continue to the next line otherwise */ |
4
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
440 |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
441 } while (1); |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
442 |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
443 out: |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
444 if (authfile) { |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
445 fclose(authfile); |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
446 } |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
447 if (line) { |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
448 buf_free(line); |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
449 } |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
450 m_free(filename); |
165
0cfba3034be5
Fixed DEBUG_TRACE macro so that we don't get semicolons left about the place
Matt Johnston <matt@ucc.asn.au>
parents:
158
diff
changeset
|
451 TRACE(("leave checkpubkey: ret=%d", ret)) |
4
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
452 return ret; |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
453 } |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
454 |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
455 |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
456 /* Returns DROPBEAR_SUCCESS if file permissions for pubkeys are ok, |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
457 * DROPBEAR_FAILURE otherwise. |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
458 * Checks that the user's homedir, ~/.ssh, and |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
459 * ~/.ssh/authorized_keys are all owned by either root or the user, and are |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
460 * g-w, o-w */ |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
461 static int checkpubkeyperms() { |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
462 |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
463 char* filename = NULL; |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
464 int ret = DROPBEAR_FAILURE; |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
465 unsigned int len; |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
466 |
165
0cfba3034be5
Fixed DEBUG_TRACE macro so that we don't get semicolons left about the place
Matt Johnston <matt@ucc.asn.au>
parents:
158
diff
changeset
|
467 TRACE(("enter checkpubkeyperms")) |
4
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
468 |
464
4317be8b7cf9
Make a copy of passwd fields since getpwnam()'s retval isn't safe to keep
Matt Johnston <matt@ucc.asn.au>
parents:
436
diff
changeset
|
469 if (ses.authstate.pw_dir == NULL) { |
4
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
470 goto out; |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
471 } |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
472 |
464
4317be8b7cf9
Make a copy of passwd fields since getpwnam()'s retval isn't safe to keep
Matt Johnston <matt@ucc.asn.au>
parents:
436
diff
changeset
|
473 if ((len = strlen(ses.authstate.pw_dir)) == 0) { |
4
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
474 goto out; |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
475 } |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
476 |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
477 /* allocate max required pathname storage, |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
478 * = path + "/.ssh/authorized_keys" + '\0' = pathlen + 22 */ |
1630
9579377b5f8b
use strlcpy & strlcat (#74)
François Perrad <francois.perrad@gadz.org>
parents:
1617
diff
changeset
|
479 len += 22; |
9579377b5f8b
use strlcpy & strlcat (#74)
François Perrad <francois.perrad@gadz.org>
parents:
1617
diff
changeset
|
480 filename = m_malloc(len); |
9579377b5f8b
use strlcpy & strlcat (#74)
François Perrad <francois.perrad@gadz.org>
parents:
1617
diff
changeset
|
481 strlcpy(filename, ses.authstate.pw_dir, len); |
4
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
482 |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
483 /* check ~ */ |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
484 if (checkfileperm(filename) != DROPBEAR_SUCCESS) { |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
485 goto out; |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
486 } |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
487 |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
488 /* check ~/.ssh */ |
1630
9579377b5f8b
use strlcpy & strlcat (#74)
François Perrad <francois.perrad@gadz.org>
parents:
1617
diff
changeset
|
489 strlcat(filename, "/.ssh", len); |
4
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
490 if (checkfileperm(filename) != DROPBEAR_SUCCESS) { |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
491 goto out; |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
492 } |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
493 |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
494 /* now check ~/.ssh/authorized_keys */ |
1630
9579377b5f8b
use strlcpy & strlcat (#74)
François Perrad <francois.perrad@gadz.org>
parents:
1617
diff
changeset
|
495 strlcat(filename, "/authorized_keys", len); |
4
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
496 if (checkfileperm(filename) != DROPBEAR_SUCCESS) { |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
497 goto out; |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
498 } |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
499 |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
500 /* file looks ok, return success */ |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
501 ret = DROPBEAR_SUCCESS; |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
502 |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
503 out: |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
504 m_free(filename); |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
505 |
165
0cfba3034be5
Fixed DEBUG_TRACE macro so that we don't get semicolons left about the place
Matt Johnston <matt@ucc.asn.au>
parents:
158
diff
changeset
|
506 TRACE(("leave checkpubkeyperms")) |
4
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
507 return ret; |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
508 } |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
509 |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
510 /* Checks that a file is owned by the user or root, and isn't writable by |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
511 * group or other */ |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
512 /* returns DROPBEAR_SUCCESS or DROPBEAR_FAILURE */ |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
513 static int checkfileperm(char * filename) { |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
514 struct stat filestat; |
248
bf64e666f99b
Log when pubkey auth fails because of bad pubkey perms/ownership
Matt Johnston <matt@ucc.asn.au>
parents:
241
diff
changeset
|
515 int badperm = 0; |
4
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
516 |
165
0cfba3034be5
Fixed DEBUG_TRACE macro so that we don't get semicolons left about the place
Matt Johnston <matt@ucc.asn.au>
parents:
158
diff
changeset
|
517 TRACE(("enter checkfileperm(%s)", filename)) |
4
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
518 |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
519 if (stat(filename, &filestat) != 0) { |
165
0cfba3034be5
Fixed DEBUG_TRACE macro so that we don't get semicolons left about the place
Matt Johnston <matt@ucc.asn.au>
parents:
158
diff
changeset
|
520 TRACE(("leave checkfileperm: stat() != 0")) |
4
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
521 return DROPBEAR_FAILURE; |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
522 } |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
523 /* check ownership - user or root only*/ |
464
4317be8b7cf9
Make a copy of passwd fields since getpwnam()'s retval isn't safe to keep
Matt Johnston <matt@ucc.asn.au>
parents:
436
diff
changeset
|
524 if (filestat.st_uid != ses.authstate.pw_uid |
4
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
525 && filestat.st_uid != 0) { |
248
bf64e666f99b
Log when pubkey auth fails because of bad pubkey perms/ownership
Matt Johnston <matt@ucc.asn.au>
parents:
241
diff
changeset
|
526 badperm = 1; |
bf64e666f99b
Log when pubkey auth fails because of bad pubkey perms/ownership
Matt Johnston <matt@ucc.asn.au>
parents:
241
diff
changeset
|
527 TRACE(("wrong ownership")) |
4
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
528 } |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
529 /* check permissions - don't want group or others +w */ |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
530 if (filestat.st_mode & (S_IWGRP | S_IWOTH)) { |
248
bf64e666f99b
Log when pubkey auth fails because of bad pubkey perms/ownership
Matt Johnston <matt@ucc.asn.au>
parents:
241
diff
changeset
|
531 badperm = 1; |
bf64e666f99b
Log when pubkey auth fails because of bad pubkey perms/ownership
Matt Johnston <matt@ucc.asn.au>
parents:
241
diff
changeset
|
532 TRACE(("wrong perms")) |
bf64e666f99b
Log when pubkey auth fails because of bad pubkey perms/ownership
Matt Johnston <matt@ucc.asn.au>
parents:
241
diff
changeset
|
533 } |
bf64e666f99b
Log when pubkey auth fails because of bad pubkey perms/ownership
Matt Johnston <matt@ucc.asn.au>
parents:
241
diff
changeset
|
534 if (badperm) { |
bf64e666f99b
Log when pubkey auth fails because of bad pubkey perms/ownership
Matt Johnston <matt@ucc.asn.au>
parents:
241
diff
changeset
|
535 if (!ses.authstate.perm_warn) { |
bf64e666f99b
Log when pubkey auth fails because of bad pubkey perms/ownership
Matt Johnston <matt@ucc.asn.au>
parents:
241
diff
changeset
|
536 ses.authstate.perm_warn = 1; |
bf64e666f99b
Log when pubkey auth fails because of bad pubkey perms/ownership
Matt Johnston <matt@ucc.asn.au>
parents:
241
diff
changeset
|
537 dropbear_log(LOG_INFO, "%s must be owned by user or root, and not writable by others", filename); |
bf64e666f99b
Log when pubkey auth fails because of bad pubkey perms/ownership
Matt Johnston <matt@ucc.asn.au>
parents:
241
diff
changeset
|
538 } |
bf64e666f99b
Log when pubkey auth fails because of bad pubkey perms/ownership
Matt Johnston <matt@ucc.asn.au>
parents:
241
diff
changeset
|
539 TRACE(("leave checkfileperm: failure perms/owner")) |
4
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
540 return DROPBEAR_FAILURE; |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
541 } |
248
bf64e666f99b
Log when pubkey auth fails because of bad pubkey perms/ownership
Matt Johnston <matt@ucc.asn.au>
parents:
241
diff
changeset
|
542 |
165
0cfba3034be5
Fixed DEBUG_TRACE macro so that we don't get semicolons left about the place
Matt Johnston <matt@ucc.asn.au>
parents:
158
diff
changeset
|
543 TRACE(("leave checkfileperm: success")) |
4
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
544 return DROPBEAR_SUCCESS; |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
545 } |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
546 |
1558
2f64cb3d3007
- #if not #ifdef for DROPBEAR_FUZZ
Matt Johnston <matt@ucc.asn.au>
parents:
1511
diff
changeset
|
547 #if DROPBEAR_FUZZ |
1511 | 548 int fuzz_checkpubkey_line(buffer* line, int line_num, char* filename, |
549 const char* algo, unsigned int algolen, | |
550 const unsigned char* keyblob, unsigned int keybloblen) { | |
551 return checkpubkey_line(line, line_num, filename, algo, algolen, keyblob, keybloblen); | |
552 } | |
475
52a644e7b8e1
* Patch from Frédéric Moulins adding options to authorized_keys.
Matt Johnston <matt@ucc.asn.au>
parents:
464
diff
changeset
|
553 #endif |
1511 | 554 |
555 #endif |