blob: cbd971be1f1780dce9d91c8b9afe4cf388fcd72e [file] [log] [blame]
djm@openbsd.org9ce86c92015-01-28 22:36:00 +00001/* $OpenBSD: auth-rsa.c,v 1.90 2015/01/28 22:36:00 djm Exp $ */
Damien Millerd4a8b7e1999-10-27 13:42:43 +10002/*
Damien Miller95def091999-11-25 00:26:21 +11003 * Author: Tatu Ylonen <ylo@cs.hut.fi>
Damien Miller95def091999-11-25 00:26:21 +11004 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
5 * All rights reserved
Damien Miller95def091999-11-25 00:26:21 +11006 * RSA-based authentication. This code determines whether to admit a login
7 * based on RSA authentication. This file also contains functions to check
8 * validity of the host key.
Damien Miller4af51302000-04-16 11:18:38 +10009 *
Damien Millere4340be2000-09-16 13:29:08 +110010 * As far as I am concerned, the code I have written for this software
11 * can be used freely for any purpose. Any derived versions of this
12 * software must be clearly marked as such, and if the derived work is
13 * incompatible with the protocol description in the RFC file, it must be
14 * called by a name other than "ssh" or "Secure Shell".
Damien Miller95def091999-11-25 00:26:21 +110015 */
Damien Millerd4a8b7e1999-10-27 13:42:43 +100016
17#include "includes.h"
Damien Millerf17883e2006-03-15 11:45:54 +110018
Damien Miller76c04802015-01-13 19:38:18 +110019#ifdef WITH_SSH1
20
Damien Millerf17883e2006-03-15 11:45:54 +110021#include <sys/types.h>
22#include <sys/stat.h>
Damien Millerd4a8b7e1999-10-27 13:42:43 +100023
24#include <openssl/rsa.h>
Damien Millerd4a8b7e1999-10-27 13:42:43 +100025
Damien Miller9f2abc42006-07-10 20:53:08 +100026#include <pwd.h>
Damien Millera7a73ee2006-08-05 11:37:59 +100027#include <stdio.h>
Damien Millerded319c2006-09-01 15:38:36 +100028#include <stdarg.h>
Damien Millere3476ed2006-07-24 14:13:33 +100029#include <string.h>
Damien Miller9f2abc42006-07-10 20:53:08 +100030
Damien Millerd7834352006-08-05 12:39:39 +100031#include "xmalloc.h"
Ben Lindstrom226cfa02001-01-22 05:34:40 +000032#include "rsa.h"
33#include "packet.h"
Ben Lindstrom226cfa02001-01-22 05:34:40 +000034#include "ssh1.h"
Ben Lindstrom226cfa02001-01-22 05:34:40 +000035#include "uidswap.h"
36#include "match.h"
Damien Millerd7834352006-08-05 12:39:39 +100037#include "buffer.h"
Ben Lindstrom226cfa02001-01-22 05:34:40 +000038#include "pathnames.h"
39#include "log.h"
Damien Miller7acefbb2014-07-18 14:11:24 +100040#include "misc.h"
Ben Lindstrom226cfa02001-01-22 05:34:40 +000041#include "servconf.h"
Damien Millerd7834352006-08-05 12:39:39 +100042#include "key.h"
Damien Miller4e270b02010-04-16 15:56:21 +100043#include "auth-options.h"
Damien Miller89681212001-12-21 12:52:39 +110044#include "hostfile.h"
Damien Millerd7834352006-08-05 12:39:39 +100045#include "auth.h"
46#ifdef GSSAPI
47#include "ssh-gss.h"
48#endif
Ben Lindstrom7a2073c2002-03-22 02:30:41 +000049#include "monitor_wrap.h"
Ben Lindstrom03f39322002-04-02 20:43:11 +000050#include "ssh.h"
Damien Miller874d77b2000-10-14 16:23:11 +110051
Damien Miller4a1c7aa2014-02-04 11:03:36 +110052#include "digest.h"
53
Damien Miller874d77b2000-10-14 16:23:11 +110054/* import */
55extern ServerOptions options;
56
Damien Miller5428f641999-11-25 11:54:57 +110057/*
58 * Session identifier that is used to bind key exchange and authentication
59 * responses to a particular session.
60 */
Ben Lindstrom46c16222000-12-22 01:43:59 +000061extern u_char session_id[16];
Damien Millerd4a8b7e1999-10-27 13:42:43 +100062
Damien Miller5428f641999-11-25 11:54:57 +110063/*
64 * The .ssh/authorized_keys file contains public keys, one per line, in the
65 * following format:
66 * options bits e n comment
67 * where bits, e and n are decimal numbers,
68 * and comment is any string of characters up to newline. The maximum
Darren Tucker22cc7412004-12-06 22:47:41 +110069 * length of a line is SSH_MAX_PUBKEY_BYTES characters. See sshd(8) for a
Damien Miller5428f641999-11-25 11:54:57 +110070 * description of the options.
71 */
Damien Millerd4a8b7e1999-10-27 13:42:43 +100072
Ben Lindstrom7a2073c2002-03-22 02:30:41 +000073BIGNUM *
Ben Lindstrom9c8aefe2002-03-22 01:12:58 +000074auth_rsa_generate_challenge(Key *key)
75{
76 BIGNUM *challenge;
77 BN_CTX *ctx;
78
79 if ((challenge = BN_new()) == NULL)
80 fatal("auth_rsa_generate_challenge: BN_new() failed");
81 /* Generate a random challenge. */
Darren Tucker0bc85572006-11-07 23:14:41 +110082 if (BN_rand(challenge, 256, 0, 0) == 0)
83 fatal("auth_rsa_generate_challenge: BN_rand failed");
Ben Lindstrom9c8aefe2002-03-22 01:12:58 +000084 if ((ctx = BN_CTX_new()) == NULL)
Darren Tucker0bc85572006-11-07 23:14:41 +110085 fatal("auth_rsa_generate_challenge: BN_CTX_new failed");
86 if (BN_mod(challenge, challenge, key->rsa->n, ctx) == 0)
87 fatal("auth_rsa_generate_challenge: BN_mod failed");
Ben Lindstrom9c8aefe2002-03-22 01:12:58 +000088 BN_CTX_free(ctx);
89
90 return challenge;
91}
92
Ben Lindstrom7a2073c2002-03-22 02:30:41 +000093int
Ben Lindstrom9c8aefe2002-03-22 01:12:58 +000094auth_rsa_verify_response(Key *key, BIGNUM *challenge, u_char response[16])
95{
96 u_char buf[32], mdbuf[16];
Damien Miller4a1c7aa2014-02-04 11:03:36 +110097 struct ssh_digest_ctx *md;
Ben Lindstrom9c8aefe2002-03-22 01:12:58 +000098 int len;
99
Ben Lindstrome1f9e322002-03-27 17:38:43 +0000100 /* don't allow short keys */
Ben Lindstrom03f39322002-04-02 20:43:11 +0000101 if (BN_num_bits(key->rsa->n) < SSH_RSA_MINIMUM_MODULUS_SIZE) {
Damien Miller4a1c7aa2014-02-04 11:03:36 +1100102 error("%s: RSA modulus too small: %d < minimum %d bits",
103 __func__,
Ben Lindstrom2779d282002-06-11 15:47:42 +0000104 BN_num_bits(key->rsa->n), SSH_RSA_MINIMUM_MODULUS_SIZE);
Ben Lindstrome1f9e322002-03-27 17:38:43 +0000105 return (0);
106 }
107
Ben Lindstrom9c8aefe2002-03-22 01:12:58 +0000108 /* The response is MD5 of decrypted challenge plus session id. */
109 len = BN_num_bytes(challenge);
110 if (len <= 0 || len > 32)
Damien Miller4a1c7aa2014-02-04 11:03:36 +1100111 fatal("%s: bad challenge length %d", __func__, len);
Ben Lindstrom9c8aefe2002-03-22 01:12:58 +0000112 memset(buf, 0, 32);
113 BN_bn2bin(challenge, buf + 32 - len);
Damien Miller4a1c7aa2014-02-04 11:03:36 +1100114 if ((md = ssh_digest_start(SSH_DIGEST_MD5)) == NULL ||
115 ssh_digest_update(md, buf, 32) < 0 ||
116 ssh_digest_update(md, session_id, 16) < 0 ||
117 ssh_digest_final(md, mdbuf, sizeof(mdbuf)) < 0)
118 fatal("%s: md5 failed", __func__);
119 ssh_digest_free(md);
Ben Lindstrom9c8aefe2002-03-22 01:12:58 +0000120
121 /* Verify that the response is the original challenge. */
Damien Millerea1651c2010-07-16 13:58:37 +1000122 if (timingsafe_bcmp(response, mdbuf, 16) != 0) {
Ben Lindstrom9c8aefe2002-03-22 01:12:58 +0000123 /* Wrong answer. */
124 return (0);
125 }
126 /* Correct answer. */
127 return (1);
128}
129
Damien Miller5428f641999-11-25 11:54:57 +1100130/*
131 * Performs the RSA authentication challenge-response dialog with the client,
132 * and returns true (non-zero) if the client gave the correct answer to
133 * our challenge; returns zero if the client gives a wrong answer.
134 */
Damien Millerd4a8b7e1999-10-27 13:42:43 +1000135
136int
Ben Lindstrom9c8aefe2002-03-22 01:12:58 +0000137auth_rsa_challenge_dialog(Key *key)
Damien Millerd4a8b7e1999-10-27 13:42:43 +1000138{
Damien Miller98c7ad62000-03-09 21:27:49 +1100139 BIGNUM *challenge, *encrypted_challenge;
Ben Lindstrom9c8aefe2002-03-22 01:12:58 +0000140 u_char response[16];
141 int i, success;
Damien Millerd4a8b7e1999-10-27 13:42:43 +1000142
Damien Millerda755162002-01-22 23:09:22 +1100143 if ((encrypted_challenge = BN_new()) == NULL)
144 fatal("auth_rsa_challenge_dialog: BN_new() failed");
Damien Millerd4a8b7e1999-10-27 13:42:43 +1000145
Ben Lindstrom7a2073c2002-03-22 02:30:41 +0000146 challenge = PRIVSEP(auth_rsa_generate_challenge(key));
Damien Millerd4a8b7e1999-10-27 13:42:43 +1000147
Damien Miller95def091999-11-25 00:26:21 +1100148 /* Encrypt the challenge with the public key. */
Damien Miller86687062014-07-02 15:28:02 +1000149 if (rsa_public_encrypt(encrypted_challenge, challenge, key->rsa) != 0)
150 fatal("%s: rsa_public_encrypt failed", __func__);
Damien Millerd4a8b7e1999-10-27 13:42:43 +1000151
Damien Miller95def091999-11-25 00:26:21 +1100152 /* Send the encrypted challenge to the client. */
153 packet_start(SSH_SMSG_AUTH_RSA_CHALLENGE);
154 packet_put_bignum(encrypted_challenge);
155 packet_send();
Damien Miller98c7ad62000-03-09 21:27:49 +1100156 BN_clear_free(encrypted_challenge);
Damien Miller95def091999-11-25 00:26:21 +1100157 packet_write_wait();
Damien Millerd4a8b7e1999-10-27 13:42:43 +1000158
Damien Miller98c7ad62000-03-09 21:27:49 +1100159 /* Wait for a response. */
Damien Millerdff50992002-01-22 23:16:32 +1100160 packet_read_expect(SSH_CMSG_AUTH_RSA_RESPONSE);
Damien Miller98c7ad62000-03-09 21:27:49 +1100161 for (i = 0; i < 16; i++)
Damien Miller8ba29fe2006-03-26 14:25:19 +1100162 response[i] = (u_char)packet_get_char();
Damien Miller48b03fc2002-01-22 23:11:40 +1100163 packet_check_eom();
Damien Miller98c7ad62000-03-09 21:27:49 +1100164
Ben Lindstrom7a2073c2002-03-22 02:30:41 +0000165 success = PRIVSEP(auth_rsa_verify_response(key, challenge, response));
Damien Miller95def091999-11-25 00:26:21 +1100166 BN_clear_free(challenge);
Ben Lindstrom9c8aefe2002-03-22 01:12:58 +0000167 return (success);
Damien Millerd4a8b7e1999-10-27 13:42:43 +1000168}
169
Damien Millerd8478b62011-05-29 21:39:36 +1000170static int
171rsa_key_allowed_in_file(struct passwd *pw, char *file,
172 const BIGNUM *client_n, Key **rkey)
Damien Millerd4a8b7e1999-10-27 13:42:43 +1000173{
Darren Tucker0acca372013-06-02 07:41:51 +1000174 char *fp, line[SSH_MAX_PUBKEY_BYTES];
Damien Millerce986542013-07-18 16:12:44 +1000175 int allowed = 0, bits;
Damien Miller95def091999-11-25 00:26:21 +1100176 FILE *f;
Ben Lindstrom46c16222000-12-22 01:43:59 +0000177 u_long linenum = 0;
Damien Miller89681212001-12-21 12:52:39 +1100178 Key *key;
Damien Miller874d77b2000-10-14 16:23:11 +1100179
Ben Lindstrombfb3a0e2001-06-05 20:25:05 +0000180 debug("trying public RSA key file %s", file);
Damien Millerd8478b62011-05-29 21:39:36 +1000181 if ((f = auth_openkeyfile(file, pw, options.strict_modes)) == NULL)
182 return 0;
Damien Miller95def091999-11-25 00:26:21 +1100183
Damien Miller5428f641999-11-25 11:54:57 +1100184 /*
185 * Go though the accepted keys, looking for the current key. If
186 * found, perform a challenge-response dialog to verify that the
187 * user really has the corresponding private key.
188 */
Damien Millerd8478b62011-05-29 21:39:36 +1000189 key = key_new(KEY_RSA1);
Darren Tucker22cc7412004-12-06 22:47:41 +1100190 while (read_keyfile_line(f, file, line, sizeof(line), &linenum) != -1) {
Damien Miller95def091999-11-25 00:26:21 +1100191 char *cp;
Darren Tucker3f9fdc72004-06-22 12:56:01 +1000192 char *key_options;
Damien Millereccb9de2005-06-17 12:59:34 +1000193 int keybits;
Damien Miller95def091999-11-25 00:26:21 +1100194
Damien Miller5428f641999-11-25 11:54:57 +1100195 /* Skip leading whitespace, empty and comment lines. */
196 for (cp = line; *cp == ' ' || *cp == '\t'; cp++)
197 ;
Damien Miller95def091999-11-25 00:26:21 +1100198 if (!*cp || *cp == '\n' || *cp == '#')
199 continue;
200
Damien Miller5428f641999-11-25 11:54:57 +1100201 /*
202 * Check if there are options for this key, and if so,
203 * save their starting address and skip the option part
204 * for now. If there are no options, set the starting
205 * address to NULL.
206 */
Damien Miller95def091999-11-25 00:26:21 +1100207 if (*cp < '0' || *cp > '9') {
208 int quoted = 0;
Darren Tucker3f9fdc72004-06-22 12:56:01 +1000209 key_options = cp;
Damien Miller95def091999-11-25 00:26:21 +1100210 for (; *cp && (quoted || (*cp != ' ' && *cp != '\t')); cp++) {
211 if (*cp == '\\' && cp[1] == '"')
212 cp++; /* Skip both */
213 else if (*cp == '"')
214 quoted = !quoted;
215 }
216 } else
Darren Tucker3f9fdc72004-06-22 12:56:01 +1000217 key_options = NULL;
Damien Miller95def091999-11-25 00:26:21 +1100218
219 /* Parse the key from the line. */
Damien Miller89681212001-12-21 12:52:39 +1100220 if (hostfile_read_key(&cp, &bits, key) == 0) {
Ben Lindstromf96704d2001-06-25 04:17:12 +0000221 debug("%.100s, line %lu: non ssh1 key syntax",
Ben Lindstrom226cfa02001-01-22 05:34:40 +0000222 file, linenum);
Damien Miller95def091999-11-25 00:26:21 +1100223 continue;
224 }
225 /* cp now points to the comment part. */
226
Damien Millerd8478b62011-05-29 21:39:36 +1000227 /*
228 * Check if the we have found the desired key (identified
229 * by its modulus).
230 */
Damien Miller89681212001-12-21 12:52:39 +1100231 if (BN_cmp(key->rsa->n, client_n) != 0)
Damien Miller5428f641999-11-25 11:54:57 +1100232 continue;
Damien Miller95def091999-11-25 00:26:21 +1100233
Damien Milleraae6c611999-12-06 11:47:28 +1100234 /* check the real bits */
Damien Millereccb9de2005-06-17 12:59:34 +1000235 keybits = BN_num_bits(key->rsa->n);
Damien Millerce986542013-07-18 16:12:44 +1000236 if (keybits < 0 || bits != keybits)
Damien Miller996acd22003-04-09 20:59:48 +1000237 logit("Warning: %s, line %lu: keysize mismatch: "
Damien Milleraae6c611999-12-06 11:47:28 +1100238 "actual %d vs. announced %d.",
Damien Miller89681212001-12-21 12:52:39 +1100239 file, linenum, BN_num_bits(key->rsa->n), bits);
Damien Milleraae6c611999-12-06 11:47:28 +1100240
djm@openbsd.org9ce86c92015-01-28 22:36:00 +0000241 if ((fp = sshkey_fingerprint(key, options.fingerprint_hash,
242 SSH_FP_DEFAULT)) == NULL)
243 continue;
Darren Tucker0acca372013-06-02 07:41:51 +1000244 debug("matching key found: file %s, line %lu %s %s",
245 file, linenum, key_type(key), fp);
246 free(fp);
247
Darren Tuckeradab6f12010-12-05 09:01:47 +1100248 /* Never accept a revoked key */
249 if (auth_key_is_revoked(key))
250 break;
251
Damien Miller95def091999-11-25 00:26:21 +1100252 /* We have found the desired key. */
Ben Lindstrom14920292000-11-21 21:24:55 +0000253 /*
254 * If our options do not allow this key to be used,
255 * do not send challenge.
256 */
Darren Tucker3f9fdc72004-06-22 12:56:01 +1000257 if (!auth_parse_options(pw, key_options, file, linenum))
Ben Lindstrom14920292000-11-21 21:24:55 +0000258 continue;
Damien Miller3b903822010-05-21 14:56:25 +1000259 if (key_is_cert_authority)
260 continue;
Ben Lindstrom9c8aefe2002-03-22 01:12:58 +0000261 /* break out, this key is allowed */
262 allowed = 1;
Damien Miller50a41ed2000-10-16 12:14:42 +1100263 break;
Damien Millerd4a8b7e1999-10-27 13:42:43 +1000264 }
265
Damien Miller95def091999-11-25 00:26:21 +1100266 /* Close the file. */
267 fclose(f);
Damien Millerd4a8b7e1999-10-27 13:42:43 +1000268
Ben Lindstrom9c8aefe2002-03-22 01:12:58 +0000269 /* return key if allowed */
270 if (allowed && rkey != NULL)
271 *rkey = key;
272 else
273 key_free(key);
Damien Millerd8478b62011-05-29 21:39:36 +1000274
275 return allowed;
276}
277
278/*
279 * check if there's user key matching client_n,
280 * return key if login is allowed, NULL otherwise
281 */
282
283int
284auth_rsa_key_allowed(struct passwd *pw, BIGNUM *client_n, Key **rkey)
285{
286 char *file;
287 u_int i, allowed = 0;
288
289 temporarily_use_uid(pw);
290
291 for (i = 0; !allowed && i < options.num_authkeys_files; i++) {
Damien Miller09d3e122012-10-31 08:58:58 +1100292 if (strcasecmp(options.authorized_keys_files[i], "none") == 0)
293 continue;
Damien Millerd8478b62011-05-29 21:39:36 +1000294 file = expand_authorized_keys(
295 options.authorized_keys_files[i], pw);
296 allowed = rsa_key_allowed_in_file(pw, file, client_n, rkey);
Darren Tuckera627d422013-06-02 07:31:17 +1000297 free(file);
Damien Millerd8478b62011-05-29 21:39:36 +1000298 }
299
300 restore_uid();
301
302 return allowed;
Ben Lindstrom9c8aefe2002-03-22 01:12:58 +0000303}
304
305/*
306 * Performs the RSA authentication dialog with the client. This returns
307 * 0 if the client could not be authenticated, and 1 if authentication was
308 * successful. This may exit if there is a serious protocol violation.
309 */
310int
Damien Miller3e3b5142003-11-17 21:13:40 +1100311auth_rsa(Authctxt *authctxt, BIGNUM *client_n)
Ben Lindstrom9c8aefe2002-03-22 01:12:58 +0000312{
313 Key *key;
Damien Miller3e3b5142003-11-17 21:13:40 +1100314 struct passwd *pw = authctxt->pw;
Ben Lindstrom9c8aefe2002-03-22 01:12:58 +0000315
316 /* no user given */
Damien Miller3e3b5142003-11-17 21:13:40 +1100317 if (!authctxt->valid)
Ben Lindstrom9c8aefe2002-03-22 01:12:58 +0000318 return 0;
319
Ben Lindstrom7a2073c2002-03-22 02:30:41 +0000320 if (!PRIVSEP(auth_rsa_key_allowed(pw, client_n, &key))) {
Ben Lindstrom9c8aefe2002-03-22 01:12:58 +0000321 auth_clear_options();
322 return (0);
323 }
324
325 /* Perform the challenge-response dialog for this key. */
326 if (!auth_rsa_challenge_dialog(key)) {
327 /* Wrong response. */
328 verbose("Wrong response to RSA authentication challenge.");
329 packet_send_debug("Wrong response to RSA authentication challenge.");
330 /*
331 * Break out of the loop. Otherwise we might send
332 * another challenge and break the protocol.
333 */
334 key_free(key);
335 return (0);
336 }
337 /*
338 * Correct response. The client has been successfully
339 * authenticated. Note that we have not yet processed the
340 * options; this will be reset if the options cause the
341 * authentication to be rejected.
342 */
Damien Miller20bdcd72013-07-18 16:10:09 +1000343 pubkey_auth_info(authctxt, key, NULL);
Damien Millerd4a8b7e1999-10-27 13:42:43 +1000344
Ben Lindstrom9c8aefe2002-03-22 01:12:58 +0000345 packet_send_debug("RSA authentication accepted.");
346 return (1);
Damien Millerd4a8b7e1999-10-27 13:42:43 +1000347}
Damien Miller76c04802015-01-13 19:38:18 +1100348
349#endif /* WITH_SSH1 */