1 /* 2 * Copyright (c) 2002 Markus Friedl. All rights reserved. 3 * 4 * Redistribution and use in source and binary forms, with or without 5 * modification, are permitted provided that the following conditions 6 * are met: 7 * 1. Redistributions of source code must retain the above copyright 8 * notice, this list of conditions and the following disclaimer. 9 * 2. Redistributions in binary form must reproduce the above copyright 10 * notice, this list of conditions and the following disclaimer in the 11 * documentation and/or other materials provided with the distribution. 12 * 13 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 14 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 15 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 16 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 17 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 18 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 19 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 20 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 21 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 22 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 23 */ 24 #include "includes.h" 25 RCSID("$OpenBSD: ssh-keysign.c,v 1.4 2002/06/19 00:27:55 deraadt Exp $"); 26 27 #include <openssl/evp.h> 28 29 #include "log.h" 30 #include "key.h" 31 #include "ssh2.h" 32 #include "misc.h" 33 #include "xmalloc.h" 34 #include "buffer.h" 35 #include "bufaux.h" 36 #include "authfile.h" 37 #include "msg.h" 38 #include "canohost.h" 39 #include "pathnames.h" 40 41 static int 42 valid_request(struct passwd *pw, char *host, Key **ret, u_char *data, 43 u_int datalen) 44 { 45 Buffer b; 46 Key *key; 47 u_char *pkblob; 48 u_int blen, len; 49 char *pkalg, *p; 50 int pktype, fail; 51 52 fail = 0; 53 54 buffer_init(&b); 55 buffer_append(&b, data, datalen); 56 57 /* session id, currently limited to SHA1 (20 bytes) */ 58 p = buffer_get_string(&b, &len); 59 if (len != 20) 60 fail++; 61 xfree(p); 62 63 if (buffer_get_char(&b) != SSH2_MSG_USERAUTH_REQUEST) 64 fail++; 65 66 /* server user */ 67 buffer_skip_string(&b); 68 69 /* service */ 70 p = buffer_get_string(&b, NULL); 71 if (strcmp("ssh-connection", p) != 0) 72 fail++; 73 xfree(p); 74 75 /* method */ 76 p = buffer_get_string(&b, NULL); 77 if (strcmp("hostbased", p) != 0) 78 fail++; 79 xfree(p); 80 81 /* pubkey */ 82 pkalg = buffer_get_string(&b, NULL); 83 pkblob = buffer_get_string(&b, &blen); 84 85 pktype = key_type_from_name(pkalg); 86 if (pktype == KEY_UNSPEC) 87 fail++; 88 else if ((key = key_from_blob(pkblob, blen)) == NULL) 89 fail++; 90 else if (key->type != pktype) 91 fail++; 92 xfree(pkalg); 93 xfree(pkblob); 94 95 /* client host name, handle trailing dot */ 96 p = buffer_get_string(&b, &len); 97 debug2("valid_request: check expect chost %s got %s", host, p); 98 if (strlen(host) != len - 1) 99 fail++; 100 else if (p[len - 1] != '.') 101 fail++; 102 else if (strncasecmp(host, p, len - 1) != 0) 103 fail++; 104 xfree(p); 105 106 /* local user */ 107 p = buffer_get_string(&b, NULL); 108 109 if (strcmp(pw->pw_name, p) != 0) 110 fail++; 111 xfree(p); 112 113 /* end of message */ 114 if (buffer_len(&b) != 0) 115 fail++; 116 117 debug3("valid_request: fail %d", fail); 118 119 if (fail && key != NULL) 120 key_free(key); 121 else 122 *ret = key; 123 124 return (fail ? -1 : 0); 125 } 126 127 int 128 main(int argc, char **argv) 129 { 130 Buffer b; 131 Key *keys[2], *key; 132 struct passwd *pw; 133 int key_fd[2], i, found, version = 2, fd; 134 u_char *signature, *data; 135 char *host; 136 u_int slen, dlen; 137 138 key_fd[0] = open(_PATH_HOST_RSA_KEY_FILE, O_RDONLY); 139 key_fd[1] = open(_PATH_HOST_DSA_KEY_FILE, O_RDONLY); 140 141 seteuid(getuid()); 142 setuid(getuid()); 143 144 #ifdef DEBUG_SSH_KEYSIGN 145 log_init("ssh-keysign", SYSLOG_LEVEL_DEBUG3, SYSLOG_FACILITY_AUTH, 0); 146 #endif 147 148 if (key_fd[0] == -1 && key_fd[1] == -1) 149 fatal("could not open any host key"); 150 151 if ((pw = getpwuid(getuid())) == NULL) 152 fatal("getpwuid failed"); 153 pw = pwcopy(pw); 154 155 SSLeay_add_all_algorithms(); 156 157 found = 0; 158 for (i = 0; i < 2; i++) { 159 keys[i] = NULL; 160 if (key_fd[i] == -1) 161 continue; 162 keys[i] = key_load_private_pem(key_fd[i], KEY_UNSPEC, 163 NULL, NULL); 164 close(key_fd[i]); 165 if (keys[i] != NULL) 166 found = 1; 167 } 168 if (!found) 169 fatal("no hostkey found"); 170 171 buffer_init(&b); 172 if (msg_recv(STDIN_FILENO, &b) < 0) 173 fatal("msg_recv failed"); 174 if (buffer_get_char(&b) != version) 175 fatal("bad version"); 176 fd = buffer_get_int(&b); 177 if ((fd == STDIN_FILENO) || (fd == STDOUT_FILENO)) 178 fatal("bad fd"); 179 if ((host = get_local_name(fd)) == NULL) 180 fatal("cannot get sockname for fd"); 181 182 data = buffer_get_string(&b, &dlen); 183 if (valid_request(pw, host, &key, data, dlen) < 0) 184 fatal("not a valid request"); 185 xfree(data); 186 xfree(host); 187 188 found = 0; 189 for (i = 0; i < 2; i++) { 190 if (keys[i] != NULL && 191 key_equal(key, keys[i])) { 192 found = 1; 193 break; 194 } 195 } 196 if (!found) 197 fatal("no matching hostkey found"); 198 199 if (key_sign(keys[i], &signature, &slen, data, dlen) != 0) 200 fatal("key_sign failed"); 201 202 /* send reply */ 203 buffer_clear(&b); 204 buffer_put_string(&b, signature, slen); 205 msg_send(STDOUT_FILENO, version, &b); 206 207 return (0); 208 } 209