1 /* 2 * Copyright (c) 2002 Markus Friedl. All rights reserved. 3 * 4 * Redistribution and use in source and binary forms, with or without 5 * modification, are permitted provided that the following conditions 6 * are met: 7 * 1. Redistributions of source code must retain the above copyright 8 * notice, this list of conditions and the following disclaimer. 9 * 2. Redistributions in binary form must reproduce the above copyright 10 * notice, this list of conditions and the following disclaimer in the 11 * documentation and/or other materials provided with the distribution. 12 * 13 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 14 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 15 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 16 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 17 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 18 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 19 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 20 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 21 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 22 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 23 */ 24 #include "includes.h" 25 RCSID("$OpenBSD: ssh-keysign.c,v 1.4 2002/06/19 00:27:55 deraadt Exp $"); 26 27 #include <openssl/evp.h> 28 29 #include "log.h" 30 #include "key.h" 31 #include "ssh2.h" 32 #include "misc.h" 33 #include "xmalloc.h" 34 #include "buffer.h" 35 #include "bufaux.h" 36 #include "authfile.h" 37 #include "msg.h" 38 #include "canohost.h" 39 #include "pathnames.h" 40 41 #ifdef HAVE___PROGNAME 42 extern char *__progname; 43 #else 44 char *__progname; 45 #endif 46 47 static int 48 valid_request(struct passwd *pw, char *host, Key **ret, u_char *data, 49 u_int datalen) 50 { 51 Buffer b; 52 Key *key; 53 u_char *pkblob; 54 u_int blen, len; 55 char *pkalg, *p; 56 int pktype, fail; 57 58 fail = 0; 59 60 buffer_init(&b); 61 buffer_append(&b, data, datalen); 62 63 /* session id, currently limited to SHA1 (20 bytes) */ 64 p = buffer_get_string(&b, &len); 65 if (len != 20) 66 fail++; 67 xfree(p); 68 69 if (buffer_get_char(&b) != SSH2_MSG_USERAUTH_REQUEST) 70 fail++; 71 72 /* server user */ 73 buffer_skip_string(&b); 74 75 /* service */ 76 p = buffer_get_string(&b, NULL); 77 if (strcmp("ssh-connection", p) != 0) 78 fail++; 79 xfree(p); 80 81 /* method */ 82 p = buffer_get_string(&b, NULL); 83 if (strcmp("hostbased", p) != 0) 84 fail++; 85 xfree(p); 86 87 /* pubkey */ 88 pkalg = buffer_get_string(&b, NULL); 89 pkblob = buffer_get_string(&b, &blen); 90 91 pktype = key_type_from_name(pkalg); 92 if (pktype == KEY_UNSPEC) 93 fail++; 94 else if ((key = key_from_blob(pkblob, blen)) == NULL) 95 fail++; 96 else if (key->type != pktype) 97 fail++; 98 xfree(pkalg); 99 xfree(pkblob); 100 101 /* client host name, handle trailing dot */ 102 p = buffer_get_string(&b, &len); 103 debug2("valid_request: check expect chost %s got %s", host, p); 104 if (strlen(host) != len - 1) 105 fail++; 106 else if (p[len - 1] != '.') 107 fail++; 108 else if (strncasecmp(host, p, len - 1) != 0) 109 fail++; 110 xfree(p); 111 112 /* local user */ 113 p = buffer_get_string(&b, NULL); 114 115 if (strcmp(pw->pw_name, p) != 0) 116 fail++; 117 xfree(p); 118 119 /* end of message */ 120 if (buffer_len(&b) != 0) 121 fail++; 122 123 debug3("valid_request: fail %d", fail); 124 125 if (fail && key != NULL) 126 key_free(key); 127 else 128 *ret = key; 129 130 return (fail ? -1 : 0); 131 } 132 133 int 134 main(int argc, char **argv) 135 { 136 Buffer b; 137 Key *keys[2], *key; 138 struct passwd *pw; 139 int key_fd[2], i, found, version = 2, fd; 140 u_char *signature, *data; 141 char *host; 142 u_int slen, dlen; 143 144 key_fd[0] = open(_PATH_HOST_RSA_KEY_FILE, O_RDONLY); 145 key_fd[1] = open(_PATH_HOST_DSA_KEY_FILE, O_RDONLY); 146 147 seteuid(getuid()); 148 setuid(getuid()); 149 150 init_rng(); 151 seed_rng(); 152 arc4random_stir(); 153 154 #ifdef DEBUG_SSH_KEYSIGN 155 log_init("ssh-keysign", SYSLOG_LEVEL_DEBUG3, SYSLOG_FACILITY_AUTH, 0); 156 #endif 157 158 if (key_fd[0] == -1 && key_fd[1] == -1) 159 fatal("could not open any host key"); 160 161 if ((pw = getpwuid(getuid())) == NULL) 162 fatal("getpwuid failed"); 163 pw = pwcopy(pw); 164 165 SSLeay_add_all_algorithms(); 166 167 found = 0; 168 for (i = 0; i < 2; i++) { 169 keys[i] = NULL; 170 if (key_fd[i] == -1) 171 continue; 172 keys[i] = key_load_private_pem(key_fd[i], KEY_UNSPEC, 173 NULL, NULL); 174 close(key_fd[i]); 175 if (keys[i] != NULL) 176 found = 1; 177 } 178 if (!found) 179 fatal("no hostkey found"); 180 181 buffer_init(&b); 182 if (msg_recv(STDIN_FILENO, &b) < 0) 183 fatal("msg_recv failed"); 184 if (buffer_get_char(&b) != version) 185 fatal("bad version"); 186 fd = buffer_get_int(&b); 187 if ((fd == STDIN_FILENO) || (fd == STDOUT_FILENO)) 188 fatal("bad fd"); 189 if ((host = get_local_name(fd)) == NULL) 190 fatal("cannot get sockname for fd"); 191 192 data = buffer_get_string(&b, &dlen); 193 if (valid_request(pw, host, &key, data, dlen) < 0) 194 fatal("not a valid request"); 195 xfree(data); 196 xfree(host); 197 198 found = 0; 199 for (i = 0; i < 2; i++) { 200 if (keys[i] != NULL && 201 key_equal(key, keys[i])) { 202 found = 1; 203 break; 204 } 205 } 206 if (!found) 207 fatal("no matching hostkey found"); 208 209 if (key_sign(keys[i], &signature, &slen, data, dlen) != 0) 210 fatal("key_sign failed"); 211 212 /* send reply */ 213 buffer_clear(&b); 214 buffer_put_string(&b, signature, slen); 215 msg_send(STDOUT_FILENO, version, &b); 216 217 return (0); 218 } 219