forked from rpms/openssh
154 lines
6.3 KiB
Diff
154 lines
6.3 KiB
Diff
diff -up openssh-5.8p1/auth2-hostbased.c.audit2a openssh-5.8p1/auth2-hostbased.c
|
|
--- openssh-5.8p1/auth2-hostbased.c.audit2a 2011-03-02 08:26:16.000000000 +0100
|
|
+++ openssh-5.8p1/auth2-hostbased.c 2011-03-02 08:26:17.000000000 +0100
|
|
@@ -119,7 +119,7 @@ userauth_hostbased(Authctxt *authctxt)
|
|
/* test for allowed key and correct signature */
|
|
authenticated = 0;
|
|
if (PRIVSEP(hostbased_key_allowed(authctxt->pw, cuser, chost, key)) &&
|
|
- PRIVSEP(key_verify(key, sig, slen, buffer_ptr(&b),
|
|
+ PRIVSEP(hostbased_key_verify(key, sig, slen, buffer_ptr(&b),
|
|
buffer_len(&b))) == 1)
|
|
authenticated = 1;
|
|
|
|
@@ -137,7 +137,7 @@ done:
|
|
}
|
|
|
|
int
|
|
-hostkey_key_verify(const Key *key, const u_char *sig, u_int slen, const u_char *data, u_int datalen)
|
|
+hostbased_key_verify(const Key *key, const u_char *sig, u_int slen, const u_char *data, u_int datalen)
|
|
{
|
|
int rv;
|
|
|
|
diff -up openssh-5.8p1/auth2-pubkey.c.audit2a openssh-5.8p1/auth2-pubkey.c
|
|
--- openssh-5.8p1/auth2-pubkey.c.audit2a 2011-03-02 08:26:16.000000000 +0100
|
|
+++ openssh-5.8p1/auth2-pubkey.c 2011-03-02 08:26:17.000000000 +0100
|
|
@@ -140,7 +140,7 @@ userauth_pubkey(Authctxt *authctxt)
|
|
/* test for correct signature */
|
|
authenticated = 0;
|
|
if (PRIVSEP(user_key_allowed(authctxt->pw, key)) &&
|
|
- PRIVSEP(key_verify(key, sig, slen, buffer_ptr(&b),
|
|
+ PRIVSEP(user_key_verify(key, sig, slen, buffer_ptr(&b),
|
|
buffer_len(&b))) == 1)
|
|
authenticated = 1;
|
|
buffer_free(&b);
|
|
@@ -178,7 +178,7 @@ done:
|
|
}
|
|
|
|
int
|
|
-pubkey_key_verify(const Key *key, const u_char *sig, u_int slen, const u_char *data, u_int datalen)
|
|
+user_key_verify(const Key *key, const u_char *sig, u_int slen, const u_char *data, u_int datalen)
|
|
{
|
|
int rv;
|
|
|
|
diff -up openssh-5.8p1/auth.h.audit2a openssh-5.8p1/auth.h
|
|
--- openssh-5.8p1/auth.h.audit2a 2011-03-02 08:26:16.000000000 +0100
|
|
+++ openssh-5.8p1/auth.h 2011-03-02 08:26:17.000000000 +0100
|
|
@@ -170,7 +170,7 @@ void abandon_challenge_response(Authctxt
|
|
char *authorized_keys_file(struct passwd *);
|
|
char *authorized_keys_file2(struct passwd *);
|
|
char *authorized_principals_file(struct passwd *);
|
|
-int pubkey_key_verify(const Key *, const u_char *, u_int, const u_char *, u_int);
|
|
+int user_key_verify(const Key *, const u_char *, u_int, const u_char *, u_int);
|
|
|
|
FILE *auth_openkeyfile(const char *, struct passwd *, int);
|
|
FILE *auth_openprincipals(const char *, struct passwd *, int);
|
|
@@ -186,7 +186,7 @@ Key *get_hostkey_public_by_type(int);
|
|
Key *get_hostkey_private_by_type(int);
|
|
int get_hostkey_index(Key *);
|
|
int ssh1_session_key(BIGNUM *);
|
|
-int hostkey_key_verify(const Key *, const u_char *, u_int, const u_char *, u_int);
|
|
+int hostbased_key_verify(const Key *, const u_char *, u_int, const u_char *, u_int);
|
|
|
|
/* debug messages during authentication */
|
|
void auth_debug_add(const char *fmt,...) __attribute__((format(printf, 1, 2)));
|
|
diff -up openssh-5.8p1/monitor.c.audit2a openssh-5.8p1/monitor.c
|
|
--- openssh-5.8p1/monitor.c.audit2a 2011-03-02 08:26:17.000000000 +0100
|
|
+++ openssh-5.8p1/monitor.c 2011-03-02 08:26:17.000000000 +0100
|
|
@@ -1208,9 +1208,11 @@ mm_answer_keyverify(int sock, Buffer *m)
|
|
Key *key;
|
|
u_char *signature, *data, *blob;
|
|
u_int signaturelen, datalen, bloblen;
|
|
+ int type = 0;
|
|
int verified = 0;
|
|
int valid_data = 0;
|
|
|
|
+ type = buffer_get_int(m);
|
|
blob = buffer_get_string(m, &bloblen);
|
|
signature = buffer_get_string(m, &signaturelen);
|
|
data = buffer_get_string(m, &datalen);
|
|
@@ -1218,6 +1220,8 @@ mm_answer_keyverify(int sock, Buffer *m)
|
|
if (hostbased_cuser == NULL || hostbased_chost == NULL ||
|
|
!monitor_allowed_key(blob, bloblen))
|
|
fatal("%s: bad key, not previously allowed", __func__);
|
|
+ if (type != key_blobtype)
|
|
+ fatal("%s: bad key type", __func__);
|
|
|
|
key = key_from_blob(blob, bloblen);
|
|
if (key == NULL)
|
|
@@ -1240,10 +1244,10 @@ mm_answer_keyverify(int sock, Buffer *m)
|
|
|
|
switch (key_blobtype) {
|
|
case MM_USERKEY:
|
|
- verified = pubkey_key_verify(key, signature, signaturelen, data, datalen);
|
|
+ verified = user_key_verify(key, signature, signaturelen, data, datalen);
|
|
break;
|
|
case MM_HOSTKEY:
|
|
- verified = hostkey_key_verify(key, signature, signaturelen, data, datalen);
|
|
+ verified = hostbased_key_verify(key, signature, signaturelen, data, datalen);
|
|
break;
|
|
default:
|
|
verified = 0;
|
|
diff -up openssh-5.8p1/monitor_wrap.c.audit2a openssh-5.8p1/monitor_wrap.c
|
|
--- openssh-5.8p1/monitor_wrap.c.audit2a 2011-03-02 08:26:16.000000000 +0100
|
|
+++ openssh-5.8p1/monitor_wrap.c 2011-03-02 08:26:17.000000000 +0100
|
|
@@ -393,7 +393,7 @@ mm_key_allowed(enum mm_keytype type, cha
|
|
*/
|
|
|
|
int
|
|
-mm_key_verify(Key *key, u_char *sig, u_int siglen, u_char *data, u_int datalen)
|
|
+mm_key_verify(enum mm_keytype type, Key *key, u_char *sig, u_int siglen, u_char *data, u_int datalen)
|
|
{
|
|
Buffer m;
|
|
u_char *blob;
|
|
@@ -407,6 +407,7 @@ mm_key_verify(Key *key, u_char *sig, u_i
|
|
return (0);
|
|
|
|
buffer_init(&m);
|
|
+ buffer_put_int(&m, type);
|
|
buffer_put_string(&m, blob, len);
|
|
buffer_put_string(&m, sig, siglen);
|
|
buffer_put_string(&m, data, datalen);
|
|
@@ -424,6 +425,19 @@ mm_key_verify(Key *key, u_char *sig, u_i
|
|
return (verified);
|
|
}
|
|
|
|
+int
|
|
+mm_hostbased_key_verify(Key *key, u_char *sig, u_int siglen, u_char *data, u_int datalen)
|
|
+{
|
|
+ return mm_key_verify(MM_HOSTKEY, key, sig, siglen, data, datalen);
|
|
+}
|
|
+
|
|
+int
|
|
+mm_user_key_verify(Key *key, u_char *sig, u_int siglen, u_char *data, u_int datalen)
|
|
+{
|
|
+ return mm_key_verify(MM_USERKEY, key, sig, siglen, data, datalen);
|
|
+}
|
|
+
|
|
+
|
|
/* Export key state after authentication */
|
|
Newkeys *
|
|
mm_newkeys_from_blob(u_char *blob, int blen)
|
|
diff -up openssh-5.8p1/monitor_wrap.h.audit2a openssh-5.8p1/monitor_wrap.h
|
|
--- openssh-5.8p1/monitor_wrap.h.audit2a 2011-03-02 08:26:16.000000000 +0100
|
|
+++ openssh-5.8p1/monitor_wrap.h 2011-03-02 08:26:17.000000000 +0100
|
|
@@ -48,7 +48,8 @@ int mm_key_allowed(enum mm_keytype, char
|
|
int mm_user_key_allowed(struct passwd *, Key *);
|
|
int mm_hostbased_key_allowed(struct passwd *, char *, char *, Key *);
|
|
int mm_auth_rhosts_rsa_key_allowed(struct passwd *, char *, char *, Key *);
|
|
-int mm_key_verify(Key *, u_char *, u_int, u_char *, u_int);
|
|
+int mm_hostbased_key_verify(Key *, u_char *, u_int, u_char *, u_int);
|
|
+int mm_user_key_verify(Key *, u_char *, u_int, u_char *, u_int);
|
|
int mm_auth_rsa_key_allowed(struct passwd *, BIGNUM *, Key **);
|
|
int mm_auth_rsa_verify_response(Key *, BIGNUM *, u_char *);
|
|
BIGNUM *mm_auth_rsa_generate_challenge(Key *);
|