Attachment 2055 Details for Bug 1914 – Patch

[patch] Patch

openssh-5.8p2-sshadd-verify.patch (text/plain), 5.17 KB, created by Konrad Bucheli on 2011-06-10 21:37:04 AEST

(hide)

Description:

Filename:

MIME Type:

Creator: Konrad Bucheli

Created: 2011-06-10 21:37:04 AEST

Size: 5.17 KB

patch

obsolete

>diff -Naur openssh-5.8p2/regress/agent.sh openssh-5.8p2-sshadd-verify/regress/agent.sh
>--- openssh-5.8p2/regress/agent.sh	2008-03-12 13:58:56.000000000 +0100
>+++ openssh-5.8p2-sshadd-verify/regress/agent.sh	2011-06-10 11:06:41.827348198 +0200
>@@ -25,6 +25,9 @@
> 		rm -f $OBJ/$t-agent
> 		${SSHKEYGEN} -q -N '' -t $t -f $OBJ/$t-agent ||\
> 			 fail "ssh-keygen for $t-agent failed"
>+		# verify key is not loaded into agent
>+		${SSHADD} -v $OBJ/$t-agent.pub &&\
>+			fail "ssh-add -v verified unloaded key"
> 		# add to authorized keys
> 		cat $OBJ/$t-agent.pub >> $OBJ/authorized_keys_$USER
> 		# add privat key to agent
>@@ -32,6 +35,9 @@
> 		if [ $? -ne 0 ]; then
> 			fail "ssh-add did succeed exit code 0"
> 		fi
>+		# verify if key is loaded into agent
>+		${SSHADD} -v $OBJ/$t-agent.pub ||\
>+			fail "ssh-add -v did not verify loaded key"
> 	done
> 	${SSHADD} -l > /dev/null 2>&1
> 	if [ $? -ne 0 ]; then
>diff -Naur openssh-5.8p2/ssh-add.0 openssh-5.8p2-sshadd-verify/ssh-add.0
>--- openssh-5.8p2/ssh-add.0	2011-05-05 03:58:10.000000000 +0200
>+++ openssh-5.8p2-sshadd-verify/ssh-add.0	2011-06-10 11:04:17.683922100 +0200
>@@ -59,6 +59,9 @@
>              lifetime may be specified in seconds or in a time format
>              specified in sshd_config(5).
> 
>+     -v pubkey
>+             Verify if the agent has access to the matching private key.     
>+
>      -X      Unlock the agent.
> 
>      -x      Lock the agent with a password.
>diff -Naur openssh-5.8p2/ssh-add.c openssh-5.8p2-sshadd-verify/ssh-add.c
>--- openssh-5.8p2/ssh-add.c	2010-11-11 04:17:02.000000000 +0100
>+++ openssh-5.8p2-sshadd-verify/ssh-add.c	2011-06-10 11:56:17.828544948 +0200
>@@ -42,6 +42,7 @@
> #include <sys/param.h>
> 
> #include <openssl/evp.h>
>+#include <openssl/md5.h>
> #include "openbsd-compat/openssl-compat.h"
> 
> #include <fcntl.h>
>@@ -329,6 +330,109 @@
> 	return (ret);
> }
> 
>+
>+static int
>+verify_key_ssh1 (AuthenticationConnection *ac, Key *key)
>+{
>+
>+	int ret = 0;
>+	BIGNUM *challenge, *encrypted_challenge;
>+	u_char session_id[16], response[16], token[32], mdbuf[16];
>+	MD5_CTX md;
>+
>+	/* generate random session_id and token */
>+	arc4random_buf(session_id, sizeof(session_id));
>+	arc4random_buf(token, sizeof(token));
>+	if ((challenge = BN_bin2bn(token, sizeof(token), NULL)) == NULL) {
>+		fprintf(stderr, "%s: BNbin2bn failed", __func__);
>+		return ret;
>+	}
>+
>+	/* Encrypt the challenge with the public key. */
>+	if ((encrypted_challenge = BN_new()) == NULL) {
>+		fprintf(stderr, "%s: BN_new failed", __func__);
>+		BN_clear_free(challenge);
>+		return ret;
>+	}
>+	rsa_public_encrypt(encrypted_challenge, challenge, key->rsa);
>+
>+	/* send challenge to agent and expect response */
>+	ssh_decrypt_challenge(ac, key, encrypted_challenge, session_id, 1, response);
>+
>+	MD5_Init(&md);
>+	MD5_Update(&md, token, sizeof(token));
>+	MD5_Update(&md, session_id, sizeof(session_id));
>+	MD5_Final(mdbuf, &md);
>+
>+	/* Verify that the response is the original challenge. */
>+	if (timingsafe_bcmp(response, mdbuf, sizeof(mdbuf)) == 0) {
>+		ret = 1;
>+	}
>+
>+	BN_clear_free(encrypted_challenge);
>+	BN_clear_free(challenge);
>+	
>+	return ret;
>+}
>+
>+static int
>+verify_key_ssh2 (AuthenticationConnection *ac, Key *key)
>+{
>+	int ret = 0;
>+	u_char *signature, token[512];
>+	u_int slen;
>+	
>+	arc4random_buf(token, sizeof(token));
>+	
>+	/* let the agent sign the token */
>+	if (ssh_agent_sign(ac, key, &signature, &slen, token, sizeof(token)) == 0 ) {
>+		/* verify signature */
>+		if (key_verify(key, signature, slen, token, sizeof(token))) {
>+			ret = 1;
>+		}
>+		xfree(signature);
>+	}
>+	return ret;
>+}
>+
>+static int
>+verify_key(AuthenticationConnection *ac, const char *filename)
>+{
>+	Key *public, *key;
>+	char *comment;
>+	int version, ret = -1;
>+
>+	/* load public key */
>+	public = key_load_public(filename, NULL);
>+	if (public == NULL) {
>+		fprintf(stderr, "Could not read public key: %s\n", filename);
>+		return ret;
>+	}
>+	
>+	/* try to find public key in agent */
>+	for (version = 1; version <= 2 && ret != 0; version++) {
>+		for (key = ssh_get_first_identity(ac, &comment, version);
>+		    key != NULL && ret != 0;
>+		    key = ssh_get_next_identity(ac, &comment, version)) {
>+			if (key_equal_public(public, key)) {
>+				if (version == 1) {
>+					if (verify_key_ssh1(ac, public))
>+						ret = 0;
>+				} else {
>+					if (verify_key_ssh2(ac, public))
>+						ret = 0;
>+				}
>+			}
>+			key_free(key);
>+			xfree(comment);
>+		}
>+	}
>+
>+	key_free(public);
>+	
>+	return ret;
>+}
>+
> static int
> do_file(AuthenticationConnection *ac, int deleting, char *file)
> {
>@@ -357,6 +461,7 @@
> 	fprintf(stderr, "  -c          Require confirmation to sign using identities\n");
> 	fprintf(stderr, "  -s pkcs11   Add keys from PKCS#11 provider.\n");
> 	fprintf(stderr, "  -e pkcs11   Remove keys provided by PKCS#11 provider.\n");
>+	fprintf(stderr, "  -v pubkey   Verify if agent can access matching private key.\n");
> }
> 
> int
>@@ -384,7 +489,7 @@
> 		    "Could not open a connection to your authentication agent.\n");
> 		exit(2);
> 	}
>-	while ((ch = getopt(argc, argv, "lLcdDxXe:s:t:")) != -1) {
>+	while ((ch = getopt(argc, argv, "lLcdDxXe:s:t:v:")) != -1) {
> 		switch (ch) {
> 		case 'l':
> 		case 'L':
>@@ -420,6 +525,10 @@
> 				goto done;
> 			}
> 			break;
>+		case 'v':
>+			if (verify_key(ac, optarg) == -1)
>+				ret = 1;
>+			goto done;
> 		default:
> 			usage();
> 			ret = 1;

Actions: View | Diff

Attachments on bug 1914: 2055 | 2056 | 2058 | 2162