- djm@cvs.openbsd.org 2010/05/14 00:47:22

[ssh-add.c] check that the certificate matches the corresponding private key before grafting it on
author: Damien Miller <djm@mindrot.org> 2010-05-21 14:56:47 +1000
committer: Damien Miller <djm@mindrot.org> 2010-05-21 14:56:47 +1000
commit: c6afb5f2c095a6a4380cc13a6480abb7614d949f (patch)
tree: 419ee7f1c432de379e2669585b85814cc67ac34e
parent: 3b903827ebe16c97f705cb3b6ef6e9702d770087 (diff)
2 files changed, 33 insertions, 21 deletions
diff --git a/ChangeLog b/ChangeLog
index d5a5aa6d2..b90af22b0 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -7,6 +7,10 @@
   - djm@cvs.openbsd.org 2010/05/11 02:58:04
     [auth-rsa.c]
     don't accept certificates marked as "cert-authority" here; ok markus@
+   - djm@cvs.openbsd.org 2010/05/14 00:47:22
+     [ssh-add.c]
+     check that the certificate matches the corresponding private key before
+     grafting it on
 20100511
 - (dtucker) [Makefile.in] Bug #1770: Link libopenbsd-compat twice to solve
diff --git a/ssh-add.c b/ssh-add.c
index cba1078b4..fb641ec48 100644
--- a/ssh-add.c
+++ b/ssh-add.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh-add.c,v 1.95 2010/04/16 01:47:26 djm Exp $ */
+/* $OpenBSD: ssh-add.c,v 1.96 2010/05/14 00:47:22 djm Exp $ */
 /*
 * Author: Tatu Ylonen <ylo@cs.hut.fi>
 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -194,7 +194,7 @@ add_file(AuthenticationConnection *ac, const char *filename)
                            "Lifetime set to %d seconds\n", lifetime);
                if (confirm != 0)
                        fprintf(stderr,
-                            "The user has to confirm each use of the key\n");
+                            "The user must confirm each use of the key\n");
        } else {
                fprintf(stderr, "Could not add identity: %s\n", filename);
        }
@@ -202,29 +202,37 @@ add_file(AuthenticationConnection *ac, const char *filename)
        /* Now try to add the certificate flavour too */
        xasprintf(&certpath, "%s-cert.pub", filename);
-        if ((cert = key_load_public(certpath, NULL)) != NULL) {
+        if ((cert = key_load_public(certpath, NULL)) == NULL)
-                /* Graft with private bits */
+                goto out;
-                if (key_to_certified(private, key_cert_is_legacy(cert)) != 0)
-                        fatal("%s: key_to_certified failed", __func__);
+        if (!key_equal_public(cert, private)) {
-                key_cert_copy(cert, private);
+                error("Certificate %s does not match private key %s",
+                    certpath, filename);
                key_free(cert);
+                goto out;
+        } 
-                if (ssh_add_identity_constrained(ac, private, comment,
+        /* Graft with private bits */
-                    lifetime, confirm)) {
+        if (key_to_certified(private, key_cert_is_legacy(cert)) != 0) {
-                        fprintf(stderr, "Certificate added: %s (%s)\n",
+                error("%s: key_to_certified failed", __func__);
-                            certpath, private->cert->key_id);
+                key_free(cert);
-                        if (lifetime != 0)
+                goto out;
-                                fprintf(stderr, "Lifetime set to %d seconds\n",
-                                    lifetime);
-                        if (confirm != 0)
-                                fprintf(stderr, "The user has to confirm each "
-                                    "use of the key\n");
-                } else {
-                        error("Certificate %s (%s) add failed", certpath,
-                            private->cert->key_id);
-                }
        }
+        key_cert_copy(cert, private);
+        key_free(cert);
+        if (!ssh_add_identity_constrained(ac, private, comment,
+            lifetime, confirm)) {
+                error("Certificate %s (%s) add failed", certpath,
+                    private->cert->key_id);
+        }
+        fprintf(stderr, "Certificate added: %s (%s)\n", certpath,
+            private->cert->key_id);
+        if (lifetime != 0)
+                fprintf(stderr, "Lifetime set to %d seconds\n", lifetime);
+        if (confirm != 0)
+                fprintf(stderr, "The user must confirm each use of the key\n");
+ out:
        xfree(certpath);
        xfree(comment);
        key_free(private);
author	Damien Miller <djm@mindrot.org>	2010-05-21 14:56:47 +1000
committer	Damien Miller <djm@mindrot.org>	2010-05-21 14:56:47 +1000
commit	c6afb5f2c095a6a4380cc13a6480abb7614d949f (patch)
tree	419ee7f1c432de379e2669585b85814cc67ac34e
parent	3b903827ebe16c97f705cb3b6ef6e9702d770087 (diff)

diff --git a/ChangeLog b/ChangeLog index d5a5aa6d2..b90af22b0 100644 --- a/ChangeLog +++ b/ChangeLog
@@ -7,6 +7,10 @@
7	- djm@cvs.openbsd.org 2010/05/11 02:58:04	7	- djm@cvs.openbsd.org 2010/05/11 02:58:04
8	[auth-rsa.c]	8	[auth-rsa.c]
9	don't accept certificates marked as "cert-authority" here; ok markus@	9	don't accept certificates marked as "cert-authority" here; ok markus@
		10	- djm@cvs.openbsd.org 2010/05/14 00:47:22
		11	[ssh-add.c]
		12	check that the certificate matches the corresponding private key before
		13	grafting it on
10		14
11	20100511	15	20100511
12	- (dtucker) [Makefile.in] Bug #1770: Link libopenbsd-compat twice to solve	16	- (dtucker) [Makefile.in] Bug #1770: Link libopenbsd-compat twice to solve


diff --git a/ssh-add.c b/ssh-add.c index cba1078b4..fb641ec48 100644 --- a/ssh-add.c +++ b/ssh-add.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: ssh-add.c,v 1.95 2010/04/16 01:47:26 djm Exp $ */	1	/* $OpenBSD: ssh-add.c,v 1.96 2010/05/14 00:47:22 djm Exp $ */
2	/*	2	/*
3	* Author: Tatu Ylonen <ylo@cs.hut.fi>	3	* Author: Tatu Ylonen <ylo@cs.hut.fi>
4	* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland	4	* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -194,7 +194,7 @@ add_file(AuthenticationConnection ac, const char filename)
194	"Lifetime set to %d seconds\n", lifetime);	194	"Lifetime set to %d seconds\n", lifetime);
195	if (confirm != 0)	195	if (confirm != 0)
196	fprintf(stderr,	196	fprintf(stderr,
197	"The user has to confirm each use of the key\n");	197	"The user must confirm each use of the key\n");
198	} else {	198	} else {
199	fprintf(stderr, "Could not add identity: %s\n", filename);	199	fprintf(stderr, "Could not add identity: %s\n", filename);
200	}	200	}
@@ -202,29 +202,37 @@ add_file(AuthenticationConnection ac, const char filename)
202		202
203	/* Now try to add the certificate flavour too */	203	/* Now try to add the certificate flavour too */
204	xasprintf(&certpath, "%s-cert.pub", filename);	204	xasprintf(&certpath, "%s-cert.pub", filename);
205	if ((cert = key_load_public(certpath, NULL)) != NULL) {	205	if ((cert = key_load_public(certpath, NULL)) == NULL)
206	/* Graft with private bits */	206	goto out;
207	if (key_to_certified(private, key_cert_is_legacy(cert)) != 0)	207
208	fatal("%s: key_to_certified failed", __func__);	208	if (!key_equal_public(cert, private)) {
209	key_cert_copy(cert, private);	209	error("Certificate %s does not match private key %s",
		210	certpath, filename);
210	key_free(cert);	211	key_free(cert);
		212	goto out;
		213	}
211		214
212	if (ssh_add_identity_constrained(ac, private, comment,	215	/* Graft with private bits */
213	lifetime, confirm)) {	216	if (key_to_certified(private, key_cert_is_legacy(cert)) != 0) {
214	fprintf(stderr, "Certificate added: %s (%s)\n",	217	error("%s: key_to_certified failed", __func__);
215	certpath, private->cert->key_id);	218	key_free(cert);
216	if (lifetime != 0)	219	goto out;
217	fprintf(stderr, "Lifetime set to %d seconds\n",
218	lifetime);
219	if (confirm != 0)
220	fprintf(stderr, "The user has to confirm each "
221	"use of the key\n");
222	} else {
223	error("Certificate %s (%s) add failed", certpath,
224	private->cert->key_id);
225	}
226	}	220	}
		221	key_cert_copy(cert, private);
		222	key_free(cert);
227		223
		224	if (!ssh_add_identity_constrained(ac, private, comment,
		225	lifetime, confirm)) {
		226	error("Certificate %s (%s) add failed", certpath,
		227	private->cert->key_id);
		228	}
		229	fprintf(stderr, "Certificate added: %s (%s)\n", certpath,
		230	private->cert->key_id);
		231	if (lifetime != 0)
		232	fprintf(stderr, "Lifetime set to %d seconds\n", lifetime);
		233	if (confirm != 0)
		234	fprintf(stderr, "The user must confirm each use of the key\n");
		235	out:
228	xfree(certpath);	236	xfree(certpath);
229	xfree(comment);	237	xfree(comment);
230	key_free(private);	238	key_free(private);