summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorDamien Miller <djm@mindrot.org>2010-05-21 14:56:47 +1000
committerDamien Miller <djm@mindrot.org>2010-05-21 14:56:47 +1000
commitc6afb5f2c095a6a4380cc13a6480abb7614d949f (patch)
tree419ee7f1c432de379e2669585b85814cc67ac34e
parent3b903827ebe16c97f705cb3b6ef6e9702d770087 (diff)
- djm@cvs.openbsd.org 2010/05/14 00:47:22
[ssh-add.c] check that the certificate matches the corresponding private key before grafting it on
-rw-r--r--ChangeLog4
-rw-r--r--ssh-add.c50
2 files changed, 33 insertions, 21 deletions
diff --git a/ChangeLog b/ChangeLog
index d5a5aa6d2..b90af22b0 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -7,6 +7,10 @@
7 - djm@cvs.openbsd.org 2010/05/11 02:58:04 7 - djm@cvs.openbsd.org 2010/05/11 02:58:04
8 [auth-rsa.c] 8 [auth-rsa.c]
9 don't accept certificates marked as "cert-authority" here; ok markus@ 9 don't accept certificates marked as "cert-authority" here; ok markus@
10 - djm@cvs.openbsd.org 2010/05/14 00:47:22
11 [ssh-add.c]
12 check that the certificate matches the corresponding private key before
13 grafting it on
10 14
1120100511 1520100511
12 - (dtucker) [Makefile.in] Bug #1770: Link libopenbsd-compat twice to solve 16 - (dtucker) [Makefile.in] Bug #1770: Link libopenbsd-compat twice to solve
diff --git a/ssh-add.c b/ssh-add.c
index cba1078b4..fb641ec48 100644
--- a/ssh-add.c
+++ b/ssh-add.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: ssh-add.c,v 1.95 2010/04/16 01:47:26 djm Exp $ */ 1/* $OpenBSD: ssh-add.c,v 1.96 2010/05/14 00:47:22 djm Exp $ */
2/* 2/*
3 * Author: Tatu Ylonen <ylo@cs.hut.fi> 3 * Author: Tatu Ylonen <ylo@cs.hut.fi>
4 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland 4 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -194,7 +194,7 @@ add_file(AuthenticationConnection *ac, const char *filename)
194 "Lifetime set to %d seconds\n", lifetime); 194 "Lifetime set to %d seconds\n", lifetime);
195 if (confirm != 0) 195 if (confirm != 0)
196 fprintf(stderr, 196 fprintf(stderr,
197 "The user has to confirm each use of the key\n"); 197 "The user must confirm each use of the key\n");
198 } else { 198 } else {
199 fprintf(stderr, "Could not add identity: %s\n", filename); 199 fprintf(stderr, "Could not add identity: %s\n", filename);
200 } 200 }
@@ -202,29 +202,37 @@ add_file(AuthenticationConnection *ac, const char *filename)
202 202
203 /* Now try to add the certificate flavour too */ 203 /* Now try to add the certificate flavour too */
204 xasprintf(&certpath, "%s-cert.pub", filename); 204 xasprintf(&certpath, "%s-cert.pub", filename);
205 if ((cert = key_load_public(certpath, NULL)) != NULL) { 205 if ((cert = key_load_public(certpath, NULL)) == NULL)
206 /* Graft with private bits */ 206 goto out;
207 if (key_to_certified(private, key_cert_is_legacy(cert)) != 0) 207
208 fatal("%s: key_to_certified failed", __func__); 208 if (!key_equal_public(cert, private)) {
209 key_cert_copy(cert, private); 209 error("Certificate %s does not match private key %s",
210 certpath, filename);
210 key_free(cert); 211 key_free(cert);
212 goto out;
213 }
211 214
212 if (ssh_add_identity_constrained(ac, private, comment, 215 /* Graft with private bits */
213 lifetime, confirm)) { 216 if (key_to_certified(private, key_cert_is_legacy(cert)) != 0) {
214 fprintf(stderr, "Certificate added: %s (%s)\n", 217 error("%s: key_to_certified failed", __func__);
215 certpath, private->cert->key_id); 218 key_free(cert);
216 if (lifetime != 0) 219 goto out;
217 fprintf(stderr, "Lifetime set to %d seconds\n",
218 lifetime);
219 if (confirm != 0)
220 fprintf(stderr, "The user has to confirm each "
221 "use of the key\n");
222 } else {
223 error("Certificate %s (%s) add failed", certpath,
224 private->cert->key_id);
225 }
226 } 220 }
221 key_cert_copy(cert, private);
222 key_free(cert);
227 223
224 if (!ssh_add_identity_constrained(ac, private, comment,
225 lifetime, confirm)) {
226 error("Certificate %s (%s) add failed", certpath,
227 private->cert->key_id);
228 }
229 fprintf(stderr, "Certificate added: %s (%s)\n", certpath,
230 private->cert->key_id);
231 if (lifetime != 0)
232 fprintf(stderr, "Lifetime set to %d seconds\n", lifetime);
233 if (confirm != 0)
234 fprintf(stderr, "The user must confirm each use of the key\n");
235 out:
228 xfree(certpath); 236 xfree(certpath);
229 xfree(comment); 237 xfree(comment);
230 key_free(private); 238 key_free(private);