author | Colin Watson <cjwatson@debian.org> | 2016-02-29 12:15:15 +0000 |
---|---|---|
committer | Colin Watson <cjwatson@debian.org> | 2016-03-08 11:51:22 +0000 |
commit | 46961f5704f8e86cea3e99253faad55aef4d8f35 (patch) | |
tree | 0dd97fa4fb649a62b4639fe2674380872b1f3e98 /auth2-pubkey.c | |
parent | c753fe267efb1b027424fa8706cf0385fc3d14c1 (diff) | |
parent | 85e40e87a75fb80a0bf893ac05a417d6c353537d (diff) |
New upstream release (7.2).
Diffstat (limited to 'auth2-pubkey.c')
-rw-r--r-- | auth2-pubkey.c | 36 |
1 files changed, 22 insertions, 14 deletions
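diff --git a/auth2-pubkey.c b/auth2-pubkey.c
index 1eee16168..aace7ca15 100644
--- a/auth2-pubkey.c
+++ b/auth2-pubkey.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: auth2-pubkey.c,v 1.53 2015/06/15 18:44:22 jsing Exp $ */
+/* $OpenBSD: auth2-pubkey.c,v 1.55 2016/01/27 00:53:12 djm Exp $ */
 /*
 * Copyright (c) 2000 Markus Friedl. All rights reserved.
 *
@@ -79,19 +79,19 @@ userauth_pubkey(Authctxt *authctxt)
 {
 Buffer b;
 Key *key = NULL;
-char *pkalg, *userstyle;
+char *pkalg, *userstyle, *fp = NULL;
 u_char *pkblob, *sig;
 u_int alen, blen, slen;
 int have_sig, pktype;
 int authenticated = 0;
 
 if (!authctxt->valid) {
-debug2("userauth_pubkey: disabled because of invalid user");
+debug2("%s: disabled because of invalid user", __func__);
 return 0;
 }
 have_sig = packet_get_char();
 if (datafellows & SSH_BUG_PKAUTH) {
-debug2("userauth_pubkey: SSH_BUG_PKAUTH");
+debug2("%s: SSH_BUG_PKAUTH", __func__);
 /* no explicit pkalg given */
 pkblob = packet_get_string(&blen);
 buffer_init(&b);
@@ -106,18 +106,18 @@ userauth_pubkey(Authctxt *authctxt)
 pktype = key_type_from_name(pkalg);
 if (pktype == KEY_UNSPEC) {
 /* this is perfectly legal */
-logit("userauth_pubkey: unsupported public key algorithm: %s",
-pkalg);
+logit("%s: unsupported public key algorithm: %s",
+__func__, pkalg);
 goto done;
 }
 key = key_from_blob(pkblob, blen);
 if (key == NULL) {
-error("userauth_pubkey: cannot decode key: %s", pkalg);
+error("%s: cannot decode key: %s", __func__, pkalg);
 goto done;
 }
 if (key->type != pktype) {
-error("userauth_pubkey: type mismatch for decoded key "
-"(received %d, expected %d)", key->type, pktype);
+error("%s: type mismatch for decoded key "
+"(received %d, expected %d)", __func__, key->type, pktype);
 goto done;
 }
 if (key_type_plain(key->type) == KEY_RSA &&
@@ -126,6 +126,7 @@ userauth_pubkey(Authctxt *authctxt)
 "signature scheme");
 goto done;
 }
+fp = sshkey_fingerprint(key, options.fingerprint_hash, SSH_FP_DEFAULT);
 if (auth2_userkey_already_used(authctxt, key)) {
 logit("refusing previously-used %s key", key_type(key));
 goto done;
@@ -138,6 +139,8 @@ userauth_pubkey(Authctxt *authctxt)
 }
 
 if (have_sig) {
+debug3("%s: have signature for %s %s",
+__func__, sshkey_type(key), fp);
 sig = packet_get_string(&slen);
 packet_check_eom();
 buffer_init(&b);
@@ -183,7 +186,8 @@ userauth_pubkey(Authctxt *authctxt)
 buffer_free(&b);
 free(sig);
 } else {
-debug("test whether pkalg/pkblob are acceptable");
+debug("%s: test whether pkalg/pkblob are acceptable for %s %s",
+__func__, sshkey_type(key), fp);
 packet_check_eom();
 
 /* XXX fake reply and always send PK_OK ? */
@@ -206,11 +210,12 @@ userauth_pubkey(Authctxt *authctxt)
 if (authenticated != 1)
 auth_clear_options();
 done:
-debug2("userauth_pubkey: authenticated %d pkalg %s", authenticated, pkalg);
+debug2("%s: authenticated %d pkalg %s", __func__, authenticated, pkalg);
 if (key != NULL)
 key_free(key);
 free(pkalg);
 free(pkblob);
+free(fp);
 return authenticated;
 }
 
@@ -798,8 +803,9 @@ check_authkeys_file(FILE *f, char *file, Key* key, struct passwd *pw)
 free(fp);
 continue;
 }
-verbose("Accepted certificate ID \"%s\" "
+verbose("Accepted certificate ID \"%s\" (serial %llu) "
 "signed by %s CA %s via %s", key->cert->key_id,
+(unsigned long long)key->cert->serial,
 key_type(found), fp, file);
 free(fp);
 found_key = 1;
@@ -878,8 +884,10 @@ user_cert_trusted_ca(struct passwd *pw, Key *key)
 if (auth_cert_options(key, pw) != 0)
 goto out;
 
-verbose("Accepted certificate ID \"%s\" signed by %s CA %s via %s",
-key->cert->key_id, key_type(key->cert->signature_key), ca_fp,
+verbose("Accepted certificate ID \"%s\" (serial %llu) signed by "
+"%s CA %s via %s", key->cert->key_id,
+(unsigned long long)key->cert->serial,
+key_type(key->cert->signature_key), ca_fp,
 options.trusted_user_ca_keys);
 ret = 1;
 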
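Review bot: The return value of `sshkey_fingerprint()` in userauth_pubkey is stored in `fp` and later passed to `%s` in the new `debug3("%s: have signature for %s %s", ...)` and `debug("%s: test whether pkalg/pkblob are acceptable for %s %s", ...)` calls without a NULL check, and that function returns NULL on failure. A guard right after the assignment, `if (fp == NULL) { error("%s: sshkey_fingerprint failed", __func__); goto done; }`, would keep the logging path well defined and reuse the existing cleanup at `done:`, where `free(fp)` is harmless for NULL. The fingerprint is also already computed when `logit("refusing previously-used %s key", key_type(key))` fires, yet that message still names only the key type; appending `fp` there would let an auditor tie a refused replay to a specific key, in the same way the added `(serial %llu)` does for accepted certificates. The parts of userauth_pubkey between the hunks are not shown, so this assumes nothing else assigns or frees `fp`.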