upstream commit

include signature type and CA key (if applicable) in some debug messages OpenBSD-Commit-ID: b71615cc20e78cec7105bb6e940c03ce9ae414a5
author: djm@openbsd.org <djm@openbsd.org> 2017-12-19 00:24:34 +0000
committer: Damien Miller <djm@mindrot.org> 2017-12-19 15:21:37 +1100
commit: 278856320520e851063b06cef6ef1c60d4c5d652 (patch)
tree: ed57ecdcaf75baa1fd762d35d7161f021e50d4e4 /auth2-pubkey.c
parent: 7860731ef190b52119fa480f8064ab03c44a120a (diff)
1 files changed, 28 insertions, 8 deletions
diff --git a/auth2-pubkey.c b/auth2-pubkey.c
index 0707b8ab3..eac79cc3d 100644
--- a/auth2-pubkey.c
+++ b/auth2-pubkey.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: auth2-pubkey.c,v 1.72 2017/12/18 02:25:15 djm Exp $ */
+/* $OpenBSD: auth2-pubkey.c,v 1.73 2017/12/19 00:24:34 djm Exp $ */
 /*
 * Copyright (c) 2000 Markus Friedl.  All rights reserved.
 *
@@ -73,13 +73,24 @@ extern ServerOptions options;
 extern u_char *session_id2;
 extern u_int session_id2_len;
+static char *
+format_key(const struct sshkey *key)
+{
+        char *ret, *fp = sshkey_fingerprint(key,
+            options.fingerprint_hash, SSH_FP_DEFAULT);
+        xasprintf(&ret, "%s %s", sshkey_type(key), fp);
+        free(fp);
+        return ret;
+}
 static int
 userauth_pubkey(struct ssh *ssh)
 {
        Authctxt *authctxt = ssh->authctxt;
        struct sshbuf *b;
        struct sshkey *key = NULL;
-        char *pkalg, *userstyle = NULL, *fp = NULL;
+        char *pkalg, *userstyle = NULL, *key_s = NULL, *ca_s = NULL;
        u_char *pkblob, *sig, have_sig;
        size_t blen, slen;
        int r, pktype;
@@ -135,7 +146,6 @@ userauth_pubkey(struct ssh *ssh)
                    "signature scheme");
                goto done;
        }
-        fp = sshkey_fingerprint(key, options.fingerprint_hash, SSH_FP_DEFAULT);
        if (auth2_key_already_used(authctxt, key)) {
                logit("refusing previously-used %s key", sshkey_type(key));
                goto done;
@@ -147,9 +157,15 @@ userauth_pubkey(struct ssh *ssh)
                goto done;
        }
+        key_s = format_key(key);
+        if (sshkey_is_cert(key))
+                ca_s = format_key(key->cert->signature_key);
        if (have_sig) {
-                debug3("%s: have signature for %s %s",
+                debug3("%s: have %s signature for %s%s%s",
-                    __func__, sshkey_type(key), fp);
+                    __func__, pkalg, key_s,
+                    ca_s == NULL ? "" : " CA ",
+                    ca_s == NULL ? "" : ca_s);
                if ((r = sshpkt_get_string(ssh, &sig, &slen)) != 0 ||
                    (r = sshpkt_get_end(ssh)) != 0)
                        fatal("%s: %s", __func__, ssh_err(r));
@@ -205,8 +221,11 @@ userauth_pubkey(struct ssh *ssh)
                free(sig);
                auth2_record_key(authctxt, authenticated, key);
        } else {
-                debug("%s: test whether pkalg/pkblob are acceptable for %s %s",
+                debug("%s: test pkalg %s pkblob %s%s%s",
-                    __func__, sshkey_type(key), fp);
+                    __func__, pkalg, key_s,
+                    ca_s == NULL ? "" : " CA ",
+                    ca_s == NULL ? "" : ca_s);
                if ((r = sshpkt_get_end(ssh)) != 0)
                        fatal("%s: %s", __func__, ssh_err(r));
@@ -237,7 +256,8 @@ done:
        free(userstyle);
        free(pkalg);
        free(pkblob);
-        free(fp);
+        free(key_s);
+        free(ca_s);
        return authenticated;
 }
author	djm@openbsd.org <djm@openbsd.org>	2017-12-19 00:24:34 +0000
committer	Damien Miller <djm@mindrot.org>	2017-12-19 15:21:37 +1100
commit	278856320520e851063b06cef6ef1c60d4c5d652 (patch)
tree	ed57ecdcaf75baa1fd762d35d7161f021e50d4e4 /auth2-pubkey.c
parent	7860731ef190b52119fa480f8064ab03c44a120a (diff)