- djm@cvs.openbsd.org 2010/08/04 05:42:47

[auth.c auth2-hostbased.c authfile.c authfile.h ssh-keysign.8] [ssh-keysign.c ssh.c] enable certificates for hostbased authentication, from Iain Morgan; "looks ok" markus@
author: Damien Miller <djm@mindrot.org> 2010-08-05 13:04:50 +1000
committer: Damien Miller <djm@mindrot.org> 2010-08-05 13:04:50 +1000
commit: c158331f8c7e059c6c1d099bffc7f5fc6087ddbd (patch)
tree: f1998f0fb52e5fb666ee67064a424af45e941f6b /authfile.c
parent: 1da638895916bc061ff6aca9f373d48a9776810b (diff)
1 files changed, 59 insertions, 1 deletions
diff --git a/authfile.c b/authfile.c
index 224c6aa80..6bf41db9a 100644
--- a/authfile.c
+++ b/authfile.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: authfile.c,v 1.80 2010/03/04 10:36:03 djm Exp $ */
+/* $OpenBSD: authfile.c,v 1.81 2010/08/04 05:42:47 djm Exp $ */
 /*
 * Author: Tatu Ylonen <ylo@cs.hut.fi>
 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -693,6 +693,64 @@ key_load_public(const char *filename, char **commentp)
        return NULL;
 }
+/* Load the certificate associated with the named private key */
+Key *
+key_load_cert(const char *filename)
+{
+        Key *pub;
+        char file[MAXPATHLEN];
+        pub = key_new(KEY_UNSPEC);
+        if ((strlcpy(file, filename, sizeof file) < sizeof(file)) &&
+            (strlcat(file, "-cert.pub", sizeof file) < sizeof(file)) &&
+            (key_try_load_public(pub, file, NULL) == 1))
+                return pub;
+        key_free(pub);
+        return NULL;
+}
+/* Load private key and certificate */
+Key *
+key_load_private_cert(int type, const char *filename, const char *passphrase,
+    int *perm_ok)
+{
+        Key *key, *pub;
+        switch (type) {
+        case KEY_RSA:
+        case KEY_DSA:
+                break;
+        default:
+                error("%s: unsupported key type", __func__);
+                return NULL;
+        }
+        if ((key = key_load_private_type(type, filename, 
+            passphrase, NULL, perm_ok)) == NULL)
+                return NULL;
+        if ((pub = key_load_cert(filename)) == NULL) {
+                key_free(key);
+                return NULL;
+        }
+        /* Make sure the private key matches the certificate */
+        if (key_equal_public(key, pub) == 0) {
+                error("%s: certificate does not match private key %s",
+                    __func__, filename);
+        } else if (key_to_certified(key, key_cert_is_legacy(pub)) != 0) {
+                error("%s: key_to_certified failed", __func__);
+        } else {
+                key_cert_copy(pub, key);
+                key_free(pub);
+                return key;
+        }
+        key_free(key);
+        key_free(pub);
+        return NULL;
+}
 /*
 * Returns 1 if the specified "key" is listed in the file "filename",
 * 0 if the key is not listed or -1 on error.
author	Damien Miller <djm@mindrot.org>	2010-08-05 13:04:50 +1000
committer	Damien Miller <djm@mindrot.org>	2010-08-05 13:04:50 +1000
commit	c158331f8c7e059c6c1d099bffc7f5fc6087ddbd (patch)
tree	f1998f0fb52e5fb666ee67064a424af45e941f6b /authfile.c
parent	1da638895916bc061ff6aca9f373d48a9776810b (diff)

diff --git a/authfile.c b/authfile.c index 224c6aa80..6bf41db9a 100644 --- a/authfile.c +++ b/authfile.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: authfile.c,v 1.80 2010/03/04 10:36:03 djm Exp $ */	1	/* $OpenBSD: authfile.c,v 1.81 2010/08/04 05:42:47 djm Exp $ */
2	/*	2	/*
3	* Author: Tatu Ylonen <ylo@cs.hut.fi>	3	* Author: Tatu Ylonen <ylo@cs.hut.fi>
4	* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland	4	* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -693,6 +693,64 @@ key_load_public(const char filename, char *commentp)
693	return NULL;	693	return NULL;
694	}	694	}
695		695
		696	/* Load the certificate associated with the named private key */
		697	Key *
		698	key_load_cert(const char *filename)
		699	{
		700	Key *pub;
		701	char file[MAXPATHLEN];
		702
		703	pub = key_new(KEY_UNSPEC);
		704	if ((strlcpy(file, filename, sizeof file) < sizeof(file)) &&
		705	(strlcat(file, "-cert.pub", sizeof file) < sizeof(file)) &&
		706	(key_try_load_public(pub, file, NULL) == 1))
		707	return pub;
		708	key_free(pub);
		709	return NULL;
		710	}
		711
		712	/* Load private key and certificate */
		713	Key *
		714	key_load_private_cert(int type, const char filename, const char passphrase,
		715	int *perm_ok)
		716	{
		717	Key key, pub;
		718
		719	switch (type) {
		720	case KEY_RSA:
		721	case KEY_DSA:
		722	break;
		723	default:
		724	error("%s: unsupported key type", __func__);
		725	return NULL;
		726	}
		727
		728	if ((key = key_load_private_type(type, filename,
		729	passphrase, NULL, perm_ok)) == NULL)
		730	return NULL;
		731
		732	if ((pub = key_load_cert(filename)) == NULL) {
		733	key_free(key);
		734	return NULL;
		735	}
		736
		737	/* Make sure the private key matches the certificate */
		738	if (key_equal_public(key, pub) == 0) {
		739	error("%s: certificate does not match private key %s",
		740	__func__, filename);
		741	} else if (key_to_certified(key, key_cert_is_legacy(pub)) != 0) {
		742	error("%s: key_to_certified failed", __func__);
		743	} else {
		744	key_cert_copy(pub, key);
		745	key_free(pub);
		746	return key;
		747	}
		748
		749	key_free(key);
		750	key_free(pub);
		751	return NULL;
		752	}
		753
696	/*	754	/*
697	* Returns 1 if the specified "key" is listed in the file "filename",	755	* Returns 1 if the specified "key" is listed in the file "filename",
698	* 0 if the key is not listed or -1 on error.	756	* 0 if the key is not listed or -1 on error.