- djm@cvs.openbsd.org 2010/03/04 10:36:03

     [auth-rh-rsa.c auth-rsa.c auth.c auth.h auth2-hostbased.c auth2-pubkey.c]
     [authfile.c authfile.h hostfile.c hostfile.h servconf.c servconf.h]
     [ssh-keygen.c ssh.1 sshconnect.c sshd_config.5]
     Add a TrustedUserCAKeys option to sshd_config to specify CA keys that
     are trusted to authenticate users (in addition than doing it per-user
     in authorized_keys).

     Add a RevokedKeys option to sshd_config and a @revoked marker to
     known_hosts to allow keys to me revoked and banned for user or host
     authentication.

     feedback and ok markus@

1 files changed, 81 insertions, 21 deletions

diff --git a/hostfile.c b/hostfile.c
index fc7f84c79..afab6dad1 100644
--- a/hostfile.c
+++ b/hostfile.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: hostfile.c,v 1.47 2010/02/26 20:29:54 djm Exp $ */
+/* $OpenBSD: hostfile.c,v 1.48 2010/03/04 10:36:03 djm Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -183,6 +183,41 @@ hostfile_check_key(int bits, const Key *key, const char *host, const char *filen
         return 1;
 }
 
+static enum { MRK_ERROR, MRK_NONE, MRK_REVOKE, MRK_CA }
+check_markers(char **cpp)
+{
+        char marker[32], *sp, *cp = *cpp;
+        int ret = MRK_NONE;
+
+        while (*cp == '@') {
+                /* Only one marker is allowed */
+                if (ret != MRK_NONE)
+                        return MRK_ERROR;
+                /* Markers are terminated by whitespace */
+                if ((sp = strchr(cp, ' ')) == NULL &&
+                    (sp = strchr(cp, '\t')) == NULL)
+                        return MRK_ERROR;
+                /* Extract marker for comparison */
+                if (sp <= cp + 1 || sp >= cp + sizeof(marker))
+                        return MRK_ERROR;
+                memcpy(marker, cp, sp - cp);
+                marker[sp - cp] = '\0';
+                if (strcmp(marker, CA_MARKER) == 0)
+                        ret = MRK_CA;
+                else if (strcmp(marker, REVOKE_MARKER) == 0)
+                        ret = MRK_REVOKE;
+                else
+                        return MRK_ERROR;
+
+                /* Skip past marker and any whitespace that follows it */
+                cp = sp;
+                for (; *cp == ' ' || *cp == '\t'; cp++)
+                        ;
+        }
+        *cpp = cp;
+        return ret;
+}
+
 /*
  * Checks whether the given host (which must be in all lowercase) is already
  * in the list of our known hosts. Returns HOST_OK if the host is known and
@@ -195,17 +230,21 @@ hostfile_check_key(int bits, const Key *key, const char *host, const char *filen
 
 static HostStatus
 check_host_in_hostfile_by_key_or_type(const char *filename,
-    const char *host, const Key *key, int keytype, Key *found, int *numret)
+    const char *host, const Key *key, int keytype, Key *found,
+    int want_revocation, int *numret)
 {
         FILE *f;
         char line[8192];
-        int linenum = 0, want_cert = key_is_cert(key);
+        int want, have, linenum = 0, want_cert = key_is_cert(key);
         u_int kbits;
         char *cp, *cp2, *hashed_host;
         HostStatus end_return;
 
         debug3("check_host_in_hostfile: host %s filename %s", host, filename);
 
+        if (want_revocation && (key == NULL || keytype != 0 || found != NULL))
+                fatal("%s: invalid arguments", __func__);
+
         /* Open the file containing the list of known hosts. */
         f = fopen(filename, "r");
         if (!f)
@@ -229,21 +268,18 @@ check_host_in_hostfile_by_key_or_type(const char *filename,
                 if (!*cp || *cp == '#' || *cp == '\n')
                         continue;
 
-                /*
-                 * Ignore CA keys when looking for raw keys.
-                 * Ignore raw keys when looking for CA keys.
-                 */
-                if (strncasecmp(cp, CA_MARKER, sizeof(CA_MARKER) - 1) == 0 &&
-                    (cp[sizeof(CA_MARKER) - 1] == ' ' ||
-                    cp[sizeof(CA_MARKER) - 1] == '\t')) {
-                        if (want_cert) {
-                                /* Skip the marker and following whitespace */
-                                cp += sizeof(CA_MARKER);
-                                for (; *cp == ' ' || *cp == '\t'; cp++)
-                                        ;
-                        } else
-                                continue;
-                } else if (want_cert)
+                if (want_revocation)
+                        want = MRK_REVOKE;
+                else if (want_cert)
+                        want = MRK_CA;
+                else
+                        want = MRK_NONE;
+
+                if ((have = check_markers(&cp)) == MRK_ERROR) {
+                        verbose("%s: invalid marker at %s:%d",
+                            __func__, filename, linenum);
+                        continue;
+                } else if (want != have)
                         continue;
 
                 /* Find the end of the host name portion. */
@@ -267,6 +303,9 @@ check_host_in_hostfile_by_key_or_type(const char *filename,
                 /* Got a match.  Skip host name. */
                 cp = cp2;
 
+                if (want_revocation)
+                        found = key_new(KEY_UNSPEC);
+
                 /*
                  * Extract the key from the line.  This will skip any leading
                  * whitespace.  Ignore badly formatted lines.
@@ -289,6 +328,24 @@ check_host_in_hostfile_by_key_or_type(const char *filename,
                 if (!hostfile_check_key(kbits, found, host, filename, linenum))
                         continue;
 
+                if (want_revocation) {
+                        if (key_is_cert(key) &&
+                            key_equal_public(key->cert->signature_key, found)) {
+                                verbose("check_host_in_hostfile: revoked CA "
+                                    "line %d", linenum);
+                                key_free(found);
+                                return HOST_REVOKED;
+                        }
+                        if (key_equal_public(key, found)) {
+                                verbose("check_host_in_hostfile: revoked key "
+                                    "line %d", linenum);
+                                key_free(found);
+                                return HOST_REVOKED;
+                        }
+                        key_free(found);
+                        continue;
+                }
+
                 /* Check if the current key is the same as the given key. */
                 if (want_cert && key_equal(key->cert->signature_key, found)) {
                         /* Found CA cert for key */
@@ -325,8 +382,11 @@ check_host_in_hostfile(const char *filename, const char *host, const Key *key,
 {
         if (key == NULL)
                 fatal("no key to look up");
-        return (check_host_in_hostfile_by_key_or_type(filename, host, key, 0,
-            found, numret));
+        if (check_host_in_hostfile_by_key_or_type(filename, host,
+            key, 0, NULL, 1, NULL) == HOST_REVOKED)
+                return HOST_REVOKED;
+        return check_host_in_hostfile_by_key_or_type(filename, host, key, 0,
+            found, 0, numret);
 }
 
 int
@@ -334,7 +394,7 @@ lookup_key_in_hostfile_by_type(const char *filename, const char *host,
     int keytype, Key *found, int *numret)
 {
         return (check_host_in_hostfile_by_key_or_type(filename, host, NULL,
-            keytype, found, numret) == HOST_FOUND);
+            keytype, found, 0, numret) == HOST_FOUND);
 }
 
 /*