-rw-r--r--auth2-pubkey.c36
1 files changed, 28 insertions, 8 deletions
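diff --git a/auth2-pubkey.c b/auth2-pubkey.c
index 0707b8ab3..eac79cc3d 100644
--- a/auth2-pubkey.c
+++ b/auth2-pubkey.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: auth2-pubkey.c,v 1.72 2017/12/18 02:25:15 djm Exp $ */
+/* $OpenBSD: auth2-pubkey.c,v 1.73 2017/12/19 00:24:34 djm Exp $ */
 /*
  * Copyright (c) 2000 Markus Friedl. All rights reserved.
  *
@@ -73,13 +73,24 @@ extern ServerOptions options;
 extern u_char *session_id2;
 extern u_int session_id2_len;
 
+static char *
+format_key(const struct sshkey *key)
+{
+	char *ret, *fp = sshkey_fingerprint(key,
+	    options.fingerprint_hash, SSH_FP_DEFAULT);
+
+	xasprintf(&ret, "%s %s", sshkey_type(key), fp);
+	free(fp);
+	return ret;
+}
+
 static int
 userauth_pubkey(struct ssh *ssh)
 {
 	Authctxt *authctxt = ssh->authctxt;
 	struct sshbuf *b;
 	struct sshkey *key = NULL;
-	char *pkalg, *userstyle = NULL, *fp = NULL;
+	char *pkalg, *userstyle = NULL, *key_s = NULL, *ca_s = NULL;
 	u_char *pkblob, *sig, have_sig;
 	size_t blen, slen;
 	int r, pktype;
@@ -135,7 +146,6 @@ userauth_pubkey(struct ssh *ssh)
 		    "signature scheme");
 		goto done;
 	}
-	fp = sshkey_fingerprint(key, options.fingerprint_hash, SSH_FP_DEFAULT);
 	if (auth2_key_already_used(authctxt, key)) {
 		logit("refusing previously-used %s key", sshkey_type(key));
 		goto done;
@@ -147,9 +157,15 @@ userauth_pubkey(struct ssh *ssh)
 		goto done;
 	}
 
+	key_s = format_key(key);
+	if (sshkey_is_cert(key))
+		ca_s = format_key(key->cert->signature_key);
+
 	if (have_sig) {
-		debug3("%s: have signature for %s %s",
-		    __func__, sshkey_type(key), fp);
+		debug3("%s: have %s signature for %s%s%s",
+		    __func__, pkalg, key_s,
+		    ca_s == NULL ? "" : " CA ",
+		    ca_s == NULL ? "" : ca_s);
 		if ((r = sshpkt_get_string(ssh, &sig, &slen)) != 0 ||
 		    (r = sshpkt_get_end(ssh)) != 0)
 			fatal("%s: %s", __func__, ssh_err(r));
@@ -205,8 +221,11 @@ userauth_pubkey(struct ssh *ssh)
 		free(sig);
 		auth2_record_key(authctxt, authenticated, key);
 	} else {
-		debug("%s: test whether pkalg/pkblob are acceptable for %s %s",
-		    __func__, sshkey_type(key), fp);
+		debug("%s: test pkalg %s pkblob %s%s%s",
+		    __func__, pkalg, key_s,
+		    ca_s == NULL ? "" : " CA ",
+		    ca_s == NULL ? "" : ca_s);
+
 		if ((r = sshpkt_get_end(ssh)) != 0)
 			fatal("%s: %s", __func__, ssh_err(r));
 
@@ -237,7 +256,8 @@ done:
 	free(userstyle);
 	free(pkalg);
 	free(pkblob);
-	free(fp);
+	free(key_s);
+	free(ca_s);
 	return authenticated;
 }
 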
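Review bot: format_key() hands the result of sshkey_fingerprint() straight to the `%s` in xasprintf, and as far as I know that call returns NULL when the fingerprint cannot be produced; a NULL `%s` argument is undefined behaviour in C even though common libcs print "(null)". The removed debug()/debug3() calls had the same exposure, so the commit does not make it worse, but the new helper is now the single place to guard it: `xasprintf(&ret, "%s %s", sshkey_type(key), fp == NULL ? "(null)" : fp);`. The helper also deserves a short ownership comment, since userauth_pubkey frees both results at `done:`: `/* Returns a malloc'd "keytype fingerprint" string; caller frees. */`. Note that userauth_pubkey's body is only partly visible here; the hunks cut through it between the declarations, the two debug sites and the cleanup label.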