diff options
-rw-r--r-- | auth2-pubkey.c | 36 |
1 files changed, 28 insertions, 8 deletions
diff --git a/auth2-pubkey.c b/auth2-pubkey.c index 0707b8ab3..eac79cc3d 100644 --- a/auth2-pubkey.c +++ b/auth2-pubkey.c | |||
@@ -1,4 +1,4 @@ | |||
1 | /* $OpenBSD: auth2-pubkey.c,v 1.72 2017/12/18 02:25:15 djm Exp $ */ | 1 | /* $OpenBSD: auth2-pubkey.c,v 1.73 2017/12/19 00:24:34 djm Exp $ */ |
2 | /* | 2 | /* |
3 | * Copyright (c) 2000 Markus Friedl. All rights reserved. | 3 | * Copyright (c) 2000 Markus Friedl. All rights reserved. |
4 | * | 4 | * |
@@ -73,13 +73,24 @@ extern ServerOptions options; | |||
73 | extern u_char *session_id2; | 73 | extern u_char *session_id2; |
74 | extern u_int session_id2_len; | 74 | extern u_int session_id2_len; |
75 | 75 | ||
76 | static char * | ||
77 | format_key(const struct sshkey *key) | ||
78 | { | ||
79 | char *ret, *fp = sshkey_fingerprint(key, | ||
80 | options.fingerprint_hash, SSH_FP_DEFAULT); | ||
81 | |||
82 | xasprintf(&ret, "%s %s", sshkey_type(key), fp); | ||
83 | free(fp); | ||
84 | return ret; | ||
85 | } | ||
86 | |||
76 | static int | 87 | static int |
77 | userauth_pubkey(struct ssh *ssh) | 88 | userauth_pubkey(struct ssh *ssh) |
78 | { | 89 | { |
79 | Authctxt *authctxt = ssh->authctxt; | 90 | Authctxt *authctxt = ssh->authctxt; |
80 | struct sshbuf *b; | 91 | struct sshbuf *b; |
81 | struct sshkey *key = NULL; | 92 | struct sshkey *key = NULL; |
82 | char *pkalg, *userstyle = NULL, *fp = NULL; | 93 | char *pkalg, *userstyle = NULL, *key_s = NULL, *ca_s = NULL; |
83 | u_char *pkblob, *sig, have_sig; | 94 | u_char *pkblob, *sig, have_sig; |
84 | size_t blen, slen; | 95 | size_t blen, slen; |
85 | int r, pktype; | 96 | int r, pktype; |
@@ -135,7 +146,6 @@ userauth_pubkey(struct ssh *ssh) | |||
135 | "signature scheme"); | 146 | "signature scheme"); |
136 | goto done; | 147 | goto done; |
137 | } | 148 | } |
138 | fp = sshkey_fingerprint(key, options.fingerprint_hash, SSH_FP_DEFAULT); | ||
139 | if (auth2_key_already_used(authctxt, key)) { | 149 | if (auth2_key_already_used(authctxt, key)) { |
140 | logit("refusing previously-used %s key", sshkey_type(key)); | 150 | logit("refusing previously-used %s key", sshkey_type(key)); |
141 | goto done; | 151 | goto done; |
@@ -147,9 +157,15 @@ userauth_pubkey(struct ssh *ssh) | |||
147 | goto done; | 157 | goto done; |
148 | } | 158 | } |
149 | 159 | ||
160 | key_s = format_key(key); | ||
161 | if (sshkey_is_cert(key)) | ||
162 | ca_s = format_key(key->cert->signature_key); | ||
163 | |||
150 | if (have_sig) { | 164 | if (have_sig) { |
151 | debug3("%s: have signature for %s %s", | 165 | debug3("%s: have %s signature for %s%s%s", |
152 | __func__, sshkey_type(key), fp); | 166 | __func__, pkalg, key_s, |
167 | ca_s == NULL ? "" : " CA ", | ||
168 | ca_s == NULL ? "" : ca_s); | ||
153 | if ((r = sshpkt_get_string(ssh, &sig, &slen)) != 0 || | 169 | if ((r = sshpkt_get_string(ssh, &sig, &slen)) != 0 || |
154 | (r = sshpkt_get_end(ssh)) != 0) | 170 | (r = sshpkt_get_end(ssh)) != 0) |
155 | fatal("%s: %s", __func__, ssh_err(r)); | 171 | fatal("%s: %s", __func__, ssh_err(r)); |
@@ -205,8 +221,11 @@ userauth_pubkey(struct ssh *ssh) | |||
205 | free(sig); | 221 | free(sig); |
206 | auth2_record_key(authctxt, authenticated, key); | 222 | auth2_record_key(authctxt, authenticated, key); |
207 | } else { | 223 | } else { |
208 | debug("%s: test whether pkalg/pkblob are acceptable for %s %s", | 224 | debug("%s: test pkalg %s pkblob %s%s%s", |
209 | __func__, sshkey_type(key), fp); | 225 | __func__, pkalg, key_s, |
226 | ca_s == NULL ? "" : " CA ", | ||
227 | ca_s == NULL ? "" : ca_s); | ||
228 | |||
210 | if ((r = sshpkt_get_end(ssh)) != 0) | 229 | if ((r = sshpkt_get_end(ssh)) != 0) |
211 | fatal("%s: %s", __func__, ssh_err(r)); | 230 | fatal("%s: %s", __func__, ssh_err(r)); |
212 | 231 | ||
@@ -237,7 +256,8 @@ done: | |||
237 | free(userstyle); | 256 | free(userstyle); |
238 | free(pkalg); | 257 | free(pkalg); |
239 | free(pkblob); | 258 | free(pkblob); |
240 | free(fp); | 259 | free(key_s); |
260 | free(ca_s); | ||
241 | return authenticated; | 261 | return authenticated; |
242 | } | 262 | } |
243 | 263 | ||