Diffstat (limited to 'auth2-pubkey.c')
-rw-r--r--auth2-pubkey.c86
1 files changed, 62 insertions, 24 deletions
diff --git a/auth2-pubkey.c b/auth2-pubkey.c
index f980b0dad..7c0ceee55 100644
--- a/auth2-pubkey.c
+++ b/auth2-pubkey.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: auth2-pubkey.c,v 1.34 2013/02/14 21:35:59 djm Exp $ */ 1/* $OpenBSD: auth2-pubkey.c,v 1.38 2013/06/21 00:34:49 djm Exp $ */
2/* 2/*
3 * Copyright (c) 2000 Markus Friedl. All rights reserved. 3 * Copyright (c) 2000 Markus Friedl. All rights reserved.
4 * 4 *
@@ -75,7 +75,7 @@ userauth_pubkey(Authctxt *authctxt)
75{ 75{
76 Buffer b; 76 Buffer b;
77 Key *key = NULL; 77 Key *key = NULL;
78 char *pkalg; 78 char *pkalg, *userstyle;
79 u_char *pkblob, *sig; 79 u_char *pkblob, *sig;
80 u_int alen, blen, slen; 80 u_int alen, blen, slen;
81 int have_sig, pktype; 81 int have_sig, pktype;
@@ -127,7 +127,11 @@ userauth_pubkey(Authctxt *authctxt)
127 } 127 }
128 /* reconstruct packet */ 128 /* reconstruct packet */
129 buffer_put_char(&b, SSH2_MSG_USERAUTH_REQUEST); 129 buffer_put_char(&b, SSH2_MSG_USERAUTH_REQUEST);
130 buffer_put_cstring(&b, authctxt->user); 130 xasprintf(&userstyle, "%s%s%s", authctxt->user,
131 authctxt->style ? ":" : "",
132 authctxt->style ? authctxt->style : "");
133 buffer_put_cstring(&b, userstyle);
134 free(userstyle);
131 buffer_put_cstring(&b, 135 buffer_put_cstring(&b,
132 datafellows & SSH_BUG_PKSERVICE ? 136 datafellows & SSH_BUG_PKSERVICE ?
133 "ssh-userauth" : 137 "ssh-userauth" :
@@ -143,6 +147,8 @@ userauth_pubkey(Authctxt *authctxt)
143#ifdef DEBUG_PK 147#ifdef DEBUG_PK
144 buffer_dump(&b); 148 buffer_dump(&b);
145#endif 149#endif
150 pubkey_auth_info(authctxt, key, NULL);
151
146 /* test for correct signature */ 152 /* test for correct signature */
147 authenticated = 0; 153 authenticated = 0;
148 if (PRIVSEP(user_key_allowed(authctxt->pw, key)) && 154 if (PRIVSEP(user_key_allowed(authctxt->pw, key)) &&
@@ -150,7 +156,7 @@ userauth_pubkey(Authctxt *authctxt)
150 buffer_len(&b))) == 1) 156 buffer_len(&b))) == 1)
151 authenticated = 1; 157 authenticated = 1;
152 buffer_free(&b); 158 buffer_free(&b);
153 xfree(sig); 159 free(sig);
154 } else { 160 } else {
155 debug("test whether pkalg/pkblob are acceptable"); 161 debug("test whether pkalg/pkblob are acceptable");
156 packet_check_eom(); 162 packet_check_eom();
@@ -178,11 +184,45 @@ done:
178 debug2("userauth_pubkey: authenticated %d pkalg %s", authenticated, pkalg); 184 debug2("userauth_pubkey: authenticated %d pkalg %s", authenticated, pkalg);
179 if (key != NULL) 185 if (key != NULL)
180 key_free(key); 186 key_free(key);
181 xfree(pkalg); 187 free(pkalg);
182 xfree(pkblob); 188 free(pkblob);
183 return authenticated; 189 return authenticated;
184} 190}
185 191
192void
193pubkey_auth_info(Authctxt *authctxt, const Key *key, const char *fmt, ...)
194{
195 char *fp, *extra;
196 va_list ap;
197 int i;
198
199 extra = NULL;
200 if (fmt != NULL) {
201 va_start(ap, fmt);
202 i = vasprintf(&extra, fmt, ap);
203 va_end(ap);
204 if (i < 0 || extra == NULL)
205 fatal("%s: vasprintf failed", __func__);
206 }
207
208 if (key_is_cert(key)) {
209 fp = key_fingerprint(key->cert->signature_key,
210 SSH_FP_MD5, SSH_FP_HEX);
211 auth_info(authctxt, "%s ID %s (serial %llu) CA %s %s%s%s",
212 key_type(key), key->cert->key_id,
213 (unsigned long long)key->cert->serial,
214 key_type(key->cert->signature_key), fp,
215 extra == NULL ? "" : ", ", extra == NULL ? "" : extra);
216 free(fp);
217 } else {
218 fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX);
219 auth_info(authctxt, "%s %s%s%s", key_type(key), fp,
220 extra == NULL ? "" : ", ", extra == NULL ? "" : extra);
221 free(fp);
222 }
223 free(extra);
224}
225
186static int 226static int
187match_principals_option(const char *principal_list, struct KeyCert *cert) 227match_principals_option(const char *principal_list, struct KeyCert *cert)
188{ 228{
@@ -196,7 +236,7 @@ match_principals_option(const char *principal_list, struct KeyCert *cert)
196 principal_list, NULL)) != NULL) { 236 principal_list, NULL)) != NULL) {
197 debug3("matched principal from key options \"%.100s\"", 237 debug3("matched principal from key options \"%.100s\"",
198 result); 238 result);
199 xfree(result); 239 free(result);
200 return 1; 240 return 1;
201 } 241 }
202 } 242 }
@@ -277,13 +317,14 @@ check_authkeys_file(FILE *f, char *file, Key* key, struct passwd *pw)
277 char *fp; 317 char *fp;
278 318
279 found_key = 0; 319 found_key = 0;
280 found = key_new(key_is_cert(key) ? KEY_UNSPEC : key->type);
281 320
321 found = NULL;
282 auth_start_parse_options(); 322 auth_start_parse_options();
283
284 while (read_keyfile_line(f, file, line, sizeof(line), &linenum) != -1) { 323 while (read_keyfile_line(f, file, line, sizeof(line), &linenum) != -1) {
285 char *cp, *key_options = NULL; 324 char *cp, *key_options = NULL;
286 325 if (found != NULL)
326 key_free(found);
327 found = key_new(key_is_cert(key) ? KEY_UNSPEC : key->type);
287 auth_clear_options(); 328 auth_clear_options();
288 329
289 /* Skip leading whitespace, empty and comment lines. */ 330 /* Skip leading whitespace, empty and comment lines. */
@@ -335,7 +376,7 @@ check_authkeys_file(FILE *f, char *file, Key* key, struct passwd *pw)
335 reason = "Certificate does not contain an " 376 reason = "Certificate does not contain an "
336 "authorized principal"; 377 "authorized principal";
337 fail_reason: 378 fail_reason:
338 xfree(fp); 379 free(fp);
339 error("%s", reason); 380 error("%s", reason);
340 auth_debug_add("%s", reason); 381 auth_debug_add("%s", reason);
341 continue; 382 continue;
@@ -345,13 +386,13 @@ check_authkeys_file(FILE *f, char *file, Key* key, struct passwd *pw)
345 &reason) != 0) 386 &reason) != 0)
346 goto fail_reason; 387 goto fail_reason;
347 if (auth_cert_options(key, pw) != 0) { 388 if (auth_cert_options(key, pw) != 0) {
348 xfree(fp); 389 free(fp);
349 continue; 390 continue;
350 } 391 }
351 verbose("Accepted certificate ID \"%s\" " 392 verbose("Accepted certificate ID \"%s\" "
352 "signed by %s CA %s via %s", key->cert->key_id, 393 "signed by %s CA %s via %s", key->cert->key_id,
353 key_type(found), fp, file); 394 key_type(found), fp, file);
354 xfree(fp); 395 free(fp);
355 found_key = 1; 396 found_key = 1;
356 break; 397 break;
357 } else if (key_equal(found, key)) { 398 } else if (key_equal(found, key)) {
@@ -361,16 +402,15 @@ check_authkeys_file(FILE *f, char *file, Key* key, struct passwd *pw)
361 if (key_is_cert_authority) 402 if (key_is_cert_authority)
362 continue; 403 continue;
363 found_key = 1; 404 found_key = 1;
364 debug("matching key found: file %s, line %lu",
365 file, linenum);
366 fp = key_fingerprint(found, SSH_FP_MD5, SSH_FP_HEX); 405 fp = key_fingerprint(found, SSH_FP_MD5, SSH_FP_HEX);
367 verbose("Found matching %s key: %s", 406 debug("matching key found: file %s, line %lu %s %s",
368 key_type(found), fp); 407 file, linenum, key_type(found), fp);
369 xfree(fp); 408 free(fp);
370 break; 409 break;
371 } 410 }
372 } 411 }
373 key_free(found); 412 if (found != NULL)
413 key_free(found);
374 if (!found_key) 414 if (!found_key)
375 debug2("key not found"); 415 debug2("key not found");
376 return found_key; 416 return found_key;
@@ -425,10 +465,8 @@ user_cert_trusted_ca(struct passwd *pw, Key *key)
425 ret = 1; 465 ret = 1;
426 466
427 out: 467 out:
428 if (principals_file != NULL) 468 free(principals_file);
429 xfree(principals_file); 469 free(ca_fp);
430 if (ca_fp != NULL)
431 xfree(ca_fp);
432 return ret; 470 return ret;
433} 471}
434 472
@@ -634,7 +672,7 @@ user_key_allowed(struct passwd *pw, Key *key)
634 options.authorized_keys_files[i], pw); 672 options.authorized_keys_files[i], pw);
635 673
636 success = user_key_allowed2(pw, key, file); 674 success = user_key_allowed2(pw, key, file);
637 xfree(file); 675 free(file);
638 } 676 }
639 677
640 return success; 678 return success;
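Review bot: pubkey_auth_info() is called at new-side line 150, before user_key_allowed() and key_verify() run at new-side lines 154-157, so the key type, fingerprint, certificate ID and serial it records through auth_info() describe a key the client has merely offered, not one whose possession has been proven; a comment above the call would keep log consumers from reading it as verified, e.g. `/* Record the offered key's details for auth logging; its signature has not been checked yet. */`. The new function at new-side lines 193-224 forwards a non-literal `fmt` to vasprintf(), so its declaration in auth.h (outside this diff) should carry `__attribute__((format(printf, 3, 4)))` if it does not already, so that callers with mismatched arguments are caught at compile time. In the certificate branch `key->cert->key_id` is taken straight from the client-supplied certificate and passed into the log message; that is safe only if auth_info() or the logging layer sanitises control characters, which cannot be confirmed from this hunk and deserves a one-line note at the call. userauth_pubkey() starts before the first hunk and the remaining hunks cut through check_authkeys_file(), user_cert_trusted_ca() and user_key_allowed().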