Diffstat (limited to 'auth2-pubkey.c')
-rw-r--r-- | auth2-pubkey.c | 80 |
1 files changed, 4 insertions, 76 deletions
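--- a/auth2-pubkey.c
+++ b/auth2-pubkey.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: auth2-pubkey.c,v 1.67 2017/05/31 10:54:00 markus Exp $ */
+/* $OpenBSD: auth2-pubkey.c,v 1.68 2017/06/24 06:34:38 djm Exp $ */
 /*
 * Copyright (c) 2000 Markus Friedl. All rights reserved.
 *
@@ -137,7 +137,7 @@ userauth_pubkey(struct ssh *ssh)
 goto done;
 }
 fp = sshkey_fingerprint(key, options.fingerprint_hash, SSH_FP_DEFAULT);
-if (auth2_userkey_already_used(authctxt, key)) {
+if (auth2_key_already_used(authctxt, key)) {
 logit("refusing previously-used %s key", sshkey_type(key));
 goto done;
 }
@@ -194,7 +194,6 @@ userauth_pubkey(struct ssh *ssh)
 #ifdef DEBUG_PK
 sshbuf_dump(b, stderr);
 #endif
-pubkey_auth_info(authctxt, key, NULL);
 
 /* test for correct signature */
 authenticated = 0;
@@ -202,12 +201,10 @@ userauth_pubkey(struct ssh *ssh)
 PRIVSEP(sshkey_verify(key, sig, slen, sshbuf_ptr(b),
 sshbuf_len(b), ssh->compat)) == 0) {
 authenticated = 1;
-/* Record the successful key to prevent reuse */
-auth2_record_userkey(authctxt, key);
-key = NULL; /* Don't free below */
 }
 sshbuf_free(b);
 free(sig);
+auth2_record_key(authctxt, authenticated, key);
 } else {
 debug("%s: test whether pkalg/pkblob are acceptable for %s %s",
 __func__, sshkey_type(key), fp);
@@ -237,8 +234,7 @@ userauth_pubkey(struct ssh *ssh)
 auth_clear_options();
 done:
 debug2("%s: authenticated %d pkalg %s", __func__, authenticated, pkalg);
-if (key != NULL)
-sshkey_free(key);
+sshkey_free(key);
 free(userstyle);
 free(pkalg);
 free(pkblob);
@@ -246,44 +242,6 @@ done:
 return authenticated;
 }
 
-void
-pubkey_auth_info(Authctxt *authctxt, const struct sshkey *key,
-const char *fmt, ...)
-{
-char *fp, *extra;
-va_list ap;
-int i;
-
-extra = NULL;
-if (fmt != NULL) {
-va_start(ap, fmt);
-i = vasprintf(&extra, fmt, ap);
-va_end(ap);
-if (i < 0 || extra == NULL)
-fatal("%s: vasprintf failed", __func__);
-}
-
-if (sshkey_is_cert(key)) {
-fp = sshkey_fingerprint(key->cert->signature_key,
-options.fingerprint_hash, SSH_FP_DEFAULT);
-auth_info(authctxt, "%s ID %s (serial %llu) CA %s %s%s%s",
-sshkey_type(key), key->cert->key_id,
-(unsigned long long)key->cert->serial,
-sshkey_type(key->cert->signature_key),
-fp == NULL ? "(null)" : fp,
-extra == NULL ? "" : ", ", extra == NULL ? "" : extra);
-free(fp);
-} else {
-fp = sshkey_fingerprint(key, options.fingerprint_hash,
-SSH_FP_DEFAULT);
-auth_info(authctxt, "%s %s%s%s", sshkey_type(key),
-fp == NULL ? "(null)" : fp,
-extra == NULL ? "" : ", ", extra == NULL ? "" : extra);
-free(fp);
-}
-free(extra);
-}
-
 /*
 * Splits 's' into an argument vector. Handles quoted string and basic
 * escape characters (\\, \", \'). Caller must free the argument vector
@@ -1148,36 +1106,6 @@ user_key_allowed(struct passwd *pw, struct sshkey *key, int auth_attempt)
 return success;
 }
 
-/* Records a public key in the list of previously-successful keys */
-void
-auth2_record_userkey(Authctxt *authctxt, struct sshkey *key)
-{
-struct sshkey **tmp;
-
-if (authctxt->nprev_userkeys >= INT_MAX ||
-(tmp = recallocarray(authctxt->prev_userkeys,
-authctxt->nprev_userkeys, authctxt->nprev_userkeys + 1,
-sizeof(*tmp))) == NULL)
-fatal("%s: recallocarray failed", __func__);
-authctxt->prev_userkeys = tmp;
-authctxt->prev_userkeys[authctxt->nprev_userkeys] = key;
-authctxt->nprev_userkeys++;
-}
-
-/* Checks whether a key has already been used successfully for authentication */
-int
-auth2_userkey_already_used(Authctxt *authctxt, struct sshkey *key)
-{
-u_int i;
-
-for (i = 0; i < authctxt->nprev_userkeys; i++) {
-if (sshkey_equal_public(key, authctxt->prev_userkeys[i])) {
-return 1;
-}
-}
-return 0;
-}
-
 Authmethod method_pubkey = {
 "publickey",
 userauth_pubkey,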