summaryrefslogtreecommitdiff
path: root/auth2-pubkey.c
diff options
context:
space:
mode:
Diffstat (limited to 'auth2-pubkey.c')
-rw-r--r--auth2-pubkey.c36
1 files changed, 22 insertions, 14 deletions
diff --git a/auth2-pubkey.c b/auth2-pubkey.c
index 1eee16168..aace7ca15 100644
--- a/auth2-pubkey.c
+++ b/auth2-pubkey.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: auth2-pubkey.c,v 1.53 2015/06/15 18:44:22 jsing Exp $ */ 1/* $OpenBSD: auth2-pubkey.c,v 1.55 2016/01/27 00:53:12 djm Exp $ */
2/* 2/*
3 * Copyright (c) 2000 Markus Friedl. All rights reserved. 3 * Copyright (c) 2000 Markus Friedl. All rights reserved.
4 * 4 *
@@ -79,19 +79,19 @@ userauth_pubkey(Authctxt *authctxt)
79{ 79{
80 Buffer b; 80 Buffer b;
81 Key *key = NULL; 81 Key *key = NULL;
82 char *pkalg, *userstyle; 82 char *pkalg, *userstyle, *fp = NULL;
83 u_char *pkblob, *sig; 83 u_char *pkblob, *sig;
84 u_int alen, blen, slen; 84 u_int alen, blen, slen;
85 int have_sig, pktype; 85 int have_sig, pktype;
86 int authenticated = 0; 86 int authenticated = 0;
87 87
88 if (!authctxt->valid) { 88 if (!authctxt->valid) {
89 debug2("userauth_pubkey: disabled because of invalid user"); 89 debug2("%s: disabled because of invalid user", __func__);
90 return 0; 90 return 0;
91 } 91 }
92 have_sig = packet_get_char(); 92 have_sig = packet_get_char();
93 if (datafellows & SSH_BUG_PKAUTH) { 93 if (datafellows & SSH_BUG_PKAUTH) {
94 debug2("userauth_pubkey: SSH_BUG_PKAUTH"); 94 debug2("%s: SSH_BUG_PKAUTH", __func__);
95 /* no explicit pkalg given */ 95 /* no explicit pkalg given */
96 pkblob = packet_get_string(&blen); 96 pkblob = packet_get_string(&blen);
97 buffer_init(&b); 97 buffer_init(&b);
@@ -106,18 +106,18 @@ userauth_pubkey(Authctxt *authctxt)
106 pktype = key_type_from_name(pkalg); 106 pktype = key_type_from_name(pkalg);
107 if (pktype == KEY_UNSPEC) { 107 if (pktype == KEY_UNSPEC) {
108 /* this is perfectly legal */ 108 /* this is perfectly legal */
109 logit("userauth_pubkey: unsupported public key algorithm: %s", 109 logit("%s: unsupported public key algorithm: %s",
110 pkalg); 110 __func__, pkalg);
111 goto done; 111 goto done;
112 } 112 }
113 key = key_from_blob(pkblob, blen); 113 key = key_from_blob(pkblob, blen);
114 if (key == NULL) { 114 if (key == NULL) {
115 error("userauth_pubkey: cannot decode key: %s", pkalg); 115 error("%s: cannot decode key: %s", __func__, pkalg);
116 goto done; 116 goto done;
117 } 117 }
118 if (key->type != pktype) { 118 if (key->type != pktype) {
119 error("userauth_pubkey: type mismatch for decoded key " 119 error("%s: type mismatch for decoded key "
120 "(received %d, expected %d)", key->type, pktype); 120 "(received %d, expected %d)", __func__, key->type, pktype);
121 goto done; 121 goto done;
122 } 122 }
123 if (key_type_plain(key->type) == KEY_RSA && 123 if (key_type_plain(key->type) == KEY_RSA &&
@@ -126,6 +126,7 @@ userauth_pubkey(Authctxt *authctxt)
126 "signature scheme"); 126 "signature scheme");
127 goto done; 127 goto done;
128 } 128 }
129 fp = sshkey_fingerprint(key, options.fingerprint_hash, SSH_FP_DEFAULT);
129 if (auth2_userkey_already_used(authctxt, key)) { 130 if (auth2_userkey_already_used(authctxt, key)) {
130 logit("refusing previously-used %s key", key_type(key)); 131 logit("refusing previously-used %s key", key_type(key));
131 goto done; 132 goto done;
@@ -138,6 +139,8 @@ userauth_pubkey(Authctxt *authctxt)
138 } 139 }
139 140
140 if (have_sig) { 141 if (have_sig) {
142 debug3("%s: have signature for %s %s",
143 __func__, sshkey_type(key), fp);
141 sig = packet_get_string(&slen); 144 sig = packet_get_string(&slen);
142 packet_check_eom(); 145 packet_check_eom();
143 buffer_init(&b); 146 buffer_init(&b);
@@ -183,7 +186,8 @@ userauth_pubkey(Authctxt *authctxt)
183 buffer_free(&b); 186 buffer_free(&b);
184 free(sig); 187 free(sig);
185 } else { 188 } else {
186 debug("test whether pkalg/pkblob are acceptable"); 189 debug("%s: test whether pkalg/pkblob are acceptable for %s %s",
190 __func__, sshkey_type(key), fp);
187 packet_check_eom(); 191 packet_check_eom();
188 192
189 /* XXX fake reply and always send PK_OK ? */ 193 /* XXX fake reply and always send PK_OK ? */
@@ -206,11 +210,12 @@ userauth_pubkey(Authctxt *authctxt)
206 if (authenticated != 1) 210 if (authenticated != 1)
207 auth_clear_options(); 211 auth_clear_options();
208done: 212done:
209 debug2("userauth_pubkey: authenticated %d pkalg %s", authenticated, pkalg); 213 debug2("%s: authenticated %d pkalg %s", __func__, authenticated, pkalg);
210 if (key != NULL) 214 if (key != NULL)
211 key_free(key); 215 key_free(key);
212 free(pkalg); 216 free(pkalg);
213 free(pkblob); 217 free(pkblob);
218 free(fp);
214 return authenticated; 219 return authenticated;
215} 220}
216 221
@@ -798,8 +803,9 @@ check_authkeys_file(FILE *f, char *file, Key* key, struct passwd *pw)
798 free(fp); 803 free(fp);
799 continue; 804 continue;
800 } 805 }
801 verbose("Accepted certificate ID \"%s\" " 806 verbose("Accepted certificate ID \"%s\" (serial %llu) "
802 "signed by %s CA %s via %s", key->cert->key_id, 807 "signed by %s CA %s via %s", key->cert->key_id,
808 (unsigned long long)key->cert->serial,
803 key_type(found), fp, file); 809 key_type(found), fp, file);
804 free(fp); 810 free(fp);
805 found_key = 1; 811 found_key = 1;
@@ -878,8 +884,10 @@ user_cert_trusted_ca(struct passwd *pw, Key *key)
878 if (auth_cert_options(key, pw) != 0) 884 if (auth_cert_options(key, pw) != 0)
879 goto out; 885 goto out;
880 886
881 verbose("Accepted certificate ID \"%s\" signed by %s CA %s via %s", 887 verbose("Accepted certificate ID \"%s\" (serial %llu) signed by "
882 key->cert->key_id, key_type(key->cert->signature_key), ca_fp, 888 "%s CA %s via %s", key->cert->key_id,
889 (unsigned long long)key->cert->serial,
890 key_type(key->cert->signature_key), ca_fp,
883 options.trusted_user_ca_keys); 891 options.trusted_user_ca_keys);
884 ret = 1; 892 ret = 1;
885 893
generated by cgit v1.2.3 (git 2.39.1) at 2024-06-30 08:17:52 +0000