summaryrefslogtreecommitdiff
path: root/auth2-pubkey.c
diff options
context:
space:
mode:
Diffstat (limited to 'auth2-pubkey.c')
-rw-r--r--auth2-pubkey.c31
1 files changed, 17 insertions, 14 deletions
diff --git a/auth2-pubkey.c b/auth2-pubkey.c
index 51aa77487..c4cadf4e7 100644
--- a/auth2-pubkey.c
+++ b/auth2-pubkey.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: auth2-pubkey.c,v 1.21 2010/03/04 10:36:03 djm Exp $ */ 1/* $OpenBSD: auth2-pubkey.c,v 1.22 2010/03/10 23:27:17 djm Exp $ */
2/* 2/*
3 * Copyright (c) 2000 Markus Friedl. All rights reserved. 3 * Copyright (c) 2000 Markus Friedl. All rights reserved.
4 * 4 *
@@ -240,22 +240,26 @@ user_key_allowed2(struct passwd *pw, Key *key, char *file)
240 continue; 240 continue;
241 if (!key_equal(found, key->cert->signature_key)) 241 if (!key_equal(found, key->cert->signature_key))
242 continue; 242 continue;
243 debug("matching CA found: file %s, line %lu",
244 file, linenum);
245 fp = key_fingerprint(found, SSH_FP_MD5, 243 fp = key_fingerprint(found, SSH_FP_MD5,
246 SSH_FP_HEX); 244 SSH_FP_HEX);
247 verbose("Found matching %s CA: %s", 245 debug("matching CA found: file %s, line %lu, %s %s",
248 key_type(found), fp); 246 file, linenum, key_type(found), fp);
249 xfree(fp);
250 if (key_cert_check_authority(key, 0, 0, pw->pw_name, 247 if (key_cert_check_authority(key, 0, 0, pw->pw_name,
251 &reason) != 0) { 248 &reason) != 0) {
249 xfree(fp);
252 error("%s", reason); 250 error("%s", reason);
253 auth_debug_add("%s", reason); 251 auth_debug_add("%s", reason);
254 continue; 252 continue;
255 } 253 }
256 if (auth_cert_constraints(&key->cert->constraints, 254 if (auth_cert_constraints(&key->cert->constraints,
257 pw) != 0) 255 pw) != 0) {
256 xfree(fp);
258 continue; 257 continue;
258 }
259 verbose("Accepted certificate ID \"%s\" "
260 "signed by %s CA %s via %s", key->cert->key_id,
261 key_type(found), fp, file);
262 xfree(fp);
259 found_key = 1; 263 found_key = 1;
260 break; 264 break;
261 } else if (!key_is_cert_authority && key_equal(found, key)) { 265 } else if (!key_is_cert_authority && key_equal(found, key)) {
@@ -281,15 +285,15 @@ user_key_allowed2(struct passwd *pw, Key *key, char *file)
281static int 285static int
282user_cert_trusted_ca(struct passwd *pw, Key *key) 286user_cert_trusted_ca(struct passwd *pw, Key *key)
283{ 287{
284 char *key_fp, *ca_fp; 288 char *ca_fp;
285 const char *reason; 289 const char *reason;
286 int ret = 0; 290 int ret = 0;
287 291
288 if (!key_is_cert(key) || options.trusted_user_ca_keys == NULL) 292 if (!key_is_cert(key) || options.trusted_user_ca_keys == NULL)
289 return 0; 293 return 0;
290 294
291 key_fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX); 295 ca_fp = key_fingerprint(key->cert->signature_key,
292 ca_fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX); 296 SSH_FP_MD5, SSH_FP_HEX);
293 297
294 if (key_in_file(key->cert->signature_key, 298 if (key_in_file(key->cert->signature_key,
295 options.trusted_user_ca_keys, 1) != 1) { 299 options.trusted_user_ca_keys, 1) != 1) {
@@ -306,13 +310,12 @@ user_cert_trusted_ca(struct passwd *pw, Key *key)
306 if (auth_cert_constraints(&key->cert->constraints, pw) != 0) 310 if (auth_cert_constraints(&key->cert->constraints, pw) != 0)
307 goto out; 311 goto out;
308 312
309 verbose("%s certificate %s allowed by trusted %s key %s", 313 verbose("Accepted certificate ID \"%s\" signed by %s CA %s via %s",
310 key_type(key), key_fp, key_type(key->cert->signature_key), ca_fp); 314 key->cert->key_id, key_type(key->cert->signature_key), ca_fp,
315 options.trusted_user_ca_keys);
311 ret = 1; 316 ret = 1;
312 317
313 out: 318 out:
314 if (key_fp != NULL)
315 xfree(key_fp);
316 if (ca_fp != NULL) 319 if (ca_fp != NULL)
317 xfree(ca_fp); 320 xfree(ca_fp);
318 return ret; 321 return ret;