Diffstat (limited to 'auth2-pubkey.c')
-rw-r--r--auth2-pubkey.c85
1 files changed, 62 insertions, 23 deletions
diff --git a/auth2-pubkey.c b/auth2-pubkey.c
index 3ff6faa8b..2b3ecb104 100644
--- a/auth2-pubkey.c
+++ b/auth2-pubkey.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: auth2-pubkey.c,v 1.34 2013/02/14 21:35:59 djm Exp $ */ 1/* $OpenBSD: auth2-pubkey.c,v 1.38 2013/06/21 00:34:49 djm Exp $ */
2/* 2/*
3 * Copyright (c) 2000 Markus Friedl. All rights reserved. 3 * Copyright (c) 2000 Markus Friedl. All rights reserved.
4 * 4 *
@@ -75,7 +75,7 @@ userauth_pubkey(Authctxt *authctxt)
75{ 75{
76 Buffer b; 76 Buffer b;
77 Key *key = NULL; 77 Key *key = NULL;
78 char *pkalg; 78 char *pkalg, *userstyle;
79 u_char *pkblob, *sig; 79 u_char *pkblob, *sig;
80 u_int alen, blen, slen; 80 u_int alen, blen, slen;
81 int have_sig, pktype; 81 int have_sig, pktype;
@@ -127,7 +127,11 @@ userauth_pubkey(Authctxt *authctxt)
127 } 127 }
128 /* reconstruct packet */ 128 /* reconstruct packet */
129 buffer_put_char(&b, SSH2_MSG_USERAUTH_REQUEST); 129 buffer_put_char(&b, SSH2_MSG_USERAUTH_REQUEST);
130 buffer_put_cstring(&b, authctxt->user); 130 xasprintf(&userstyle, "%s%s%s", authctxt->user,
131 authctxt->style ? ":" : "",
132 authctxt->style ? authctxt->style : "");
133 buffer_put_cstring(&b, userstyle);
134 free(userstyle);
131 buffer_put_cstring(&b, 135 buffer_put_cstring(&b,
132 datafellows & SSH_BUG_PKSERVICE ? 136 datafellows & SSH_BUG_PKSERVICE ?
133 "ssh-userauth" : 137 "ssh-userauth" :
@@ -143,6 +147,8 @@ userauth_pubkey(Authctxt *authctxt)
143#ifdef DEBUG_PK 147#ifdef DEBUG_PK
144 buffer_dump(&b); 148 buffer_dump(&b);
145#endif 149#endif
150 pubkey_auth_info(authctxt, key, NULL);
151
146 /* test for correct signature */ 152 /* test for correct signature */
147 authenticated = 0; 153 authenticated = 0;
148 if (PRIVSEP(user_key_allowed(authctxt->pw, key)) && 154 if (PRIVSEP(user_key_allowed(authctxt->pw, key)) &&
@@ -150,7 +156,7 @@ userauth_pubkey(Authctxt *authctxt)
150 buffer_len(&b))) == 1) 156 buffer_len(&b))) == 1)
151 authenticated = 1; 157 authenticated = 1;
152 buffer_free(&b); 158 buffer_free(&b);
153 xfree(sig); 159 free(sig);
154 } else { 160 } else {
155 debug("test whether pkalg/pkblob are acceptable"); 161 debug("test whether pkalg/pkblob are acceptable");
156 packet_check_eom(); 162 packet_check_eom();
@@ -178,11 +184,45 @@ done:
178 debug2("userauth_pubkey: authenticated %d pkalg %s", authenticated, pkalg); 184 debug2("userauth_pubkey: authenticated %d pkalg %s", authenticated, pkalg);
179 if (key != NULL) 185 if (key != NULL)
180 key_free(key); 186 key_free(key);
181 xfree(pkalg); 187 free(pkalg);
182 xfree(pkblob); 188 free(pkblob);
183 return authenticated; 189 return authenticated;
184} 190}
185 191
192void
193pubkey_auth_info(Authctxt *authctxt, const Key *key, const char *fmt, ...)
194{
195 char *fp, *extra;
196 va_list ap;
197 int i;
198
199 extra = NULL;
200 if (fmt != NULL) {
201 va_start(ap, fmt);
202 i = vasprintf(&extra, fmt, ap);
203 va_end(ap);
204 if (i < 0 || extra == NULL)
205 fatal("%s: vasprintf failed", __func__);
206 }
207
208 if (key_is_cert(key)) {
209 fp = key_fingerprint(key->cert->signature_key,
210 SSH_FP_MD5, SSH_FP_HEX);
211 auth_info(authctxt, "%s ID %s (serial %llu) CA %s %s%s%s",
212 key_type(key), key->cert->key_id,
213 (unsigned long long)key->cert->serial,
214 key_type(key->cert->signature_key), fp,
215 extra == NULL ? "" : ", ", extra == NULL ? "" : extra);
216 free(fp);
217 } else {
218 fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX);
219 auth_info(authctxt, "%s %s%s%s", key_type(key), fp,
220 extra == NULL ? "" : ", ", extra == NULL ? "" : extra);
221 free(fp);
222 }
223 free(extra);
224}
225
186static int 226static int
187match_principals_option(const char *principal_list, struct KeyCert *cert) 227match_principals_option(const char *principal_list, struct KeyCert *cert)
188{ 228{
@@ -196,7 +236,7 @@ match_principals_option(const char *principal_list, struct KeyCert *cert)
196 principal_list, NULL)) != NULL) { 236 principal_list, NULL)) != NULL) {
197 debug3("matched principal from key options \"%.100s\"", 237 debug3("matched principal from key options \"%.100s\"",
198 result); 238 result);
199 xfree(result); 239 free(result);
200 return 1; 240 return 1;
201 } 241 }
202 } 242 }
@@ -276,11 +316,13 @@ check_authkeys_file(FILE *f, char *file, Key* key, struct passwd *pw)
276 char *fp; 316 char *fp;
277 317
278 found_key = 0; 318 found_key = 0;
279 found = key_new(key_is_cert(key) ? KEY_UNSPEC : key->type);
280 319
320 found = NULL;
281 while (read_keyfile_line(f, file, line, sizeof(line), &linenum) != -1) { 321 while (read_keyfile_line(f, file, line, sizeof(line), &linenum) != -1) {
282 char *cp, *key_options = NULL; 322 char *cp, *key_options = NULL;
283 323 if (found != NULL)
324 key_free(found);
325 found = key_new(key_is_cert(key) ? KEY_UNSPEC : key->type);
284 auth_clear_options(); 326 auth_clear_options();
285 327
286 /* Skip leading whitespace, empty and comment lines. */ 328 /* Skip leading whitespace, empty and comment lines. */
@@ -332,7 +374,7 @@ check_authkeys_file(FILE *f, char *file, Key* key, struct passwd *pw)
332 reason = "Certificate does not contain an " 374 reason = "Certificate does not contain an "
333 "authorized principal"; 375 "authorized principal";
334 fail_reason: 376 fail_reason:
335 xfree(fp); 377 free(fp);
336 error("%s", reason); 378 error("%s", reason);
337 auth_debug_add("%s", reason); 379 auth_debug_add("%s", reason);
338 continue; 380 continue;
@@ -342,13 +384,13 @@ check_authkeys_file(FILE *f, char *file, Key* key, struct passwd *pw)
342 &reason) != 0) 384 &reason) != 0)
343 goto fail_reason; 385 goto fail_reason;
344 if (auth_cert_options(key, pw) != 0) { 386 if (auth_cert_options(key, pw) != 0) {
345 xfree(fp); 387 free(fp);
346 continue; 388 continue;
347 } 389 }
348 verbose("Accepted certificate ID \"%s\" " 390 verbose("Accepted certificate ID \"%s\" "
349 "signed by %s CA %s via %s", key->cert->key_id, 391 "signed by %s CA %s via %s", key->cert->key_id,
350 key_type(found), fp, file); 392 key_type(found), fp, file);
351 xfree(fp); 393 free(fp);
352 found_key = 1; 394 found_key = 1;
353 break; 395 break;
354 } else if (key_equal(found, key)) { 396 } else if (key_equal(found, key)) {
@@ -358,16 +400,15 @@ check_authkeys_file(FILE *f, char *file, Key* key, struct passwd *pw)
358 if (key_is_cert_authority) 400 if (key_is_cert_authority)
359 continue; 401 continue;
360 found_key = 1; 402 found_key = 1;
361 debug("matching key found: file %s, line %lu",
362 file, linenum);
363 fp = key_fingerprint(found, SSH_FP_MD5, SSH_FP_HEX); 403 fp = key_fingerprint(found, SSH_FP_MD5, SSH_FP_HEX);
364 verbose("Found matching %s key: %s", 404 debug("matching key found: file %s, line %lu %s %s",
365 key_type(found), fp); 405 file, linenum, key_type(found), fp);
366 xfree(fp); 406 free(fp);
367 break; 407 break;
368 } 408 }
369 } 409 }
370 key_free(found); 410 if (found != NULL)
411 key_free(found);
371 if (!found_key) 412 if (!found_key)
372 debug2("key not found"); 413 debug2("key not found");
373 return found_key; 414 return found_key;
@@ -421,10 +462,8 @@ user_cert_trusted_ca(struct passwd *pw, Key *key)
421 ret = 1; 462 ret = 1;
422 463
423 out: 464 out:
424 if (principals_file != NULL) 465 free(principals_file);
425 xfree(principals_file); 466 free(ca_fp);
426 if (ca_fp != NULL)
427 xfree(ca_fp);
428 return ret; 467 return ret;
429} 468}
430 469
@@ -629,7 +668,7 @@ user_key_allowed(struct passwd *pw, Key *key)
629 options.authorized_keys_files[i], pw); 668 options.authorized_keys_files[i], pw);
630 669
631 success = user_key_allowed2(pw, key, file); 670 success = user_key_allowed2(pw, key, file);
632 xfree(file); 671 free(file);
633 } 672 }
634 673
635 return success; 674 return success;
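Review bot: pubkey_auth_info() is now called at new line 150, before user_key_allowed() and the signature check, so for a certificate the key_id and serial formatted at lines 211-213 come straight from the client-supplied blob with nothing verified yet; unless auth_info() or the underlying logger escapes control characters (not visible in this diff), a crafted key_id could inject line breaks into the auth log, so that escaping should be confirmed or key_id passed through a strnvis-style filter before formatting. Because fmt is forwarded to vasprintf(), the prototype of pubkey_auth_info() (outside this hunk) should carry `__attribute__((format(printf, 3, 4)))` so -Wformat checks every caller. A header comment on the function such as `/* Record the offered key (not yet verified) for the auth log line; fmt/... is optional extra text */` would make the pre-verification call site less surprising to the next reader.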