1 files changed, 47 insertions, 14 deletions
diff --git a/auth2-pubkey.c b/auth2-pubkey.c
index aace7ca15..add77136e 100644
--- a/auth2-pubkey.c
+++ b/auth2-pubkey.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: auth2-pubkey.c,v 1.55 2016/01/27 00:53:12 djm Exp $ */
+/* $OpenBSD: auth2-pubkey.c,v 1.60 2016/11/30 02:57:40 djm Exp $ */
 /*
 * Copyright (c) 2000 Markus Friedl.  All rights reserved.
 *
@@ -560,7 +560,7 @@ match_principals_option(const char *principal_list, struct sshkey_cert *cert)
 static int
 process_principals(FILE *f, char *file, struct passwd *pw,
-    struct sshkey_cert *cert)
+    const struct sshkey_cert *cert)
 {
        char line[SSH_MAX_PUBKEY_BYTES], *cp, *ep, *line_opts;
        u_long linenum = 0;
@@ -630,14 +630,17 @@ match_principals_file(char *file, struct passwd *pw, struct sshkey_cert *cert)
 * returns 1 if the principal is allowed or 0 otherwise.
 */
 static int
-match_principals_command(struct passwd *user_pw, struct sshkey_cert *cert)
+match_principals_command(struct passwd *user_pw, const struct sshkey *key)
 {
+        const struct sshkey_cert *cert = key->cert;
        FILE *f = NULL;
-        int ok, found_principal = 0;
+        int r, ok, found_principal = 0;
        struct passwd *pw;
        int i, ac = 0, uid_swapped = 0;
        pid_t pid;
        char *tmp, *username = NULL, *command = NULL, **av = NULL;
+        char *ca_fp = NULL, *key_fp = NULL, *catext = NULL, *keytext = NULL;
+        char serial_s[16];
        void (*osigchld)(int);
        if (options.authorized_principals_command == NULL)
@@ -675,10 +678,38 @@ match_principals_command(struct passwd *user_pw, struct sshkey_cert *cert)
                    command);
                goto out;
        }
+        if ((ca_fp = sshkey_fingerprint(cert->signature_key,
+            options.fingerprint_hash, SSH_FP_DEFAULT)) == NULL) {
+                error("%s: sshkey_fingerprint failed", __func__);
+                goto out;
+        }
+        if ((key_fp = sshkey_fingerprint(key,
+            options.fingerprint_hash, SSH_FP_DEFAULT)) == NULL) {
+                error("%s: sshkey_fingerprint failed", __func__);
+                goto out;
+        }
+        if ((r = sshkey_to_base64(cert->signature_key, &catext)) != 0) {
+                error("%s: sshkey_to_base64 failed: %s", __func__, ssh_err(r));
+                goto out;
+        }
+        if ((r = sshkey_to_base64(key, &keytext)) != 0) {
+                error("%s: sshkey_to_base64 failed: %s", __func__, ssh_err(r));
+                goto out;
+        }
+        snprintf(serial_s, sizeof(serial_s), "%llu",
+            (unsigned long long)cert->serial);
        for (i = 1; i < ac; i++) {
                tmp = percent_expand(av[i],
                    "u", user_pw->pw_name,
                    "h", user_pw->pw_dir,
+                    "t", sshkey_ssh_name(key),
+                    "T", sshkey_ssh_name(cert->signature_key),
+                    "f", key_fp,
+                    "F", ca_fp,
+                    "k", keytext,
+                    "K", catext,
+                    "i", cert->key_id,
+                    "s", serial_s,
                    (char *)NULL);
                if (tmp == NULL)
                        fatal("%s: percent_expand failed", __func__);
@@ -713,6 +744,10 @@ match_principals_command(struct passwd *user_pw, struct sshkey_cert *cert)
                restore_uid();
        free(command);
        free(username);
+        free(ca_fp);
+        free(key_fp);
+        free(catext);
+        free(keytext);
        return found_principal;
 }
 /*
@@ -723,18 +758,18 @@ static int
 check_authkeys_file(FILE *f, char *file, Key* key, struct passwd *pw)
 {
        char line[SSH_MAX_PUBKEY_BYTES];
-        const char *reason;
        int found_key = 0;
        u_long linenum = 0;
        Key *found;
-        char *fp;
        found_key = 0;
        found = NULL;
        auth_start_parse_options();
        while (read_keyfile_line(f, file, line, sizeof(line), &linenum) != -1) {
-                char *cp, *key_options = NULL;
+                char *cp, *key_options = NULL, *fp = NULL;
+                const char *reason = NULL;
                if (found != NULL)
                        key_free(found);
                found = key_new(key_is_cert(key) ? KEY_UNSPEC : key->type);
@@ -799,10 +834,8 @@ check_authkeys_file(FILE *f, char *file, Key* key, struct passwd *pw)
                            authorized_principals == NULL ? pw->pw_name : NULL,
                            &reason) != 0)
                                goto fail_reason;
-                        if (auth_cert_options(key, pw) != 0) {
+                        if (auth_cert_options(key, pw, &reason) != 0)
-                                free(fp);
+                                goto fail_reason;
-                                continue;
-                        }
                        verbose("Accepted certificate ID \"%s\" (serial %llu) "
                            "signed by %s CA %s via %s", key->cert->key_id,
                            (unsigned long long)key->cert->serial,
@@ -865,7 +898,7 @@ user_cert_trusted_ca(struct passwd *pw, Key *key)
                        found_principal = 1;
        }
        /* Try querying command if specified */
-        if (!found_principal && match_principals_command(pw, key->cert))
+        if (!found_principal && match_principals_command(pw, key))
                found_principal = 1;
        /* If principals file or command is specified, then require a match */
        use_authorized_principals = principals_file != NULL ||
@@ -881,8 +914,8 @@ user_cert_trusted_ca(struct passwd *pw, Key *key)
            use_authorized_principals ? NULL : pw->pw_name, &reason) != 0)
                goto fail_reason;
        auth_start_parse_options();
-        if (auth_cert_options(key, pw) != 0)
+        if (auth_cert_options(key, pw, &reason) != 0)
-                goto out;
+                goto fail_reason;
        verbose("Accepted certificate ID \"%s\" (serial %llu) signed by "
            "%s CA %s via %s", key->cert->key_id,