From c158331f8c7e059c6c1d099bffc7f5fc6087ddbd Mon Sep 17 00:00:00 2001
From: Damien Miller
Date: Thu, 5 Aug 2010 13:04:50 +1000
Subject: - djm@cvs.openbsd.org 2010/08/04 05:42:47 [auth.c auth2-hostbased.c authfile.c authfile.h ssh-keysign.8] [ssh-keysign.c ssh.c] enable certificates for hostbased authentication, from Iain Morgan; "looks ok" markus@
---
 authfile.c | 60 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 59 insertions(+), 1 deletion(-)
(limited to 'authfile.c')
diff --git a/authfile.c b/authfile.c
index 224c6aa80..6bf41db9a 100644
--- a/authfile.c
+++ b/authfile.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: authfile.c,v 1.80 2010/03/04 10:36:03 djm Exp $ */
+/* $OpenBSD: authfile.c,v 1.81 2010/08/04 05:42:47 djm Exp $ */
 /*
 * Author: Tatu Ylonen
 * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland
@@ -693,6 +693,64 @@ key_load_public(const char *filename, char **commentp)
 return NULL;
 }
 
+/* Load the certificate associated with the named private key */
+Key *
+key_load_cert(const char *filename)
+{
+ Key *pub;
+ char file[MAXPATHLEN];
+
+ pub = key_new(KEY_UNSPEC);
+ if ((strlcpy(file, filename, sizeof file) < sizeof(file)) &&
+ (strlcat(file, "-cert.pub", sizeof file) < sizeof(file)) &&
+ (key_try_load_public(pub, file, NULL) == 1))
+ return pub;
+ key_free(pub);
+ return NULL;
+}
+
+/* Load private key and certificate */
+Key *
+key_load_private_cert(int type, const char *filename, const char *passphrase,
+ int *perm_ok)
+{
+ Key *key, *pub;
+
+ switch (type) {
+ case KEY_RSA:
+ case KEY_DSA:
+ break;
+ default:
+ error("%s: unsupported key type", __func__);
+ return NULL;
+ }
+
+ if ((key = key_load_private_type(type, filename,
+ passphrase, NULL, perm_ok)) == NULL)
+ return NULL;
+
+ if ((pub = key_load_cert(filename)) == NULL) {
+ key_free(key);
+ return NULL;
+ }
+
+ /* Make sure the private key matches the certificate */
+ if (key_equal_public(key, pub) == 0) {
+ error("%s: certificate does not match private key %s",
+ __func__, filename);
+ } else if (key_to_certified(key, key_cert_is_legacy(pub)) != 0) {
+ error("%s: key_to_certified failed", __func__);
+ } else {
+ key_cert_copy(pub, key);
+ key_free(pub);
+ return key;
+ }
+
+ key_free(key);
+ key_free(pub);
+ return NULL;
+}
+
 /*
 * Returns 1 if the specified "key" is listed in the file "filename",
 * 0 if the key is not listed or -1 on error.
-- cgit v1.2.3
From 5458c4dd138a4ca14ad5d1d1c2da9acff7d909d6 Mon Sep 17 00:00:00 2001
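Review bot: The one-line header comment on key_load_private_cert does not state its failure contract, which callers need: when `key_load_cert()` returns NULL (no `-cert.pub` beside the key, or one that key_try_load_public() could not load) the freshly loaded private key is freed and NULL is returned with no message, and when the certificate's public key does not match the private key an error() is logged and NULL is returned as well. Suggest widening the comment to `/* Load the private key and its "-cert.pub" certificate; returns NULL (the key is freed) if the certificate is absent, cannot be loaded, or does not match the private key. */`. Whether a caller then falls back to a plain key load is not visible in this hunk. Relatedly, `key_load_cert()` returns NULL silently both when strlcpy/strlcat would truncate the path and when key_try_load_public() fails, so a corrupt or unreadable certificate file is indistinguishable from having no certificate at all; a debug()-level message on that path, naming the file, would make the cause observable during hostbased authentication troubleshooting.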
From: Damien Miller
Date: Thu, 5 Aug 2010 13:05:15 +1000
Subject: - djm@cvs.openbsd.org 2010/08/04 05:49:22 [authfile.c] commited the wrong version of the hostbased certificate diff; this version replaces some strlc{py,at} verbosity with xasprintf() at the request of markus@
---
 ChangeLog | 5 +++++
 authfile.c | 12 +++++++-----
 2 files changed, 12 insertions(+), 5 deletions(-)
(limited to 'authfile.c')
diff --git a/ChangeLog b/ChangeLog
index 7125eaa1e..684c5233b 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -14,6 +14,11 @@
 [ssh-keysign.c ssh.c]
 enable certificates for hostbased authentication, from Iain Morgan;
 "looks ok" markus@
+ - djm@cvs.openbsd.org 2010/08/04 05:49:22
+ [authfile.c]
+ commited the wrong version of the hostbased certificate diff; this
+ version replaces some strlc{py,at} verbosity with xasprintf() at
+ the request of markus@
 
 20100903
 - (dtucker) [monitor.c] Bug #1795: Initialize the values to be returned from
diff --git a/authfile.c b/authfile.c
index 6bf41db9a..2bd887845 100644
--- a/authfile.c
+++ b/authfile.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: authfile.c,v 1.81 2010/08/04 05:42:47 djm Exp $ */
+/* $OpenBSD: authfile.c,v 1.82 2010/08/04 05:49:22 djm Exp $ */
 /*
 * Author: Tatu Ylonen
 * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland
@@ -698,13 +698,15 @@ Key *
 key_load_cert(const char *filename)
 {
 Key *pub;
- char file[MAXPATHLEN];
+ char *file;
 
 pub = key_new(KEY_UNSPEC);
- if ((strlcpy(file, filename, sizeof file) < sizeof(file)) &&
- (strlcat(file, "-cert.pub", sizeof file) < sizeof(file)) &&
- (key_try_load_public(pub, file, NULL) == 1))
+ xasprintf(&file, "%s-cert.pub", filename);
+ if (key_try_load_public(pub, file, NULL) == 1) {
+ xfree(file);
 return pub;
+ }
+ xfree(file);
 key_free(pub);
 return NULL;
 }
-- cgit v1.2.3
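Review bot: The rewritten body of key_load_cert frees `file` on two separate paths, and the result of key_try_load_public() is still collapsed silently into NULL, so a certificate file that exists but cannot be parsed looks the same to the caller as one that does not exist. Capturing the result before the single xfree() removes the duplicated cleanup and gives one place to emit a debug()-level message naming the path; error() would be too loud there, since no certificate is the normal case for a host without one. The function's return type and header comment sit just above the hunk. The "commited" typo in the subject is carried into the ChangeLog hunk as well.
```c
	char *file;
	int r;

	pub = key_new(KEY_UNSPEC);
	xasprintf(&file, "%s-cert.pub", filename);
	r = key_try_load_public(pub, file, NULL);
	xfree(file);
	if (r == 1)
		return pub;
	/* … unchanged: key_free(pub); return NULL; … */
```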