
(-)auth.c (-1 / +1 lines)
Lines 385-391 Link Here
385
	HostStatus host_status;
385
	HostStatus host_status;
386
386
387
	/* Check if we know the host and its host key. */
387
	/* Check if we know the host and its host key. */
388
	found = key_new(key->type);
388
	found = key_new(key_is_cert(key) ? KEY_UNSPEC : key->type);
389
	host_status = check_host_in_hostfile(sysfile, host, key, found, NULL);
389
	host_status = check_host_in_hostfile(sysfile, host, key, found, NULL);
390
390
391
	if (host_status != HOST_OK && userfile != NULL) {
391
	if (host_status != HOST_OK && userfile != NULL) {
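Review bot: The assignment `found = key_new(key_is_cert(key) ? KEY_UNSPEC : key->type);` gives no hint why a certificate is not looked up under its own type, and a reader who expects `found` to mirror `key->type` will stumble here. Presumably the hostfile entry a certificate matches is the signing CA's key, whose algorithm need not equal the certificate's, so the type is left for the file lookup to fill in; if so, add `/* A cert matches a CA key in the hostfile, whose type may differ; let the file set it. */` above the line. The enclosing function starts before and continues after this hunk, so where `found` is released is not visible here.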
(-)auth2-hostbased.c (-1 / +13 lines)
Lines 141-147 Link Here
141
hostbased_key_allowed(struct passwd *pw, const char *cuser, char *chost,
141
hostbased_key_allowed(struct passwd *pw, const char *cuser, char *chost,
142
    Key *key)
142
    Key *key)
143
{
143
{
144
	const char *resolvedname, *ipaddr, *lookup;
144
	const char *resolvedname, *ipaddr, *lookup, *reason;
145
	HostStatus host_status;
145
	HostStatus host_status;
146
	int len;
146
	int len;
147
147
Lines 174-179 Link Here
174
	}
174
	}
175
	debug2("userauth_hostbased: access allowed by auth_rhosts2");
175
	debug2("userauth_hostbased: access allowed by auth_rhosts2");
176
176
177
	if (key_is_cert(key) && 
178
	    key_cert_check_authority(key, 1, 0, lookup, &reason)) {
179
		error("%s", reason);
180
		auth_debug_add("%s", reason);
181
		return 0;
182
	}
183
177
	host_status = check_key_in_hostfiles(pw, key, lookup,
184
	host_status = check_key_in_hostfiles(pw, key, lookup,
178
	    _PATH_SSH_SYSTEM_HOSTFILE,
185
	    _PATH_SSH_SYSTEM_HOSTFILE,
179
	    options.ignore_user_known_hosts ? NULL : _PATH_SSH_USER_HOSTFILE);
186
	    options.ignore_user_known_hosts ? NULL : _PATH_SSH_USER_HOSTFILE);
Lines 184-189 Link Here
184
		    _PATH_SSH_SYSTEM_HOSTFILE2,
191
		    _PATH_SSH_SYSTEM_HOSTFILE2,
185
		    options.ignore_user_known_hosts ? NULL :
192
		    options.ignore_user_known_hosts ? NULL :
186
		    _PATH_SSH_USER_HOSTFILE2);
193
		    _PATH_SSH_USER_HOSTFILE2);
194
195
	if (key_is_cert(key) && host_status == HOST_OK)
196
		verbose("Accepted %s certificate, ID \"%s\", "
197
			"from %s, client user %s", key_cert_type(key),
198
			key->cert->key_id, lookup, cuser);
187
199
188
	return (host_status == HOST_OK);
200
	return (host_status == HOST_OK);
189
}
201
}
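Review bot: The bare literals in `key_cert_check_authority(key, 1, 0, lookup, &reason)` do not say what is being demanded of the certificate; they presumably select the want_host and require_principal parameters, i.e. a host certificate whose principal list, if present, must contain `lookup`. A comment on the call such as `/* host cert; principals optional but must include lookup when given */` would save the next reader a trip to key.c, and the line `if (key_is_cert(key) && ` carries trailing whitespace. The ordering is worth a sentence too: this validates the certificate itself, and only the following check_key_in_hostfiles() decides whether its CA is trusted, so a cert that passes here is still rejected unless `host_status == HOST_OK`. hostbased_key_allowed() opens in the first hunk and closes in the last, but the stretches between them are not shown.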
(-)authfile.c (+58 lines)
Lines 693-698 Link Here
693
	return NULL;
693
	return NULL;
694
}
694
}
695
695
696
/* Load the certificate associated with the named private key */
697
Key *
698
key_load_cert(const char *filename)
699
{
700
	Key *pub;
701
	char file[MAXPATHLEN];
702
703
	pub = key_new(KEY_UNSPEC);
704
	if ((strlcpy(file, filename, sizeof file) < sizeof(file)) &&
705
	    (strlcat(file, "-cert.pub", sizeof file) < sizeof(file)) &&
706
	    (key_try_load_public(pub, file, NULL) == 1))
707
		return pub;
708
	key_free(pub);
709
	return NULL;
710
}
711
712
/* Load private key and certificate */
713
Key *
714
key_load_private_cert(int type, const char *filename, const char *passphrase,
715
    int *perm_ok)
716
{
717
	Key *key, *pub;
718
719
	switch (type) {
720
	case KEY_RSA:
721
	case KEY_DSA:
722
		break;
723
	default:
724
		error("%s: unsupported key type", __func__);
725
		return NULL;
726
	}
727
728
	if ((key = key_load_private_type(type, filename, 
729
	    passphrase, NULL, perm_ok)) == NULL)
730
		return NULL;
731
732
	if ((pub = key_load_cert(filename)) == NULL) {
733
		key_free(key);
734
		return NULL;
735
	}
736
737
	/* Make sure the private key matches the certificate */
738
	if (key_equal_public(key, pub) == 0) {
739
		error("%s: certificate does not match private key %s",
740
		    __func__, filename);
741
	} else if (key_to_certified(key, key_cert_is_legacy(pub)) != 0) {
742
		error("%s: key_to_certified failed", __func__);
743
	} else {
744
		key_cert_copy(pub, key);
745
		key_free(pub);
746
		return key;
747
	}
748
749
	key_free(key);
750
	key_free(pub);
751
	return NULL;
752
}
753
696
/*
754
/*
697
 * Returns 1 if the specified "key" is listed in the file "filename",
755
 * Returns 1 if the specified "key" is listed in the file "filename",
698
 * 0 if the key is not listed or -1 on error.
756
 * 0 if the key is not listed or -1 on error.
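Review bot: key_load_private_cert() is silent when key_load_cert() returns NULL (the `if ((pub = key_load_cert(filename)) == NULL)` branch), while every other failure in the function calls error(); a missing or unparsable `-cert.pub` therefore fails without a trace and callers such as ssh.c fall back with nothing in the log. A `debug("%s: no certificate found for %s", __func__, filename);` on that path would make the fallback observable — key_load_cert() itself cannot distinguish absence from a parse failure, presumably because key_try_load_public() reports both the same way. The header comment `/* Load private key and certificate */` should also state the contract: only KEY_RSA and KEY_DSA are accepted, `*perm_ok` is passed through to key_load_private_type(), and the returned Key is a fresh allocation owned by the caller (the certificate object is consumed, never returned). The `key_load_private_type(type, filename, ` line ends in trailing whitespace.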
(-)authfile.h (+2 lines)
Lines 16-24 Link Here
16
#define AUTHFILE_H
16
#define AUTHFILE_H
17
17
18
int	 key_save_private(Key *, const char *, const char *, const char *);
18
int	 key_save_private(Key *, const char *, const char *, const char *);
19
Key	*key_load_cert(const char *);
19
Key	*key_load_public(const char *, char **);
20
Key	*key_load_public(const char *, char **);
20
Key	*key_load_public_type(int, const char *, char **);
21
Key	*key_load_public_type(int, const char *, char **);
21
Key	*key_load_private(const char *, const char *, char **);
22
Key	*key_load_private(const char *, const char *, char **);
23
Key	*key_load_private_cert(int, const char *, const char *, int *);
22
Key	*key_load_private_type(int, const char *, const char *, char **, int *);
24
Key	*key_load_private_type(int, const char *, const char *, char **, int *);
23
Key	*key_load_private_pem(int, int, const char *, char **);
25
Key	*key_load_private_pem(int, int, const char *, char **);
24
int	 key_perm_ok(int, const char *);
26
int	 key_perm_ok(int, const char *);
(-)ssh-keysign.c (-1 / +1 lines)
Lines 232-238 Link Here
232
	found = 0;
232
	found = 0;
233
	for (i = 0; i < 2; i++) {
233
	for (i = 0; i < 2; i++) {
234
		if (keys[i] != NULL &&
234
		if (keys[i] != NULL &&
235
		    key_equal(key, keys[i])) {
235
		    key_equal_public(key, keys[i])) {
236
			found = 1;
236
			found = 1;
237
			break;
237
			break;
238
		}
238
		}
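Review bot: Replacing key_equal() with key_equal_public() in the loop condition quietly widens what `found` means — the key from the signing request now matches a loaded host key whenever their public portions agree, regardless of whether either side is a certificate — and nothing in the code records that this is intended. Add `/* Compare public parts only: either side may be a certificate wrapping the same key. */` above the `if (keys[i] != NULL &&` line. The loop sits in a function that begins and ends outside this hunk, and the hard-coded bound of 2 presumably mirrors the keys loaded there, which are not visible.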
(-)ssh.c (-7 / +15 lines)
Lines 763-788 Link Here
763
	sensitive_data.external_keysign = 0;
763
	sensitive_data.external_keysign = 0;
764
	if (options.rhosts_rsa_authentication ||
764
	if (options.rhosts_rsa_authentication ||
765
	    options.hostbased_authentication) {
765
	    options.hostbased_authentication) {
766
		sensitive_data.nkeys = 3;
766
		sensitive_data.nkeys = 5;
767
		sensitive_data.keys = xcalloc(sensitive_data.nkeys,
767
		sensitive_data.keys = xcalloc(sensitive_data.nkeys,
768
		    sizeof(Key));
768
		    sizeof(Key));
769
769
770
		PRIV_START;
770
		PRIV_START;
771
		sensitive_data.keys[0] = key_load_private_type(KEY_RSA1,
771
		sensitive_data.keys[0] = key_load_private_type(KEY_RSA1,
772
		    _PATH_HOST_KEY_FILE, "", NULL, NULL);
772
		    _PATH_HOST_KEY_FILE, "", NULL, NULL);
773
		sensitive_data.keys[1] = key_load_private_type(KEY_DSA,
773
		sensitive_data.keys[1] = key_load_private_cert(KEY_DSA,
774
		    _PATH_HOST_DSA_KEY_FILE, "", NULL);
775
		sensitive_data.keys[2] = key_load_private_cert(KEY_RSA,
776
		    _PATH_HOST_RSA_KEY_FILE, "", NULL);
777
		sensitive_data.keys[3] = key_load_private_type(KEY_DSA,
774
		    _PATH_HOST_DSA_KEY_FILE, "", NULL, NULL);
778
		    _PATH_HOST_DSA_KEY_FILE, "", NULL, NULL);
775
		sensitive_data.keys[2] = key_load_private_type(KEY_RSA,
779
		sensitive_data.keys[4] = key_load_private_type(KEY_RSA,
776
		    _PATH_HOST_RSA_KEY_FILE, "", NULL, NULL);
780
		    _PATH_HOST_RSA_KEY_FILE, "", NULL, NULL);
777
		PRIV_END;
781
		PRIV_END;
778
782
779
		if (options.hostbased_authentication == 1 &&
783
		if (options.hostbased_authentication == 1 &&
780
		    sensitive_data.keys[0] == NULL &&
784
		    sensitive_data.keys[0] == NULL &&
781
		    sensitive_data.keys[1] == NULL &&
785
		    sensitive_data.keys[3] == NULL &&
782
		    sensitive_data.keys[2] == NULL) {
786
		    sensitive_data.keys[4] == NULL) {
783
			sensitive_data.keys[1] = key_load_public(
787
			sensitive_data.keys[1] = key_load_cert(
788
			    _PATH_HOST_DSA_KEY_FILE);
789
			sensitive_data.keys[2] = key_load_cert(
790
			    _PATH_HOST_RSA_KEY_FILE);
791
			sensitive_data.keys[3] = key_load_public(
784
			    _PATH_HOST_DSA_KEY_FILE, NULL);
792
			    _PATH_HOST_DSA_KEY_FILE, NULL);
785
			sensitive_data.keys[2] = key_load_public(
793
			sensitive_data.keys[4] = key_load_public(
786
			    _PATH_HOST_RSA_KEY_FILE, NULL);
794
			    _PATH_HOST_RSA_KEY_FILE, NULL);
787
			sensitive_data.external_keysign = 1;
795
			sensitive_data.external_keysign = 1;
788
		}
796
		}
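Review bot: The meaning of the five slots in sensitive_data.keys is only implied by load order, yet the fallback condition tests slots 0, 3 and 4 and the fallback branch refills slots 1–4 with different loaders, so a reader cannot tell from `sensitive_data.keys[3] == NULL` which key is meant. Add a comment at `sensitive_data.nkeys = 5;` such as `/* keys[]: 0 RSA1, 1 DSA cert, 2 RSA cert, 3 DSA, 4 RSA; cert slots stay NULL without a -cert.pub */`. Leaving slots 1 and 2 out of the condition looks deliberate, since key_load_private_cert() reads the same private key files as slots 3 and 4 and cannot succeed where they fail, but a one-line note to that effect would spare the next reader the deduction. On the same lines, though not introduced here, `xcalloc(sensitive_data.nkeys, sizeof(Key))` sizes an array of Key pointers by the Key struct; `sizeof *sensitive_data.keys` is the exact form (the current one only over-allocates).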
