diff options
| author |   djm <djm@openbsd.org> | 2010-08-04 05:42:47 +0000 |
|---|---|---|
| committer | djm <djm@openbsd.org> | 2010-08-04 05:42:47 +0000 |
| commit | 58056d14b173850e2ad912bc1b7b75a1d7497c83 (patch) | |
| tree | dae7a643e5e5cad40ba0be301a80e83429e29248 /usr.bin/ssh/authfile.c | |
| parent | tighten the rules for certificate encoding by requiring that options (diff) | |
| download | wireguard-openbsd-58056d14b173850e2ad912bc1b7b75a1d7497c83.tar.xz wireguard-openbsd-58056d14b173850e2ad912bc1b7b75a1d7497c83.zip | |
enable certificates for hostbased authentication, from Iain Morgan;
"looks ok" markus@
Diffstat (limited to 'usr.bin/ssh/authfile.c')
| -rw-r--r-- | usr.bin/ssh/authfile.c | 60 |
1 files changed, 59 insertions, 1 deletions
diff --git a/usr.bin/ssh/authfile.c b/usr.bin/ssh/authfile.c index 3726f51042f..ffc21005c0c 100644 --- a/usr.bin/ssh/authfile.c +++ b/usr.bin/ssh/authfile.c @@ -1,4 +1,4 @@ -/* $OpenBSD: authfile.c,v 1.80 2010/03/04 10:36:03 djm Exp $ */ +/* $OpenBSD: authfile.c,v 1.81 2010/08/04 05:42:47 djm Exp $ */ /* * Author: Tatu Ylonen <ylo@cs.hut.fi> * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland @@ -681,6 +681,64 @@ key_load_public(const char *filename, char **commentp) return NULL; } +/* Load the certificate associated with the named private key */ +Key * +key_load_cert(const char *filename) +{ + Key *pub; + char file[MAXPATHLEN]; + + pub = key_new(KEY_UNSPEC); + if ((strlcpy(file, filename, sizeof file) < sizeof(file)) && + (strlcat(file, "-cert.pub", sizeof file) < sizeof(file)) && + (key_try_load_public(pub, file, NULL) == 1)) + return pub; + key_free(pub); + return NULL; +} + +/* Load private key and certificate */ +Key * +key_load_private_cert(int type, const char *filename, const char *passphrase, + int *perm_ok) +{ + Key *key, *pub; + + switch (type) { + case KEY_RSA: + case KEY_DSA: + break; + default: + error("%s: unsupported key type", __func__); + return NULL; + } + + if ((key = key_load_private_type(type, filename, + passphrase, NULL, perm_ok)) == NULL) + return NULL; + + if ((pub = key_load_cert(filename)) == NULL) { + key_free(key); + return NULL; + } + + /* Make sure the private key matches the certificate */ + if (key_equal_public(key, pub) == 0) { + error("%s: certificate does not match private key %s", + __func__, filename); + } else if (key_to_certified(key, key_cert_is_legacy(pub)) != 0) { + error("%s: key_to_certified failed", __func__); + } else { + key_cert_copy(pub, key); + key_free(pub); + return key; + } + + key_free(key); + key_free(pub); + return NULL; +} + /* * Returns 1 if the specified "key" is listed in the file "filename", * 0 if the key is not listed or -1 on error. |