diff options
| author |   djm <djm@openbsd.org> | 2021-01-26 00:49:30 +0000 |
|---|---|---|
| committer | djm <djm@openbsd.org> | 2021-01-26 00:49:30 +0000 |
| commit | fb19656940552b0db7188a4a498f59bf8824b925 (patch) | |
| tree | 7e5548517400d49118c69bdd4c0a8cd0225e5d76 /usr.bin/ssh/sshconnect.c | |
| parent | use recallocarray to allocate the agent sockets table; also clear (diff) | |
| download | wireguard-openbsd-fb19656940552b0db7188a4a498f59bf8824b925.tar.xz wireguard-openbsd-fb19656940552b0db7188a4a498f59bf8824b925.zip | |
move check_host_cert() from sshconnect,c to sshkey.c and refactor
it to make it more generally usable and testable.
ok markus@
Diffstat (limited to 'usr.bin/ssh/sshconnect.c')
| -rw-r--r-- | usr.bin/ssh/sshconnect.c | 56 |
1 files changed, 20 insertions, 36 deletions
diff --git a/usr.bin/ssh/sshconnect.c b/usr.bin/ssh/sshconnect.c index 65f2773870b..47904020d6b 100644 --- a/usr.bin/ssh/sshconnect.c +++ b/usr.bin/ssh/sshconnect.c @@ -1,4 +1,4 @@ -/* $OpenBSD: sshconnect.c,v 1.349 2020/12/22 00:15:23 djm Exp $ */ +/* $OpenBSD: sshconnect.c,v 1.350 2021/01/26 00:49:30 djm Exp $ */ /* * Author: Tatu Ylonen <ylo@cs.hut.fi> * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland @@ -568,36 +568,6 @@ confirm(const char *prompt, const char *fingerprint) } static int -check_host_cert(const char *host, const struct sshkey *key) -{ - const char *reason; - int r; - - if (sshkey_cert_check_authority(key, 1, 0, host, &reason) != 0) { - error("%s", reason); - return 0; - } - if (sshbuf_len(key->cert->critical) != 0) { - error("Certificate for %s contains unsupported " - "critical options(s)", host); - return 0; - } - if ((r = sshkey_check_cert_sigtype(key, - options.ca_sign_algorithms)) != 0) { - logit_fr(r, "certificate signature algorithm %s", - (key->cert == NULL || key->cert->signature_type == NULL) ? - "(null)" : key->cert->signature_type); - return 0; - } - /* Do not attempt hostkey update if a certificate was successful */ - if (options.update_hostkeys != 0) { - options.update_hostkeys = 0; - debug3_f("certificate host key in use; disabling UpdateHostkeys"); - } - return 1; -} - -static int sockaddr_is_local(struct sockaddr *hostaddr) { switch (hostaddr->sa_family) { @@ -925,7 +895,7 @@ check_host_key(char *hostname, const struct ssh_conn_info *cinfo, char *ip = NULL, *host = NULL; char hostline[1000], *hostp, *fp, *ra; char msg[1024]; - const char *type; + const char *type, *fail_reason; const struct hostkey_entry *host_found = NULL, *ip_found = NULL; int len, cancelled_forwarding = 0, confirmed; int local = sockaddr_is_local(hostaddr); @@ -1031,10 +1001,24 @@ check_host_key(char *hostname, const struct ssh_conn_info *cinfo, host, type, want_cert ? "certificate" : "key"); debug("Found %s in %s:%lu", want_cert ? "CA key" : "key", host_found->file, host_found->line); - if (want_cert && - !check_host_cert(options.host_key_alias == NULL ? - hostname : options.host_key_alias, host_key)) - goto fail; + if (want_cert) { + if (sshkey_cert_check_host(host_key, + options.host_key_alias == NULL ? + hostname : options.host_key_alias, 0, + options.ca_sign_algorithms, &fail_reason) != 0) { + error("%s", fail_reason); + goto fail; + } + /* + * Do not attempt hostkey update if a certificate was + * successfully matched. + */ + if (options.update_hostkeys != 0) { + options.update_hostkeys = 0; + debug3_f("certificate host key in use; " + "disabling UpdateHostkeys"); + } + } /* Turn off UpdateHostkeys if key was in system known_hosts */ if (options.update_hostkeys != 0 && (path_in_hostfiles(host_found->file, |