diff options
| author | djm@openbsd.org <djm@openbsd.org> | 2021-01-26 00:49:30 +0000 |
|---|---|---|
| committer | Damien Miller <djm@mindrot.org> | 2021-01-26 12:21:48 +1100 |
| commit | 3b44f2513cae89c920e8fe927b9bc910a1c8c65a (patch) | |
| tree | c67b9a8583b9795bec5a5dd56f7a8556c8da2d5e /sshconnect.c | |
| parent | 1fe16fd61bb53944ec510882acc0491abd66ff76 (diff) | |
| download | openssh-git-3b44f2513cae89c920e8fe927b9bc910a1c8c65a.tar.gz | |
upstream: move check_host_cert() from sshconnect,c to sshkey.c and
refactor it to make it more generally usable and testable.
ok markus@
OpenBSD-Commit-ID: 536f489f5ff38808c1fa711ba58d4579b636f9e4
Diffstat (limited to 'sshconnect.c')
| -rw-r--r-- | sshconnect.c | 56 |
1 files changed, 20 insertions, 36 deletions
diff --git a/sshconnect.c b/sshconnect.c index 616ee37e..74f9e767 100644 --- a/sshconnect.c +++ b/sshconnect.c @@ -1,4 +1,4 @@ -/* $OpenBSD: sshconnect.c,v 1.349 2020/12/22 00:15:23 djm Exp $ */ +/* $OpenBSD: sshconnect.c,v 1.350 2021/01/26 00:49:30 djm Exp $ */ /* * Author: Tatu Ylonen <ylo@cs.hut.fi> * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland @@ -590,36 +590,6 @@ confirm(const char *prompt, const char *fingerprint) } static int -check_host_cert(const char *host, const struct sshkey *key) -{ - const char *reason; - int r; - - if (sshkey_cert_check_authority(key, 1, 0, host, &reason) != 0) { - error("%s", reason); - return 0; - } - if (sshbuf_len(key->cert->critical) != 0) { - error("Certificate for %s contains unsupported " - "critical options(s)", host); - return 0; - } - if ((r = sshkey_check_cert_sigtype(key, - options.ca_sign_algorithms)) != 0) { - logit_fr(r, "certificate signature algorithm %s", - (key->cert == NULL || key->cert->signature_type == NULL) ? - "(null)" : key->cert->signature_type); - return 0; - } - /* Do not attempt hostkey update if a certificate was successful */ - if (options.update_hostkeys != 0) { - options.update_hostkeys = 0; - debug3_f("certificate host key in use; disabling UpdateHostkeys"); - } - return 1; -} - -static int sockaddr_is_local(struct sockaddr *hostaddr) { switch (hostaddr->sa_family) { @@ -963,7 +933,7 @@ check_host_key(char *hostname, const struct ssh_conn_info *cinfo, char *ip = NULL, *host = NULL; char hostline[1000], *hostp, *fp, *ra; char msg[1024]; - const char *type; + const char *type, *fail_reason; const struct hostkey_entry *host_found = NULL, *ip_found = NULL; int len, cancelled_forwarding = 0, confirmed; int local = sockaddr_is_local(hostaddr); @@ -1069,10 +1039,24 @@ check_host_key(char *hostname, const struct ssh_conn_info *cinfo, host, type, want_cert ? "certificate" : "key"); debug("Found %s in %s:%lu", want_cert ? "CA key" : "key", host_found->file, host_found->line); - if (want_cert && - !check_host_cert(options.host_key_alias == NULL ? - hostname : options.host_key_alias, host_key)) - goto fail; + if (want_cert) { + if (sshkey_cert_check_host(host_key, + options.host_key_alias == NULL ? + hostname : options.host_key_alias, 0, + options.ca_sign_algorithms, &fail_reason) != 0) { + error("%s", fail_reason); + goto fail; + } + /* + * Do not attempt hostkey update if a certificate was + * successfully matched. + */ + if (options.update_hostkeys != 0) { + options.update_hostkeys = 0; + debug3_f("certificate host key in use; " + "disabling UpdateHostkeys"); + } + } /* Turn off UpdateHostkeys if key was in system known_hosts */ if (options.update_hostkeys != 0 && (path_in_hostfiles(host_found->file, |