From 3b44f2513cae89c920e8fe927b9bc910a1c8c65a Mon Sep 17 00:00:00 2001 From: "djm@openbsd.org" Date: Tue, 26 Jan 2021 00:49:30 +0000 Subject: upstream: move check_host_cert() from sshconnect,c to sshkey.c and refactor it to make it more generally usable and testable. ok markus@ OpenBSD-Commit-ID: 536f489f5ff38808c1fa711ba58d4579b636f9e4 --- sshconnect.c | 56 ++++++++++++++++++++------------------------------------ 1 file changed, 20 insertions(+), 36 deletions(-) (limited to 'sshconnect.c') diff --git a/sshconnect.c b/sshconnect.c index 616ee37e8..74f9e7670 100644 --- a/sshconnect.c +++ b/sshconnect.c @@ -1,4 +1,4 @@ -/* $OpenBSD: sshconnect.c,v 1.349 2020/12/22 00:15:23 djm Exp $ */ +/* $OpenBSD: sshconnect.c,v 1.350 2021/01/26 00:49:30 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -589,36 +589,6 @@ confirm(const char *prompt, const char *fingerprint) } } -static int -check_host_cert(const char *host, const struct sshkey *key) -{ - const char *reason; - int r; - - if (sshkey_cert_check_authority(key, 1, 0, host, &reason) != 0) { - error("%s", reason); - return 0; - } - if (sshbuf_len(key->cert->critical) != 0) { - error("Certificate for %s contains unsupported " - "critical options(s)", host); - return 0; - } - if ((r = sshkey_check_cert_sigtype(key, - options.ca_sign_algorithms)) != 0) { - logit_fr(r, "certificate signature algorithm %s", - (key->cert == NULL || key->cert->signature_type == NULL) ? - "(null)" : key->cert->signature_type); - return 0; - } - /* Do not attempt hostkey update if a certificate was successful */ - if (options.update_hostkeys != 0) { - options.update_hostkeys = 0; - debug3_f("certificate host key in use; disabling UpdateHostkeys"); - } - return 1; -} - static int sockaddr_is_local(struct sockaddr *hostaddr) { @@ -963,7 +933,7 @@ check_host_key(char *hostname, const struct ssh_conn_info *cinfo, char *ip = NULL, *host = NULL; char hostline[1000], *hostp, *fp, *ra; char msg[1024]; - const char *type; + const char *type, *fail_reason; const struct hostkey_entry *host_found = NULL, *ip_found = NULL; int len, cancelled_forwarding = 0, confirmed; int local = sockaddr_is_local(hostaddr); @@ -1069,10 +1039,24 @@ check_host_key(char *hostname, const struct ssh_conn_info *cinfo, host, type, want_cert ? "certificate" : "key"); debug("Found %s in %s:%lu", want_cert ? "CA key" : "key", host_found->file, host_found->line); - if (want_cert && - !check_host_cert(options.host_key_alias == NULL ? - hostname : options.host_key_alias, host_key)) - goto fail; + if (want_cert) { + if (sshkey_cert_check_host(host_key, + options.host_key_alias == NULL ? + hostname : options.host_key_alias, 0, + options.ca_sign_algorithms, &fail_reason) != 0) { + error("%s", fail_reason); + goto fail; + } + /* + * Do not attempt hostkey update if a certificate was + * successfully matched. + */ + if (options.update_hostkeys != 0) { + options.update_hostkeys = 0; + debug3_f("certificate host key in use; " + "disabling UpdateHostkeys"); + } + } /* Turn off UpdateHostkeys if key was in system known_hosts */ if (options.update_hostkeys != 0 && (path_in_hostfiles(host_found->file, -- cgit v1.2.3