diff options
Diffstat (limited to 'auth2-pubkey.c')
| -rw-r--r-- | auth2-pubkey.c | 49 |
1 files changed, 38 insertions, 11 deletions
diff --git a/auth2-pubkey.c b/auth2-pubkey.c index 9e32259a5ca3..9c2298fc887d 100644 --- a/auth2-pubkey.c +++ b/auth2-pubkey.c @@ -1,4 +1,4 @@ -/* $OpenBSD: auth2-pubkey.c,v 1.109 2021/07/23 03:37:52 djm Exp $ */ +/* $OpenBSD: auth2-pubkey.c,v 1.112 2021/12/19 22:12:30 djm Exp $ */ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. * @@ -67,6 +67,7 @@ #include "authfile.h" #include "match.h" #include "ssherr.h" +#include "kex.h" #include "channels.h" /* XXX for session.h */ #include "session.h" /* XXX for child_set_env(); refactor? */ #include "sk-api.h" @@ -86,24 +87,39 @@ format_key(const struct sshkey *key) } static int -userauth_pubkey(struct ssh *ssh) +userauth_pubkey(struct ssh *ssh, const char *method) { Authctxt *authctxt = ssh->authctxt; struct passwd *pw = authctxt->pw; struct sshbuf *b = NULL; - struct sshkey *key = NULL; + struct sshkey *key = NULL, *hostkey = NULL; char *pkalg = NULL, *userstyle = NULL, *key_s = NULL, *ca_s = NULL; u_char *pkblob = NULL, *sig = NULL, have_sig; size_t blen, slen; - int r, pktype; + int hostbound, r, pktype; int req_presence = 0, req_verify = 0, authenticated = 0; struct sshauthopt *authopts = NULL; struct sshkey_sig_details *sig_details = NULL; + hostbound = strcmp(method, "publickey-hostbound-v00@openssh.com") == 0; + if ((r = sshpkt_get_u8(ssh, &have_sig)) != 0 || (r = sshpkt_get_cstring(ssh, &pkalg, NULL)) != 0 || (r = sshpkt_get_string(ssh, &pkblob, &blen)) != 0) - fatal_fr(r, "parse packet"); + fatal_fr(r, "parse %s packet", method); + + /* hostbound auth includes the hostkey offered at initial KEX */ + if (hostbound) { + if ((r = sshpkt_getb_froms(ssh, &b)) != 0 || + (r = sshkey_fromb(b, &hostkey)) != 0) + fatal_fr(r, "parse %s hostkey", method); + if (ssh->kex->initial_hostkey == NULL) + fatal_f("internal error: initial hostkey not recorded"); + if (!sshkey_equal(hostkey, ssh->kex->initial_hostkey)) + fatal_f("%s packet contained wrong host key", method); + sshbuf_free(b); + b = NULL; + } if (log_level_get() >= SYSLOG_LEVEL_DEBUG2) { char *keystring; @@ -166,7 +182,8 @@ userauth_pubkey(struct ssh *ssh) ca_s = format_key(key->cert->signature_key); if (have_sig) { - debug3_f("have %s signature for %s%s%s", pkalg, key_s, + debug3_f("%s have %s signature for %s%s%s", + method, pkalg, key_s, ca_s == NULL ? "" : " CA ", ca_s == NULL ? "" : ca_s); if ((r = sshpkt_get_string(ssh, &sig, &slen)) != 0 || (r = sshpkt_get_end(ssh)) != 0) @@ -192,11 +209,14 @@ userauth_pubkey(struct ssh *ssh) if ((r = sshbuf_put_u8(b, SSH2_MSG_USERAUTH_REQUEST)) != 0 || (r = sshbuf_put_cstring(b, userstyle)) != 0 || (r = sshbuf_put_cstring(b, authctxt->service)) != 0 || - (r = sshbuf_put_cstring(b, "publickey")) != 0 || + (r = sshbuf_put_cstring(b, method)) != 0 || (r = sshbuf_put_u8(b, have_sig)) != 0 || (r = sshbuf_put_cstring(b, pkalg)) != 0 || (r = sshbuf_put_string(b, pkblob, blen)) != 0) - fatal_fr(r, "reconstruct packet"); + fatal_fr(r, "reconstruct %s packet", method); + if (hostbound && + (r = sshkey_puts(ssh->kex->initial_hostkey, b)) != 0) + fatal_fr(r, "reconstruct %s packet", method); #ifdef DEBUG_PK sshbuf_dump(b, stderr); #endif @@ -246,7 +266,7 @@ userauth_pubkey(struct ssh *ssh) } auth2_record_key(authctxt, authenticated, key); } else { - debug_f("test pkalg %s pkblob %s%s%s", pkalg, key_s, + debug_f("%s test pkalg %s pkblob %s%s%s", method, pkalg, key_s, ca_s == NULL ? "" : " CA ", ca_s == NULL ? "" : ca_s); if ((r = sshpkt_get_end(ssh)) != 0) @@ -285,6 +305,7 @@ done: sshbuf_free(b); sshauthopt_free(authopts); sshkey_free(key); + sshkey_free(hostkey); free(userstyle); free(pkalg); free(pkblob); @@ -376,7 +397,7 @@ process_principals(struct ssh *ssh, FILE *f, const char *file, { char loc[256], *line = NULL, *cp, *ep; size_t linesize = 0; - u_long linenum = 0; + u_long linenum = 0, nonblank = 0; u_int found_principal = 0; if (authoptsp != NULL) @@ -397,10 +418,12 @@ process_principals(struct ssh *ssh, FILE *f, const char *file, if (!*cp || *cp == '\n') continue; + nonblank++; snprintf(loc, sizeof(loc), "%.200s:%lu", file, linenum); if (check_principals_line(ssh, cp, cert, loc, authoptsp) == 0) found_principal = 1; } + debug2_f("%s: processed %lu/%lu lines", file, nonblank, linenum); free(line); return found_principal; } @@ -719,7 +742,7 @@ check_authkeys_file(struct ssh *ssh, struct passwd *pw, FILE *f, char *cp, *line = NULL, loc[256]; size_t linesize = 0; int found_key = 0; - u_long linenum = 0; + u_long linenum = 0, nonblank = 0; if (authoptsp != NULL) *authoptsp = NULL; @@ -735,11 +758,14 @@ check_authkeys_file(struct ssh *ssh, struct passwd *pw, FILE *f, skip_space(&cp); if (!*cp || *cp == '\n' || *cp == '#') continue; + + nonblank++; snprintf(loc, sizeof(loc), "%.200s:%lu", file, linenum); if (check_authkey_line(ssh, pw, key, cp, loc, authoptsp) == 0) found_key = 1; } free(line); + debug2_f("%s: processed %lu/%lu lines", file, nonblank, linenum); return found_key; } @@ -1062,6 +1088,7 @@ user_key_allowed(struct ssh *ssh, struct passwd *pw, struct sshkey *key, Authmethod method_pubkey = { "publickey", + "publickey-hostbound-v00@openssh.com", userauth_pubkey, &options.pubkey_authentication }; |