src - OpenBSD base system

diff options


context:
space:
mode:

author	Damien Miller <djm@cvs.openbsd.org>	2015-01-28 22:36:01 +0000
committer	Damien Miller <djm@cvs.openbsd.org>	2015-01-28 22:36:01 +0000
commit	2b012acecb227ec7ee164f472ee352f4ff23773e (patch)
tree	517b1be99f1e001209b154c012945165d140cb1e /usr.bin/ssh
parent	f61b92016d6b95eb1ab639792f3f79de3513114a (diff)

update to new API (key_fingerprint => sshkey_fingerprint)

check sshkey_fingerprint return values; ok markus

Diffstat (limited to 'usr.bin/ssh')

-rw-r--r--

usr.bin/ssh/auth-rsa.c

-rw-r--r--

usr.bin/ssh/auth2-hostbased.c

-rw-r--r--

usr.bin/ssh/auth2-pubkey.c

-rw-r--r--

usr.bin/ssh/dns.c

-rw-r--r--

usr.bin/ssh/key.c

-rw-r--r--

usr.bin/ssh/key.h

-rw-r--r--

usr.bin/ssh/ssh-add.c

-rw-r--r--

usr.bin/ssh/ssh-agent.c

-rw-r--r--

usr.bin/ssh/ssh-keygen.c

-rw-r--r--

usr.bin/ssh/ssh-keysign.c

-rw-r--r--

usr.bin/ssh/sshconnect.c

-rw-r--r--

usr.bin/ssh/sshconnect2.c

12 files changed, 81 insertions, 68 deletions

diff --git a/usr.bin/ssh/auth-rsa.c b/usr.bin/ssh/auth-rsa.c
index 76546b85bd6..52969dcf7e6 100644
--- a/usr.bin/ssh/auth-rsa.c
+++ b/usr.bin/ssh/auth-rsa.c

@@ -1,4 +1,4 @@

-/* $OpenBSD: auth-rsa.c,v 1.89 2014/12/21 22:27:56 djm Exp $ */

+/* $OpenBSD: auth-rsa.c,v 1.90 2015/01/28 22:36:00 djm Exp $ */

* Author: Tatu Ylonen <ylo@cs.hut.fi>

@@ -233,8 +233,9 @@ rsa_key_allowed_in_file(struct passwd *pw, char *file,

"actual %d vs. announced %d.",

file, linenum, BN_num_bits(key->rsa->n), bits);

- fp = key_fingerprint(key, options.fingerprint_hash,

- SSH_FP_DEFAULT);

+ if ((fp = sshkey_fingerprint(key, options.fingerprint_hash,

+ SSH_FP_DEFAULT)) == NULL)

+ continue;

debug("matching key found: file %s, line %lu %s %s",

file, linenum, key_type(key), fp);

free(fp);

diff --git a/usr.bin/ssh/auth2-hostbased.c b/usr.bin/ssh/auth2-hostbased.c
index b2d70666409..ebd407374f2 100644
--- a/usr.bin/ssh/auth2-hostbased.c
+++ b/usr.bin/ssh/auth2-hostbased.c

@@ -1,4 +1,4 @@

-/* $OpenBSD: auth2-hostbased.c,v 1.23 2015/01/28 11:07:25 djm Exp $ */

+/* $OpenBSD: auth2-hostbased.c,v 1.24 2015/01/28 22:36:00 djm Exp $ */

@@ -223,15 +223,17 @@ hostbased_key_allowed(struct passwd *pw, const char *cuser, char *chost,

if (host_status == HOST_OK) {

if (key_is_cert(key)) {

- fp = key_fingerprint(key->cert->signature_key,

- options.fingerprint_hash, SSH_FP_DEFAULT);

+ if ((fp = sshkey_fingerprint(key->cert->signature_key,

+ options.fingerprint_hash, SSH_FP_DEFAULT)) == NULL)

+ fatal("%s: sshkey_fingerprint fail", __func__);

verbose("Accepted certificate ID \"%s\" signed by "

"%s CA %s from %s@%s", key->cert->key_id,

key_type(key->cert->signature_key), fp,

cuser, lookup);

} else {

- fp = key_fingerprint(key, options.fingerprint_hash,

- SSH_FP_DEFAULT);

+ if ((fp = sshkey_fingerprint(key,

+ options.fingerprint_hash, SSH_FP_DEFAULT)) == NULL)

+ fatal("%s: sshkey_fingerprint fail", __func__);

verbose("Accepted %s public key %s from %s@%s",

key_type(key), fp, cuser, lookup);

}

diff --git a/usr.bin/ssh/auth2-pubkey.c b/usr.bin/ssh/auth2-pubkey.c
index 87c8132c8dc..0e982543a91 100644
--- a/usr.bin/ssh/auth2-pubkey.c
+++ b/usr.bin/ssh/auth2-pubkey.c

@@ -1,4 +1,4 @@

-/* $OpenBSD: auth2-pubkey.c,v 1.45 2015/01/13 07:39:19 djm Exp $ */

+/* $OpenBSD: auth2-pubkey.c,v 1.46 2015/01/28 22:36:00 djm Exp $ */

@@ -225,18 +225,20 @@ pubkey_auth_info(Authctxt *authctxt, const Key *key, const char *fmt, ...)

}

if (key_is_cert(key)) {

- fp = key_fingerprint(key->cert->signature_key,

+ fp = sshkey_fingerprint(key->cert->signature_key,

options.fingerprint_hash, SSH_FP_DEFAULT);

auth_info(authctxt, "%s ID %s (serial %llu) CA %s %s%s%s",

key_type(key), key->cert->key_id,

(unsigned long long)key->cert->serial,

- key_type(key->cert->signature_key), fp,

+ key_type(key->cert->signature_key),

+ fp == NULL ? "(null)" : "",

extra == NULL ? "" : ", ", extra == NULL ? "" : extra);

free(fp);

} else {

- fp = key_fingerprint(key, options.fingerprint_hash,

+ fp = sshkey_fingerprint(key, options.fingerprint_hash,

SSH_FP_DEFAULT);

- auth_info(authctxt, "%s %s%s%s", key_type(key), fp,

+ auth_info(authctxt, "%s %s%s%s", key_type(key),

+ fp == NULL ? "(null)" : "",

extra == NULL ? "" : ", ", extra == NULL ? "" : extra);

free(fp);

}

@@ -379,8 +381,9 @@ check_authkeys_file(FILE *f, char *file, Key* key, struct passwd *pw)

continue;

if (!key_is_cert_authority)

continue;

- fp = key_fingerprint(found, options.fingerprint_hash,

- SSH_FP_DEFAULT);

+ if ((fp = sshkey_fingerprint(found,

+ options.fingerprint_hash, SSH_FP_DEFAULT)) == NULL)

+ continue;

debug("matching CA found: file %s, line %lu, %s %s",

file, linenum, key_type(found), fp);

@@ -419,12 +422,13 @@ check_authkeys_file(FILE *f, char *file, Key* key, struct passwd *pw)

continue;

if (key_is_cert_authority)

continue;

- found_key = 1;

- fp = key_fingerprint(found, options.fingerprint_hash,

- SSH_FP_DEFAULT);

+ if ((fp = sshkey_fingerprint(found,

+ options.fingerprint_hash, SSH_FP_DEFAULT)) == NULL)

+ continue;

debug("matching key found: file %s, line %lu %s %s",

file, linenum, key_type(found), fp);

free(fp);

+ found_key = 1;

break;

}

@@ -446,8 +450,9 @@ user_cert_trusted_ca(struct passwd *pw, Key *key)

if (!key_is_cert(key) || options.trusted_user_ca_keys == NULL)

return 0;

- ca_fp = key_fingerprint(key->cert->signature_key,

- options.fingerprint_hash, SSH_FP_DEFAULT);

+ if ((ca_fp = sshkey_fingerprint(key->cert->signature_key,

+ options.fingerprint_hash, SSH_FP_DEFAULT)) == NULL)

+ return 0;

if (sshkey_in_file(key->cert->signature_key,

options.trusted_user_ca_keys, 1, 0) != 0) {

diff --git a/usr.bin/ssh/dns.c b/usr.bin/ssh/dns.c
index c0087727148..acbcc2c675c 100644
--- a/usr.bin/ssh/dns.c
+++ b/usr.bin/ssh/dns.c

@@ -1,4 +1,4 @@

-/* $OpenBSD: dns.c,v 1.33 2015/01/15 09:40:00 djm Exp $ */

+/* $OpenBSD: dns.c,v 1.34 2015/01/28 22:36:00 djm Exp $ */

@@ -291,7 +291,7 @@ verify_host_key_dns(const char *hostname, struct sockaddr *address,

free(dnskey_digest);

}

- free(hostkey_digest); /* from key_fingerprint_raw() */

+ free(hostkey_digest); /* from sshkey_fingerprint_raw() */

freerrset(fingerprints);

if (*flags & DNS_VERIFY_FOUND)

@@ -334,7 +334,7 @@ export_dns_rr(const char *hostname, struct sshkey *key, FILE *f, int generic)

for (i = 0; i < rdata_digest_len; i++)

fprintf(f, "%02x", rdata_digest[i]);

fprintf(f, "\n");

- free(rdata_digest); /* from key_fingerprint_raw() */

+ free(rdata_digest); /* from sshkey_fingerprint_raw() */

success = 1;

}

diff --git a/usr.bin/ssh/key.c b/usr.bin/ssh/key.c
index ec477b83d0a..0dea76a6a73 100644
--- a/usr.bin/ssh/key.c
+++ b/usr.bin/ssh/key.c

@@ -1,4 +1,4 @@

-/* $OpenBSD: key.c,v 1.126 2015/01/20 23:14:00 deraadt Exp $ */

+/* $OpenBSD: key.c,v 1.127 2015/01/28 22:36:00 djm Exp $ */

* placed in the public domain

@@ -37,23 +37,6 @@ key_new_private(int type)

return ret;

}

-u_char*

-key_fingerprint_raw(const Key *k, int dgst_alg, u_int *dgst_raw_length)

- u_char *ret = NULL;

- size_t dlen;

- int r;

- if (dgst_raw_length != NULL)

- *dgst_raw_length = 0;

- if ((r = sshkey_fingerprint_raw(k, dgst_alg, &ret, &dlen)) != 0)

- fatal("%s: %s", __func__, ssh_err(r));

- if (dlen > INT_MAX)

- fatal("%s: giant len %zu", __func__, dlen);

- *dgst_raw_length = dlen;

- return ret;

int

key_read(Key *ret, char **cpp)

{

diff --git a/usr.bin/ssh/key.h b/usr.bin/ssh/key.h
index 188d417041a..a33d72d616a 100644
--- a/usr.bin/ssh/key.h
+++ b/usr.bin/ssh/key.h

@@ -1,4 +1,4 @@

-/* $OpenBSD: key.h,v 1.46 2015/01/13 07:39:19 djm Exp $ */

+/* $OpenBSD: key.h,v 1.47 2015/01/28 22:36:00 djm Exp $ */

@@ -39,7 +39,6 @@ typedef struct sshkey Key;

#define key_free sshkey_free

#define key_equal_public sshkey_equal_public

#define key_equal sshkey_equal

-#define key_fingerprint sshkey_fingerprint

#define key_type sshkey_type

#define key_cert_type sshkey_cert_type

#define key_ssh_name sshkey_ssh_name

@@ -59,14 +58,12 @@ typedef struct sshkey Key;

#define key_ec_nid_to_hash_alg sshkey_ec_nid_to_hash_alg

#define key_dump_ec_point sshkey_dump_ec_point

#define key_dump_ec_key sshkey_dump_ec_key

-#define key_fingerprint sshkey_fingerprint

#endif

void key_add_private(Key *);

Key *key_new_private(int);

void key_free(Key *);

Key *key_demote(const Key *);

-u_char *key_fingerprint_raw(const Key *, int, u_int *);

int key_write(const Key *, FILE *);

int key_read(Key *, char **);

diff --git a/usr.bin/ssh/ssh-add.c b/usr.bin/ssh/ssh-add.c
index 9f1101a2c1c..740fa8f712e 100644
--- a/usr.bin/ssh/ssh-add.c
+++ b/usr.bin/ssh/ssh-add.c

@@ -1,4 +1,4 @@

-/* $OpenBSD: ssh-add.c,v 1.117 2015/01/16 06:40:12 deraadt Exp $ */

+/* $OpenBSD: ssh-add.c,v 1.118 2015/01/28 22:36:00 djm Exp $ */

* Author: Tatu Ylonen <ylo@cs.hut.fi>

@@ -367,7 +367,8 @@ list_identities(int agent_fd, int do_fp)

fp = sshkey_fingerprint(idlist->keys[i],

fingerprint_hash, SSH_FP_DEFAULT);

printf("%d %s %s (%s)\n",

- sshkey_size(idlist->keys[i]), fp,

+ sshkey_size(idlist->keys[i]),

+ fp == NULL ? "(null)" : fp,

idlist->comments[i],

sshkey_type(idlist->keys[i]));

free(fp);

diff --git a/usr.bin/ssh/ssh-agent.c b/usr.bin/ssh/ssh-agent.c
index e149098ad5d..11775dc5886 100644
--- a/usr.bin/ssh/ssh-agent.c
+++ b/usr.bin/ssh/ssh-agent.c

@@ -1,4 +1,4 @@

-/* $OpenBSD: ssh-agent.c,v 1.196 2015/01/16 06:40:12 deraadt Exp $ */

+/* $OpenBSD: ssh-agent.c,v 1.197 2015/01/28 22:36:00 djm Exp $ */

* Author: Tatu Ylonen <ylo@cs.hut.fi>

@@ -197,7 +197,8 @@ confirm_key(Identity *id)

int ret = -1;

p = sshkey_fingerprint(id->key, fingerprint_hash, SSH_FP_DEFAULT);

- if (ask_permission("Allow use of key %s?\nKey fingerprint %s.",

+ if (p != NULL &&

+ ask_permission("Allow use of key %s?\nKey fingerprint %s.",

id->comment, p))

ret = 0;

free(p);

diff --git a/usr.bin/ssh/ssh-keygen.c b/usr.bin/ssh/ssh-keygen.c
index 66d786229ec..e80d1b314a9 100644
--- a/usr.bin/ssh/ssh-keygen.c
+++ b/usr.bin/ssh/ssh-keygen.c

@@ -1,4 +1,4 @@

-/* $OpenBSD: ssh-keygen.c,v 1.258 2015/01/19 00:32:54 deraadt Exp $ */

+/* $OpenBSD: ssh-keygen.c,v 1.259 2015/01/28 22:36:00 djm Exp $ */

* Author: Tatu Ylonen <ylo@cs.hut.fi>

@@ -783,6 +783,8 @@ do_download(struct passwd *pw)

fp = sshkey_fingerprint(keys[i], fptype, rep);

ra = sshkey_fingerprint(keys[i], fingerprint_hash,

SSH_FP_RANDOMART);

+ if (fp == NULL || ra == NULL)

+ fatal("%s: sshkey_fingerprint fail", __func__);

printf("%u %s %s (PKCS11 key)\n", sshkey_size(keys[i]),

fp, sshkey_type(keys[i]));

if (log_level >= SYSLOG_LEVEL_VERBOSE)

@@ -829,6 +831,8 @@ do_fingerprint(struct passwd *pw)

fp = sshkey_fingerprint(public, fptype, rep);

ra = sshkey_fingerprint(public, fingerprint_hash,

SSH_FP_RANDOMART);

+ if (fp == NULL || ra == NULL)

+ fatal("%s: sshkey_fingerprint fail", __func__);

printf("%u %s %s (%s)\n", sshkey_size(public), fp, comment,

sshkey_type(public));

if (log_level >= SYSLOG_LEVEL_VERBOSE)

@@ -898,6 +902,8 @@ do_fingerprint(struct passwd *pw)

fp = sshkey_fingerprint(public, fptype, rep);

ra = sshkey_fingerprint(public, fingerprint_hash,

SSH_FP_RANDOMART);

+ if (fp == NULL || ra == NULL)

+ fatal("%s: sshkey_fingerprint fail", __func__);

printf("%u %s %s (%s)\n", sshkey_size(public), fp,

comment ? comment : "no comment", sshkey_type(public));

if (log_level >= SYSLOG_LEVEL_VERBOSE)

@@ -1883,6 +1889,8 @@ do_show_cert(struct passwd *pw)

key_fp = sshkey_fingerprint(key, fingerprint_hash, SSH_FP_DEFAULT);

ca_fp = sshkey_fingerprint(key->cert->signature_key,

fingerprint_hash, SSH_FP_DEFAULT);

+ if (key_fp == NULL || ca_fp == NULL)

+ fatal("%s: sshkey_fingerprint fail", __func__);

printf("%s:\n", identity_file);

printf(" Type: %s %s certificate\n", sshkey_ssh_name(key),

@@ -2199,7 +2207,7 @@ main(int argc, char **argv)

{

char dotsshdir[PATH_MAX], comment[1024], *passphrase1, *passphrase2;

char *checkpoint = NULL;

- char out_file[PATH_MAX], *rr_hostname = NULL, *ep;

+ char out_file[PATH_MAX], *rr_hostname = NULL, *ep, *fp, *ra;

struct sshkey *private, *public;

struct passwd *pw;

struct stat st;

@@ -2686,10 +2694,12 @@ passphrase_again:

fclose(f);

if (!quiet) {

- char *fp = sshkey_fingerprint(public, fingerprint_hash,

+ fp = sshkey_fingerprint(public, fingerprint_hash,

SSH_FP_DEFAULT);

- char *ra = sshkey_fingerprint(public, fingerprint_hash,

+ ra = sshkey_fingerprint(public, fingerprint_hash,

SSH_FP_RANDOMART);

+ if (fp == NULL || ra == NULL)

+ fatal("sshkey_fingerprint failed");

printf("Your public key has been saved in %s.\n",

identity_file);

printf("The key fingerprint is:\n");

diff --git a/usr.bin/ssh/ssh-keysign.c b/usr.bin/ssh/ssh-keysign.c
index ed8d0b75e91..0196b60ffba 100644
--- a/usr.bin/ssh/ssh-keysign.c
+++ b/usr.bin/ssh/ssh-keysign.c

@@ -1,4 +1,4 @@

-/* $OpenBSD: ssh-keysign.c,v 1.46 2015/01/15 09:40:00 djm Exp $ */

+/* $OpenBSD: ssh-keysign.c,v 1.47 2015/01/28 22:36:00 djm Exp $ */

@@ -255,8 +255,9 @@ main(int argc, char **argv)

}

if (!found) {

- fp = sshkey_fingerprint(key, options.fingerprint_hash,

- SSH_FP_DEFAULT);

+ if ((fp = sshkey_fingerprint(key, options.fingerprint_hash,

+ SSH_FP_DEFAULT)) == NULL)

+ fatal("%s: sshkey_fingerprint failed", __func__);

fatal("no matching hostkey found for key %s %s",

sshkey_type(key), fp ? fp : "");

}

diff --git a/usr.bin/ssh/sshconnect.c b/usr.bin/ssh/sshconnect.c
index 0b19421002f..97c6cfa4788 100644
--- a/usr.bin/ssh/sshconnect.c
+++ b/usr.bin/ssh/sshconnect.c

@@ -1,4 +1,4 @@

-/* $OpenBSD: sshconnect.c,v 1.258 2015/01/26 06:10:03 djm Exp $ */

+/* $OpenBSD: sshconnect.c,v 1.259 2015/01/28 22:36:00 djm Exp $ */

* Author: Tatu Ylonen <ylo@cs.hut.fi>

@@ -744,7 +744,7 @@ get_hostfile_hostname_ipaddr(char *hostname, struct sockaddr *hostaddr,

if (options.proxy_command == NULL) {

if (getnameinfo(hostaddr, hostaddr->sa_len,

ntop, sizeof(ntop), NULL, 0, NI_NUMERICHOST) != 0)

- fatal("check_host_key: getnameinfo failed");

+ fatal("%s: getnameinfo failed", __func__);

*hostfile_ipaddr = put_host_port(ntop, port);

} else {

*hostfile_ipaddr = xstrdup("<no hostip for proxy "

@@ -893,10 +893,12 @@ check_host_key(char *hostname, struct sockaddr *hostaddr, u_short port,

"key for IP address '%.128s' to the list "

"of known hosts.", type, ip);

} else if (options.visual_host_key) {

- fp = key_fingerprint(host_key,

+ fp = sshkey_fingerprint(host_key,

options.fingerprint_hash, SSH_FP_DEFAULT);

- ra = key_fingerprint(host_key,

+ ra = sshkey_fingerprint(host_key,

options.fingerprint_hash, SSH_FP_RANDOMART);

+ if (fp == NULL || ra == NULL)

+ fatal("%s: sshkey_fingerprint fail", __func__);

logit("Host key fingerprint is %s\n%s\n", fp, ra);

free(ra);

free(fp);

@@ -936,10 +938,12 @@ check_host_key(char *hostname, struct sockaddr *hostaddr, u_short port,

else

snprintf(msg1, sizeof(msg1), ".");

/* The default */

- fp = key_fingerprint(host_key,

+ fp = sshkey_fingerprint(host_key,

options.fingerprint_hash, SSH_FP_DEFAULT);

- ra = key_fingerprint(host_key,

+ ra = sshkey_fingerprint(host_key,

options.fingerprint_hash, SSH_FP_RANDOMART);

+ if (fp == NULL || ra == NULL)

+ fatal("%s: sshkey_fingerprint fail", __func__);

msg2[0] = '\0';

if (options.verify_host_key_dns) {

if (matching_host_key_dns)

@@ -1373,10 +1377,12 @@ show_other_keys(struct hostkeys *hostkeys, Key *key)

continue;

if (!lookup_key_in_hostkeys_by_type(hostkeys, type[i], &found))

continue;

- fp = key_fingerprint(found->key,

+ fp = sshkey_fingerprint(found->key,

options.fingerprint_hash, SSH_FP_DEFAULT);

- ra = key_fingerprint(found->key,

+ ra = sshkey_fingerprint(found->key,

options.fingerprint_hash, SSH_FP_RANDOMART);

+ if (fp == NULL || ra == NULL)

+ fatal("%s: sshkey_fingerprint fail", __func__);

logit("WARNING: %s key found for host %s\n"

"in %s:%lu\n"

"%s key fingerprint %s.",

@@ -1397,8 +1403,10 @@ warn_changed_key(Key *host_key)

{

char *fp;

- fp = key_fingerprint(host_key, options.fingerprint_hash,

+ fp = sshkey_fingerprint(host_key, options.fingerprint_hash,

SSH_FP_DEFAULT);

+ if (fp == NULL)

+ fatal("%s: sshkey_fingerprint fail", __func__);

error("@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@");

error("@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @");

diff --git a/usr.bin/ssh/sshconnect2.c b/usr.bin/ssh/sshconnect2.c
index e8fe45a68f9..12515fdf986 100644
--- a/usr.bin/ssh/sshconnect2.c
+++ b/usr.bin/ssh/sshconnect2.c

@@ -1,4 +1,4 @@

-/* $OpenBSD: sshconnect2.c,v 1.221 2015/01/20 20:16:21 markus Exp $ */

+/* $OpenBSD: sshconnect2.c,v 1.222 2015/01/28 22:36:00 djm Exp $ */

@@ -585,7 +585,9 @@ input_userauth_pk_ok(int type, u_int32_t seq, void *ctxt)

key->type, pktype);

goto done;

}

- fp = sshkey_fingerprint(key, options.fingerprint_hash, SSH_FP_DEFAULT);

+ if ((fp = sshkey_fingerprint(key, options.fingerprint_hash,

+ SSH_FP_DEFAULT)) == NULL)

+ goto done;

debug2("input_userauth_pk_ok: fp %s", fp);

free(fp);

@@ -1003,7 +1005,9 @@ sign_and_send_pubkey(Authctxt *authctxt, Identity *id)

int have_sig = 1;

char *fp;

- fp = key_fingerprint(id->key, options.fingerprint_hash, SSH_FP_DEFAULT);

+ if ((fp = sshkey_fingerprint(id->key, options.fingerprint_hash,

+ SSH_FP_DEFAULT)) == NULL)

+ return 0;

debug3("sign_and_send_pubkey: %s %s", key_type(id->key), fp);

free(fp);