version 1.349, 2020/12/22 00:15:23 |
version 1.350, 2021/01/26 00:49:30 |
|
|
} |
} |
|
|
static int |
static int |
check_host_cert(const char *host, const struct sshkey *key) |
|
{ |
|
const char *reason; |
|
int r; |
|
|
|
if (sshkey_cert_check_authority(key, 1, 0, host, &reason) != 0) { |
|
error("%s", reason); |
|
return 0; |
|
} |
|
if (sshbuf_len(key->cert->critical) != 0) { |
|
error("Certificate for %s contains unsupported " |
|
"critical options(s)", host); |
|
return 0; |
|
} |
|
if ((r = sshkey_check_cert_sigtype(key, |
|
options.ca_sign_algorithms)) != 0) { |
|
logit_fr(r, "certificate signature algorithm %s", |
|
(key->cert == NULL || key->cert->signature_type == NULL) ? |
|
"(null)" : key->cert->signature_type); |
|
return 0; |
|
} |
|
/* Do not attempt hostkey update if a certificate was successful */ |
|
if (options.update_hostkeys != 0) { |
|
options.update_hostkeys = 0; |
|
debug3_f("certificate host key in use; disabling UpdateHostkeys"); |
|
} |
|
return 1; |
|
} |
|
|
|
static int |
|
sockaddr_is_local(struct sockaddr *hostaddr) |
sockaddr_is_local(struct sockaddr *hostaddr) |
{ |
{ |
switch (hostaddr->sa_family) { |
switch (hostaddr->sa_family) { |
|
|
char *ip = NULL, *host = NULL; |
char *ip = NULL, *host = NULL; |
char hostline[1000], *hostp, *fp, *ra; |
char hostline[1000], *hostp, *fp, *ra; |
char msg[1024]; |
char msg[1024]; |
const char *type; |
const char *type, *fail_reason; |
const struct hostkey_entry *host_found = NULL, *ip_found = NULL; |
const struct hostkey_entry *host_found = NULL, *ip_found = NULL; |
int len, cancelled_forwarding = 0, confirmed; |
int len, cancelled_forwarding = 0, confirmed; |
int local = sockaddr_is_local(hostaddr); |
int local = sockaddr_is_local(hostaddr); |
|
|
host, type, want_cert ? "certificate" : "key"); |
host, type, want_cert ? "certificate" : "key"); |
debug("Found %s in %s:%lu", want_cert ? "CA key" : "key", |
debug("Found %s in %s:%lu", want_cert ? "CA key" : "key", |
host_found->file, host_found->line); |
host_found->file, host_found->line); |
if (want_cert && |
if (want_cert) { |
!check_host_cert(options.host_key_alias == NULL ? |
if (sshkey_cert_check_host(host_key, |
hostname : options.host_key_alias, host_key)) |
options.host_key_alias == NULL ? |
goto fail; |
hostname : options.host_key_alias, 0, |
|
options.ca_sign_algorithms, &fail_reason) != 0) { |
|
error("%s", fail_reason); |
|
goto fail; |
|
} |
|
/* |
|
* Do not attempt hostkey update if a certificate was |
|
* successfully matched. |
|
*/ |
|
if (options.update_hostkeys != 0) { |
|
options.update_hostkeys = 0; |
|
debug3_f("certificate host key in use; " |
|
"disabling UpdateHostkeys"); |
|
} |
|
} |
/* Turn off UpdateHostkeys if key was in system known_hosts */ |
/* Turn off UpdateHostkeys if key was in system known_hosts */ |
if (options.update_hostkeys != 0 && |
if (options.update_hostkeys != 0 && |
(path_in_hostfiles(host_found->file, |
(path_in_hostfiles(host_found->file, |