| version 1.349, 2020/12/22 00:15:23 |
version 1.350, 2021/01/26 00:49:30 |
|
|
| } |
} |
| |
|
| static int |
static int |
| check_host_cert(const char *host, const struct sshkey *key) |
|
| { |
|
| const char *reason; |
|
| int r; |
|
| |
|
| if (sshkey_cert_check_authority(key, 1, 0, host, &reason) != 0) { |
|
| error("%s", reason); |
|
| return 0; |
|
| } |
|
| if (sshbuf_len(key->cert->critical) != 0) { |
|
| error("Certificate for %s contains unsupported " |
|
| "critical options(s)", host); |
|
| return 0; |
|
| } |
|
| if ((r = sshkey_check_cert_sigtype(key, |
|
| options.ca_sign_algorithms)) != 0) { |
|
| logit_fr(r, "certificate signature algorithm %s", |
|
| (key->cert == NULL || key->cert->signature_type == NULL) ? |
|
| "(null)" : key->cert->signature_type); |
|
| return 0; |
|
| } |
|
| /* Do not attempt hostkey update if a certificate was successful */ |
|
| if (options.update_hostkeys != 0) { |
|
| options.update_hostkeys = 0; |
|
| debug3_f("certificate host key in use; disabling UpdateHostkeys"); |
|
| } |
|
| return 1; |
|
| } |
|
| |
|
| static int |
|
| sockaddr_is_local(struct sockaddr *hostaddr) |
sockaddr_is_local(struct sockaddr *hostaddr) |
| { |
{ |
| switch (hostaddr->sa_family) { |
switch (hostaddr->sa_family) { |
|
|
| char *ip = NULL, *host = NULL; |
char *ip = NULL, *host = NULL; |
| char hostline[1000], *hostp, *fp, *ra; |
char hostline[1000], *hostp, *fp, *ra; |
| char msg[1024]; |
char msg[1024]; |
| const char *type; |
const char *type, *fail_reason; |
| const struct hostkey_entry *host_found = NULL, *ip_found = NULL; |
const struct hostkey_entry *host_found = NULL, *ip_found = NULL; |
| int len, cancelled_forwarding = 0, confirmed; |
int len, cancelled_forwarding = 0, confirmed; |
| int local = sockaddr_is_local(hostaddr); |
int local = sockaddr_is_local(hostaddr); |
|
|
| host, type, want_cert ? "certificate" : "key"); |
host, type, want_cert ? "certificate" : "key"); |
| debug("Found %s in %s:%lu", want_cert ? "CA key" : "key", |
debug("Found %s in %s:%lu", want_cert ? "CA key" : "key", |
| host_found->file, host_found->line); |
host_found->file, host_found->line); |
| if (want_cert && |
if (want_cert) { |
| !check_host_cert(options.host_key_alias == NULL ? |
if (sshkey_cert_check_host(host_key, |
| hostname : options.host_key_alias, host_key)) |
options.host_key_alias == NULL ? |
| goto fail; |
hostname : options.host_key_alias, 0, |
| |
options.ca_sign_algorithms, &fail_reason) != 0) { |
| |
error("%s", fail_reason); |
| |
goto fail; |
| |
} |
| |
/* |
| |
* Do not attempt hostkey update if a certificate was |
| |
* successfully matched. |
| |
*/ |
| |
if (options.update_hostkeys != 0) { |
| |
options.update_hostkeys = 0; |
| |
debug3_f("certificate host key in use; " |
| |
"disabling UpdateHostkeys"); |
| |
} |
| |
} |
| /* Turn off UpdateHostkeys if key was in system known_hosts */ |
/* Turn off UpdateHostkeys if key was in system known_hosts */ |
| if (options.update_hostkeys != 0 && |
if (options.update_hostkeys != 0 && |
| (path_in_hostfiles(host_found->file, |
(path_in_hostfiles(host_found->file, |
![[BACK]](/icons/back.gif){kind=icon}
Return to sshconnect.c CVS log ![[TXT]](/icons/text.gif){kind=icon}
![[DIR]](/icons/dir.gif){kind=icon}
Up to [local] / src / usr.bin / ssh