tyler.durden/openssh-portable
1
0
Fork 0
mirror of https://github.com/PowerShell/openssh-portable.git synced 2025-07-29 16:54:51 +02:00
Code Issues Packages Projects Releases Wiki Activity

- djm@cvs.openbsd.org 2014/07/03 03:47:27

Browse Source 
[ssh-keygen.c]
     When hashing or removing hosts using ssh-keygen, don't choke on
     @revoked markers and don't remove @cert-authority markers;
     bz#2241, reported by mlindgren AT runelind.net
This commit is contained in:
Damien Miller 2014-07-03 21:24:40 +10:00
parent e5c0d52ceb
commit 4a1d3d50f0
2 changed files with 49 additions and 26 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
ChangeLog
View File

@ -29,6 +29,11 @@
[gss-serv.c session.c ssh-keygen.c] [gss-serv.c session.c ssh-keygen.c]
standardise on NI_MAXHOST for gethostname() string lengths; about standardise on NI_MAXHOST for gethostname() string lengths; about
1/2 the cases were using it already. Fixes bz#2239 en passant 1/2 the cases were using it already. Fixes bz#2239 en passant
- djm@cvs.openbsd.org 2014/07/03 03:47:27
[ssh-keygen.c]
When hashing or removing hosts using ssh-keygen, don't choke on
@revoked markers and don't remove @cert-authority markers;
bz#2241, reported by mlindgren AT runelind.net
20140702 20140702
- OpenBSD CVS Sync - OpenBSD CVS Sync

70
ssh-keygen.c
View File

@ -1,4 +1,4 @@
/* $OpenBSD: ssh-keygen.c,v 1.248 2014/07/03 03:34:09 djm Exp $ */ /* $OpenBSD: ssh-keygen.c,v 1.249 2014/07/03 03:47:27 djm Exp $ */
/* /*
* Author: Tatu Ylonen <ylo@cs.hut.fi> * Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1994 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland * Copyright (c) 1994 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@ -987,7 +987,7 @@ do_gen_all_hostkeys(struct passwd *pw)
} }
static void static void
printhost(FILE *f, const char *name, Key *public, int ca, int hash) printhost(FILE *f, const char *name, Key *public, int ca, int revoked, int hash)
{ {
if (print_fingerprint) { if (print_fingerprint) {
enum fp_rep rep; enum fp_rep rep;
@ -1007,7 +1007,8 @@ printhost(FILE *f, const char *name, Key *public, int ca, int hash)
} else { } else {
if (hash && (name = host_hash(name, NULL, 0)) == NULL) if (hash && (name = host_hash(name, NULL, 0)) == NULL)
fatal("hash_host failed"); fatal("hash_host failed");
fprintf(f, "%s%s%s ", ca ? CA_MARKER : "", ca ? " " : "", name); fprintf(f, "%s%s%s ", ca ? CA_MARKER " " : "",
revoked ? REVOKE_MARKER " " : "" , name);
if (!key_write(public, f)) if (!key_write(public, f))
fatal("key_write failed"); fatal("key_write failed");
fprintf(f, "\n"); fprintf(f, "\n");
@ -1022,7 +1023,7 @@ do_known_hosts(struct passwd *pw, const char *name)
char *cp, *cp2, *kp, *kp2; char *cp, *cp2, *kp, *kp2;
char line[16*1024], tmp[MAXPATHLEN], old[MAXPATHLEN]; char line[16*1024], tmp[MAXPATHLEN], old[MAXPATHLEN];
int c, skip = 0, inplace = 0, num = 0, invalid = 0, has_unhashed = 0; int c, skip = 0, inplace = 0, num = 0, invalid = 0, has_unhashed = 0;
int ca; int ca, revoked;
int found_key = 0; int found_key = 0;
if (!have_identity) { if (!have_identity) {
@ -1036,6 +1037,7 @@ do_known_hosts(struct passwd *pw, const char *name)
if ((in = fopen(identity_file, "r")) == NULL) if ((in = fopen(identity_file, "r")) == NULL)
fatal("%s: %s: %s", __progname, identity_file, strerror(errno)); fatal("%s: %s: %s", __progname, identity_file, strerror(errno));
/* XXX this code is a mess; refactor -djm */
/* /*
* Find hosts goes to stdout, hash and deletions happen in-place * Find hosts goes to stdout, hash and deletions happen in-place
* A corner case is ssh-keygen -HF foo, which should go to stdout * A corner case is ssh-keygen -HF foo, which should go to stdout
@ -1079,7 +1081,7 @@ do_known_hosts(struct passwd *pw, const char *name)
fprintf(out, "%s\n", cp); fprintf(out, "%s\n", cp);
continue; continue;
} }
/* Check whether this is a CA key */ /* Check whether this is a CA key or revocation marker */
if (strncasecmp(cp, CA_MARKER, sizeof(CA_MARKER) - 1) == 0 && if (strncasecmp(cp, CA_MARKER, sizeof(CA_MARKER) - 1) == 0 &&
(cp[sizeof(CA_MARKER) - 1] == ' ' || (cp[sizeof(CA_MARKER) - 1] == ' ' ||
cp[sizeof(CA_MARKER) - 1] == '\t')) { cp[sizeof(CA_MARKER) - 1] == '\t')) {
@ -1087,6 +1089,14 @@ do_known_hosts(struct passwd *pw, const char *name)
cp += sizeof(CA_MARKER); cp += sizeof(CA_MARKER);
} else } else
ca = 0; ca = 0;
if (strncasecmp(cp, REVOKE_MARKER,
sizeof(REVOKE_MARKER) - 1) == 0 &&
(cp[sizeof(REVOKE_MARKER) - 1] == ' ' ||
cp[sizeof(REVOKE_MARKER) - 1] == '\t')) {
revoked = 1;
cp += sizeof(REVOKE_MARKER);
} else
revoked = 0;
/* Find the end of the host name portion. */ /* Find the end of the host name portion. */
for (kp = cp; *kp && *kp != ' ' && *kp != '\t'; kp++) for (kp = cp; *kp && *kp != ' ' && *kp != '\t'; kp++)
@ -1130,20 +1140,23 @@ do_known_hosts(struct passwd *pw, const char *name)
printf("# Host %s found: " printf("# Host %s found: "
"line %d type %s%s\n", name, "line %d type %s%s\n", name,
num, key_type(pub), num, key_type(pub),
ca ? " (CA key)" : ""); ca ? " (CA key)" :
printhost(out, cp, pub, ca, 0); revoked? " (revoked)" : "");
printhost(out, cp, pub, ca, revoked, 0);
found_key = 1; found_key = 1;
} }
if (delete_host) { if (delete_host) {
if (!c && !ca) if (!c || ca || revoked) {
printhost(out, cp, pub, ca, 0); printhost(out, cp, pub,
else ca, revoked, 0);
} else {
printf("# Host %s found: " printf("# Host %s found: "
"line %d type %s\n", name, "line %d type %s\n", name,
num, key_type(pub)); num, key_type(pub));
}
} }
} else if (hash_hosts) } else if (hash_hosts)
printhost(out, cp, pub, ca, 0); printhost(out, cp, pub, ca, revoked, 0);
} else { } else {
if (find_host || delete_host) { if (find_host || delete_host) {
c = (match_hostname(name, cp, c = (match_hostname(name, cp,
@ -1154,38 +1167,43 @@ do_known_hosts(struct passwd *pw, const char *name)
"line %d type %s%s\n", name, "line %d type %s%s\n", name,
num, key_type(pub), num, key_type(pub),
ca ? " (CA key)" : ""); ca ? " (CA key)" : "");
printhost(out, name, pub, printhost(out, name, pub, ca, revoked,
ca, hash_hosts && !ca); hash_hosts && !(ca || revoked));
found_key = 1; found_key = 1;
} }
if (delete_host) { if (delete_host) {
if (!c && !ca) if (!c || ca || revoked) {
printhost(out, cp, pub, ca, 0); printhost(out, cp, pub,
else ca, revoked, 0);
} else {
printf("# Host %s found: " printf("# Host %s found: "
"line %d type %s\n", name, "line %d type %s\n", name,
num, key_type(pub)); num, key_type(pub));
}
} }
} else if (hash_hosts && (ca || revoked)) {
/* Don't hash CA and revoked keys' hostnames */
printhost(out, cp, pub, ca, revoked, 0);
has_unhashed = 1;
} else if (hash_hosts) { } else if (hash_hosts) {
/* Hash each hostname separately */
for (cp2 = strsep(&cp, ","); for (cp2 = strsep(&cp, ",");
cp2 != NULL && *cp2 != '\0'; cp2 != NULL && *cp2 != '\0';
cp2 = strsep(&cp, ",")) { cp2 = strsep(&cp, ",")) {
if (ca) { if (strcspn(cp2, "*?!") !=
fprintf(stderr, "Warning: "
"ignoring CA key for host: "
"%.64s\n", cp2);
printhost(out, cp2, pub, ca, 0);
} else if (strcspn(cp2, "*?!") !=
strlen(cp2)) { strlen(cp2)) {
fprintf(stderr, "Warning: " fprintf(stderr, "Warning: "
"ignoring host name with " "ignoring host name with "
"metacharacters: %.64s\n", "metacharacters: %.64s\n",
cp2); cp2);
printhost(out, cp2, pub, ca, 0); printhost(out, cp2, pub, ca,
} else revoked, 0);
printhost(out, cp2, pub, ca, 1); has_unhashed = 1;
} else {
printhost(out, cp2, pub, ca,
revoked, 1);
}
} }
has_unhashed = 1;
} }
} }
key_free(pub); key_free(pub);