diff -up openssh-5.8p1/auth2-hostbased.c.audit2a openssh-5.8p1/auth2-hostbased.c --- openssh-5.8p1/auth2-hostbased.c.audit2a 2011-03-02 08:26:16.000000000 +0100 +++ openssh-5.8p1/auth2-hostbased.c 2011-03-02 08:26:17.000000000 +0100 @@ -119,7 +119,7 @@ userauth_hostbased(Authctxt *authctxt) /* test for allowed key and correct signature */ authenticated = 0; if (PRIVSEP(hostbased_key_allowed(authctxt->pw, cuser, chost, key)) && - PRIVSEP(key_verify(key, sig, slen, buffer_ptr(&b), + PRIVSEP(hostbased_key_verify(key, sig, slen, buffer_ptr(&b), buffer_len(&b))) == 1) authenticated = 1; @@ -137,7 +137,7 @@ done: } int -hostkey_key_verify(const Key *key, const u_char *sig, u_int slen, const u_char *data, u_int datalen) +hostbased_key_verify(const Key *key, const u_char *sig, u_int slen, const u_char *data, u_int datalen) { int rv; diff -up openssh-5.8p1/auth2-pubkey.c.audit2a openssh-5.8p1/auth2-pubkey.c --- openssh-5.8p1/auth2-pubkey.c.audit2a 2011-03-02 08:26:16.000000000 +0100 +++ openssh-5.8p1/auth2-pubkey.c 2011-03-02 08:26:17.000000000 +0100 @@ -140,7 +140,7 @@ userauth_pubkey(Authctxt *authctxt) /* test for correct signature */ authenticated = 0; if (PRIVSEP(user_key_allowed(authctxt->pw, key)) && - PRIVSEP(key_verify(key, sig, slen, buffer_ptr(&b), + PRIVSEP(user_key_verify(key, sig, slen, buffer_ptr(&b), buffer_len(&b))) == 1) authenticated = 1; buffer_free(&b); @@ -178,7 +178,7 @@ done: } int -pubkey_key_verify(const Key *key, const u_char *sig, u_int slen, const u_char *data, u_int datalen) +user_key_verify(const Key *key, const u_char *sig, u_int slen, const u_char *data, u_int datalen) { int rv; diff -up openssh-5.8p1/auth.h.audit2a openssh-5.8p1/auth.h --- openssh-5.8p1/auth.h.audit2a 2011-03-02 08:26:16.000000000 +0100 +++ openssh-5.8p1/auth.h 2011-03-02 08:26:17.000000000 +0100 @@ -170,7 +170,7 @@ void abandon_challenge_response(Authctxt char *authorized_keys_file(struct passwd *); char *authorized_keys_file2(struct passwd *); char *authorized_principals_file(struct passwd *); -int pubkey_key_verify(const Key *, const u_char *, u_int, const u_char *, u_int); +int user_key_verify(const Key *, const u_char *, u_int, const u_char *, u_int); FILE *auth_openkeyfile(const char *, struct passwd *, int); FILE *auth_openprincipals(const char *, struct passwd *, int); @@ -186,7 +186,7 @@ Key *get_hostkey_public_by_type(int); Key *get_hostkey_private_by_type(int); int get_hostkey_index(Key *); int ssh1_session_key(BIGNUM *); -int hostkey_key_verify(const Key *, const u_char *, u_int, const u_char *, u_int); +int hostbased_key_verify(const Key *, const u_char *, u_int, const u_char *, u_int); /* debug messages during authentication */ void auth_debug_add(const char *fmt,...) __attribute__((format(printf, 1, 2))); diff -up openssh-5.8p1/monitor.c.audit2a openssh-5.8p1/monitor.c --- openssh-5.8p1/monitor.c.audit2a 2011-03-02 08:26:17.000000000 +0100 +++ openssh-5.8p1/monitor.c 2011-03-02 08:26:17.000000000 +0100 @@ -1208,9 +1208,11 @@ mm_answer_keyverify(int sock, Buffer *m) Key *key; u_char *signature, *data, *blob; u_int signaturelen, datalen, bloblen; + int type = 0; int verified = 0; int valid_data = 0; + type = buffer_get_int(m); blob = buffer_get_string(m, &bloblen); signature = buffer_get_string(m, &signaturelen); data = buffer_get_string(m, &datalen); @@ -1218,6 +1220,8 @@ mm_answer_keyverify(int sock, Buffer *m) if (hostbased_cuser == NULL || hostbased_chost == NULL || !monitor_allowed_key(blob, bloblen)) fatal("%s: bad key, not previously allowed", __func__); + if (type != key_blobtype) + fatal("%s: bad key type", __func__); key = key_from_blob(blob, bloblen); if (key == NULL) @@ -1240,10 +1244,10 @@ mm_answer_keyverify(int sock, Buffer *m) switch (key_blobtype) { case MM_USERKEY: - verified = pubkey_key_verify(key, signature, signaturelen, data, datalen); + verified = user_key_verify(key, signature, signaturelen, data, datalen); break; case MM_HOSTKEY: - verified = hostkey_key_verify(key, signature, signaturelen, data, datalen); + verified = hostbased_key_verify(key, signature, signaturelen, data, datalen); break; default: verified = 0; diff -up openssh-5.8p1/monitor_wrap.c.audit2a openssh-5.8p1/monitor_wrap.c --- openssh-5.8p1/monitor_wrap.c.audit2a 2011-03-02 08:26:16.000000000 +0100 +++ openssh-5.8p1/monitor_wrap.c 2011-03-02 08:26:17.000000000 +0100 @@ -393,7 +393,7 @@ mm_key_allowed(enum mm_keytype type, cha */ int -mm_key_verify(Key *key, u_char *sig, u_int siglen, u_char *data, u_int datalen) +mm_key_verify(enum mm_keytype type, Key *key, u_char *sig, u_int siglen, u_char *data, u_int datalen) { Buffer m; u_char *blob; @@ -407,6 +407,7 @@ mm_key_verify(Key *key, u_char *sig, u_i return (0); buffer_init(&m); + buffer_put_int(&m, type); buffer_put_string(&m, blob, len); buffer_put_string(&m, sig, siglen); buffer_put_string(&m, data, datalen); @@ -424,6 +425,19 @@ mm_key_verify(Key *key, u_char *sig, u_i return (verified); } +int +mm_hostbased_key_verify(Key *key, u_char *sig, u_int siglen, u_char *data, u_int datalen) +{ + return mm_key_verify(MM_HOSTKEY, key, sig, siglen, data, datalen); +} + +int +mm_user_key_verify(Key *key, u_char *sig, u_int siglen, u_char *data, u_int datalen) +{ + return mm_key_verify(MM_USERKEY, key, sig, siglen, data, datalen); +} + + /* Export key state after authentication */ Newkeys * mm_newkeys_from_blob(u_char *blob, int blen) diff -up openssh-5.8p1/monitor_wrap.h.audit2a openssh-5.8p1/monitor_wrap.h --- openssh-5.8p1/monitor_wrap.h.audit2a 2011-03-02 08:26:16.000000000 +0100 +++ openssh-5.8p1/monitor_wrap.h 2011-03-02 08:26:17.000000000 +0100 @@ -48,7 +48,8 @@ int mm_key_allowed(enum mm_keytype, char int mm_user_key_allowed(struct passwd *, Key *); int mm_hostbased_key_allowed(struct passwd *, char *, char *, Key *); int mm_auth_rhosts_rsa_key_allowed(struct passwd *, char *, char *, Key *); -int mm_key_verify(Key *, u_char *, u_int, u_char *, u_int); +int mm_hostbased_key_verify(Key *, u_char *, u_int, u_char *, u_int); +int mm_user_key_verify(Key *, u_char *, u_int, u_char *, u_int); int mm_auth_rsa_key_allowed(struct passwd *, BIGNUM *, Key **); int mm_auth_rsa_verify_response(Key *, BIGNUM *, u_char *); BIGNUM *mm_auth_rsa_generate_challenge(Key *);