diff options
| author | Damien Miller <djm@mindrot.org> | 2013-12-29 17:49:31 +1100 |
|---|---|---|
| committer | Damien Miller <djm@mindrot.org> | 2013-12-29 17:49:31 +1100 |
| commit | 29ace1cb68cc378a464c72c0fd67aa5f9acd6b5b (patch) | |
| tree | ed2c1bec2f2be78c21f1222413ac39101c3e6651 | |
| parent | 9de4fcdc5a9cff48d49a3e2f6194d3fb2d7ae34d (diff) | |
- djm@cvs.openbsd.org 2013/12/29 04:20:04
[key.c]
to make sure we don't omit any key types as valid CA keys again,
factor the valid key type check into a key_type_is_valid_ca()
function
| -rw-r--r-- | ChangeLog | 5 | ||||
| -rw-r--r-- | key.c | 24 |
2 files changed, 22 insertions, 7 deletions
| @@ -52,6 +52,11 @@ | |||
| 52 | - djm@cvs.openbsd.org 2013/12/29 02:49:52 | 52 | - djm@cvs.openbsd.org 2013/12/29 02:49:52 |
| 53 | [key.c] | 53 | [key.c] |
| 54 | correct comment for key_drop_cert() | 54 | correct comment for key_drop_cert() |
| 55 | - djm@cvs.openbsd.org 2013/12/29 04:20:04 | ||
| 56 | [key.c] | ||
| 57 | to make sure we don't omit any key types as valid CA keys again, | ||
| 58 | factor the valid key type check into a key_type_is_valid_ca() | ||
| 59 | function | ||
| 55 | 60 | ||
| 56 | 20131221 | 61 | 20131221 |
| 57 | - (dtucker) [regress/keytype.sh] Actually test ecdsa key types. | 62 | - (dtucker) [regress/keytype.sh] Actually test ecdsa key types. |
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: key.c,v 1.113 2013/12/29 02:49:52 djm Exp $ */ | 1 | /* $OpenBSD: key.c,v 1.114 2013/12/29 04:20:04 djm Exp $ */ |
| 2 | /* | 2 | /* |
| 3 | * read_bignum(): | 3 | * read_bignum(): |
| 4 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland | 4 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland |
| @@ -1091,6 +1091,20 @@ key_type_is_cert(int type) | |||
| 1091 | return 0; | 1091 | return 0; |
| 1092 | } | 1092 | } |
| 1093 | 1093 | ||
| 1094 | static int | ||
| 1095 | key_type_is_valid_ca(int type) | ||
| 1096 | { | ||
| 1097 | switch (type) { | ||
| 1098 | case KEY_RSA: | ||
| 1099 | case KEY_DSA: | ||
| 1100 | case KEY_ECDSA: | ||
| 1101 | case KEY_ED25519: | ||
| 1102 | return 1; | ||
| 1103 | default: | ||
| 1104 | return 0; | ||
| 1105 | } | ||
| 1106 | } | ||
| 1107 | |||
| 1094 | u_int | 1108 | u_int |
| 1095 | key_size(const Key *k) | 1109 | key_size(const Key *k) |
| 1096 | { | 1110 | { |
| @@ -1479,10 +1493,7 @@ cert_parse(Buffer *b, Key *key, const u_char *blob, u_int blen) | |||
| 1479 | error("%s: Signature key invalid", __func__); | 1493 | error("%s: Signature key invalid", __func__); |
| 1480 | goto out; | 1494 | goto out; |
| 1481 | } | 1495 | } |
| 1482 | if (key->cert->signature_key->type != KEY_RSA && | 1496 | if (!key_type_is_valid_ca(key->cert->signature_key->type)) { |
| 1483 | key->cert->signature_key->type != KEY_DSA && | ||
| 1484 | key->cert->signature_key->type != KEY_ECDSA && | ||
| 1485 | key->cert->signature_key->type != KEY_ED25519) { | ||
| 1486 | error("%s: Invalid signature key type %s (%d)", __func__, | 1497 | error("%s: Invalid signature key type %s (%d)", __func__, |
| 1487 | key_type(key->cert->signature_key), | 1498 | key_type(key->cert->signature_key), |
| 1488 | key->cert->signature_key->type); | 1499 | key->cert->signature_key->type); |
| @@ -1980,8 +1991,7 @@ key_certify(Key *k, Key *ca) | |||
| 1980 | return -1; | 1991 | return -1; |
| 1981 | } | 1992 | } |
| 1982 | 1993 | ||
| 1983 | if (ca->type != KEY_RSA && ca->type != KEY_DSA && | 1994 | if (!key_type_is_valid_ca(ca->type)) { |
| 1984 | ca->type != KEY_ECDSA && ca->type != KEY_ED25519) { | ||
| 1985 | error("%s: CA key has unsupported type %s", __func__, | 1995 | error("%s: CA key has unsupported type %s", __func__, |
| 1986 | key_type(ca)); | 1996 | key_type(ca)); |
| 1987 | return -1; | 1997 | return -1; |