- djm@cvs.openbsd.org 2010/05/11 02:58:04

[auth-rsa.c] don't accept certificates marked as "cert-authority" here; ok markus@
author: Damien Miller <djm@mindrot.org> 2010-05-21 14:56:25 +1000
committer: Damien Miller <djm@mindrot.org> 2010-05-21 14:56:25 +1000
commit: 3b903827ebe16c97f705cb3b6ef6e9702d770087 (patch)
tree: 4c10236ed3ef5c75eba44e4e0586ca3634ff88cf
parent: 3bcce80b544174b70dfd6e0a4e9f1488ca6fa69b (diff)
2 files changed, 6 insertions, 2 deletions
diff --git a/ChangeLog b/ChangeLog
index 35cd857a2..d5a5aa6d2 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -4,6 +4,9 @@
     [regress/Makefile regress/cert-userkey.sh]
     regress tests for AuthorizedPrincipalsFile and "principals=" key option.
     feedback and ok markus@
+   - djm@cvs.openbsd.org 2010/05/11 02:58:04
+     [auth-rsa.c]
+     don't accept certificates marked as "cert-authority" here; ok markus@
 20100511
 - (dtucker) [Makefile.in] Bug #1770: Link libopenbsd-compat twice to solve
diff --git a/auth-rsa.c b/auth-rsa.c
index 326937ac0..ef6767bfb 100644
--- a/auth-rsa.c
+++ b/auth-rsa.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: auth-rsa.c,v 1.75 2010/04/16 01:47:26 djm Exp $ */
+/* $OpenBSD: auth-rsa.c,v 1.76 2010/05/11 02:58:04 djm Exp $ */
 /*
 * Author: Tatu Ylonen <ylo@cs.hut.fi>
 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -256,7 +256,8 @@ auth_rsa_key_allowed(struct passwd *pw, BIGNUM *client_n, Key **rkey)
                 */
                if (!auth_parse_options(pw, key_options, file, linenum))
                        continue;
+                if (key_is_cert_authority)
+                        continue;
                /* break out, this key is allowed */
                allowed = 1;
                break;
author	Damien Miller <djm@mindrot.org>	2010-05-21 14:56:25 +1000
committer	Damien Miller <djm@mindrot.org>	2010-05-21 14:56:25 +1000
commit	3b903827ebe16c97f705cb3b6ef6e9702d770087 (patch)
tree	4c10236ed3ef5c75eba44e4e0586ca3634ff88cf
parent	3bcce80b544174b70dfd6e0a4e9f1488ca6fa69b (diff)

diff --git a/ChangeLog b/ChangeLog index 35cd857a2..d5a5aa6d2 100644 --- a/ChangeLog +++ b/ChangeLog
@@ -4,6 +4,9 @@
4	[regress/Makefile regress/cert-userkey.sh]	4	[regress/Makefile regress/cert-userkey.sh]
5	regress tests for AuthorizedPrincipalsFile and "principals=" key option.	5	regress tests for AuthorizedPrincipalsFile and "principals=" key option.
6	feedback and ok markus@	6	feedback and ok markus@
		7	- djm@cvs.openbsd.org 2010/05/11 02:58:04
		8	[auth-rsa.c]
		9	don't accept certificates marked as "cert-authority" here; ok markus@
7		10
8	20100511	11	20100511
9	- (dtucker) [Makefile.in] Bug #1770: Link libopenbsd-compat twice to solve	12	- (dtucker) [Makefile.in] Bug #1770: Link libopenbsd-compat twice to solve


diff --git a/auth-rsa.c b/auth-rsa.c index 326937ac0..ef6767bfb 100644 --- a/auth-rsa.c +++ b/auth-rsa.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: auth-rsa.c,v 1.75 2010/04/16 01:47:26 djm Exp $ */	1	/* $OpenBSD: auth-rsa.c,v 1.76 2010/05/11 02:58:04 djm Exp $ */
2	/*	2	/*
3	* Author: Tatu Ylonen <ylo@cs.hut.fi>	3	* Author: Tatu Ylonen <ylo@cs.hut.fi>
4	* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland	4	* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -256,7 +256,8 @@ auth_rsa_key_allowed(struct passwd pw, BIGNUM client_n, Key **rkey)
256	*/	256	*/
257	if (!auth_parse_options(pw, key_options, file, linenum))	257	if (!auth_parse_options(pw, key_options, file, linenum))
258	continue;	258	continue;
259		259	if (key_is_cert_authority)
		260	continue;
260	/* break out, this key is allowed */	261	/* break out, this key is allowed */
261	allowed = 1;	262	allowed = 1;
262	break;	263	break;