summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorDamien Miller <djm@mindrot.org>2010-08-05 13:03:51 +1000
committerDamien Miller <djm@mindrot.org>2010-08-05 13:03:51 +1000
commit1da638895916bc061ff6aca9f373d48a9776810b (patch)
treecb085a570b7fae045555c12b680c73506f333b03
parent7fa96602e52f02e66897f98a1568cbd3a555192b (diff)
- djm@cvs.openbsd.org 2010/08/04 05:40:39
[PROTOCOL.certkeys ssh-keygen.c] tighten the rules for certificate encoding by requiring that options appear in lexical order and make our ssh-keygen comply. ok markus@
Diffstat
-rw-r--r--ChangeLog4
-rw-r--r--PROTOCOL.certkeys12
-rw-r--r--ssh-keygen.c14
3 files changed, 19 insertions, 11 deletions
diff --git a/ChangeLog b/ChangeLog
index eadbb9a79..73954735a 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -5,6 +5,10 @@
5 Remove mentions of weird "addr/port" alternate address format for IPv6 5 Remove mentions of weird "addr/port" alternate address format for IPv6
6 addresses combinations. It hasn't worked for ages and we have supported 6 addresses combinations. It hasn't worked for ages and we have supported
7 the more commen "[addr]:port" format for a long time. ok jmc@ markus@ 7 the more commen "[addr]:port" format for a long time. ok jmc@ markus@
8 - djm@cvs.openbsd.org 2010/08/04 05:40:39
9 [PROTOCOL.certkeys ssh-keygen.c]
10 tighten the rules for certificate encoding by requiring that options
11 appear in lexical order and make our ssh-keygen comply. ok markus@
8 12
920100903 1320100903
10 - (dtucker) [monitor.c] Bug #1795: Initialize the values to be returned from 14 - (dtucker) [monitor.c] Bug #1795: Initialize the values to be returned from
diff --git a/PROTOCOL.certkeys b/PROTOCOL.certkeys
index 81b02a078..1d1be13da 100644
--- a/PROTOCOL.certkeys
+++ b/PROTOCOL.certkeys
@@ -157,6 +157,9 @@ is a sequence of zero or more tuples:
157 string name 157 string name
158 string data 158 string data
159 159
160Options must be lexically ordered by "name" if they appear in the
161sequence.
162
160The name field identifies the option and the data field encodes 163The name field identifies the option and the data field encodes
161option-specific information (see below). All options are 164option-specific information (see below). All options are
162"critical", if an implementation does not recognise a option 165"critical", if an implementation does not recognise a option
@@ -185,9 +188,10 @@ Extensions
185---------- 188----------
186 189
187The extensions section of the certificate specifies zero or more 190The extensions section of the certificate specifies zero or more
188non-critical certificate extensions. The encoding of extensions in this 191non-critical certificate extensions. The encoding and ordering of
189field is identical to that of the critical options. If an implementation 192extensions in this field is identical to that of the critical options.
190does not recognise an extension, then it should ignore it. 193If an implementation does not recognise an extension, then it should
194ignore it.
191 195
192The supported extensions and the contents and structure of their data 196The supported extensions and the contents and structure of their data
193fields are: 197fields are:
@@ -218,4 +222,4 @@ permit-user-rc empty Flag indicating that execution of
218 of this script will not be permitted if 222 of this script will not be permitted if
219 this option is not present. 223 this option is not present.
220 224
221$OpenBSD: PROTOCOL.certkeys,v 1.6 2010/05/20 23:46:02 djm Exp $ 225$OpenBSD: PROTOCOL.certkeys,v 1.7 2010/08/04 05:40:39 djm Exp $
diff --git a/ssh-keygen.c b/ssh-keygen.c
index 56bfee20d..4c60a659f 100644
--- a/ssh-keygen.c
+++ b/ssh-keygen.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: ssh-keygen.c,v 1.195 2010/07/16 04:45:30 djm Exp $ */ 1/* $OpenBSD: ssh-keygen.c,v 1.196 2010/08/04 05:40:39 djm Exp $ */
2/* 2/*
3 * Author: Tatu Ylonen <ylo@cs.hut.fi> 3 * Author: Tatu Ylonen <ylo@cs.hut.fi>
4 * Copyright (c) 1994 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland 4 * Copyright (c) 1994 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -1295,9 +1295,9 @@ static void
1295prepare_options_buf(Buffer *c, int which) 1295prepare_options_buf(Buffer *c, int which)
1296{ 1296{
1297 buffer_clear(c); 1297 buffer_clear(c);
1298 if ((which & OPTIONS_EXTENSIONS) != 0 && 1298 if ((which & OPTIONS_CRITICAL) != 0 &&
1299 (certflags_flags & CERTOPT_X_FWD) != 0) 1299 certflags_command != NULL)
1300 add_flag_option(c, "permit-X11-forwarding"); 1300 add_string_option(c, "force-command", certflags_command);
1301 if ((which & OPTIONS_EXTENSIONS) != 0 && 1301 if ((which & OPTIONS_EXTENSIONS) != 0 &&
1302 (certflags_flags & CERTOPT_AGENT_FWD) != 0) 1302 (certflags_flags & CERTOPT_AGENT_FWD) != 0)
1303 add_flag_option(c, "permit-agent-forwarding"); 1303 add_flag_option(c, "permit-agent-forwarding");
@@ -1310,9 +1310,9 @@ prepare_options_buf(Buffer *c, int which)
1310 if ((which & OPTIONS_EXTENSIONS) != 0 && 1310 if ((which & OPTIONS_EXTENSIONS) != 0 &&
1311 (certflags_flags & CERTOPT_USER_RC) != 0) 1311 (certflags_flags & CERTOPT_USER_RC) != 0)
1312 add_flag_option(c, "permit-user-rc"); 1312 add_flag_option(c, "permit-user-rc");
1313 if ((which & OPTIONS_CRITICAL) != 0 && 1313 if ((which & OPTIONS_EXTENSIONS) != 0 &&
1314 certflags_command != NULL) 1314 (certflags_flags & CERTOPT_X_FWD) != 0)
1315 add_string_option(c, "force-command", certflags_command); 1315 add_flag_option(c, "permit-X11-forwarding");
1316 if ((which & OPTIONS_CRITICAL) != 0 && 1316 if ((which & OPTIONS_CRITICAL) != 0 &&
1317 certflags_src_addr != NULL) 1317 certflags_src_addr != NULL)
1318 add_string_option(c, "source-address", certflags_src_addr); 1318 add_string_option(c, "source-address", certflags_src_addr);
generated by cgit v1.2.3 (git 2.39.1) at 2024-06-29 09:14:42 +0000