upstream commit

allow ssh-keygen to include arbitrary string or flag certificate extensions and critical options. ok markus@ dtucker@ Upstream-ID: 2cf28dd6c5489eb9fc136e0b667ac3ea10241646
author: djm@openbsd.org <djm@openbsd.org> 2017-04-29 04:12:25 +0000
committer: Damien Miller <djm@mindrot.org> 2017-05-01 09:35:38 +1000
commit: 249516e428e8461b46340a5df5d5ed1fbad2ccce (patch)
tree: 6e815007fb5507f1590e0c8835dae904f7b3107a /ssh-keygen.c
parent: 47a287bb6ac936c26b4f3ae63279c02902ded3b9 (diff)
1 files changed, 37 insertions, 2 deletions
diff --git a/ssh-keygen.c b/ssh-keygen.c
index f17af036b..c0d2d5942 100644
--- a/ssh-keygen.c
+++ b/ssh-keygen.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh-keygen.c,v 1.299 2017/03/10 04:26:06 djm Exp $ */
+/* $OpenBSD: ssh-keygen.c,v 1.300 2017/04/29 04:12:25 djm Exp $ */
 /*
 * Author: Tatu Ylonen <ylo@cs.hut.fi>
 * Copyright (c) 1994 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -149,6 +149,15 @@ u_int32_t certflags_flags = CERTOPT_DEFAULT;
 char *certflags_command = NULL;
 char *certflags_src_addr = NULL;
+/* Arbitrary extensions specified by user */
+struct cert_userext {
+        char *key;
+        char *val;
+        int crit;
+};
+struct cert_userext *cert_userext;
+size_t ncert_userext;
 /* Conversion to/from various formats */
 int convert_to = 0;
 int convert_from = 0;
@@ -1531,6 +1540,8 @@ add_string_option(struct sshbuf *c, const char *name, const char *value)
 static void
 prepare_options_buf(struct sshbuf *c, int which)
 {
+        size_t i;
        sshbuf_reset(c);
        if ((which & OPTIONS_CRITICAL) != 0 &&
            certflags_command != NULL)
@@ -1553,6 +1564,17 @@ prepare_options_buf(struct sshbuf *c, int which)
        if ((which & OPTIONS_CRITICAL) != 0 &&
            certflags_src_addr != NULL)
                add_string_option(c, "source-address", certflags_src_addr);
+        for (i = 0; i < ncert_userext; i++) {
+                if ((cert_userext[i].crit && (which & OPTIONS_EXTENSIONS)) ||
+                    (!cert_userext[i].crit && (which & OPTIONS_CRITICAL)))
+                        continue;
+                if (cert_userext[i].val == NULL)
+                        add_flag_option(c, cert_userext[i].key);
+                else {
+                        add_string_option(c, cert_userext[i].key,
+                            cert_userext[i].val);
+                }
+        }
 }
 static struct sshkey *
@@ -1789,7 +1811,8 @@ parse_cert_times(char *timespec)
 static void
 add_cert_option(char *opt)
 {
-        char *val;
+        char *val, *cp;
+        int iscrit = 0;
        if (strcasecmp(opt, "clear") == 0)
                certflags_flags = 0;
@@ -1829,6 +1852,18 @@ add_cert_option(char *opt)
                if (addr_match_cidr_list(NULL, val) != 0)
                        fatal("Invalid source-address list");
                certflags_src_addr = xstrdup(val);
+        } else if (strncasecmp(opt, "extension:", 10) == 0 ||
+                   (iscrit = (strncasecmp(opt, "critical:", 9) == 0))) {
+                val = xstrdup(strchr(opt, ':') + 1);
+                if ((cp = strchr(val, '=')) != NULL)
+                        *cp++ = '\0';
+                cert_userext = xreallocarray(cert_userext, ncert_userext + 1,
+                    sizeof(*cert_userext));
+                cert_userext[ncert_userext].key = val;
+                cert_userext[ncert_userext].val = cp == NULL ?
+                    NULL : xstrdup(cp);
+                cert_userext[ncert_userext].crit = iscrit;
+                ncert_userext++;
        } else
                fatal("Unsupported certificate option \"%s\"", opt);
 }
author	djm@openbsd.org <djm@openbsd.org>	2017-04-29 04:12:25 +0000
committer	Damien Miller <djm@mindrot.org>	2017-05-01 09:35:38 +1000
commit	249516e428e8461b46340a5df5d5ed1fbad2ccce (patch)
tree	6e815007fb5507f1590e0c8835dae904f7b3107a /ssh-keygen.c
parent	47a287bb6ac936c26b4f3ae63279c02902ded3b9 (diff)