-rw-r--r-- | ChangeLog | 4 | ||||
-rw-r--r-- | PROTOCOL.certkeys | 12 | ||||
-rw-r--r-- | ssh-keygen.c | 14 |
3 files changed, 19 insertions, 11 deletions
@@ -5,6 +5,10 @@ | |||
5 | Remove mentions of weird "addr/port" alternate address format for IPv6 | 5 | Remove mentions of weird "addr/port" alternate address format for IPv6 |
6 | addresses combinations. It hasn't worked for ages and we have supported | 6 | addresses combinations. It hasn't worked for ages and we have supported |
7 | the more commen "[addr]:port" format for a long time. ok jmc@ markus@ | 7 | the more commen "[addr]:port" format for a long time. ok jmc@ markus@ |
8 | - djm@cvs.openbsd.org 2010/08/04 05:40:39 | ||
9 | [PROTOCOL.certkeys ssh-keygen.c] | ||
10 | tighten the rules for certificate encoding by requiring that options | ||
11 | appear in lexical order and make our ssh-keygen comply. ok markus@ | ||
8 | 12 | ||
9 | 20100903 | 13 | 20100903 |
10 | - (dtucker) [monitor.c] Bug #1795: Initialize the values to be returned from | 14 | - (dtucker) [monitor.c] Bug #1795: Initialize the values to be returned from |
diff --git a/PROTOCOL.certkeys b/PROTOCOL.certkeys index 81b02a078..1d1be13da 100644 --- a/PROTOCOL.certkeys +++ b/PROTOCOL.certkeys | |||
@@ -157,6 +157,9 @@ is a sequence of zero or more tuples: | |||
157 | string name | 157 | string name |
158 | string data | 158 | string data |
159 | 159 | ||
160 | Options must be lexically ordered by "name" if they appear in the | ||
161 | sequence. | ||
162 | |||
160 | The name field identifies the option and the data field encodes | 163 | The name field identifies the option and the data field encodes |
161 | option-specific information (see below). All options are | 164 | option-specific information (see below). All options are |
162 | "critical", if an implementation does not recognise a option | 165 | "critical", if an implementation does not recognise a option |
@@ -185,9 +188,10 @@ Extensions | |||
185 | ---------- | 188 | ---------- |
186 | 189 | ||
187 | The extensions section of the certificate specifies zero or more | 190 | The extensions section of the certificate specifies zero or more |
188 | non-critical certificate extensions. The encoding of extensions in this | 191 | non-critical certificate extensions. The encoding and ordering of |
189 | field is identical to that of the critical options. If an implementation | 192 | extensions in this field is identical to that of the critical options. |
190 | does not recognise an extension, then it should ignore it. | 193 | If an implementation does not recognise an extension, then it should |
194 | ignore it. | ||
191 | 195 | ||
192 | The supported extensions and the contents and structure of their data | 196 | The supported extensions and the contents and structure of their data |
193 | fields are: | 197 | fields are: |
@@ -218,4 +222,4 @@ permit-user-rc empty Flag indicating that execution of | |||
218 | of this script will not be permitted if | 222 | of this script will not be permitted if |
219 | this option is not present. | 223 | this option is not present. |
220 | 224 | ||
221 | $OpenBSD: PROTOCOL.certkeys,v 1.6 2010/05/20 23:46:02 djm Exp $ | 225 | $OpenBSD: PROTOCOL.certkeys,v 1.7 2010/08/04 05:40:39 djm Exp $ |
diff --git a/ssh-keygen.c b/ssh-keygen.c index 56bfee20d..4c60a659f 100644 --- a/ssh-keygen.c +++ b/ssh-keygen.c | |||
@@ -1,4 +1,4 @@ | |||
1 | /* $OpenBSD: ssh-keygen.c,v 1.195 2010/07/16 04:45:30 djm Exp $ */ | 1 | /* $OpenBSD: ssh-keygen.c,v 1.196 2010/08/04 05:40:39 djm Exp $ */ |
2 | /* | 2 | /* |
3 | * Author: Tatu Ylonen <ylo@cs.hut.fi> | 3 | * Author: Tatu Ylonen <ylo@cs.hut.fi> |
4 | * Copyright (c) 1994 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland | 4 | * Copyright (c) 1994 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland |
@@ -1295,9 +1295,9 @@ static void | |||
1295 | prepare_options_buf(Buffer *c, int which) | 1295 | prepare_options_buf(Buffer *c, int which) |
1296 | { | 1296 | { |
1297 | buffer_clear(c); | 1297 | buffer_clear(c); |
1298 | if ((which & OPTIONS_EXTENSIONS) != 0 && | 1298 | if ((which & OPTIONS_CRITICAL) != 0 && |
1299 | (certflags_flags & CERTOPT_X_FWD) != 0) | 1299 | certflags_command != NULL) |
1300 | add_flag_option(c, "permit-X11-forwarding"); | 1300 | add_string_option(c, "force-command", certflags_command); |
1301 | if ((which & OPTIONS_EXTENSIONS) != 0 && | 1301 | if ((which & OPTIONS_EXTENSIONS) != 0 && |
1302 | (certflags_flags & CERTOPT_AGENT_FWD) != 0) | 1302 | (certflags_flags & CERTOPT_AGENT_FWD) != 0) |
1303 | add_flag_option(c, "permit-agent-forwarding"); | 1303 | add_flag_option(c, "permit-agent-forwarding"); |
@@ -1310,9 +1310,9 @@ prepare_options_buf(Buffer *c, int which) | |||
1310 | if ((which & OPTIONS_EXTENSIONS) != 0 && | 1310 | if ((which & OPTIONS_EXTENSIONS) != 0 && |
1311 | (certflags_flags & CERTOPT_USER_RC) != 0) | 1311 | (certflags_flags & CERTOPT_USER_RC) != 0) |
1312 | add_flag_option(c, "permit-user-rc"); | 1312 | add_flag_option(c, "permit-user-rc"); |
1313 | if ((which & OPTIONS_CRITICAL) != 0 && | 1313 | if ((which & OPTIONS_EXTENSIONS) != 0 && |
1314 | certflags_command != NULL) | 1314 | (certflags_flags & CERTOPT_X_FWD) != 0) |
1315 | add_string_option(c, "force-command", certflags_command); | 1315 | add_flag_option(c, "permit-X11-forwarding"); |
1316 | if ((which & OPTIONS_CRITICAL) != 0 && | 1316 | if ((which & OPTIONS_CRITICAL) != 0 && |
1317 | certflags_src_addr != NULL) | 1317 | certflags_src_addr != NULL) |
1318 | add_string_option(c, "source-address", certflags_src_addr); | 1318 | add_string_option(c, "source-address", certflags_src_addr); |
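Review bot: The new ordering at lines 1312–1315 places `permit-X11-forwarding` after `permit-user-rc`, which is lexical only if the comparison ignores case; under plain byte-wise ordering (strcmp, where uppercase 'X' sorts before every lowercase letter) it would have to precede `permit-agent-forwarding` at line 1303. PROTOCOL.certkeys in this same commit says only that options "must be lexically ordered" without naming the comparison, so a verifier that enforces strict byte order could reject certificates this ssh-keygen produces; either the spec should state the comparison or the emission order should follow strcmp. The invariant is also carried purely by the textual order of the `if` statements, with nothing in the function saying so; a comment above the first option such as `/* Options and extensions must be emitted in lexical order of name (PROTOCOL.certkeys); keep new entries sorted. */` would stop a later addition from silently breaking it. prepare_options_buf begins at the first hunk's opening line but appears to continue past the end of the last hunk.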