Diffstat (limited to 'ssh-keygen.c')
-rw-r--r-- | ssh-keygen.c | 94 |
1 files changed, 55 insertions, 39 deletions
diff --git a/ssh-keygen.c b/ssh-keygen.c index 1eb25bd94..14eee6f87 100644 --- a/ssh-keygen.c +++ b/ssh-keygen.c | |||
@@ -1,4 +1,4 @@ | |||
1 | /* $OpenBSD: ssh-keygen.c,v 1.189 2010/04/23 22:48:31 djm Exp $ */ | 1 | /* $OpenBSD: ssh-keygen.c,v 1.190 2010/05/20 23:46:02 djm Exp $ */ |
2 | /* | 2 | /* |
3 | * Author: Tatu Ylonen <ylo@cs.hut.fi> | 3 | * Author: Tatu Ylonen <ylo@cs.hut.fi> |
4 | * Copyright (c) 1994 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland | 4 | * Copyright (c) 1994 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland |
@@ -122,17 +122,16 @@ u_int64_t cert_valid_from = 0; | |||
122 | u_int64_t cert_valid_to = ~0ULL; | 122 | u_int64_t cert_valid_to = ~0ULL; |
123 | 123 | ||
124 | /* Certificate options */ | 124 | /* Certificate options */ |
125 | #define CRITOPT_X_FWD (1) | 125 | #define CERTOPT_X_FWD (1) |
126 | #define CRITOPT_AGENT_FWD (1<<1) | 126 | #define CERTOPT_AGENT_FWD (1<<1) |
127 | #define CRITOPT_PORT_FWD (1<<2) | 127 | #define CERTOPT_PORT_FWD (1<<2) |
128 | #define CRITOPT_PTY (1<<3) | 128 | #define CERTOPT_PTY (1<<3) |
129 | #define CRITOPT_USER_RC (1<<4) | 129 | #define CERTOPT_USER_RC (1<<4) |
130 | #define CRITOPT_DEFAULT (CRITOPT_X_FWD|CRITOPT_AGENT_FWD| \ | 130 | #define CERTOPT_DEFAULT (CERTOPT_X_FWD|CERTOPT_AGENT_FWD| \ |
131 | CRITOPT_PORT_FWD|CRITOPT_PTY| \ | 131 | CERTOPT_PORT_FWD|CERTOPT_PTY|CERTOPT_USER_RC) |
132 | CRITOPT_USER_RC) | 132 | u_int32_t certflags_flags = CERTOPT_DEFAULT; |
133 | u_int32_t critical_flags = CRITOPT_DEFAULT; | 133 | char *certflags_command = NULL; |
134 | char *critical_command = NULL; | 134 | char *certflags_src_addr = NULL; |
135 | char *critical_src_addr = NULL; | ||
136 | 135 | ||
137 | /* Dump public key file in format used by real and the original SSH 2 */ | 136 | /* Dump public key file in format used by real and the original SSH 2 */ |
138 | int convert_to_ssh2 = 0; | 137 | int convert_to_ssh2 = 0; |
@@ -1133,24 +1132,33 @@ add_string_option(Buffer *c, const char *name, const char *value) | |||
1133 | buffer_free(&b); | 1132 | buffer_free(&b); |
1134 | } | 1133 | } |
1135 | 1134 | ||
1135 | #define OPTIONS_CRITICAL 1 | ||
1136 | #define OPTIONS_EXTENSIONS 2 | ||
1136 | static void | 1137 | static void |
1137 | prepare_options_buf(Buffer *c) | 1138 | prepare_options_buf(Buffer *c, int which) |
1138 | { | 1139 | { |
1139 | buffer_clear(c); | 1140 | buffer_clear(c); |
1140 | if ((critical_flags & CRITOPT_X_FWD) != 0) | 1141 | if ((which & OPTIONS_EXTENSIONS) != 0 && |
1142 | (certflags_flags & CERTOPT_X_FWD) != 0) | ||
1141 | add_flag_option(c, "permit-X11-forwarding"); | 1143 | add_flag_option(c, "permit-X11-forwarding"); |
1142 | if ((critical_flags & CRITOPT_AGENT_FWD) != 0) | 1144 | if ((which & OPTIONS_EXTENSIONS) != 0 && |
1145 | (certflags_flags & CERTOPT_AGENT_FWD) != 0) | ||
1143 | add_flag_option(c, "permit-agent-forwarding"); | 1146 | add_flag_option(c, "permit-agent-forwarding"); |
1144 | if ((critical_flags & CRITOPT_PORT_FWD) != 0) | 1147 | if ((which & OPTIONS_EXTENSIONS) != 0 && |
1148 | (certflags_flags & CERTOPT_PORT_FWD) != 0) | ||
1145 | add_flag_option(c, "permit-port-forwarding"); | 1149 | add_flag_option(c, "permit-port-forwarding"); |
1146 | if ((critical_flags & CRITOPT_PTY) != 0) | 1150 | if ((which & OPTIONS_EXTENSIONS) != 0 && |
1151 | (certflags_flags & CERTOPT_PTY) != 0) | ||
1147 | add_flag_option(c, "permit-pty"); | 1152 | add_flag_option(c, "permit-pty"); |
1148 | if ((critical_flags & CRITOPT_USER_RC) != 0) | 1153 | if ((which & OPTIONS_EXTENSIONS) != 0 && |
1154 | (certflags_flags & CERTOPT_USER_RC) != 0) | ||
1149 | add_flag_option(c, "permit-user-rc"); | 1155 | add_flag_option(c, "permit-user-rc"); |
1150 | if (critical_command != NULL) | 1156 | if ((which & OPTIONS_CRITICAL) != 0 && |
1151 | add_string_option(c, "force-command", critical_command); | 1157 | certflags_command != NULL) |
1152 | if (critical_src_addr != NULL) | 1158 | add_string_option(c, "force-command", certflags_command); |
1153 | add_string_option(c, "source-address", critical_src_addr); | 1159 | if ((which & OPTIONS_CRITICAL) != 0 && |
1160 | certflags_src_addr != NULL) | ||
1161 | add_string_option(c, "source-address", certflags_src_addr); | ||
1154 | } | 1162 | } |
1155 | 1163 | ||
1156 | static void | 1164 | static void |
@@ -1218,7 +1226,15 @@ do_ca_sign(struct passwd *pw, int argc, char **argv) | |||
1218 | public->cert->principals = plist; | 1226 | public->cert->principals = plist; |
1219 | public->cert->valid_after = cert_valid_from; | 1227 | public->cert->valid_after = cert_valid_from; |
1220 | public->cert->valid_before = cert_valid_to; | 1228 | public->cert->valid_before = cert_valid_to; |
1221 | prepare_options_buf(&public->cert->critical); | 1229 | if (v00) { |
1230 | prepare_options_buf(&public->cert->critical, | ||
1231 | OPTIONS_CRITICAL|OPTIONS_EXTENSIONS); | ||
1232 | } else { | ||
1233 | prepare_options_buf(&public->cert->critical, | ||
1234 | OPTIONS_CRITICAL); | ||
1235 | prepare_options_buf(&public->cert->extensions, | ||
1236 | OPTIONS_EXTENSIONS); | ||
1237 | } | ||
1222 | public->cert->signature_key = key_from_private(ca); | 1238 | public->cert->signature_key = key_from_private(ca); |
1223 | 1239 | ||
1224 | if (key_certify(public, ca) != 0) | 1240 | if (key_certify(public, ca) != 0) |
@@ -1354,43 +1370,43 @@ add_cert_option(char *opt) | |||
1354 | char *val; | 1370 | char *val; |
1355 | 1371 | ||
1356 | if (strcmp(opt, "clear") == 0) | 1372 | if (strcmp(opt, "clear") == 0) |
1357 | critical_flags = 0; | 1373 | certflags_flags = 0; |
1358 | else if (strcasecmp(opt, "no-x11-forwarding") == 0) | 1374 | else if (strcasecmp(opt, "no-x11-forwarding") == 0) |
1359 | critical_flags &= ~CRITOPT_X_FWD; | 1375 | certflags_flags &= ~CERTOPT_X_FWD; |
1360 | else if (strcasecmp(opt, "permit-x11-forwarding") == 0) | 1376 | else if (strcasecmp(opt, "permit-x11-forwarding") == 0) |
1361 | critical_flags |= CRITOPT_X_FWD; | 1377 | certflags_flags |= CERTOPT_X_FWD; |
1362 | else if (strcasecmp(opt, "no-agent-forwarding") == 0) | 1378 | else if (strcasecmp(opt, "no-agent-forwarding") == 0) |
1363 | critical_flags &= ~CRITOPT_AGENT_FWD; | 1379 | certflags_flags &= ~CERTOPT_AGENT_FWD; |
1364 | else if (strcasecmp(opt, "permit-agent-forwarding") == 0) | 1380 | else if (strcasecmp(opt, "permit-agent-forwarding") == 0) |
1365 | critical_flags |= CRITOPT_AGENT_FWD; | 1381 | certflags_flags |= CERTOPT_AGENT_FWD; |
1366 | else if (strcasecmp(opt, "no-port-forwarding") == 0) | 1382 | else if (strcasecmp(opt, "no-port-forwarding") == 0) |
1367 | critical_flags &= ~CRITOPT_PORT_FWD; | 1383 | certflags_flags &= ~CERTOPT_PORT_FWD; |
1368 | else if (strcasecmp(opt, "permit-port-forwarding") == 0) | 1384 | else if (strcasecmp(opt, "permit-port-forwarding") == 0) |
1369 | critical_flags |= CRITOPT_PORT_FWD; | 1385 | certflags_flags |= CERTOPT_PORT_FWD; |
1370 | else if (strcasecmp(opt, "no-pty") == 0) | 1386 | else if (strcasecmp(opt, "no-pty") == 0) |
1371 | critical_flags &= ~CRITOPT_PTY; | 1387 | certflags_flags &= ~CERTOPT_PTY; |
1372 | else if (strcasecmp(opt, "permit-pty") == 0) | 1388 | else if (strcasecmp(opt, "permit-pty") == 0) |
1373 | critical_flags |= CRITOPT_PTY; | 1389 | certflags_flags |= CERTOPT_PTY; |
1374 | else if (strcasecmp(opt, "no-user-rc") == 0) | 1390 | else if (strcasecmp(opt, "no-user-rc") == 0) |
1375 | critical_flags &= ~CRITOPT_USER_RC; | 1391 | certflags_flags &= ~CERTOPT_USER_RC; |
1376 | else if (strcasecmp(opt, "permit-user-rc") == 0) | 1392 | else if (strcasecmp(opt, "permit-user-rc") == 0) |
1377 | critical_flags |= CRITOPT_USER_RC; | 1393 | certflags_flags |= CERTOPT_USER_RC; |
1378 | else if (strncasecmp(opt, "force-command=", 14) == 0) { | 1394 | else if (strncasecmp(opt, "force-command=", 14) == 0) { |
1379 | val = opt + 14; | 1395 | val = opt + 14; |
1380 | if (*val == '\0') | 1396 | if (*val == '\0') |
1381 | fatal("Empty force-command option"); | 1397 | fatal("Empty force-command option"); |
1382 | if (critical_command != NULL) | 1398 | if (certflags_command != NULL) |
1383 | fatal("force-command already specified"); | 1399 | fatal("force-command already specified"); |
1384 | critical_command = xstrdup(val); | 1400 | certflags_command = xstrdup(val); |
1385 | } else if (strncasecmp(opt, "source-address=", 15) == 0) { | 1401 | } else if (strncasecmp(opt, "source-address=", 15) == 0) { |
1386 | val = opt + 15; | 1402 | val = opt + 15; |
1387 | if (*val == '\0') | 1403 | if (*val == '\0') |
1388 | fatal("Empty source-address option"); | 1404 | fatal("Empty source-address option"); |
1389 | if (critical_src_addr != NULL) | 1405 | if (certflags_src_addr != NULL) |
1390 | fatal("source-address already specified"); | 1406 | fatal("source-address already specified"); |
1391 | if (addr_match_cidr_list(NULL, val) != 0) | 1407 | if (addr_match_cidr_list(NULL, val) != 0) |
1392 | fatal("Invalid source-address list"); | 1408 | fatal("Invalid source-address list"); |
1393 | critical_src_addr = xstrdup(val); | 1409 | certflags_src_addr = xstrdup(val); |
1394 | } else | 1410 | } else |
1395 | fatal("Unsupported certificate option \"%s\"", opt); | 1411 | fatal("Unsupported certificate option \"%s\"", opt); |
1396 | } | 1412 | } |
@@ -1667,7 +1683,7 @@ main(int argc, char **argv) | |||
1667 | break; | 1683 | break; |
1668 | case 'h': | 1684 | case 'h': |
1669 | cert_key_type = SSH2_CERT_TYPE_HOST; | 1685 | cert_key_type = SSH2_CERT_TYPE_HOST; |
1670 | critical_flags = 0; | 1686 | certflags_flags = 0; |
1671 | break; | 1687 | break; |
1672 | case 'i': | 1688 | case 'i': |
1673 | case 'X': | 1689 | case 'X': |
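Review bot: The new `which` selector and its two `OPTIONS_*` values are introduced without a comment, and the same `(which & OPTIONS_EXTENSIONS) != 0` test is repeated for all five permit-* flags in prepare_options_buf; hoisting it into `int want_ext = (which & OPTIONS_EXTENSIONS) != 0;` (with a matching `want_crit`) and writing `if (want_ext && (certflags_flags & CERTOPT_X_FWD) != 0)` makes the split easier to audit. A comment at the defines, e.g. `/* Which option classes prepare_options_buf() emits: critical options (force-command, source-address) and/or extensions (permit-*) */`, would also help the next reader. The do_ca_sign change deserves a line noting that v00 certificates carry everything in the critical section while v01 moves the permit-* flags into the separate extensions section, which, if I read the certificate format right, means a server that does not recognise one of those names ignores it for v01 rather than rejecting the certificate. do_ca_sign and main both start outside their hunks, so `v00` is assumed to be set earlier in the function.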