upstream: add sshkey_check_cert_sigtype() that checks a
cert->signature_type against a supplied whitelist; ok markus OpenBSD-Commit-ID: caadb8073292ed7a9535e5adc067d11d356d9302
parent
a70fd4ad7b
commit
ba9e788315
23
sshkey.c
23
sshkey.c
|
@ -1,4 +1,4 @@
|
|||
/* $OpenBSD: sshkey.c,v 1.67 2018/09/12 01:31:30 djm Exp $ */
|
||||
/* $OpenBSD: sshkey.c,v 1.68 2018/09/12 01:32:54 djm Exp $ */
|
||||
/*
|
||||
* Copyright (c) 2000, 2001 Markus Friedl. All rights reserved.
|
||||
* Copyright (c) 2008 Alexander von Gernler. All rights reserved.
|
||||
|
@ -2260,6 +2260,27 @@ get_sigtype(const u_char *sig, size_t siglen, char **sigtypep)
|
|||
return r;
|
||||
}
|
||||
|
||||
/*
|
||||
*
|
||||
* Checks whether a certificate's signature type is allowed.
|
||||
* Returns 0 (success) if the certificate signature type appears in the
|
||||
* "allowed" pattern-list, or the key is not a certificate to begin with.
|
||||
* Otherwise returns a ssherr.h code.
|
||||
*/
|
||||
int
|
||||
sshkey_check_cert_sigtype(const struct sshkey *key, const char *allowed)
|
||||
{
|
||||
if (key == NULL || allowed == NULL)
|
||||
return SSH_ERR_INVALID_ARGUMENT;
|
||||
if (!sshkey_type_is_cert(key->type))
|
||||
return 0;
|
||||
if (key->cert == NULL || key->cert->signature_type == NULL)
|
||||
return SSH_ERR_INVALID_ARGUMENT;
|
||||
if (match_pattern_list(key->cert->signature_type, allowed, 0) != 1)
|
||||
return SSH_ERR_SIGN_ALG_UNSUPPORTED;
|
||||
return 0;
|
||||
}
|
||||
|
||||
/*
|
||||
* Returns the expected signature algorithm for a given public key algorithm.
|
||||
*/
|
||||
|
|
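Review bot: The comment above sshkey_check_cert_sigtype() should state that a return of 0 does not mean any signature was verified. The function only matches the algorithm name stored in `key->cert->signature_type` against `allowed`, and it also returns 0 for every non-certificate key, so a caller enforcing a CA signature-algorithm policy still depends on the certificate signature being verified elsewhere. I would add `* Only the recorded CA signature algorithm name is compared; the signature itself is not verified here.` to the block and drop the empty ` *` line that opens it. The `!= 1` test also deserves a short why-comment such as `/* no match (0) and negated match (-1) both reject */`, since match_pattern_list() has more than two outcomes. The match is called with a final argument of 0 (no lowercasing), so the comment could also note that `allowed` is compared case-sensitively.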
3
sshkey.h
3
sshkey.h
|
@ -1,4 +1,4 @@
|
|||
/* $OpenBSD: sshkey.h,v 1.27 2018/09/12 01:31:30 djm Exp $ */
|
||||
/* $OpenBSD: sshkey.h,v 1.28 2018/09/12 01:32:54 djm Exp $ */
|
||||
|
||||
/*
|
||||
* Copyright (c) 2000, 2001 Markus Friedl. All rights reserved.
|
||||
|
@ -158,6 +158,7 @@ int sshkey_cert_check_authority(const struct sshkey *, int, int,
|
|||
const char *, const char **);
|
||||
size_t sshkey_format_cert_validity(const struct sshkey_cert *,
|
||||
char *, size_t) __attribute__((__bounded__(__string__, 2, 3)));
|
||||
int sshkey_check_cert_sigtype(const struct sshkey *, const char *);
|
||||
|
||||
int sshkey_certify(struct sshkey *, struct sshkey *, const char *);
|
||||
/* Variant allowing use of a custom signature function (e.g. for ssh-agent) */
|
||||
|
|