upstream: add sshkey_check_cert_sigtype() that checks a
cert->signature_type against a supplied whitelist; ok markus OpenBSD-Commit-ID: caadb8073292ed7a9535e5adc067d11d356d9302
This commit is contained in:
djm@openbsd.org
Damien Miller
parent
a70fd4ad7b
commit
ba9e788315
23
sshkey.c
23
sshkey.c
|
|
@ -1,4 +1,4 @@
|
||||||
/* $OpenBSD: sshkey.c,v 1.67 2018/09/12 01:31:30 djm Exp $ */
|
/* $OpenBSD: sshkey.c,v 1.68 2018/09/12 01:32:54 djm Exp $ */
|
||||||
/*
|
/*
|
||||||
* Copyright (c) 2000, 2001 Markus Friedl. All rights reserved.
|
* Copyright (c) 2000, 2001 Markus Friedl. All rights reserved.
|
||||||
* Copyright (c) 2008 Alexander von Gernler. All rights reserved.
|
* Copyright (c) 2008 Alexander von Gernler. All rights reserved.
|
||||||
|
|
@ -2260,6 +2260,27 @@ get_sigtype(const u_char *sig, size_t siglen, char **sigtypep)
|
||||||
return r;
|
return r;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/*
|
||||||
|
*
|
||||||
|
* Checks whether a certificate's signature type is allowed.
|
||||||
|
* Returns 0 (success) if the certificate signature type appears in the
|
||||||
|
* "allowed" pattern-list, or the key is not a certificate to begin with.
|
||||||
|
* Otherwise returns a ssherr.h code.
|
||||||
|
*/
|
||||||
|
int
|
||||||
|
sshkey_check_cert_sigtype(const struct sshkey *key, const char *allowed)
|
||||||
|
{
|
||||||
|
if (key == NULL || allowed == NULL)
|
||||||
|
return SSH_ERR_INVALID_ARGUMENT;
|
||||||
|
if (!sshkey_type_is_cert(key->type))
|
||||||
|
return 0;
|
||||||
|
if (key->cert == NULL || key->cert->signature_type == NULL)
|
||||||
|
return SSH_ERR_INVALID_ARGUMENT;
|
||||||
|
if (match_pattern_list(key->cert->signature_type, allowed, 0) != 1)
|
||||||
|
return SSH_ERR_SIGN_ALG_UNSUPPORTED;
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* Returns the expected signature algorithm for a given public key algorithm.
|
* Returns the expected signature algorithm for a given public key algorithm.
|
||||||
*/
|
*/
|
||||||
|
|
|
||||||
3
sshkey.h
3
sshkey.h
|
|
@ -1,4 +1,4 @@
|
||||||
/* $OpenBSD: sshkey.h,v 1.27 2018/09/12 01:31:30 djm Exp $ */
|
/* $OpenBSD: sshkey.h,v 1.28 2018/09/12 01:32:54 djm Exp $ */
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* Copyright (c) 2000, 2001 Markus Friedl. All rights reserved.
|
* Copyright (c) 2000, 2001 Markus Friedl. All rights reserved.
|
||||||
|
|
@ -158,6 +158,7 @@ int sshkey_cert_check_authority(const struct sshkey *, int, int,
|
||||||
const char *, const char **);
|
const char *, const char **);
|
||||||
size_t sshkey_format_cert_validity(const struct sshkey_cert *,
|
size_t sshkey_format_cert_validity(const struct sshkey_cert *,
|
||||||
char *, size_t) __attribute__((__bounded__(__string__, 2, 3)));
|
char *, size_t) __attribute__((__bounded__(__string__, 2, 3)));
|
||||||
|
int sshkey_check_cert_sigtype(const struct sshkey *, const char *);
|
||||||
|
|
||||||
int sshkey_certify(struct sshkey *, struct sshkey *, const char *);
|
int sshkey_certify(struct sshkey *, struct sshkey *, const char *);
|
||||||
/* Variant allowing use of a custom signature function (e.g. for ssh-agent) */
|
/* Variant allowing use of a custom signature function (e.g. for ssh-agent) */
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue