diff options
author | Damien Miller <djm@mindrot.org> | 2010-08-05 13:03:51 +1000 |
---|---|---|
committer | Damien Miller <djm@mindrot.org> | 2010-08-05 13:03:51 +1000 |
commit | 1da638895916bc061ff6aca9f373d48a9776810b (patch) | |
tree | cb085a570b7fae045555c12b680c73506f333b03 | |
parent | 7fa96602e52f02e66897f98a1568cbd3a555192b (diff) |
- djm@cvs.openbsd.org 2010/08/04 05:40:39
[PROTOCOL.certkeys ssh-keygen.c]
tighten the rules for certificate encoding by requiring that options
appear in lexical order and make our ssh-keygen comply. ok markus@
-rw-r--r-- | ChangeLog | 4 | ||||
-rw-r--r-- | PROTOCOL.certkeys | 12 | ||||
-rw-r--r-- | ssh-keygen.c | 14 |
3 files changed, 19 insertions, 11 deletions
@@ -5,6 +5,10 @@ Remove mentions of weird "addr/port" alternate address format for IPv6 addresses combinations. It hasn't worked for ages and we have supported the more commen "[addr]:port" format for a long time. ok jmc@ markus@ + - djm@cvs.openbsd.org 2010/08/04 05:40:39 + [PROTOCOL.certkeys ssh-keygen.c] + tighten the rules for certificate encoding by requiring that options + appear in lexical order and make our ssh-keygen comply. ok markus@ 20100903 - (dtucker) [monitor.c] Bug #1795: Initialize the values to be returned from diff --git a/PROTOCOL.certkeys b/PROTOCOL.certkeys index 81b02a07..1d1be13d 100644 --- a/PROTOCOL.certkeys +++ b/PROTOCOL.certkeys @@ -157,6 +157,9 @@ is a sequence of zero or more tuples: string name string data +Options must be lexically ordered by "name" if they appear in the +sequence. + The name field identifies the option and the data field encodes option-specific information (see below). All options are "critical", if an implementation does not recognise a option @@ -185,9 +188,10 @@ Extensions ---------- The extensions section of the certificate specifies zero or more -non-critical certificate extensions. The encoding of extensions in this -field is identical to that of the critical options. If an implementation -does not recognise an extension, then it should ignore it. +non-critical certificate extensions. The encoding and ordering of +extensions in this field is identical to that of the critical options. +If an implementation does not recognise an extension, then it should +ignore it. The supported extensions and the contents and structure of their data fields are: @@ -218,4 +222,4 @@ permit-user-rc empty Flag indicating that execution of of this script will not be permitted if this option is not present. -$OpenBSD: PROTOCOL.certkeys,v 1.6 2010/05/20 23:46:02 djm Exp $ +$OpenBSD: PROTOCOL.certkeys,v 1.7 2010/08/04 05:40:39 djm Exp $ diff --git a/ssh-keygen.c b/ssh-keygen.c index 56bfee20..4c60a659 100644 --- a/ssh-keygen.c +++ b/ssh-keygen.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssh-keygen.c,v 1.195 2010/07/16 04:45:30 djm Exp $ */ +/* $OpenBSD: ssh-keygen.c,v 1.196 2010/08/04 05:40:39 djm Exp $ */ /* * Author: Tatu Ylonen <ylo@cs.hut.fi> * Copyright (c) 1994 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland @@ -1295,9 +1295,9 @@ static void prepare_options_buf(Buffer *c, int which) { buffer_clear(c); - if ((which & OPTIONS_EXTENSIONS) != 0 && - (certflags_flags & CERTOPT_X_FWD) != 0) - add_flag_option(c, "permit-X11-forwarding"); + if ((which & OPTIONS_CRITICAL) != 0 && + certflags_command != NULL) + add_string_option(c, "force-command", certflags_command); if ((which & OPTIONS_EXTENSIONS) != 0 && (certflags_flags & CERTOPT_AGENT_FWD) != 0) add_flag_option(c, "permit-agent-forwarding"); @@ -1310,9 +1310,9 @@ prepare_options_buf(Buffer *c, int which) if ((which & OPTIONS_EXTENSIONS) != 0 && (certflags_flags & CERTOPT_USER_RC) != 0) add_flag_option(c, "permit-user-rc"); - if ((which & OPTIONS_CRITICAL) != 0 && - certflags_command != NULL) - add_string_option(c, "force-command", certflags_command); + if ((which & OPTIONS_EXTENSIONS) != 0 && + (certflags_flags & CERTOPT_X_FWD) != 0) + add_flag_option(c, "permit-X11-forwarding"); if ((which & OPTIONS_CRITICAL) != 0 && certflags_src_addr != NULL) add_string_option(c, "source-address", certflags_src_addr); |