diff options
| author | djm@openbsd.org <djm@openbsd.org> | 2017-04-29 06:12:25 +0200 |
|---|---|---|
| committer | Damien Miller <djm@mindrot.org> | 2017-05-01 01:35:38 +0200 |
| commit | 249516e428e8461b46340a5df5d5ed1fbad2ccce (patch) | |
| tree | 6e815007fb5507f1590e0c8835dae904f7b3107a /ssh-keygen.c | |
| parent | upstream commit (diff) | |
| download | openssh-249516e428e8461b46340a5df5d5ed1fbad2ccce.tar.xz openssh-249516e428e8461b46340a5df5d5ed1fbad2ccce.zip | |
upstream commit
allow ssh-keygen to include arbitrary string or flag
certificate extensions and critical options. ok markus@ dtucker@
Upstream-ID: 2cf28dd6c5489eb9fc136e0b667ac3ea10241646
Diffstat (limited to 'ssh-keygen.c')
| -rw-r--r-- | ssh-keygen.c | 39 |
1 files changed, 37 insertions, 2 deletions
diff --git a/ssh-keygen.c b/ssh-keygen.c index f17af036b..c0d2d5942 100644 --- a/ssh-keygen.c +++ b/ssh-keygen.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssh-keygen.c,v 1.299 2017/03/10 04:26:06 djm Exp $ */ +/* $OpenBSD: ssh-keygen.c,v 1.300 2017/04/29 04:12:25 djm Exp $ */ /* * Author: Tatu Ylonen <ylo@cs.hut.fi> * Copyright (c) 1994 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland @@ -149,6 +149,15 @@ u_int32_t certflags_flags = CERTOPT_DEFAULT; char *certflags_command = NULL; char *certflags_src_addr = NULL; +/* Arbitrary extensions specified by user */ +struct cert_userext { + char *key; + char *val; + int crit; +}; +struct cert_userext *cert_userext; +size_t ncert_userext; + /* Conversion to/from various formats */ int convert_to = 0; int convert_from = 0; @@ -1531,6 +1540,8 @@ add_string_option(struct sshbuf *c, const char *name, const char *value) static void prepare_options_buf(struct sshbuf *c, int which) { + size_t i; + sshbuf_reset(c); if ((which & OPTIONS_CRITICAL) != 0 && certflags_command != NULL) @@ -1553,6 +1564,17 @@ prepare_options_buf(struct sshbuf *c, int which) if ((which & OPTIONS_CRITICAL) != 0 && certflags_src_addr != NULL) add_string_option(c, "source-address", certflags_src_addr); + for (i = 0; i < ncert_userext; i++) { + if ((cert_userext[i].crit && (which & OPTIONS_EXTENSIONS)) || + (!cert_userext[i].crit && (which & OPTIONS_CRITICAL))) + continue; + if (cert_userext[i].val == NULL) + add_flag_option(c, cert_userext[i].key); + else { + add_string_option(c, cert_userext[i].key, + cert_userext[i].val); + } + } } static struct sshkey * @@ -1789,7 +1811,8 @@ parse_cert_times(char *timespec) static void add_cert_option(char *opt) { - char *val; + char *val, *cp; + int iscrit = 0; if (strcasecmp(opt, "clear") == 0) certflags_flags = 0; @@ -1829,6 +1852,18 @@ add_cert_option(char *opt) if (addr_match_cidr_list(NULL, val) != 0) fatal("Invalid source-address list"); certflags_src_addr = xstrdup(val); + } else if (strncasecmp(opt, "extension:", 10) == 0 || + (iscrit = (strncasecmp(opt, "critical:", 9) == 0))) { + val = xstrdup(strchr(opt, ':') + 1); + if ((cp = strchr(val, '=')) != NULL) + *cp++ = '\0'; + cert_userext = xreallocarray(cert_userext, ncert_userext + 1, + sizeof(*cert_userext)); + cert_userext[ncert_userext].key = val; + cert_userext[ncert_userext].val = cp == NULL ? + NULL : xstrdup(cp); + cert_userext[ncert_userext].crit = iscrit; + ncert_userext++; } else fatal("Unsupported certificate option \"%s\"", opt); } |