From: djm@openbsd.org Date: Fri, 5 Nov 2021 03:10:58 +0000 (+0000) Subject: upstream: move cert_filter_principals() to earlier in the file for X-Git-Tag: V_8_9_P1~200 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=e4f501bf1d3b53f1cc23d9521fd7c5163307b760;p=thirdparty%2Fopenssh-portable.git upstream: move cert_filter_principals() to earlier in the file for reuse; no code change OpenBSD-Commit-ID: 598fa9528b656b2f38bcc3cf5b6f3869a8c115cf --- diff --git a/sshsig.c b/sshsig.c index d0d401a32..b05e74155 100644 --- a/sshsig.c +++ b/sshsig.c @@ -1,4 +1,4 @@ -/* $OpenBSD: sshsig.c,v 1.21 2021/07/23 04:00:59 djm Exp $ */ +/* $OpenBSD: sshsig.c,v 1.22 2021/11/05 03:10:58 djm Exp $ */ /* * Copyright (c) 2019 Google LLC * @@ -812,6 +812,60 @@ parse_principals_key_and_options(const char *path, u_long linenum, char *line, return r; } +static int +cert_filter_principals(const char *path, u_long linenum, + char **principalsp, const struct sshkey *cert, uint64_t verify_time) +{ + char *cp, *oprincipals, *principals; + const char *reason; + struct sshbuf *nprincipals; + int r = SSH_ERR_INTERNAL_ERROR, success = 0; + + oprincipals = principals = *principalsp; + *principalsp = NULL; + + if ((nprincipals = sshbuf_new()) == NULL) { + r = SSH_ERR_ALLOC_FAIL; + goto out; + } + + while ((cp = strsep(&principals, ",")) != NULL && *cp != '\0') { + if (strcspn(cp, "!?*") != strlen(cp)) { + debug("%s:%lu: principal \"%s\" not authorized: " + "contains wildcards", path, linenum, cp); + continue; + } + /* Check against principals list in certificate */ + if ((r = sshkey_cert_check_authority(cert, 0, 1, 0, + verify_time, cp, &reason)) != 0) { + debug("%s:%lu: principal \"%s\" not authorized: %s", + path, linenum, cp, reason); + continue; + } + if ((r = sshbuf_putf(nprincipals, "%s%s", + sshbuf_len(nprincipals) != 0 ? "," : "", cp)) != 0) { + error_f("buffer error"); + goto out; + } + } + if (sshbuf_len(nprincipals) == 0) { + error("%s:%lu: no valid principals found", path, linenum); + r = SSH_ERR_KEY_CERT_INVALID; + goto out; + } + if ((principals = sshbuf_dup_string(nprincipals)) == NULL) { + error_f("buffer error"); + goto out; + } + /* success */ + success = 1; + *principalsp = principals; + out: + sshbuf_free(nprincipals); + free(oprincipals); + return success ? 0 : r; +} + static int check_allowed_keys_line(const char *path, u_long linenum, char *line, const struct sshkey *sign_key, const char *principal, @@ -925,60 +979,6 @@ sshsig_check_allowed_keys(const char *path, const struct sshkey *sign_key, return r == 0 ? SSH_ERR_KEY_NOT_FOUND : r; } -static int -cert_filter_principals(const char *path, u_long linenum, - char **principalsp, const struct sshkey *cert, uint64_t verify_time) -{ - char *cp, *oprincipals, *principals; - const char *reason; - struct sshbuf *nprincipals; - int r = SSH_ERR_INTERNAL_ERROR, success = 0; - - oprincipals = principals = *principalsp; - *principalsp = NULL; - - if ((nprincipals = sshbuf_new()) == NULL) { - r = SSH_ERR_ALLOC_FAIL; - goto out; - } - - while ((cp = strsep(&principals, ",")) != NULL && *cp != '\0') { - if (strcspn(cp, "!?*") != strlen(cp)) { - debug("%s:%lu: principal \"%s\" not authorized: " - "contains wildcards", path, linenum, cp); - continue; - } - /* Check against principals list in certificate */ - if ((r = sshkey_cert_check_authority(cert, 0, 1, 0, - verify_time, cp, &reason)) != 0) { - debug("%s:%lu: principal \"%s\" not authorized: %s", - path, linenum, cp, reason); - continue; - } - if ((r = sshbuf_putf(nprincipals, "%s%s", - sshbuf_len(nprincipals) != 0 ? "," : "", cp)) != 0) { - error_f("buffer error"); - goto out; - } - } - if (sshbuf_len(nprincipals) == 0) { - error("%s:%lu: no valid principals found", path, linenum); - r = SSH_ERR_KEY_CERT_INVALID; - goto out; - } - if ((principals = sshbuf_dup_string(nprincipals)) == NULL) { - error_f("buffer error"); - goto out; - } - /* success */ - success = 1; - *principalsp = principals; - out: - sshbuf_free(nprincipals); - free(oprincipals); - return success ? 0 : r; -} - static int get_matching_principals_from_line(const char *path, u_long linenum, char *line, const struct sshkey *sign_key, uint64_t verify_time, char **principalsp)