author | Damien Miller <djm@cvs.openbsd.org> | 2023-06-21 05:10:27 +0000 |
---|---|---|
committer | Damien Miller <djm@cvs.openbsd.org> | 2023-06-21 05:10:27 +0000 |
commit | 498d45d43bf88cb6982141561a13bfa4553a69d3 (patch) | |
tree | 97310f45559a085017e977070b77300bc68934a5 /usr.bin/ssh/sshkey.c | |
parent | 9034712bf030f650fa6ddce7d901662e326dbc8a (diff) |
better validate CASignatureAlgorithms in ssh_config and sshd_config.
Previously this directive would accept certificate algorithm names, but
these were unusable in practice as OpenSSH does not support CA chains.
part of bz3577; ok dtucker@
Diffstat (limited to 'usr.bin/ssh/sshkey.c')
-rw-r--r-- | usr.bin/ssh/sshkey.c | 7 |
1 files changed, 5 insertions, 2 deletions
diff --git a/usr.bin/ssh/sshkey.c b/usr.bin/ssh/sshkey.c
index eac9c866ebe..3b07c92de12 100644
--- a/usr.bin/ssh/sshkey.c
+++ b/usr.bin/ssh/sshkey.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sshkey.c,v 1.135 2023/03/31 03:22:49 djm Exp $ */
+/* $OpenBSD: sshkey.c,v 1.136 2023/06/21 05:10:26 djm Exp $ */
 /*
 * Copyright (c) 2000, 2001 Markus Friedl. All rights reserved.
 * Copyright (c) 2008 Alexander von Gernler. All rights reserved.
@@ -319,7 +319,7 @@ sshkey_alg_list(int certs_only, int plain_only, int include_sigonly, char sep)
 }
 
 int
-sshkey_names_valid2(const char *names, int allow_wildcard)
+sshkey_names_valid2(const char *names, int allow_wildcard, int plain_only)
 {
 char *s, *cp, *p;
 const struct sshkey_impl *impl;
@@ -352,6 +352,9 @@ sshkey_names_valid2(const char *names, int allow_wildcard)
 }
 free(s);
 return 0;
+ } else if (plain_only && sshkey_type_is_cert(type)) {
+ free(s);
+ return 0;
 }
 }
 free(s); |
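Review bot: `plain_only` is added as a second bare `int` flag right after `allow_wildcard` in the `sshkey_names_valid2` signature, so a call like `sshkey_names_valid2(names, 1, 0)` does not show which flag is which, and swapped arguments compile without a warning. The diffstat is limited to sshkey.c, so the prototype and the call sites are not visible here; each caller should be checked to pass the new flag deliberately, presumably with only the CASignatureAlgorithms parsing setting it. A short comment above the function would help, for example `/* plain_only: also reject certificate algorithm names */`. The function body continues outside this hunk.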
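Review bot: The new `plain_only` test is an `else if` arm, so it only runs for names the preceding `if` did not already handle, and that `if` begins outside the hunk. If that earlier branch is the one that honours `allow_wildcard`, a pattern that matches only certificate algorithm names would still be accepted with `plain_only` set, leaving the same kind of unusable CASignatureAlgorithms entry the commit message describes. Either filter certificate algorithms out of the pattern match when `plain_only` is set, or state the limit next to the new arm, e.g. `/* only exact names are checked; patterns may still match cert algorithms */`.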