summaryrefslogtreecommitdiff
path: root/usr.bin
diff options
context:
space:
mode:
authorDamien Miller <djm@cvs.openbsd.org>2021-11-05 03:10:59 +0000
committerDamien Miller <djm@cvs.openbsd.org>2021-11-05 03:10:59 +0000
commit2ff782d0566a59e02dc565575bb6e967d6685d88 (patch)
tree6e4b385ad558f25cc5702887dcb7aa939edb06e7 /usr.bin
parent749123e2352a2453eb0a60225b866fe0dc6e7dfb (diff)
move cert_filter_principals() to earlier in the file for reuse;
no code change
Diffstat (limited to 'usr.bin')
-rw-r--r--usr.bin/ssh/sshsig.c110
1 files changed, 55 insertions, 55 deletions
diff --git a/usr.bin/ssh/sshsig.c b/usr.bin/ssh/sshsig.c
index 9301f2e9f17..a1ab0a2c600 100644
--- a/usr.bin/ssh/sshsig.c
+++ b/usr.bin/ssh/sshsig.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sshsig.c,v 1.21 2021/07/23 04:00:59 djm Exp $ */
+/* $OpenBSD: sshsig.c,v 1.22 2021/11/05 03:10:58 djm Exp $ */
/*
* Copyright (c) 2019 Google LLC
*
@@ -811,6 +811,60 @@ parse_principals_key_and_options(const char *path, u_long linenum, char *line,
}
static int
+cert_filter_principals(const char *path, u_long linenum,
+ char **principalsp, const struct sshkey *cert, uint64_t verify_time)
+{
+ char *cp, *oprincipals, *principals;
+ const char *reason;
+ struct sshbuf *nprincipals;
+ int r = SSH_ERR_INTERNAL_ERROR, success = 0;
+
+ oprincipals = principals = *principalsp;
+ *principalsp = NULL;
+
+ if ((nprincipals = sshbuf_new()) == NULL) {
+ r = SSH_ERR_ALLOC_FAIL;
+ goto out;
+ }
+
+ while ((cp = strsep(&principals, ",")) != NULL && *cp != '\0') {
+ if (strcspn(cp, "!?*") != strlen(cp)) {
+ debug("%s:%lu: principal \"%s\" not authorized: "
+ "contains wildcards", path, linenum, cp);
+ continue;
+ }
+ /* Check against principals list in certificate */
+ if ((r = sshkey_cert_check_authority(cert, 0, 1, 0,
+ verify_time, cp, &reason)) != 0) {
+ debug("%s:%lu: principal \"%s\" not authorized: %s",
+ path, linenum, cp, reason);
+ continue;
+ }
+ if ((r = sshbuf_putf(nprincipals, "%s%s",
+ sshbuf_len(nprincipals) != 0 ? "," : "", cp)) != 0) {
+ error_f("buffer error");
+ goto out;
+ }
+ }
+ if (sshbuf_len(nprincipals) == 0) {
+ error("%s:%lu: no valid principals found", path, linenum);
+ r = SSH_ERR_KEY_CERT_INVALID;
+ goto out;
+ }
+ if ((principals = sshbuf_dup_string(nprincipals)) == NULL) {
+ error_f("buffer error");
+ goto out;
+ }
+ /* success */
+ success = 1;
+ *principalsp = principals;
+ out:
+ sshbuf_free(nprincipals);
+ free(oprincipals);
+ return success ? 0 : r;
+}
+
+static int
check_allowed_keys_line(const char *path, u_long linenum, char *line,
const struct sshkey *sign_key, const char *principal,
const char *sig_namespace, uint64_t verify_time)
@@ -924,60 +978,6 @@ sshsig_check_allowed_keys(const char *path, const struct sshkey *sign_key,
}
static int
-cert_filter_principals(const char *path, u_long linenum,
- char **principalsp, const struct sshkey *cert, uint64_t verify_time)
-{
- char *cp, *oprincipals, *principals;
- const char *reason;
- struct sshbuf *nprincipals;
- int r = SSH_ERR_INTERNAL_ERROR, success = 0;
-
- oprincipals = principals = *principalsp;
- *principalsp = NULL;
-
- if ((nprincipals = sshbuf_new()) == NULL) {
- r = SSH_ERR_ALLOC_FAIL;
- goto out;
- }
-
- while ((cp = strsep(&principals, ",")) != NULL && *cp != '\0') {
- if (strcspn(cp, "!?*") != strlen(cp)) {
- debug("%s:%lu: principal \"%s\" not authorized: "
- "contains wildcards", path, linenum, cp);
- continue;
- }
- /* Check against principals list in certificate */
- if ((r = sshkey_cert_check_authority(cert, 0, 1, 0,
- verify_time, cp, &reason)) != 0) {
- debug("%s:%lu: principal \"%s\" not authorized: %s",
- path, linenum, cp, reason);
- continue;
- }
- if ((r = sshbuf_putf(nprincipals, "%s%s",
- sshbuf_len(nprincipals) != 0 ? "," : "", cp)) != 0) {
- error_f("buffer error");
- goto out;
- }
- }
- if (sshbuf_len(nprincipals) == 0) {
- error("%s:%lu: no valid principals found", path, linenum);
- r = SSH_ERR_KEY_CERT_INVALID;
- goto out;
- }
- if ((principals = sshbuf_dup_string(nprincipals)) == NULL) {
- error_f("buffer error");
- goto out;
- }
- /* success */
- success = 1;
- *principalsp = principals;
- out:
- sshbuf_free(nprincipals);
- free(oprincipals);
- return success ? 0 : r;
-}
-
-static int
get_matching_principals_from_line(const char *path, u_long linenum, char *line,
const struct sshkey *sign_key, uint64_t verify_time, char **principalsp)
{